At its most basic, access control is a collection of policies that governs who can access data and applications within your organization’s secure network or server. It is also central to ensuring that users who log on are who they say they are and are not being spoofed or impersonated.
If your organization has lax or flawed access control or broken access control vulnerabilities, a bad actor can easily gain access to your secure data. However, it isn’t as simple as just initiating blanket access policies. In most cases, specific departments or individuals require more access than others. Staying on top of all these permissions is complex, and since they can change often, it requires a system that can keep up.
In the event of a breach, access control policies are typically the first to be investigated. Without robust access control, trying to implement other cybersecurity measures is like trying to plug a leak in a ship that’s already half underwater.
Let’s explore the fundamentals of access control, including the four types of access control that IT professionals need to understand as they move to take more control of their cybersecurity.
What is Access Control?
Access control comprises all the authentication and authorization policies implemented by your company. If your policies are overly permissive or you have a broken access control vulnerability that you’re not aware of, it’s a huge security threat.
In fact, OWASP recently categorized broken access controls as the number one web application security risk for 2021. According to their research, broken access controls had an incidence rate of 3.81% and also had the most occurrences within their large contributed data set.
There are two reasons why access control is so important. The first is that if your access controls are not correctly implemented, it’s very easy for a bad actor to gain access to your system.
The other reason is that as long as this vulnerability remains unresolved, nothing else you do to protect your system will matter very much. You can set up the most secure firewall or anti-virus software available, but if someone can simply impersonate a staff member and gain access to any resource in your system, the rest of your security efforts can’t stop them.
4 Types of Access Control
There are several different models or types of access control that an organization can implement to protect its data and assets. Each has its own use cases and benefits.
Discretionary Access Control (DAC)
Discretionary access control (DAC) is a system of control that gives the business owner or designated IT specialist permission to determine which users can access which resources. If you have the proper credentials, you can gain access to whatever files or data correspond to that authorization.
This system depends on oversight and active management from either an individual or a department. It’s flexible, because any authorization can be given to any credential. However, it requires a lot of effort on the part of the individual in control to monitor and assign permissions to every individual user.
Attribute Based Access Control (ABAC)
On the other hand, attribute based access control (ABAC) uses an algorithm or policy to set rules for access based on user attributes, such as:
- IP location
- Time of day
- Security clearance
For example, the system could be instructed to give access to anyone with a manager-level title or credentials from a specific department. Depending on the user’s location or time of day, access to certain resources or credentials could even be blocked.
These attributes can be assigned to each user and resource from scratch or imported from a separate database.
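As an added example (not code from the article), the following deny-by-default policy evaluator encodes the attributes listed above as rules; the attribute names, the 10.0.0.0/8 "on-site" range and the business-hours window are assumptions chosen for illustration.

```python
from dataclasses import dataclass
import ipaddress

# Constructed example, not from the article: attribute names and the
# three rules are assumptions chosen to mirror the attributes listed above.

@dataclass
class Subject:
    user: str
    title: str
    department: str
    clearance: int      # higher means more trusted
    source_ip: str
    hour: int           # hour of day of the request, 0-23

@dataclass
class Resource:
    name: str
    department: str
    min_clearance: int

CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed on-site range
BUSINESS_HOURS = range(8, 18)                        # 08:00 to 17:59

def rule_manager_or_same_department(s, r):
    """Managers may reach any department's resource; others only their own."""
    return s.title == "manager" or s.department == r.department

def rule_clearance(s, r):
    """Security clearance must meet the resource's minimum."""
    return s.clearance >= r.min_clearance

def rule_location_and_time(s, r):
    """Off-site requests are only honoured during business hours."""
    on_site = ipaddress.ip_address(s.source_ip) in CORPORATE_NET
    return on_site or s.hour in BUSINESS_HOURS

POLICY = [rule_manager_or_same_department, rule_clearance, rule_location_and_time]

def evaluate(subject, resource, policy=POLICY):
    """Deny by default: every rule must pass. Returns (allowed, failed_rule_names)
    so a denial can be logged with its reason, which is what an audit needs."""
    failed = [rule.__name__ for rule in policy if not rule(subject, resource)]
    return (not failed, failed)

if __name__ == "__main__":
    payroll = Resource("payroll-db", "finance", min_clearance=2)
    alice = Subject("alice", "analyst", "finance", 2, "10.1.2.3", hour=10)
    carol = Subject("carol", "manager", "engineering", 1, "203.0.113.5", hour=22)
    for who in (alice, carol):
        print(who.user, evaluate(who, payroll))
```

Because every rule must pass, adding a new attribute is a matter of appending one function to the policy list; the returned rule names make a denial explainable in logs.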
Mandatory Access Control (MAC)
Mandatory access control (MAC) is generally considered one of the strictest types of access control. Instead of the system giving access to a user through their attributes or credentials, MAC relies entirely on a system administrator giving permission – most frequently, the Chief Security Officer or someone with a similar title. This creates robust safety around valuable and sensitive information, which is why it’s most frequently used by government agencies.
MAC is a helpful model for access control, but it is very restrictive and relies entirely on a single individual to set and revoke permissions. It puts a huge amount of pressure on the CSO to establish a reliable permissions structure and oversee its functionality.
Role Based Access Control (RBAC)
Another access control model well-suited to organizations working under strict compliance or security requirements is role based access control (RBAC).
This model permits individual users to access specific resources based on their role. This helps ensure that no one can view or use information that does not pertain to their job responsibilities. This model is secure while being user-friendly since it ensures staff can access exactly what they need to do their job, but nothing more.
How to Implement Access Controls
There are many ways to implement various types of access controls. Here’s where we’d start for each type.
Discretionary Access Control
- Create a hierarchy of files with individual permissions that indicate the level of access required. Admins can also use access control lists obtained from other security organizations.
- From there, every resource is given a profile that determines who can access it.
- This system should be audited occasionally to ensure that it’s still working effectively, since resource owners as well as admins can grant access permissions.
Attribute Based Access Control
Setting up ABAC can be complex initially but leads to better overall security once implemented. Administrators need to manually go through all their chosen attributes and assign them to every component, then create an algorithm or policy that determines what the attributes can do based on certain situations.
Mandatory Access Control
Once a mandatory access system is set up, the administrator needs to create a new profile for every new employee, then label them with a variety of tags that indicate their level of access.
Role Based Access Control
- Inventory your resources.
- Examine your workforce and sort them into groups with common access needs.
- Assign users to each role, then match the grouped roles with individual sets of permissions.
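As an added example (not code from the article), here are those three steps carried out in a small RBAC model: a resource inventory, roles mapped to permission sets, and users assigned only roles. The resource, role and user names are constructed for illustration; the audit helpers show how to answer "who can do X" and catch roles that grant operations a resource does not have.

```python
# Constructed RBAC example, not from the article. Role names, resources and
# users are assumptions illustrating the three steps listed above.

# Step 1: inventory of resources and the operations each supports.
RESOURCES = {
    "payroll-db": {"read", "write"},
    "source-repo": {"read", "write"},
    "hr-records": {"read", "write"},
}

# Step 2: groups with common access needs, each mapped to a permission set.
ROLE_PERMISSIONS = {
    "engineer": {("source-repo", "read"), ("source-repo", "write")},
    "finance":  {("payroll-db", "read"), ("payroll-db", "write")},
    "hr":       {("hr-records", "read"), ("hr-records", "write")},
    "auditor":  {("payroll-db", "read"), ("hr-records", "read")},
}

# Step 3: users are assigned roles, never permissions directly.
USER_ROLES = {
    "alice": {"engineer"},
    "bob": {"finance", "auditor"},
    "dana": {"auditor"},
}

def permissions_for(user):
    """Union of the permission sets of every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS[role]
    return perms

def is_allowed(user, resource, action):
    """Deny by default: unknown users, roles or resources all return False."""
    if action not in RESOURCES.get(resource, ()):
        return False
    return (resource, action) in permissions_for(user)

def who_can(resource, action):
    """Audit helper: which users hold a permission, and through which roles."""
    return {user: {r for r in roles if (resource, action) in ROLE_PERMISSIONS[r]}
            for user, roles in USER_ROLES.items()
            if (resource, action) in permissions_for(user)}

def validate_roles():
    """Catch role definitions that grant an operation the inventory lacks."""
    return [(role, res, act) for role, perms in ROLE_PERMISSIONS.items()
            for res, act in perms if act not in RESOURCES.get(res, ())]
```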
Learning How to Implement Access Control Boosts Your Security
One of the best ways to ensure your organization is protected from both external and internal threats is to learn about the various types of access control and how they can be successfully implemented.