As technology use grows, organizations implement security controls to protect assets such as information and data. The controls that govern who may reach those assets are called access controls.
Access control is a fundamental security mechanism used to regulate who can view or use resources in a computing environment. It involves processes that grant, restrict, or deny access to systems and information based on predefined policies. Organizations depend on such controls to manage access to the information and resources that make up their information technology infrastructure.
Security Principles
Least Privilege
The principle of least privilege is the practice of granting entities, such as users and systems, only the minimum access rights to resources that they need in order to perform their job functions.
For instance, consider a hospital setting. A doctor needs to update and write patients' health records, but cannot perform the tasks of other departments, such as human resources and IT. On the other hand, an accounting employee needs to read summaries of health services and write billing statements, but cannot diagnose and update patients' charts.
Need-to-Know
Need-to-know is closely related to least privilege: it limits access to resources to only those users or systems that require it to perform their job duties. However, it further restricts access by limiting what users can see, rather than what they can do.
Continuing the hospital example, billing staff may view the service summaries necessary for invoicing but not full patient histories, while medical staff can access detailed health records for treatment purposes. Each user accesses only the information essential to their specific role: employees in an organization know, and can reach, only what their respective job duties require.
Separation of Duties
Dividing a task into separate steps and assigning those steps to different individuals or systems is the foundation of separation of duties. Splitting tasks and responsibilities among multiple individuals or systems helps to reduce the risk of fraud, misuse, and insider threats.
For instance, consider a doctor who diagnoses and treats patients and an accounting employee at the same clinic. The doctor may treat patients, but only accounting staff handle billing. With separation of duties, a doctor cannot both treat a patient and charge that patient; the process is split between medical staff and the accounting department. Likewise, an accounting employee can code and bill patients but cannot diagnose or treat them. This ensures that no single person controls every step of a critical process.
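The three principles above, carried through the hospital scenario as an added example (not code from the original article). Role names, permissions and the patient-record fields are constructed for illustration.

```python
# Added example (not from the original article): a toy hospital authorization
# check enforcing least privilege, need-to-know and separation of duties.
# Role names, permissions and record fields are constructed for illustration.

# Least privilege: each role gets only the (resource, action) pairs its job needs.
ROLE_PERMISSIONS = {
    "doctor":  {("health_record", "read"), ("health_record", "write")},
    "billing": {("service_summary", "read"), ("billing_statement", "write")},
    "hr":      {("employee_file", "read"), ("employee_file", "write")},
}

# Separation of duties: role pairs that must never be held by one person,
# so a single user cannot both treat a patient and bill that patient.
CONFLICTING_ROLES = {frozenset({"doctor", "billing"})}

# Need-to-know: the patient-record fields each role is allowed to see.
NEED_TO_KNOW_FIELDS = {
    "doctor":  {"name", "diagnosis", "history", "medications"},
    "billing": {"name", "services_rendered", "insurance_id"},
}


def assign_roles(roles):
    """Return the role set, rejecting any combination that violates SoD."""
    roles = set(roles)
    for pair in CONFLICTING_ROLES:
        if pair <= roles:
            raise ValueError(f"separation of duties violated: {sorted(pair)}")
    return roles


def is_permitted(roles, resource, action):
    """Deny by default: allow only if a held role grants exactly this pair."""
    return any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def redact_record(roles, record):
    """Return only the fields the user's roles need to know."""
    visible = set().union(*(NEED_TO_KNOW_FIELDS.get(r, set()) for r in roles))
    return {k: v for k, v in record.items() if k in visible}


if __name__ == "__main__":
    patient = {"name": "J. Doe", "diagnosis": "flu", "history": "none",
               "medications": "rest", "services_rendered": "visit", "insurance_id": "A1"}
    doctor, billing = assign_roles(["doctor"]), assign_roles(["billing"])
    print(is_permitted(doctor, "health_record", "write"), is_permitted(doctor, "billing_statement", "write"))
    print(redact_record(billing, patient))
```

Calling `assign_roles(["doctor", "billing"])` raises a `ValueError`, which is the separation-of-duties check refusing to give one person both halves of the treat-and-bill process.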
Access Control Models
Discretionary Access Control (DAC)
Discretionary access control is an owner-based access control model: the owner of an object can grant or revoke other users' privileges on the object they own.
For example, User A is the owner of a file and User B needs access to it. User A can grant User B different permissions, such as read, write, and execute. This provides flexibility and a more user-friendly management process.
DAC often uses Access Control Lists (ACLs) to define these permissions. An ACL is a list of entries that specify which users or systems may perform which actions (such as read, write, or execute) on a given object. While flexible and user-friendly, DAC may lack centralized oversight, because permissions are set by individual owners rather than by a central policy.
Role-Based Access Control (RBAC)
In role-based access control, specific privileges and permissions are granted based on users' roles in an infrastructure or system. Administrators determine the groups and permissions that a user is allowed access to. Administrators may define roles (e.g., HR, IT, Finance) and assign users accordingly. Users receive permissions aligned with their role, enforcing the principle of least privilege.
Returning to the previous example, in an RBAC setting User A cannot grant privileges to User B. Instead, a system administrator assigns User A and User B roles based on their job positions and the functions they perform. If User A works in Human Resources (HR), they are placed in an HR group and receive the privileges associated with their specific job title; the same applies to User B.
The main benefit of RBAC is improved security: because the principle of least privilege is built into the role definitions, users receive only the minimum access to resources. Unlike DAC, users cannot assign access to others, which strengthens centralized control and security.
Mandatory Access Control (MAC)
MAC is a strict, policy-driven model commonly used in military and government systems. Both users and data are assigned security labels (e.g., "Secret," "Top Secret"). For instance, User A with a "Secret" clearance can access resources labeled "Secret" but cannot access documents and resources classified "Top Secret." In MAC models, system administrators implement and maintain the controls according to a uniform, centrally defined policy. Implementing mandatory access control can be difficult, especially in dynamic, frequently changing environments.
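The DAC, RBAC and MAC sections above describe the same "User A, User B and a file" scenario under three models; here it is carried through in working code as an added example (not from the original article). User names, role names, permission strings and the label ordering are constructed for illustration.

```python
# Added example (not from the original article): the article's "User A, User B
# and a file" scenario carried through DAC, RBAC and MAC. Names, roles and
# permission strings are constructed for illustration.

# DAC: the object's owner alone decides who else may access it.
class DacFile:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "execute"}}  # ACL keyed by user

    def grant(self, granter, user, perm):
        if granter != self.owner:                # non-owners cannot change the ACL
            raise PermissionError(f"{granter} does not own this file")
        self.acl.setdefault(user, set()).add(perm)

    def allows(self, user, perm):
        return perm in self.acl.get(user, set())


# RBAC: only an administrator maps users to roles; users cannot delegate.
ROLE_PERMS = {"hr": {"read_personnel", "write_personnel"}, "it": {"reset_password"}}

class Rbac:
    def __init__(self, admins):
        self.admins, self.user_roles = set(admins), {}

    def assign(self, actor, user, role):
        if actor not in self.admins:
            raise PermissionError(f"{actor} is not an administrator")
        self.user_roles.setdefault(user, set()).add(role)

    def allows(self, user, perm):
        return any(perm in ROLE_PERMS[r] for r in self.user_roles.get(user, set()))


# MAC: fixed labels; a subject may read an object only when its clearance is
# at least as high as the object's classification (read-down rule).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

def mac_can_read(clearance, classification):
    return LEVELS[clearance] >= LEVELS[classification]


if __name__ == "__main__":
    f = DacFile("userA")
    f.grant("userA", "userB", "read")           # owner delegates read
    print("DAC:", f.allows("userB", "read"), f.allows("userB", "write"))
    r = Rbac(admins=["admin"])
    r.assign("admin", "userA", "hr")            # userA cannot do this themselves
    print("RBAC:", r.allows("userA", "read_personnel"), r.allows("userA", "reset_password"))
    print("MAC:", mac_can_read("Secret", "Secret"), mac_can_read("Secret", "Top Secret"))
```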
Attribute-Based Access Control (ABAC)
Attribute-based access control bases decisions on attributes, that is, characteristics of the user, the resource, the action, and the environment. For example, a software engineer might be allowed to access certain systems only during business hours and only from a corporate device. Access is granted when the combination of attributes satisfies the policy: the user's characteristics, such as department and job title; environmental attributes, such as location and time; and the requested action, such as view or edit.
ABAC provides granular, context-aware control that suits dynamic environments: it is flexible while also improving security by evaluating many attributes together.
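The "software engineer, business hours, corporate device" scenario as an ABAC policy decision point, added here as an example that is not part of the original article. The attribute names, the single policy rule and the hour/weekday encoding are constructed; a real deployment would load its rules from a policy store.

```python
# Added example (not from the original article): a small ABAC policy decision
# point for the "software engineer, business hours, corporate device" case.
# Attribute names and the single rule are constructed for illustration.

# A rule maps "category.attribute" keys to predicates; every predicate must hold.
# Categories follow the four ABAC attribute kinds: subject, resource, action, environment.
POLICY = [
    {
        "name": "engineers-edit-build-system-in-office-hours",
        "subject.department": lambda v: v == "engineering",
        "subject.title": lambda v: v in {"software engineer", "senior software engineer"},
        "resource.type": lambda v: v == "build_system",
        "action": lambda v: v in {"view", "edit"},
        "environment.device": lambda v: v == "corporate",
        "environment.hour": lambda v: 9 <= v < 18,   # business hours
        "environment.weekday": lambda v: v < 5,      # Mon=0 ... Fri=4
    },
]

def flatten(request):
    """{"subject": {"department": ..}} -> {"subject.department": ..}; scalars stay."""
    flat = {}
    for category, attrs in request.items():
        if isinstance(attrs, dict):
            flat.update({f"{category}.{k}": v for k, v in attrs.items()})
        else:
            flat[category] = attrs
    return flat

def decide(request):
    """Return (decision, rule_name). Deny by default: no matching rule -> deny."""
    flat = flatten(request)
    for rule in POLICY:
        if all(k in flat and p(flat[k]) for k, p in rule.items() if k != "name"):
            return "permit", rule["name"]
    return "deny", None

def request_at(hour, weekday, device="corporate", title="software engineer", action="edit"):
    """Build a request; environment attributes come from the caller's clock and device."""
    return {
        "subject": {"department": "engineering", "title": title},
        "resource": {"type": "build_system"},
        "action": action,
        "environment": {"device": device, "hour": hour, "weekday": weekday},
    }

if __name__ == "__main__":
    print(decide(request_at(10, 1)))                     # Tuesday 10:00, corporate device
    print(decide(request_at(10, 1, device="personal")))  # same user, personal device
```

Note that a request missing any attribute the rule tests is denied, so an incomplete context never passes by accident.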
Rule-Based Access Control (RuBAC)
RuBAC governs access through predefined rules within a system. Models like RBAC, ABAC, and MAC fall under this broader category, where access decisions are not left to individual users but are enforced through system-wide policies.
Risk-Adaptive Access Control (RAdAC)
RAdAC differs from the traditional access control models above in that it dynamically adjusts access permissions based on real-time risk assessments. It considers factors such as user behavior, device status, location, and historical access patterns. A calculated risk score determines whether access should be granted or denied.
Although it is a more involved process, risk-adaptive access control offers stronger security through dynamic, adaptive policies.
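A risk score built from the factors listed above (user behavior, device status, location, access history), as an added example that is not part of the original article. The weights, the deny threshold, the user profile and the sample requests are all constructed; a real deployment would tune them from its own telemetry.

```python
# Added example (not from the original article): a risk-adaptive access
# decision that scores a request from user behaviour, device status, location
# and access history. Weights, threshold, profile and requests are constructed.

RISK_WEIGHTS = {
    "new_device": 25,          # device status: never seen for this user
    "unmanaged_device": 20,    # device status: not under corporate management
    "unusual_location": 30,    # location: outside the user's usual countries
    "off_hours": 10,           # behaviour: outside the user's normal hours
    "impossible_travel": 40,   # behaviour: country changed within an hour
    "recent_failures": 15,     # history: repeated failed attempts just before
}
DENY_AT = 50   # a score at or above this refuses the request

def score_request(profile, req):
    """Return (risk_score, triggered_factors) for a request against a user profile."""
    reasons = []
    if req["device_id"] not in profile["known_devices"]:
        reasons.append("new_device")
    if not req["device_managed"]:
        reasons.append("unmanaged_device")
    if req["country"] not in profile["usual_countries"]:
        reasons.append("unusual_location")
    start, end = profile["usual_hours"]
    if not start <= req["hour"] < end:
        reasons.append("off_hours")
    if req["minutes_since_last_login"] < 60 and req["country"] != req["last_country"]:
        reasons.append("impossible_travel")
    if req["failed_attempts_last_hour"] >= 3:
        reasons.append("recent_failures")
    return sum(RISK_WEIGHTS[r] for r in reasons), reasons

def decide(profile, req):
    """Grant or deny based on the calculated risk score; also return the evidence."""
    score, reasons = score_request(profile, req)
    return ("deny" if score >= DENY_AT else "grant"), score, reasons

# Constructed sample profile and requests.
PROFILE = {"known_devices": {"laptop-17"}, "usual_countries": {"US"}, "usual_hours": (8, 19)}
TYPICAL = {"device_id": "laptop-17", "device_managed": True, "country": "US", "hour": 10,
           "minutes_since_last_login": 480, "last_country": "US", "failed_attempts_last_hour": 0}
SUSPECT = {"device_id": "phone-99", "device_managed": False, "country": "BR", "hour": 3,
           "minutes_since_last_login": 20, "last_country": "US", "failed_attempts_last_hour": 4}

if __name__ == "__main__":
    print(decide(PROFILE, TYPICAL))   # ('grant', 0, [])
    print(decide(PROFILE, SUSPECT))   # ('deny', 140, [all six factors])
```

The returned factor list is what an analyst would want in the audit log: the decision is explainable, not just a number.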
Best Practices
- Implement Defense in Depth: Defense in depth is a security strategy that relies on multiple layers of security controls to protect information and system assets. For example, an organization may combine multi-factor authentication, attribute-based access control for computing resources, and strong firewall rules for network security.
- Continuous Monitoring and Management: Regularly assess systems for vulnerabilities, unusual activity, and policy compliance to stay ahead of emerging threats.
- Adopt a Zero-Trust Model: Operate under the principle of "never trust, always verify". Zero trust never assumes that a subject is authorized to access a resource; instead, every access request is authenticated and authorized, regardless of its origin.
- Enable Auditing and Logging: Logging and auditing access-control events is a crucial practice. Not only does it help meet legal and compliance requirements set by state and federal bodies, it also helps to identify vulnerabilities and anomalies and supports security investigations.