What are Access Control Models and Methods

Access control: explanation

Access control is a way of ensuring that customers are who they say they are and that they have the right access to company information. Access control is, at a high level, a selective restriction of access to data. It consists of two key components: authentication and authorization, says Daniel Crowley, head of research focusing on data protection for IBM's X-Force Red.

Authentication is a method used to check that who they appear to be is anyone. Authentication is not adequate to secure data on its own, states Crowley. An additional layer, authorization, which decides whether a user should be authorized to access the information or make the transaction they are attempting, is what is required.

There is no data protection without authentication and authorization, says Crowley. "Access controls are among the first policies investigated in every data breach," states Ted Wagner, CISO at SAP National Security Services, Inc.

What are the most prevalent templates for access control?

Models for access control are generally divided into three key categories: Mandatory Access Control, Discretionary Access Control, and Role-Based Access Control. A 4th form, Rule-Based Access Control, is now becoming popular.

What does each of these models of access control entail? And what advantages do users and administrators have?

Discretionary Control for Access

The discretionary access control system is the least restrictive type of access control models and provides full control over who has access and permissions in the system by the system owner or administrator. Using Access Control Lists and community members to establish access to certain points, it also runs off standard operating systems such as Windows and is generally easy to configure and control.

The pros of Arbitrary Access Control are that permissions can be set up easily and efficiently by the administrator. Moreover, it determines who gets in and where depending on what they see fit. The downside is that this also gives the list administrator too much power, which may pass on access to inappropriate users who should not have access.

Start your 30 days free trial to begin your InfoSec career journey today.

Mandatory Access control Systems

On the other hand, mandatory access control is the most restrictive type of access control templates, since it allows only the device owner or administrator control and management of the system and access points. End users and workers do not have power over permissions. Moreover, they can only access points have given to them by the owner of the device. Also, the administrator can only adjust settings.  Which are configured as such and cannot be foiled

All users are categorized and labeled following their permissions and are allowed to enter, access, and exit those points by their defined level of classification. In general, if the device owner wants to grant higher-level access to a user, they must establish a new profile and credential for that user, as any permissions not already defined in their profile cannot be issued to their previous classification.

For facilities and organizations where maximum protection and restrictions are necessary, such as military and government facilities, also even in businesses where security and secrecy are valued, mandatory access control is most advantageous.

 Role-Based Access Control

Role-based access control (RBAC) is often referred to as non-discretionary access control and is commonly used as one of the most common types. RBAC grants permission based on a user's status or function within the company and the required permissions are kept for these pre-defined positions. For example, if a user is identified as a Project Engineer, the permissions entitled to Project Engineers within the system are automatically given to them.

The advantage of this access control model is that setup and use is very easy. Particularly for the system owner or administrator, who simply has to set up predefined roles with necessary permissions. However, the drawbacks are that if a user requires permissions they do not have, the administrator must grant them permission beyond their predefined function, whether on a one-time or more permanent basis, which may or may not be feasible, depending on the specific configuration of the access control system.

Rule-Based Access Management

The fourth common form of access control is Rule-Based Access Control. Rule-based Access Control enables system owners and administrators to set authorization limits and restrictions as necessary, such as restricting access at certain periods of the day, requiring a user to be in a certain area, or restricting access based on the device being used. Permissions can also be measured based on the number of previous access attempts, the last action is taken, and the necessary action.

The model of access control is to ensuring transparency and monitoring.  It is very accommodating that permissions and rules can be dynamic. It can be configured by the system administrator for any number of conditions and needs that may occur. Permissions can be defined in any of the combination parameters, allowing endless combinations for almost any number of specific circumstances.

Methods of logical access control

Via access control lists (ACLs), community rules, passwords, and account limits, logical access control is done. To see how they provide managed access to services, we will take a look at each one of these.

Access Control Lists (ACLs) are permissions that are attached to an object (that is a spreadsheet file) that is verified by a device to allow or deny that object control. These permissions vary from full control to read-only to "access denied." When it comes to various operating systems (that is Windows®, Linux, Mac OS X®), the ACL entries are named "access control entry," or ACE, and are configured using four pieces of information: a security identifier (SID), an access mask, an object flag, and another flap collection.

Group policies are part of the Windows® environment and allow a network of computers using Microsoft directory services called Active Directory to centrally manage access control. This removes the need to go to each machine and set up control of access. These settings are stored in Group Policy Objects (GPOs) that make configuring settings easy for the system administrator. A determined hacker can get around these group policies, albeit convenient, and make life difficult for the system administrator or custodian.

Passwords are "the most common control of logical access... sometimes known as a logical token" (Ciampa, 2009). That being said, however, to have a vital degree of access control, they need to be tough to hack. They can be subject to brute force attacks, dictionary attacks, or other attacks using rainbow tables if one makes the password easy to guess or uses a word in the dictionary. UR passwords are protected.