There are numerous commonalities that can be addressed with access control. The purpose of access control is to ensure that only authorized individuals, or processes acting on your behalf, can access your digital systems. Companies need a formal, documented access control policy.
The access control policy should address:
1. Account Management – manages and documents accounts (authorizing, establishing, activating, modifying, reviewing, disabling, and removing them).
2. Access Enforcement – enforces authorizations in accordance with documented policies.
3. Information Flow – authorizes the flow of information between interconnected systems and regulates where information can travel.
4. Separation of Functions – ensures the division of responsibilities to prevent conflicts of interest, so that no one person has power over all activities.
5. Least Privilege – assigns users the minimum set of rights they need.
What Access Control Is
Access control is a set of controls that restrict access to certain resources. If we think about it, access controls are everywhere around us. The door to your room, the guards who let you into the office building after seeing your access card, swiping your card or scanning your fingerprint on a biometric system, a queue for food at the canteen, or entering your credentials to access FB are all examples of different types of access control. Here we focus only on logical access control mechanisms.
There are two main types of access control: physical and logical. Physical access control limits access to campuses, buildings, rooms and physical IT assets. Logical access control limits connections to computer networks, system files and data.
Access Control Mechanisms
Discretionary Access Control (DAC)
As the name suggests, this access control model is based on the user's discretion: the owner of a resource can grant access rights on that resource to other users as they see fit. Access Control Lists (ACLs) are a typical example of DAC. Setting the "rwx" permissions on a Unix file you own is another example of DAC. Most operating systems, including Windows and the various flavours of Unix, are based on the DAC model.
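The two DAC examples just mentioned, an owner-managed ACL and the Unix "rwx" mode check, as an added example (not code from the original article). The `Resource` class, the `unix_permits` helper, and the user and file names are all constructed for illustration; the point is that the owner, and only the owner, decides who else gets which rights.

```python
# Added example (not from the original article): a minimal discretionary
# access control model. Resource, the Unix-style mode check, user names and
# file names are all constructed for illustration.

RIGHT_BITS = {"r": 4, "w": 2, "x": 1}


class Resource:
    """A resource whose owner holds an ACL and may grant or revoke rights."""

    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        # The ACL maps a user to the set of rights they hold; the owner
        # starts with every right, which is what makes the model discretionary.
        self.acl = {owner: {"r", "w", "x"}}

    def grant(self, grantor, grantee, right):
        # Only the owner decides who else gets access.
        if grantor != self.owner:
            raise PermissionError(f"{grantor} does not own {self.name}")
        self.acl.setdefault(grantee, set()).add(right)

    def revoke(self, grantor, grantee, right):
        if grantor != self.owner:
            raise PermissionError(f"{grantor} does not own {self.name}")
        self.acl.get(grantee, set()).discard(right)

    def permits(self, user, right):
        return right in self.acl.get(user, set())


def unix_permits(mode, file_owner, file_group, user, user_groups, right):
    """Emulate the classic Unix rwx check on an octal mode such as 0o640.

    Exactly one triplet applies: the owner bits if the caller owns the file,
    otherwise the group bits if the caller is in the file's group, otherwise
    the 'other' bits. The superuser override is deliberately left out.
    """
    if user == file_owner:
        triplet = (mode >> 6) & 0o7
    elif file_group in user_groups:
        triplet = (mode >> 3) & 0o7
    else:
        triplet = mode & 0o7
    return bool(triplet & RIGHT_BITS[right])


if __name__ == "__main__":
    report = Resource("report.txt", "alice")
    print(report.permits("bob", "r"))   # False: no ACL entry yet
    report.grant("alice", "bob", "r")
    print(report.permits("bob", "r"))   # True once the owner grants it
    # 0o640 means owner rw-, group r--, other ---
    print(unix_permits(0o640, "alice", "staff", "bob", {"staff"}, "r"))  # True
    print(unix_permits(0o640, "alice", "staff", "bob", {"staff"}, "w"))  # False
```

Note that the Unix check picks one class and stops: if the caller owns the file, the group and other bits are never consulted, so an owner with mode 0o077 is locked out of their own file even though everyone else can read it.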
Mandatory Access Control (MAC)
In this model, users and owners do not enjoy the privilege of deciding who can access their files. Here the operating system is the decision maker, overriding the user's wishes. Every Subject (user) and Object (resource) is classified and assigned a security label. The security labels of the subject and the object, together with the security policy, determine whether the subject can access the object. The rules for how subjects access objects are made by the security officer, configured by the administrator, enforced by the operating system, and supported by security technologies.
This is a stricter and rather more static access control model than DAC, and it is mostly suited to military organizations, where data classification and confidentiality are of prime importance. Some specialized variants of the Unix operating systems are based on the MAC model.
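The label comparison described above, as an added example (not code from the original article). The page does not name a specific policy, so this assumes the Bell-LaPadula style rules commonly used with MAC, "no read up" and "no write down", over labels made of a hierarchical level plus a set of compartments; the level names, the `ReferenceMonitor` class and the subject and object names are constructed. Subjects get no method for changing labels, which is the point that distinguishes MAC from DAC.

```python
# Added example (not from the original article): label-based mandatory access
# control. Levels, compartments and the Bell-LaPadula style rules are the
# assumed policy; subject and object names are constructed.

from dataclasses import dataclass

# Hierarchical sensitivity levels, lowest to highest.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """A label dominates another when its level is at least as high and
        it carries every compartment the other carries (lattice ordering)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


class ReferenceMonitor:
    """Holds labels set by the security officer; subjects cannot change them."""

    def __init__(self):
        self._subjects = {}
        self._objects = {}

    def label_subject(self, name, label):
        self._subjects[name] = label

    def label_object(self, name, label):
        self._objects[name] = label

    def permits(self, subject, obj, operation):
        s, o = self._subjects[subject], self._objects[obj]
        if operation == "read":
            # Simple security property: no read up.
            return s.dominates(o)
        if operation == "write":
            # *-property: no write down (writing to a lower label would leak).
            return o.dominates(s)
        raise ValueError(f"unknown operation {operation!r}")


if __name__ == "__main__":
    rm = ReferenceMonitor()
    rm.label_subject("analyst", Label("secret", frozenset({"crypto"})))
    rm.label_object("brief", Label("confidential"))
    rm.label_object("plans", Label("top_secret", frozenset({"crypto"})))
    print(rm.permits("analyst", "brief", "read"))    # True: read down
    print(rm.permits("analyst", "plans", "read"))    # False: no read up
    print(rm.permits("analyst", "brief", "write"))   # False: no write down
```

The compartment check is what makes this a lattice rather than a simple ladder: a "secret" subject without the "nuclear" compartment cannot read a "secret" object that carries it, even though the levels are equal.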
Role Based Access Control (RBAC)
RBAC is the buzzword across enterprises today. In this model, access to a resource is governed by the role that the subject holds within an organization. RBAC is also known as non-discretionary access control because the user inherits privileges that are tied to their role; the user has no control over which role they are assigned. Each of the above access models has its own advantages and disadvantages. An organization should select the appropriate model by considering factors such as the type of business, the number of users, the organization's security policy, and so on.
As the number of users and resources in an organization grows, it becomes extremely difficult to manage users' access rights through ACLs. This not only increases the cost of administration but also tends to leave users with excess privileges, violating the least privilege principle and exposing the organization to risk. Moreover, the complexity of this approach makes it hard for an organization to meet its regulatory compliance obligations.
So in organizations where the number of users and the employee turnover are large, RBAC is the optimum solution for access control. Tying privileges to roles, and assigning users to those roles, makes it much simpler for an organization to manage access to its resources. RBAC also speeds up employee onboarding and off-boarding by tying provisioning and de-provisioning to roles.
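The RBAC arrangement described in the last three paragraphs, as an added example (not code from the original article). Permissions are bound to roles and users to roles, off-boarding is a single role-removal step, and, going one step beyond the RBAC paragraphs, the policy list's separation of functions is enforced as a pair of mutually exclusive roles. The `RBAC` class, the role names, the resource/action pairs and the user names are all constructed.

```python
# Added example (not from the original article): role-based access control
# with permissions bound to roles, users assigned to roles, a separation of
# duties constraint between conflicting roles, and role-driven off-boarding.
# Role names, permissions and user names are constructed.


class RBAC:
    def __init__(self):
        self.role_perms = {}     # role -> set of (resource, action)
        self.user_roles = {}     # user -> set of roles
        self.exclusions = set()  # frozenset({role_a, role_b}) pairs that conflict

    def define_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def add_exclusion(self, role_a, role_b):
        """Separation of duties: one person may never hold both roles."""
        self.exclusions.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        # Onboarding: the user gets exactly the rights the role carries,
        # provided it does not conflict with a role they already hold.
        if role not in self.role_perms:
            raise KeyError(f"undefined role {role!r}")
        held = self.user_roles.setdefault(user, set())
        for existing in held:
            if frozenset((existing, role)) in self.exclusions:
                raise PermissionError(
                    f"{user} holds {existing!r}, which conflicts with {role!r}")
        held.add(role)

    def offboard(self, user):
        # De-provisioning is a single step: drop the user's role assignments.
        self.user_roles.pop(user, None)

    def permits(self, user, resource, action):
        return any((resource, action) in self.role_perms[r]
                   for r in self.user_roles.get(user, ()))

    def effective_permissions(self, user):
        """Union of the permissions of every role the user holds; useful for
        the periodic access reviews the policy list calls for."""
        perms = set()
        for r in self.user_roles.get(user, ()):
            perms |= self.role_perms[r]
        return perms


if __name__ == "__main__":
    rbac = RBAC()
    rbac.define_role("ap_clerk", {("invoice", "create")})
    rbac.define_role("ap_approver", {("invoice", "approve")})
    rbac.add_exclusion("ap_clerk", "ap_approver")
    rbac.assign("dave", "ap_clerk")
    print(rbac.permits("dave", "invoice", "create"))   # True
    print(rbac.permits("dave", "invoice", "approve"))  # False
    rbac.offboard("dave")
    print(rbac.permits("dave", "invoice", "create"))   # False after off-boarding
```

Because rights live on the role and not on the user, changing what an accounts-payable clerk may do is one edit to `role_perms` rather than one edit per ACL per user, which is the administrative saving the text describes.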