Recently I wrote about who will be the auditor of the auditors. This week’s topic is purely related to information systems audit. Access control is vital to both physical and digital security: it determines who can access which resources within a system or at a facility.
Access control systems come in various types, each with its own distinguishing features and applications tailored to different information security needs. In this article, we will discuss the different types of access control and their defining characteristics.
7 Main Types of Access Control:
Here are the top 7 types of access control, with their key features and differences.
Mandatory Access Control (MAC):
Mandatory access control, also called MAC, is the most regimented or restrictive type of access control: system administrators have the sole power to grant or deny access on a system. Users have no power whatsoever to change permissions granted by the system admin, and even the resource owner has no power to grant access to the resources they own.
Each system user has a unique set of tags (security labels) that define their digital security profile, indicating their level of access on the system. Because of its very stringent security measures, MAC is a favorite of government entities.
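As an added example (not code from the article), the following Python models MAC as a security lattice: each subject and object carries a label made of a sensitivity level plus a set of compartment tags, reads are allowed only when the subject's clearance dominates the object's label, and only administrators may assign labels. The level names, compartments, users and objects are constructed for illustration.

```python
# Added example (not from the article): a mandatory access control check in the
# style of a security lattice. Levels, compartments, users and objects are all
# constructed for illustration.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


class Label:
    """A security label: a sensitivity level plus a set of compartments (tags)."""

    def __init__(self, level, compartments=()):
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        self.level = level
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        """True when this label is at least as high as `other` on every axis."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_can_read(subject, obj):
    """'No read up': the subject's clearance must dominate the object's label."""
    return subject.dominates(obj)


def mac_can_write(subject, obj):
    """'No write down': the object's label must dominate the subject's label, so a
    highly cleared subject cannot copy data into a lower-labelled object."""
    return obj.dominates(subject)


class MacPolicy:
    """Labels are set only by administrators; resource owners cannot change them."""

    def __init__(self, admins):
        self.admins = set(admins)
        self.labels = {}  # object name -> Label

    def set_label(self, actor, obj_name, label):
        if actor not in self.admins:
            raise PermissionError(f"{actor} is not an administrator")
        self.labels[obj_name] = label

    def can_read(self, subject_label, obj_name):
        return mac_can_read(subject_label, self.labels[obj_name])


# Constructed clearance and object labels
analyst = Label("SECRET", {"CRYPTO"})
policy = MacPolicy(admins={"root"})
policy.set_label("root", "crypto_report", Label("CONFIDENTIAL", {"CRYPTO"}))
policy.set_label("root", "nuclear_memo", Label("SECRET", {"NUCLEAR"}))
policy.set_label("root", "public_notice", Label("UNCLASSIFIED"))

if __name__ == "__main__":
    print(policy.can_read(analyst, "crypto_report"))  # True: SECRET/CRYPTO dominates it
    print(policy.can_read(analyst, "nuclear_memo"))   # False: missing NUCLEAR compartment
    print(mac_can_write(analyst, policy.labels["public_notice"]))  # False: write down
```

The compartment check is what makes the second read fail even though SECRET is at least as high as SECRET: dominance must hold on both the level and the tag set, which is why a single "higher" clearance does not automatically open every object.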
Discretionary Access Control (DAC):
Compared with MAC, DAC gives more control to resource owners and administrators. In systems following DAC, resource owners or system administrators decide who can access which resources and to what extent.
It is a flexible access control system, but it requires active management of permissions. Because of this flexibility and its decentralized approach to access control, DAC can lead to more security challenges.
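The following Python is an added example, not code from the article, showing DAC as an owner-managed ACL per resource. The owner can grant rights, including the right to grant further, and a small report lists everyone who can extend access without the owner, which is the "decentralized" property the paragraph warns about. Resource names and principals are constructed.

```python
# Added example (not from the article): discretionary access control, where each
# resource carries an owner-managed ACL. Resource names and principals are constructed.
class DacResource:
    """A resource whose owner decides who may access it, and how."""

    ALL_RIGHTS = {"read", "write", "grant"}

    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        self.acl = {owner: set(self.ALL_RIGHTS)}   # principal -> rights

    def allowed(self, principal, right):
        return right in self.acl.get(principal, set())

    def grant(self, actor, principal, right):
        """Anyone holding 'grant' (the owner by default) may extend the ACL.
        This delegation is the flexibility that also lets rights spread."""
        if right not in self.ALL_RIGHTS:
            raise ValueError(f"unknown right {right!r}")
        if not self.allowed(actor, "grant"):
            raise PermissionError(f"{actor} may not grant rights on {self.name}")
        self.acl.setdefault(principal, set()).add(right)

    def revoke(self, actor, principal, right):
        """Only the owner revokes; the owner's own rights are never removed."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of {self.name}")
        if principal == self.owner:
            raise ValueError("cannot revoke the owner's rights")
        self.acl.get(principal, set()).discard(right)


def delegation_report(resource):
    """Principals other than the owner who can themselves grant access: a review
    list, since each of them can extend access without the owner's involvement."""
    return sorted(p for p, rights in resource.acl.items()
                  if p != resource.owner and "grant" in rights)


# Constructed scenario: alice owns a design document and delegates freely
doc = DacResource("design.docx", owner="alice")
doc.grant("alice", "bob", "read")
doc.grant("alice", "bob", "grant")      # bob can now hand out access himself
doc.grant("bob", "carol", "write")      # ...and does, without alice's involvement

if __name__ == "__main__":
    print(doc.allowed("carol", "write"))   # True
    print(delegation_report(doc))          # ['bob']
```

Running `delegation_report` across all resources is the kind of periodic check an auditor wants in a DAC environment: it surfaces the grant chains that the owner may no longer be aware of.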
Role-Based Access Control (RBAC):
This is one of the most popular access control systems in large organizations, which also have to deal with third parties and contractors. RBAC systems tie a user's access to their role within the organization.
This access control method ensures that employees can access only the resources or information related to their roles. Because access is restricted by role, RBAC is useful in preventing employees lower in the chain from accessing higher-level information.
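As an added example (not the article's own code), this Python keeps a role catalogue and per-user role assignments, derives a user's effective permissions purely from their roles, and restricts which roles an external account (contractor or third party) may hold. Roles, permissions and users are constructed.

```python
# Added example (not from the article): role-based access control with a role
# catalogue and per-user role assignments. All roles, permissions and users are
# constructed for illustration.
ROLE_PERMISSIONS = {
    "employee":   {"read:handbook", "read:directory"},
    "contractor": {"read:handbook", "read:project_x"},
    "finance":    {"read:ledger", "write:ledger"},
    "executive":  {"read:ledger", "read:board_minutes"},
}

# Roles an external (contractor / third-party) account may hold
EXTERNAL_ALLOWED_ROLES = {"contractor"}


class Rbac:
    def __init__(self, role_permissions):
        self.role_permissions = role_permissions
        self.user_roles = {}       # user -> set of roles
        self.external = set()      # users who are contractors / third parties

    def add_user(self, user, roles, external=False):
        unknown = set(roles) - set(self.role_permissions)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        if external:
            disallowed = set(roles) - EXTERNAL_ALLOWED_ROLES
            if disallowed:
                raise PermissionError(
                    f"external user {user} cannot hold {sorted(disallowed)}")
            self.external.add(user)
        self.user_roles[user] = set(roles)

    def permissions(self, user):
        """Effective permissions = union over the user's roles; no direct grants."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions[role]
        return perms

    def allowed(self, user, permission):
        return permission in self.permissions(user)

    def users_with(self, permission):
        """Who can do X? The question an access review of sensitive permissions asks."""
        return sorted(u for u in self.user_roles if self.allowed(u, permission))


rbac = Rbac(ROLE_PERMISSIONS)
rbac.add_user("alice", {"employee", "finance"})
rbac.add_user("bob", {"contractor"}, external=True)
rbac.add_user("carol", {"employee", "executive"})

if __name__ == "__main__":
    print(rbac.allowed("alice", "write:ledger"))      # True
    print(rbac.allowed("bob", "read:board_minutes"))  # False
    print(rbac.users_with("read:ledger"))             # ['alice', 'carol']
```

Because permissions are never attached to users directly, removing someone from a role (or changing a role's permissions) updates everyone consistently, which is what makes RBAC manageable at the scale of a large organization.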
Rule-Based Access Control:
In this access control system, access to applications and resources is granted based on structured rules and policies, which are usually based on some context. For example, access may be granted or limited based on location or time of day. Such access controls are usually used in conjunction with RBAC for enhanced security.
Attribute-Based Access Control (ABAC):
ABAC is a more dynamic form of access control that features intelligent risk control. Access is determined by attributes of the user, which may include their location, their role in the organization or their time of access. These defining attributes can be quite complex and may be sourced from multiple, diverse databases. The result is a type of access control that adapts to changing environments and provides granular control over access.
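The Python below is an added example (not from the article) that serves both the rule-based section above and ABAC: every decision is made over attributes of the subject, the resource and the environment, and the time-of-day and location rules are just conditions over those attributes. The rules, attribute names and the deny-overrides combining order are constructed for illustration; the combining style is borrowed from XACML but no XACML library is used.

```python
# Added example (not from the article): a small attribute-based policy engine that
# also covers rule-based controls (time of day, location). Rules, attributes and
# the deny-overrides combining algorithm are constructed for illustration.
from dataclasses import dataclass
from datetime import time
from typing import Callable


@dataclass
class Request:
    subject: dict     # user attributes, e.g. role, department, location
    resource: dict    # target attributes, e.g. type, classification, department
    action: str
    env: dict         # environment attributes, e.g. time of day


@dataclass
class Rule:
    name: str
    effect: str                          # "permit" or "deny"
    when: Callable[[Request], bool]      # condition over the request's attributes


def business_hours(t):
    return time(8, 0) <= t < time(18, 0)


RULES = [
    Rule("deny-outside-hours", "deny",
         lambda r: not business_hours(r.env["time"])),
    Rule("deny-internal-offsite", "deny",
         lambda r: r.resource["classification"] == "internal"
         and r.subject["location"] != "office"),
    Rule("permit-same-department-read", "permit",
         lambda r: r.action == "read"
         and r.subject["department"] == r.resource["department"]),
    Rule("permit-hr-payroll-write", "permit",
         lambda r: r.action == "write" and r.subject["role"] == "hr"
         and r.resource["type"] == "payroll"),
]


def evaluate(request, rules=RULES):
    """Deny-overrides: any matching deny wins, then any matching permit,
    otherwise the default is deny. Returns the decision and the rules that decided it."""
    fired = [rule for rule in rules if rule.when(request)]
    if any(rule.effect == "deny" for rule in fired):
        return "deny", [rule.name for rule in fired if rule.effect == "deny"]
    if fired:
        return "permit", [rule.name for rule in fired]
    return "deny", ["default-deny"]


def decide(subject, resource, action, hour, minute=0):
    """Convenience wrapper: evaluate a request at a given time of day."""
    return evaluate(Request(subject, resource, action, {"time": time(hour, minute)}))


# Constructed attribute sets
payroll = {"type": "payroll", "classification": "internal", "department": "hr"}
hr_in_office = {"role": "hr", "department": "hr", "location": "office"}
hr_at_home = {"role": "hr", "department": "hr", "location": "home"}
engineer = {"role": "engineer", "department": "eng", "location": "office"}

if __name__ == "__main__":
    print(decide(hr_in_office, payroll, "write", 10))   # permit
    print(decide(hr_at_home, payroll, "write", 10))     # deny: off-site
    print(decide(hr_in_office, payroll, "read", 20))    # deny: outside hours
    print(decide(engineer, payroll, "read", 10))        # deny: no rule permits
```

Returning the names of the rules that fired is deliberate: an auditor reviewing a denied or permitted request needs to see which attribute condition produced the decision, not just the verdict.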
Identity-Based Access Control:
This type controls access based on someone’s visual or biometric identity. Access is granted or denied by matching the provided identity with a profile in the access control list. This type of access control also provides granular access and is enabled by technology.
History-Based Access Control:
This system relies on the past security actions of a user. It analyzes the user's past access records and the resources they have accessed, and then determines the suitability of the attempted access. For example, a sudden request to access a resource or system that has never previously been accessed might result in the system flagging it as suspicious, based on the user’s history.
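As an added example (not from the article), the Python below builds each user's access profile from past log records and flags a request for a resource, or for a whole area of the tree, that the user has never touched before. The log lines and the `area/resource` naming convention are constructed; the outcome is "review" rather than a hard deny, which is how such a signal is usually consumed.

```python
# Added example (not from the article): a history-based check that derives a
# per-user access profile from constructed log lines and flags novel requests.
from collections import defaultdict

ACCESS_LOG = """\
2024-03-01T09:12:03 alice READ hr/payroll.xlsx
2024-03-01T09:40:11 alice READ hr/onboarding.docx
2024-03-02T10:02:45 alice WRITE hr/payroll.xlsx
2024-03-02T11:15:00 bob READ eng/design.md
2024-03-03T14:20:19 bob READ eng/roadmap.md
2024-03-03T14:22:31 alice READ hr/payroll.xlsx
"""


def parse_log(text):
    """Yield (timestamp, user, action, resource) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield tuple(parts)


def build_history(records):
    """user -> {resource: number of prior accesses}"""
    history = defaultdict(lambda: defaultdict(int))
    for _ts, user, _action, resource in records:
        history[user][resource] += 1
    return history


def assess(history, user, resource):
    """Return (decision, reason). A resource the user has used before passes; a
    novel resource, or a novel area of the tree, is flagged for review."""
    if user not in history:
        return "review", "no access history for user"
    seen = history[user]
    if resource in seen:
        return "allow", f"{seen[resource]} prior accesses"
    area = resource.split("/", 1)[0]
    known_areas = {r.split("/", 1)[0] for r in seen}
    if area not in known_areas:
        return "review", f"first access to area {area!r} by {user}"
    return "review", f"first-time access to {resource} by {user}"


HISTORY = build_history(parse_log(ACCESS_LOG))

if __name__ == "__main__":
    print(assess(HISTORY, "alice", "hr/payroll.xlsx"))   # allow, 3 prior accesses
    print(assess(HISTORY, "bob", "hr/payroll.xlsx"))     # review: bob has never used hr/
    print(assess(HISTORY, "mallory", "eng/design.md"))   # review: no history at all
```

The two-level check matters in practice: a first read of a new file inside an area the user works in every day is low signal, while a first step into a part of the tree the user has never entered is the "sudden request" the paragraph describes.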
Core Principles of Access Control
Certain access control principles are fundamental to access control systems. The first principle, called “least privilege”, dictates that a user should be able to access only the resources that have been configured for them, and all other access should be off limits.
The second principle, called “segregation of duties”, means that different areas of responsibility (especially those involving conflicting responsibilities) within an organization, department or functional unit should be separated.
The last principle, called “need to know”, requires that users be given access only to the resources/information absolutely necessary for them to perform their duties; all other access should not be available to them.
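As an added example (not from the article), the following Python turns the three principles into review checks over a constructed role model: segregation of duties is tested by looking for conflicting permission pairs held by one user, and least privilege / need to know by listing permissions a user holds but has never exercised in the constructed usage records. Roles, conflict pairs, users and usage data are all constructed.

```python
# Added example (not from the article): access-review checks for segregation of
# duties and least privilege / need to know over constructed roles and usage data.
ROLE_PERMISSIONS = {
    "ap_clerk":   {"vendor:create", "invoice:enter"},
    "ap_manager": {"invoice:approve", "payment:release"},
    "auditor":    {"ledger:read"},
    "hr":         {"employee:read", "payroll:edit"},
}

# Permission pairs that one person must never hold together
SOD_CONFLICTS = [
    frozenset({"vendor:create", "payment:release"}),
    frozenset({"invoice:enter", "invoice:approve"}),
]

USER_ROLES = {
    "alice": {"ap_clerk", "ap_manager"},   # toxic combination
    "bob":   {"ap_clerk"},
    "carol": {"auditor", "hr"},
}

# Constructed usage records: (user, permission) pairs actually exercised recently
USED = {("alice", "invoice:enter"), ("alice", "invoice:approve"),
        ("bob", "invoice:enter"), ("carol", "ledger:read")}


def effective_permissions(user):
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS[role]
    return perms


def sod_violations(user):
    """Conflict pairs fully contained in the user's effective permissions."""
    perms = effective_permissions(user)
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= perms)


def unused_permissions(user, used=USED):
    """Granted but never exercised: candidates for removal under least privilege
    and need to know."""
    exercised = {perm for u, perm in used if u == user}
    return sorted(effective_permissions(user) - exercised)


def review_all():
    return {u: {"sod": sod_violations(u), "unused": unused_permissions(u)}
            for u in sorted(USER_ROLES)}


if __name__ == "__main__":
    for user, findings in review_all().items():
        print(user, findings)
```

Note that the SoD check runs over effective permissions rather than role names: a conflict can arise from two individually harmless roles, which is exactly the case the second principle is meant to catch.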
These diverse access control types illustrate the complexity and importance of managing access in different kinds of environments. From the strictest security offered by MAC, to the dynamic and flexible ABAC, to the granular access controls offered by identity-based (IBAC) and history-based systems, each plays a critical role in protecting sensitive information and systems.
The choice of which system to deploy depends mainly on the core requirements and security concerns of the environment it is supposed to protect.