Picture the paths and patterns of modern data flowing through the cloud and on-premises systems, to remote employees and mobile devices. All of that insight is now at people’s fingertips, and all those layers of complexity are matched only by the levels of management required.
Now add in the demand for real-time information and decisions where the business must decide on the permission levels for each use case. We’re talking about processes that need to be scaled for potentially thousands of workers, often in multiple jurisdictions.
Solving these compounding challenges is part of managing data in modern enterprises. Of course, access control is the answer. So, with that in mind, let’s first look at some crucial questions: What is access control? What are the models, methods, and use cases?
What is access control?
Access control means managing permissions and authorizations of people who need resources for their job. Rules are created for approving, denying, and restricting access to the resources. To better understand how this works in the real world, meet the three main players in access control management:
- The subject
The subject is the user: an employee or person requiring access. The subject can also be part of the network, such as an automatic workflow, application or module in the system. They may also be the owner or creator of the resource.
- The object
The object is the resource or form of data being requested. The object contains and/or receives information. Examples include a printer on the network, a file containing sensitive data, or a highly restricted folder.
- The access right/rule
This is the action or operation that can – depending on authorization – be run on objects. The access right/rule includes how much control can be granted, including read-only, read-write, execute (such as add, modify, delete).
Different types of access control models in cyber security
Some of the common models and use cases include:
Attribution-Based Policy Control
This method adds a dynamic element, with access determined by a set of contextual attributes. For example, a file request made outside usual office hours, from an unknown location, can trigger a policy check that confirms or denies access.
Discretionary Access Control
The data owner has control over the data and the related systems required for access. They can delegate subjects’ permissions locally, making DAC a flexible approach ideal for individual teams to define their own access rules. However, the flexibility can also lead to inconsistency, making this decentralized method less secure.
Mandatory Access Control
Mandatory Access Control in cyber security is the strictest form of data access control. It’s commonly used among governments and the military. Admins set labels and security clearances for subjects and objects. Access can only be granted by admins, and only to subjects with an equal or higher security clearance.
Role-Based Access Control
Permissions are pre-assigned to organizational roles that subjects already have within the system. That’s why this form of access control works best when it closely follows organizational structures and hierarchies. Data access is granted to any subject meeting the role-based criteria. It’s worth noting that this method is relatively rigid and can be hard to scale.
Policy-Based Access Control
PBAC adds even more dynamism and scalability to access enforcement and policy control. Access is as finely grained as your policy needs to be, down to column, row, and cell level. Filtering, masking, and anonymization take place in real time, allowing secure and compliant self-service.
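As an added illustration (not code from the original article), the following Python combines three of the models just described into one decision: a mandatory-access clearance check, a role-based permission check, and an attribute-based rule for the out-of-hours, unknown-location case. The labels, roles and the office-hours window are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Mandatory Access Control: ordered sensitivity labels. A subject may act on an
# object only when its clearance equals or exceeds the object's label.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Role-Based Access Control: permissions are pre-assigned to roles, never to
# individual users. (Roles and rights are constructed for this example.)
ROLE_PERMISSIONS = {"analyst": {"read"}, "data_engineer": {"read", "write"},
                    "admin": {"read", "write", "delete"}}

@dataclass
class Subject:
    name: str
    clearance: str
    roles: set[str] = field(default_factory=set)

@dataclass
class Object:
    name: str
    label: str

@dataclass
class Context:          # request attributes for the attribute-based check
    hour: int           # 0-23, local time of the request
    location: str       # e.g. "hq", "vpn" or "unknown"

def mac_allows(subject: Subject, obj: Object) -> bool:
    return LEVELS[subject.clearance] >= LEVELS[obj.label]

def rbac_allows(subject: Subject, action: str) -> bool:
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles)

def abac_allows(ctx: Context, obj: Object) -> bool:
    # The article's example: an out-of-hours request from an unknown location.
    # Here that combination is tolerated only for "public"/"internal" data.
    off_hours = not 8 <= ctx.hour < 18
    if off_hours and ctx.location == "unknown":
        return LEVELS[obj.label] <= LEVELS["internal"]
    return True

def decide(subject: Subject, action: str, obj: Object, ctx: Context) -> tuple[bool, str]:
    """Every layer must agree; the first layer that objects names the denial."""
    if not mac_allows(subject, obj):
        return False, f"MAC: clearance '{subject.clearance}' below label '{obj.label}'"
    if not rbac_allows(subject, action):
        return False, f"RBAC: no role of {subject.name} grants '{action}'"
    if not abac_allows(ctx, obj):
        return False, "ABAC: off-hours request from unknown location"
    return True, "allowed"
```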
“Adaptive artificial intelligence (AI) systems, data sharing and data fabrics are among the trends that data and analytics leaders need to build on to drive new growth, resilience and innovation” – Gartner
Access control methods can also be split into two broad types. Both define and control which subjects can access resources; which one applies depends on whether the environment and use case are physical or virtual.
Physical access control methods
These cover control of physical locations, areas, and objects such as documents. This naturally affects organizations that run paper-based workflows in highly regulated industries, where mandatory access control must be implemented for PII, intellectual property, and related items.
An element of two-factor authentication is often used with physical access controls. A subject might first be asked for something they have, such as an ID card. They might then be asked for something they know, such as a PIN or password.
Common use cases for physical access control include:
- Gates, doors, locks
A typical example is restricting employee access to certain areas of a building.
- Keypads, fobs, badges
Depending on the budget and control level required, this could extend to biometrics and facial ID.
- Access logs, servers, dashboards
These may be cloud-based and electronic, or on-premises and paper-based. Either way, they require ongoing maintenance and management to track who’s logged in and out.
Logical access control methods
These controls restrict virtual access to resources, using a mixture of authorization, authentication, and identification where interactions with systems and networks are remote. There are a variety of methods available for implementation; some of the more popular options are described below.
Access Control Lists (ACLs)
ACLs are permissions attached to a data object. File system ACLs are checked by the system from which the request originates, and access is then granted or denied based on the permissions found.
There are also networking ACLs. As you’ll guess by the name, these manage network access through switches and routers. Because ACLs are installed in these physical components, they’re difficult to scale when managing multiple changes.
This form of access control monitoring is configured using a mixture of:
- Access masks
Contain the allowed privileges for objects, and are usually set by admins or the object owner.
- Operational flags
Define the operations that can be completed when accessing an object.
- Permissions flags
Define the permissions that are inherited between objects.
- Security identifiers
Unique values used to identify subjects, including groups and users, for authentication.
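To make the four components above concrete, here is a small Python ACL evaluator (an added example, not from the article or any product): operation flags are OR-ed into access masks, entries carry an inheritance flag, subjects are identified by SIDs, and explicit deny entries are checked before allow entries. The SIDs, objects and the evaluation order are constructed for illustration and simplify the real Windows algorithm.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntFlag

class Access(IntFlag):
    """Operation flags; OR-ing them together forms an access mask."""
    READ = 0x1
    WRITE = 0x2
    EXECUTE = 0x4
    DELETE = 0x8

@dataclass
class ACE:                      # one access control entry
    sid: str                    # security identifier of a user or group
    mask: Access                # access mask: the rights this entry covers
    allow: bool = True          # False makes it an explicit deny entry
    inherit: bool = False       # permission flag: propagate to child objects

@dataclass
class Obj:
    name: str
    acl: list[ACE] = field(default_factory=list)
    parent: Obj | None = None

    def effective_acl(self) -> list[ACE]:
        """Own entries first, then the inheritable entries of each ancestor."""
        entries, node = list(self.acl), self.parent
        while node is not None:
            entries += [e for e in node.acl if e.inherit]
            node = node.parent
        return entries

def check_access(subject_sids: set[str], obj: Obj, wanted: Access) -> bool:
    """Simplified Windows-style evaluation: an explicit deny touching any
    requested bit wins; otherwise allow entries for the subject's user and
    group SIDs must together cover every requested bit."""
    granted = Access(0)
    for ace in obj.effective_acl():
        if ace.sid not in subject_sids:
            continue
        if not ace.allow and ace.mask & wanted:
            return False
        if ace.allow:
            granted |= ace.mask
    return (granted & wanted) == wanted

# Constructed sample: a share whose ACL is inherited by a payroll folder that
# additionally denies the Users group read access (SIDs are illustrative).
USERS_GROUP, ALICE, BOB = "S-1-5-32-545", "S-1-5-21-1000", "S-1-5-21-1001"
SHARE = Obj("share", [ACE(USERS_GROUP, Access.READ, inherit=True),
                      ACE(ALICE, Access.READ | Access.WRITE | Access.DELETE, inherit=True)])
PAYROLL = Obj("share/payroll", [ACE(USERS_GROUP, Access.READ, allow=False)], parent=SHARE)
```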
Group Policies
A feature of Microsoft 365, Group Policies offer a centralized way to manage policies in Active Directory (AD) environments. Policy settings are stored and applied to policy targets or objects. Login rights are applied through allowlists and blocklists.
Passwords
Passwords are the most well-known method of logical access control. A basic principle is that the longer the password, the harder it is to crack, at least by brute force and other relatively low-tech routes. That’s why password managers and regular patching should form part of a password-based access control strategy.
If an account is breached, account restrictions can mitigate the impact. These can include automatic cut-offs when malicious or abnormal behavior is detected. Expiration policies can also limit the risks from compromised accounts.
Access Control Allow Methods
This defines the methods allowed when users try to connect to and access resources. Access requests are made via the browser, with ACLs specifying the systems and users that can be granted or denied. The objective is to control access to resources that are external to the domain.
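Access-Control-Allow-Methods is the response header a server returns during a browser's CORS preflight. The added Python below (not from the article) shows a server deciding that preflight against a per-resource allow-list of origins and methods; the paths, origins and rules are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Which external origins may call which methods on each resource. The rules
# and paths are constructed; a real server would load them from configuration.
# Never combine an "*" origin with credentials: browsers reject it, and it
# would also defeat the purpose of keeping an allow-list.
CORS_POLICY = {
    "/api/reports": {"allowed_origins": {"https://dashboard.example.com"},
                     "allowed_methods": {"GET", "POST"}, "allow_credentials": True},
    "/api/public": {"allowed_origins": {"*"},
                    "allowed_methods": {"GET"}, "allow_credentials": False},
}

@dataclass
class Preflight:            # the browser's OPTIONS request, reduced to what matters
    path: str
    origin: str             # Origin header
    requested_method: str   # Access-Control-Request-Method header

def preflight_response(req: Preflight) -> dict[str, str] | None:
    """Return the CORS response headers, or None to send none, in which case
    the browser refuses to issue the real cross-origin request."""
    rule = CORS_POLICY.get(req.path)
    if rule is None:
        return None
    origins = rule["allowed_origins"]
    if req.origin not in origins and "*" not in origins:
        return None
    if req.requested_method not in rule["allowed_methods"]:
        return None
    public = "*" in origins and not rule["allow_credentials"]
    headers = {
        # Echo the specific origin whenever credentials are involved.
        "Access-Control-Allow-Origin": "*" if public else req.origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(rule["allowed_methods"])),
        "Vary": "Origin",   # tell caches the answer depends on the Origin header
    }
    if rule["allow_credentials"]:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```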
Plotting the right path for access control methods
It’s clear there are many ways to implement access control methods. Start by considering your organization’s governance requirements. What are the industry regulations you must work to, and how often are these likely to require policy changes?
Analyze your firmographics. Factor in the number of users/subjects and their geographic distribution, and measure how long it takes access to be granted.
Map internal structures and roles, to get an idea of how easy it is to optimize authorizations, controls, and processes.
Also assess your infrastructure to identify potential for automation, AI, and related tools that will provide a platform and path to success.