Access controls are designed to allow, deny, limit, and revoke access to resources through identification, authentication, and authorization. When we discuss managing access to data, we have to address both physical and logical access. Physical access refers to buildings, devices, and documents while logical access refers to computer or system access.
Access Management Concepts
Let’s go over some of the security and identity management concepts which are included in the scope of some of the Identity Management Institute certification programs and examinations.
Identification is the presentation of an entity (a person or device) to another entity: the entity claims an identity, for example by supplying a username or presenting a badge.
Authentication is the process of validating that claim: the credentials the entity presents are compared against the information stored for that identity on the system.
Authorization follows identification and authentication and determines exactly what the entity is allowed to do. Authorization is implemented through access controls.
Principle of Least Privilege
The principle of least privilege dictates that an entity, whether a person, device, account, or process, should be granted only the minimum access it needs to perform its required function. The principle applies equally to computer services, which are often granted more access and capability than they need to run because of how they were written or configured.
Principle of Separation of Duties
The Separation of Duties principle divides a task, and the authority over it, for a given business process among multiple users. The primary objective is to prevent abuse and fraud by requiring more than one person to complete a sensitive task. For example, to secure online funds transfers, a system may require one person to enter the transaction and a second person to approve it.
Access Control List
An access control list, or ACL, is a list of permissions attached to an object, most familiarly a file in a computer file system. An ACL specifies which users or system processes are granted access to the object and which operations they may perform on it. Each entry in a typical ACL names a subject and the operations it is allowed. For instance, if a file object has an ACL that contains (Alice: read, write; Bob: read), Alice may read and write the file and Bob may only read it; a subject not listed in the ACL gets no access.
Where an ACL grants permissions by looking up the requester's identity in a list attached to the object, capability-based access is the alternative: access is granted to whoever holds a token of authority, such as a cryptographic token, an access badge, or a pass code, without consulting a per-object list. In a capability-based system, an application can delegate by sharing with another application the token that defines its level of access, which is why the tokens must be unforgeable and their sharing must be controlled.
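As an added example (not code from the original page), here is a small Python reference monitor showing both models side by side: an ACL check that looks the requesting subject up in a list attached to the object, using the (Alice: read, write; Bob: read) entries from the text, and a capability check in which whoever holds an HMAC-protected token is authorized without any per-object lookup, including delegation of a weaker token to another application. The file name report.txt, the monitor key, and the token format are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, FrozenSet, Optional, Set, Tuple

# ---------- ACL: the permissions live with the object, indexed by subject ----------
# The ACL from the text, (Alice: read, write; Bob: read), on a constructed file name.
FILE_ACLS: Dict[str, Dict[str, Set[str]]] = {
    "report.txt": {"alice": {"read", "write"}, "bob": {"read"}},
}


def acl_allows(obj: str, subject: str, operation: str) -> bool:
    """Look the *subject* up in the object's ACL. Deny by default: an object with
    no ACL, a subject with no entry, or an operation not listed all yield False."""
    return operation in FILE_ACLS.get(obj, {}).get(subject, set())


# ---------- Capability: the token itself carries the authority ----------
# The reference monitor holds a secret key so tokens cannot be forged or widened.
MONITOR_KEY = secrets.token_bytes(32)   # constructed for the example, new on every run


def _tag(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def _verify(token: str, key: bytes) -> Optional[Tuple[str, Set[str]]]:
    """Parse 'obj|op1,op2|hmac' and check the tag; None for a forged or damaged token."""
    parts = token.rsplit("|", 2)
    if len(parts) != 3:
        return None
    obj, ops, tag = parts
    if not hmac.compare_digest(tag, _tag(f"{obj}|{ops}", key)):
        return None
    return obj, set(ops.split(","))


def mint_capability(obj: str, operations: FrozenSet[str], key: bytes = MONITOR_KEY) -> str:
    """Issue a token granting a set of operations on an object."""
    body = f"{obj}|{','.join(sorted(operations))}"
    return f"{body}|{_tag(body, key)}"


def capability_allows(token: str, obj: str, operation: str, key: bytes = MONITOR_KEY) -> bool:
    """Check the token, not the caller's name. Tampering with the operation list
    invalidates the tag, so the check fails closed."""
    parsed = _verify(token, key)
    if parsed is None:
        return False
    tok_obj, ops = parsed
    return tok_obj == obj and operation in ops


def attenuate(token: str, operations: FrozenSet[str], key: bytes = MONITOR_KEY) -> Optional[str]:
    """Delegate a weaker capability to another application: the new token may only
    carry operations the parent token already grants. Returns None otherwise."""
    parsed = _verify(token, key)
    if parsed is None or not operations <= parsed[1]:
        return None
    return mint_capability(parsed[0], operations, key)


if __name__ == "__main__":
    print("alice write:", acl_allows("report.txt", "alice", "write"))
    print("bob write:", acl_allows("report.txt", "bob", "write"))
    cap = mint_capability("report.txt", frozenset({"read", "write"}))
    read_only = attenuate(cap, frozenset({"read"}))
    print("delegated token may write:", capability_allows(read_only, "report.txt", "write"))
```

Both checks deny by default. Note the difference in what each model can answer cheaply: the ACL is object-centric, so "who can access report.txt?" is one lookup and revocation is one edit to the list, whereas a capability is subject-centric, so that question requires tracking every token ever issued and revocation needs an extra mechanism (such as expiry or a revocation list) that this example does not include.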
Access Control Methodologies
Depending on the access control methodology, access may be granted based on something we know, something we have, or something we are, or on a combination of these factors.
An example of something we know is a password or PIN code, something we have is an access badge, and something we are is a fingerprint or other biometric data.
Access Control Models
The most common set of simple access control models includes discretionary access control, mandatory access control, rule-based access control, role-based access control, and attribute-based access control.
Discretionary Access Control
Discretionary Access Control (DAC) is a model of access control based on access being determined by the owner of the target resource. The owner of the resource can decide who does and does not have access, and exactly what access they are allowed to have.
Mandatory Access Control
Mandatory Access Control (MAC) is a model of access control in which the owner of the resource does not decide who may access it; instead, access is decided by a group or individual with the authority to set access on resources. MAC is often found in government organizations, where access to a given resource is largely dictated by:
- the sensitivity label applied to the data (secret, top secret, etc.),
- the level of sensitive information the individual is cleared to access (perhaps only secret), and
- whether the individual actually has a need to know the information, which is the principle of least privilege applied to classified data.
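The three conditions above, as an added Python example that is not part of the original page: a label is an ordered sensitivity level plus a set of compartments, a clearance is a label granted by the authority plus a need-to-know list, and a read is allowed only when the clearance dominates the data label and the resource's project is on the need-to-know list. The example also shows that relabelling is reserved to a designated authority, which is what separates MAC from DAC. The level names, the "crypto" and "sigint" compartments, the analyst, the authority and the resources are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Ordered sensitivity levels; labels are compared by rank. Constructed names.
LEVELS: Dict[str, int] = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()   # e.g. named programmes or caveats

    def dominates(self, other: "Label") -> bool:
        """self is at least other's level AND holds every compartment other has."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass(frozen=True)
class Clearance:
    subject: str
    label: Label                   # granted by the security authority, not chosen by the subject
    need_to_know: FrozenSet[str]   # projects the subject has a documented need for


@dataclass(frozen=True)
class Resource:
    name: str
    label: Label                   # applied by the classifying authority, not the resource owner
    project: str


def mac_decide(clearance: Clearance, resource: Resource) -> Tuple[bool, str]:
    """Read access requires all three conditions; the reason names the first one that fails."""
    if not clearance.label.dominates(resource.label):
        if LEVELS[clearance.label.level] < LEVELS[resource.label.level]:
            return False, "clearance level below data sensitivity"
        missing = resource.label.compartments - clearance.label.compartments
        return False, "not cleared for compartment(s): " + ", ".join(sorted(missing))
    if resource.project not in clearance.need_to_know:
        return False, "no need to know for project " + resource.project
    return True, "allowed"


# Only these actors may change labels; a resource's owner is not among them.
AUTHORITIES: FrozenSet[str] = frozenset({"security_officer"})


def can_relabel(actor: str, authorities: FrozenSet[str] = AUTHORITIES) -> bool:
    return actor in authorities


def relabel(resource: Resource, new_label: Label, actor: str) -> Resource:
    """Under MAC the classifying authority, not the owner, sets the label."""
    if not can_relabel(actor):
        raise PermissionError(f"{actor} is not a classification authority")
    return Resource(resource.name, new_label, resource.project)


# Constructed sample data: one analyst and four resources on two projects.
ANALYST = Clearance("analyst", Label("secret", frozenset({"crypto"})), frozenset({"alpha"}))
RESOURCES: Dict[str, Resource] = {
    "alpha_plan":   Resource("alpha_plan", Label("secret"), "alpha"),
    "alpha_brief":  Resource("alpha_brief", Label("top secret"), "alpha"),
    "alpha_sigint": Resource("alpha_sigint", Label("secret", frozenset({"sigint"})), "alpha"),
    "beta_plan":    Resource("beta_plan", Label("confidential"), "beta"),
}

if __name__ == "__main__":
    for name, res in RESOURCES.items():
        print(f"{ANALYST.subject} -> {name}: {mac_decide(ANALYST, res)}")
```

The beta_plan case is the one worth noticing: the analyst is cleared well above "confidential", yet is still denied, because clearance alone never grants access under MAC; need to know is a separate, independent condition.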
Role-Based Access Control
Role-Based Access Control (RBAC) is a model of access control that, like MAC, relies on access controls set by an authority rather than by the owner of the resource. The difference is that in RBAC permissions are attached to roles, and an individual gains access to a resource through the roles assigned to them.
Attribute-Based Access Control
Attribute-Based Access Control (ABAC) bases decisions on attributes, which can belong to a particular person, to a resource, or to the environment. Subject attributes are properties of the requester (for example a rider's height at an amusement park), resource attributes are properties of the thing being accessed (for example software that only runs on a particular operating system or website), and environmental attributes describe the context of the request (for example the time of day or how long the session has been active).
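The two models above, as an added Python example that is not code from the original page: an RBAC check in which users hold permissions only through assigned roles, and an ABAC policy in which every rule is a predicate over the subject, resource and environment attributes of a request, all of which must pass. It goes one step beyond the text by writing the RBAC check as one ABAC rule, which shows that the role set is simply one subject attribute among others. The roles, permissions, departments, approval limits, the "business hours" window and the timestamps are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, Iterable, List, Set, Tuple

# ---------- RBAC: permissions are attached to roles, users are assigned roles ----------
ROLE_PERMISSIONS: Dict[str, Set[str]] = {          # constructed example roles
    "teller":  {"account:view", "deposit:create"},
    "manager": {"account:view", "deposit:create", "transfer:approve"},
    "auditor": {"account:view", "audit_log:read"},
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"teller"}, "bob": {"manager"}, "carol": {"auditor"}}


def rbac_allows(user: str, permission: str) -> bool:
    """A user holds a permission only through one of their roles; unknown users
    and unknown roles contribute nothing, so the check denies by default."""
    roles = USER_ROLES.get(user, set())
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


# ---------- ABAC: the decision is a function of subject, resource and environment ----------
@dataclass(frozen=True)
class Request:
    subject: Dict[str, object]      # who is asking: roles, department, approval limit, ...
    resource: Dict[str, object]     # what is being accessed: owning department, amount, ...
    environment: Dict[str, object]  # context of the request: current time, ...
    action: str


Rule = Callable[[Request], bool]


def role_permits(r: Request) -> bool:
    """RBAC expressed as an ABAC rule: the role set is just one subject attribute."""
    roles = r.subject.get("roles", set())
    return any(r.action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def same_department(r: Request) -> bool:            # subject attribute vs resource attribute
    return r.subject.get("department") == r.resource.get("department")


def within_approval_limit(r: Request) -> bool:      # resource attribute vs subject attribute
    return r.resource.get("amount", float("inf")) <= r.subject.get("approval_limit", 0)


def business_hours(r: Request) -> bool:             # environmental attribute: time of day
    now: datetime = r.environment["now"]
    return time(8, 0) <= now.time() <= time(18, 0)


# A policy lists the rules for an action; every rule must pass (deny-overrides).
POLICY: Dict[str, List[Tuple[str, Rule]]] = {
    "transfer:approve": [
        ("role_permits", role_permits),
        ("same_department", same_department),
        ("within_approval_limit", within_approval_limit),
        ("business_hours", business_hours),
    ],
}


def abac_decide(req: Request) -> Tuple[bool, List[str]]:
    """Return (allowed, names of the rules that failed). An action with no policy is denied."""
    rules = POLICY.get(req.action)
    if rules is None:
        return False, ["no_policy_for_action"]
    failed = [name for name, rule in rules if not rule(req)]
    return not failed, failed


def transfer_request(roles: Iterable[str], department: str, approval_limit: int,
                     resource_department: str, amount: int, hour: int, minute: int = 0) -> Request:
    """Build a transfer-approval request at a constructed timestamp (2024-01-15)."""
    return Request(
        subject={"roles": set(roles), "department": department, "approval_limit": approval_limit},
        resource={"department": resource_department, "amount": amount},
        environment={"now": datetime(2024, 1, 15, hour, minute)},
        action="transfer:approve",
    )


if __name__ == "__main__":
    print(abac_decide(transfer_request(["manager"], "retail", 10000, "retail", 2500, 14)))
    print(abac_decide(transfer_request(["manager"], "retail", 10000, "retail", 2500, 23, 30)))
```

Returning the names of the failed rules rather than a bare False is deliberate: an ABAC denial can come from any attribute, and an audit log that records which rule fired is what makes such decisions reviewable later.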
Multilevel access control models may be used by military and government organizations where the simpler access control models that we just discussed may not be considered robust enough to protect the information to which we are controlling access.
Physical Access Controls
When discussing physical access controls, we are often largely concerned with controlling the access of individuals, devices, and vehicles.
Access control for individuals often revolves around controlling movement into and out of buildings or facilities. We can see simple examples of such controls on the buildings of many organizations in the form of badges that control door access to facilities (something we have). Such badges are typically configured on an ACL that permits or denies their use for certain doors and regulates the time of day that they can be used.
Physical access control for vehicles often revolves around keeping said vehicles from moving into or through restricted areas.
One of the more common issues with physical access controls is that of tailgating. Tailgating occurs when we authenticate to the physical access control measure, such as when using a badge, and then another person follows directly behind us without authenticating themselves.