Identity Management and Access Control
What are access controls?
Access control is a process that manages and identifies the users that should have access to an organization’s resources. Access controls help ensure that a user has appropriate network permissions, and are integral to identity and access management (IAM).
Depending on the type of access control used, these permissions could be determined in several ways:
- Predefined access policy based on job role
- Dynamic access policy based on location and time
- Users can only access data that is assigned the same ‘level’
By closely monitoring access permissions, the network’s attack surface - the number of potential entry points for unauthorized access to a system - can be dramatically reduced. To comply with data protection regulations, the implementation of a Zero Trust framework and conforming to the principle of least privilege (PoLP) is increasingly common. This approach uses Access Control to ensure that, once authorized, a user can only access the apps, tools, and resources that they specifically require for the tasks relating to their role.
Identity and access management (IAM) refers to the combined approaches of identity management and access management.
- Identity management is used to verify and authenticate a user’s identity via usernames, passwords, biometrics, etc.
- Access Management is the allocation of permissions for this verified user based on their role.
Common types of access control
IAM provides a framework for managing security in the way that best suits your business. This includes a wide variety of access control models. The three main types of access controls are MAC, DAC, and RBAC.
Mandatory access control
Mandatory access control (MAC) limits access to resources based on the sensitivity of the information. In this model, the owner of the resource does not decide on access. Instead, permissions are granted based on the user's authorization matching the same security level as the resource.
This means that users are given permission only to those files that match their ‘level’ - this could denote role seniority, such as admins and managers, or be based on department-specific requirements.
MAC offers high-level security and has centralized control, which means that making changes is simple, but that level of access is only available to an administrator.
Discretionary access control
Discretionary access control (DAC) gives the initial owner of the target resource the ability to change access control permissions.
The policy is set based on the common system of grouping resources and then assigning permissions based on user identity and authority. The discretionary element comes from the original owner of the resource having the ability to decide who should be permitted access, and their level of permission (view only, edit, etc.).
While this system is simple to implement, the fact that any file owner can give permission to another means it is not particularly secure. As there is no centralization, it is difficult to monitor data across the organization, which increases the risk of data breaches.
As a result, this system should only be used by companies with a small number (up to 50) of employees, so that it can be closely managed.
Role-based access control
Role-based access control (RBAC) allows permissions based on the user's role and the principle of least privilege (PoLP), which ensures that only the minimum amount of access is provided for a user to complete their job role.
This approach to identity-based access control is established by senior figures in the company, rather than the resource owners, and is decided based on an individual’s role.
Because RBAC follows PoLP principles, it reduces the attack surface, keeping the number of accounts that would be able to access sensitive data to a minimum.
Permissions can be quickly adjusted for new staff, contractors, and existing employees who change roles.
Concerns with RBAC include the challenge of managing a rapidly expanding network. RBAC can be fairly rigid and as the requirements of user roles change, so too will permissions. Over time, or with rapid expansion, this could see temporary fixes and ad-hoc roles added for convenience and to avoid an impact on productivity.
However, this will not only make RBAC harder to manage in the long term, but could also create issues with compliance by inadvertently opening gaps in your security.
Other access control types
Physical access control
Physical access control systems (PACS) grant location access only to those with the correct physical identification. This would typically be some form of ID card, making it easy to identify every person who enters a building.
This is particularly useful to protect against theft and trespassing by limiting access to physical devices.
To establish PACS, the following components are required:
- Access points: Barriers, electronic locks, and security gates
- Physical credentials: Key and card entry systems, biometrics, PIN codes
- Readers: To collect and send data for authentication
- PACS control panel: Checks with the access control server to authenticate the user and provide access
Traditional systems are considered secure by virtue of being hardwired and offline. They feature a control box connected to the credential reader, minimizing complications in use.
Modern systems send data to cloud services for verification. The setup and use of this type of system are both affordable and simple to use. It is also scalable and easier to upgrade. However, it can only be as secure as the network it is connected to, and might be more vulnerable to attack.
Rule-based access control
Rule-based control is a method that uses predetermined rules to grant access. This ensures a focus on the context of the user’s permissions. For example, access could be linked to IP address, location, time restrictions, or based on a limited number of times a resource can be accessed.
Additional benefits include the ability to regulate network use by ensuring that tools requiring complex processing or backing up are only permitted at certain times of the day – minimizing the impact on resources during peak business hours.
However, configuring a rule-based system is time-consuming and will still require monitoring to ensure that no loopholes are inadvertently created. Increasing the number of rules that are implemented can result in performance issues if they contradict each other or become obsolete.
Attribute-based access control
The attribute-based access control (ABAC) method looks at attributes such as subject, resource, environment, and action, to determine permissions.
While this approach can be complex to establish due to the highly personalized access controls, it offers more flexible and robust security than popular role-based access controls
If implemented using best practices, this approach provides a granular level of control, with variables allowing for the user’s identity, actions, and access permissions to be applied dynamically, rather than being entirely predefined as it would be through RBAC.
Policy-based access control
Policy-based access control determines access permissions dynamically, based on pre-set policies. For example, access to records containing the personal details of staff members could be set to only be available to managers in the same department and the HR team. Other variables could include time and location. This makes it more flexible than RBAC, which is based on static, predefined roles. Having this level of flexibility means that policies can be as broad or granular as required. They are also simple to amend, add, and remove.
Further contextual controls can also be introduced to restrict access to users outside of a particular location, or at different times.
The challenges come as the organization grows. With such a range of variables, adding more and more new roles over time will make it increasingly difficult to track and manage, potentially leading to gaps in security or issues with productivity.
Which access control should I use?
Access controls must meet many conditions to ensure that they can balance enhanced network security with reduced inconvenience for users, and ideally, contribute to improved productivity.
Choosing the correct access and identity management approach will depend on the size and type of the company in question. For example, role-based access control is one of the most popular options, but discretionary access control could offer more benefits regarding ease of setup in smaller companies.
Factors to consider include:
- Company size
- Impact on productivity
- Training requirements
- Level of security required – for example, based on the type of data being stored
- Ease of integration with existing systems
- Scope for expansion