Exploring Access Control Models: Building Secure Systems in Cybersecurity
In any organization, unrestricted access to systems and resources poses significant security risks. Recent incidents have shown that attackers target organizations of every size, and one of the most common attack vectors is the takeover of a legitimate account, often through phishing.
To protect against unauthorized access, it’s essential to establish rules and policies for authenticating and authorizing users. Access control serves as the mechanism for imposing these protections, determining who or what is permitted to perform actions or access resources within the organization.
Driven by security requirements, infrastructure considerations, and compliance mandates, companies implement access control measures for their employees. However, access control extends beyond human users to encompass system processes and applications as well.
Newer access control systems replace traditional locks, keys and passwords with methods such as key cards and biometrics. They are convenient for authorized users and, when managed from the cloud, let administrators operate them remotely. They streamline security management by updating user databases automatically and granting access at a granular, role-based level, and integration with other security systems (for example video surveillance and alarms) adds situational awareness to the protection they provide.
Types of access control models
Various access control models regulate resource access in organizations, defining rules and mechanisms for granting, denying, or revoking access rights. These models operate on specific principles, providing different levels of granularity and flexibility in managing permissions.
Mandatory Access Control (MAC)
Mandatory Access Control (MAC) is the most restrictive model, with policy administered centrally. Access decisions are made by the system according to rules set by the system owner and security administrator, and end users cannot pass their own privileges on to anyone else, even for resources they created. Every resource and every user carries a security label that combines a classification or clearance level with a set of compartments, and access is allowed only when the subject's label stands in the required relation to the object's label. Initially developed for military and intelligence use, MAC now also protects sensitive data in sectors such as finance and government.
MAC is typically used to enforce one of two formal lattice models: Biba and Bell-LaPadula.
- Biba protects integrity rather than secrecy. Its labels are integrity levels: a subject may read objects at its own level or higher ("read up", i.e. no read down) and write to objects at its own level or lower ("write down", i.e. no write up), so low-integrity data can never flow into high-integrity data. This fits business contexts such as communication between executives and staff: an executive can publish instructions downward and staff can read them, but staff cannot modify what the executive published.
- Bell-LaPadula protects confidentiality and is the model behind classified-data handling in government and military systems. A subject may read objects at its own clearance level or lower ("read down", i.e. no read up) and write only to objects at its own level or higher ("write up", i.e. no write down), so a Top Secret user cannot copy Top Secret information into a Secret document. Information can therefore only flow upward in classification, and access is strictly governed by clearance level.
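The two rule sets above are the same lattice read in opposite directions, which is easiest to see in code. The following is an added example written for this page, not code from the original article or from any MAC implementation; the level names, the compartment set and the sample labels at the bottom are constructed for illustration. A label dominates another when its level is at least as high and its compartments are a superset; Bell-LaPadula allows reading when the subject dominates the object and writing when the object dominates the subject, and Biba swaps the two.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Ordered levels, lowest first (assumed for this example). Under Bell-LaPadula they are
# sensitivity levels; under Biba the same lattice is read as integrity levels.
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET")


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of compartments (need-to-know categories)."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # self >= other in the lattice: level at least as high AND compartments a superset.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)


# Bell-LaPadula (confidentiality): read down, write up.
def blp_can_read(subject: Label, obj: Label) -> bool:
    # Simple security property ("no read up"): the subject must dominate the object.
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    # *-property ("no write down"): the object must dominate the subject.
    return obj.dominates(subject)


# Biba (integrity): read up, write down. Same lattice, opposite direction.
def biba_can_read(subject: Label, obj: Label) -> bool:
    # Simple integrity property ("no read down"): the object's integrity must dominate the subject's.
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    # *-integrity property ("no write up"): the subject's integrity must dominate the object's.
    return subject.dominates(obj)


def decide(model: str, action: str, subject: Label, obj: Label) -> bool:
    """Reference-monitor style entry point. Unknown model or action is denied by default."""
    table = {
        ("blp", "read"): blp_can_read, ("blp", "write"): blp_can_write,
        ("biba", "read"): biba_can_read, ("biba", "write"): biba_can_write,
    }
    check = table.get((model, action))
    return bool(check and check(subject, obj))


# Constructed sample labels (hypothetical, not taken from the article).
ANALYST = Label("SECRET", frozenset({"CRYPTO"}))
TS_CRYPTO_REPORT = Label("TOP_SECRET", frozenset({"CRYPTO"}))
NUCLEAR_MEMO = Label("SECRET", frozenset({"NUCLEAR"}))      # same level, different compartment
PUBLIC_NOTICE = Label("UNCLASSIFIED")


if __name__ == "__main__":
    for action, obj in [("read", PUBLIC_NOTICE), ("read", TS_CRYPTO_REPORT),
                        ("write", TS_CRYPTO_REPORT), ("write", PUBLIC_NOTICE),
                        ("read", NUCLEAR_MEMO)]:
        print(f"BLP: analyst {action:5} {obj.level}/{sorted(obj.compartments)}"
              f" -> {decide('blp', action, ANALYST, obj)}")
```

Note the compartment check: a Secret analyst cleared for CRYPTO cannot read a Secret memo in the NUCLEAR compartment even though the levels match, which is the "compartmentalization" the text refers to.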
Advantages
- Strong enforcement of rules since users cannot override organization-wide policies set by MAC administrators.
- Effective categorization of resources through security labels, limiting access to specific user groups.
Disadvantages
- Impedes collaboration due to stringent security measures.
- Complex implementation.
- Increased workload in maintaining security labels, leading to slower and more labor-intensive processes.
Discretionary Access Control (DAC)
Discretionary Access Control (DAC) leaves security decisions to resource owners, who grant permissions on the resources they control. Each resource carries an access control list (ACL) naming the users and groups allowed to act on it, and the owner maintains that list.
Unlike mandatory access control, where a central policy set by the security administrator governs every decision, DAC lets teams of admins or ordinary non-IT users manage access to what they own. This gives subjects maximum freedom but makes DAC weaker than the other models. The sharing dialog in most operating systems is DAC in action: the owner of a document sets read or write privileges (and, where supported, a password requirement) for a table of individual users and groups.
Advantages
- Flexible and straightforward: DAC enables resource owners to promptly add new users and privileges without waiting for central approval.
- Business responsiveness: With policy change requests not requiring security administration approval, decision-making becomes more agile and aligned with business requirements.
Disadvantages
- Flexibility may lead to over/under-privileged users.
- Limited visibility: Security administrators struggle to monitor resource sharing and need to search through multiple ACLs to view individual privileges.
- DAC’s user discretion can create inconsistencies and oversight gaps, posing security risks.
- Requires constant monitoring and supervision.
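The DAC traits listed above, owner-driven grants and poor administrator visibility, show up directly in a minimal implementation. The following is an added example for this page, not code from the article or from any operating system; the object, user and group names are constructed. Only the owner of an object may change its ACL, entries may name users or groups as in an OS sharing dialog, and answering "what can this user access?" requires walking every ACL, which is the limited-visibility problem the text describes.

```python
from collections import defaultdict

RIGHTS = {"read", "write", "grant"}


class DacStore:
    """Toy discretionary access control: one owner per object, owner-maintained ACLs."""

    def __init__(self, groups=None):
        self.groups = {g: set(m) for g, m in (groups or {}).items()}  # group -> members
        self.owner = {}                                               # object -> owner
        self.acl = defaultdict(dict)                                  # object -> {principal: {rights}}

    def _principals(self, user):
        """The user plus every group the user belongs to."""
        return {user} | {g for g, members in self.groups.items() if user in members}

    def create(self, obj, owner):
        self.owner[obj] = owner
        self.acl[obj][owner] = set(RIGHTS)      # the owner holds every right

    def grant(self, grantor, obj, grantee, rights):
        # Discretionary: the decision rests with the owner, not a central administrator.
        if self.owner.get(obj) != grantor:
            raise PermissionError(f"{grantor} does not own {obj}")
        unknown = set(rights) - RIGHTS
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")
        self.acl[obj].setdefault(grantee, set()).update(rights)

    def revoke(self, revoker, obj, grantee):
        if self.owner.get(obj) != revoker:
            raise PermissionError(f"{revoker} does not own {obj}")
        if grantee == self.owner[obj]:
            raise ValueError("the owner's own entry cannot be revoked")
        self.acl[obj].pop(grantee, None)

    def check(self, user, obj, right):
        """Default deny: the right must appear in an entry for the user or one of their groups."""
        entries = self.acl.get(obj, {})
        return any(right in entries.get(p, set()) for p in self._principals(user))

    def effective_rights(self, user):
        """Answer 'what can this user touch?'. Under DAC the only way is to walk every
        object's ACL, which is why administrators have so little visibility."""
        report = {}
        for obj, entries in self.acl.items():
            rights = set()
            for p in self._principals(user):
                rights |= entries.get(p, set())
            if rights:
                report[obj] = sorted(rights)
        return report


if __name__ == "__main__":
    # Constructed sample data (hypothetical names).
    store = DacStore(groups={"finance": {"bob", "carol"}})
    store.create("budget.xlsx", "alice")
    store.grant("alice", "budget.xlsx", "finance", {"read"})
    print("bob can read:", store.check("bob", "budget.xlsx", "read"))
    print("carol's rights:", store.effective_rights("carol"))
```

The `effective_rights` walk is O(objects) per user; in a real file server or SaaS tenant that is exactly the audit administrators cannot run cheaply, which is what motivates moving to role- or attribute-based models.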
Role-Based Access Control (RBAC)
Role-based access control (RBAC) assigns privileges according to users' job roles. Permissions are attached to roles rather than to individuals, and users are grouped into roles that reflect their department and position, so a new hire receives the right permissions simply by being placed in the right roles. It is a common component of the access control systems used in Industrial Control Systems (ICS). Unlike mandatory and discretionary access control, RBAC lends itself to automation: joiner, mover and leaver processes become role assignments rather than per-resource edits.
Advantages
- Automated and scalable.
- Ease of maintenance: Makes user onboarding, offboarding, and role adjustment tasks efficient.
- Centralized policies across the organization.
- Lower risk exposure: Users’ access to resources is aligned with their roles, reducing potential security risks.
Disadvantages
- Complex deployment in large organizations.
- Finely scoped roles enhance security but multiply the number of roles to manage, and overlapping roles become hard to track ("role explosion").
- Assigning too many roles can lead to unnecessary privileges.
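The following is an added example for this page, not code from the article or from any RBAC product, showing the joiner/mover/leaver flow the text describes and the two disadvantages listed last: roles that overlap, and users who accumulate permissions beyond what they need. Role and resource names are constructed. Permissions are (resource, action) pairs attached to roles; users are only ever linked to roles.

```python
from collections import defaultdict


class Rbac:
    """Toy role-based access control: permissions attach to roles, users to roles."""

    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> {(resource, action)}
        self.user_roles = defaultdict(set)   # user -> {role}

    def define_role(self, role, perms):
        self.role_perms[role] |= set(perms)

    def onboard(self, user, roles):
        """Joiner: a new hire gets access by role assignment, not per-resource grants."""
        for role in roles:
            if role not in self.role_perms:
                raise KeyError(f"undefined role {role}")
            self.user_roles[user].add(role)

    def move(self, user, roles):
        """Mover: replace the whole role set when someone changes job, so nothing lingers."""
        self.user_roles[user] = set()
        self.onboard(user, roles)

    def offboard(self, user):
        """Leaver: one deletion removes every permission the user had."""
        self.user_roles.pop(user, None)

    def effective_permissions(self, user):
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_perms[role]
        return perms

    def permitted(self, user, resource, action):
        return (resource, action) in self.effective_permissions(user)

    def redundant_roles(self, user):
        """Roles whose every permission is already granted by the user's other roles:
        the overlap problem that comes with many small roles. Flag, do not auto-remove:
        two identical roles are both reported, and removing both would drop the permission."""
        roles = self.user_roles.get(user, set())
        redundant = set()
        for role in roles:
            others = set()
            for other in roles - {role}:
                others |= self.role_perms[other]
            if self.role_perms[role] <= others:
                redundant.add(role)
        return redundant

    def excess_permissions(self, user, required):
        """Permissions held beyond a stated need-to-have set: too many roles made visible."""
        return self.effective_permissions(user) - set(required)


if __name__ == "__main__":
    # Constructed sample data (hypothetical roles and resources).
    rbac = Rbac()
    rbac.define_role("helpdesk", [("tickets", "read"), ("tickets", "write")])
    rbac.define_role("tickets-viewer", [("tickets", "read")])
    rbac.onboard("alice", ["helpdesk", "tickets-viewer"])
    print("redundant roles for alice:", rbac.redundant_roles("alice"))
```

`redundant_roles` and `excess_permissions` are the kind of periodic review an RBAC deployment needs; without them the model's lower risk exposure erodes as roles are added and never removed.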
Rule-Based Access Control (RuBAC)
RuBAC uses conditions programmed by an administrator to decide access to objects. Beyond the subject and object, a rule considers the action and the context of the request, in the manner of if-then statements in code, and can combine multiple conditions and variables in a single decision. Organizations that need to restrict access by time of day or location find RuBAC useful, but changing the programmed conditions takes time and coding expertise.
Less common access control models
The following control models are less common but hold value in specific contexts:
Attribute-Based Access Control (ABAC): Combines ideas from RBAC and RuBAC, granting permissions based on attributes of the subject (such as clearance or department), the object (such as type or classification), the action, and the environment (such as time or network). It allows very fine-grained control but requires substantial policy authoring.
Risk-Adaptive Access Control (RAdAC): Assesses subject clearance, security metrics, connection type, location, and authentication methods to build a collective profile, and then determines access based upon the risk. Ideal for dynamic security needs but complex to configure.
Identity-Based Access Control (IBAC): Controls access based on a subject’s singular identity, often using login ID, password, fingerprinting, or facial recognition. Suitable for simple access scenarios but subject to privacy concerns and password fatigue.
Organization-Based Access Control (OrBAC): Considers subject role, action, object permissions, and organization affiliation. Ideal for large companies with multiple subsidiaries, streamlining permission management across the organization.
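The rule-based model described under RuBAC and the attribute-based model described above share one evaluation engine: a list of if-then rules over subject, object, action and environment, combined with a deny-overrides, default-deny policy. The following is an added example for this page, not code from the article or from any policy engine such as XACML or OPA; the corporate network range, business hours, clearance scale and the sample users, resource and request contexts are all constructed assumptions. The first two rules are the time-of-day and location conditions typical of RuBAC; the remaining three match subject attributes against resource attributes as ABAC does.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple

# (subject, resource, action, env) -> bool
Condition = Callable[[dict, dict, str, dict], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str          # "permit" or "deny"
    condition: Condition


def evaluate(rules: List[Rule], subject: dict, resource: dict,
             action: str, env: dict) -> Tuple[str, str]:
    """Deny-overrides combining: any matching deny rule wins, otherwise the first matching
    permit rule, otherwise default deny. Returns (decision, name of the deciding rule)."""
    permit_by = None
    for rule in rules:
        if rule.condition(subject, resource, action, env):
            if rule.effect == "deny":
                return "deny", rule.name
            if permit_by is None:
                permit_by = rule.name
    return ("permit", permit_by) if permit_by else ("deny", "default-deny")


# Assumed environment facts (hypothetical values for this example).
CORP_NET = ip_network("10.0.0.0/8")
CLEARANCE = {"public": 0, "confidential": 1, "secret": 2}


def on_corp_network(env: dict) -> bool:
    return ip_address(env["src_ip"]) in CORP_NET


def business_hours(env: dict) -> bool:
    return time(8, 0) <= env["time"] < time(18, 0)


RULES = [
    # RuBAC-style conditions on the environment (location, time of day).
    Rule("deny-write-off-network", "deny",
         lambda s, r, a, e: a == "write" and not on_corp_network(e)),
    Rule("deny-financial-after-hours", "deny",
         lambda s, r, a, e: r.get("type") == "financial" and not business_hours(e)),
    # ABAC-style conditions matching subject attributes against resource attributes.
    Rule("permit-same-department-read", "permit",
         lambda s, r, a, e: a == "read" and s["department"] == r["department"]),
    Rule("permit-owner-write", "permit",
         lambda s, r, a, e: a == "write" and s["id"] == r["owner"]),
    Rule("permit-cleared-read", "permit",
         lambda s, r, a, e: a == "read"
         and CLEARANCE[s["clearance"]] >= CLEARANCE[r["classification"]]),
]

# Constructed sample subjects, resource and request contexts (hypothetical).
ALICE = {"id": "alice", "department": "finance", "clearance": "secret"}
BOB = {"id": "bob", "department": "engineering", "clearance": "public"}
CAROL = {"id": "carol", "department": "hr", "clearance": "secret"}
LEDGER = {"id": "ledger", "department": "finance", "type": "financial",
          "owner": "alice", "classification": "confidential"}
OFFICE = {"time": time(10, 0), "src_ip": "10.1.2.3"}
HOME_NIGHT = {"time": time(22, 0), "src_ip": "203.0.113.5"}


if __name__ == "__main__":
    for who, action, env in [(ALICE, "read", OFFICE), (ALICE, "write", HOME_NIGHT),
                             (BOB, "read", OFFICE), (CAROL, "read", OFFICE)]:
        print(who["id"], action, evaluate(RULES, who, LEDGER, action, env))
```

Two design points matter in practice: the engine denies unless some rule permits, so a missing attribute or an unanticipated request cannot fall through to access; and deny rules are evaluated regardless of order, so an environmental restriction (off-network, after hours) cannot be bypassed by a permit rule that happens to be listed first.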
Conclusion
Access control is crucial for reducing an organization's exposure to attack and for meeting regulatory obligations. Guidance, standards, and regulations such as ISO 27001, HIPAA, and PCI DSS set out specific access control requirements that businesses must satisfy. Choosing the right access control model depends on factors such as budget, organization size, ease of use, security needs, integration capabilities, and scalability, so the choice should be made to align with business goals while keeping the organization secure.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.