Guide to the types of access control models
Choosing the correct access control model is an essential cybersecurity challenge. Robust access controls secure sensitive data by making it hard for hackers to gain access. Access control systems exclude malicious actors and allow legitimate users to use company tools safely.
This article will introduce the most prevalent types of access control, exploring how they function and their potential use cases. Additionally, we'll provide some guidance for organizations as they put in place effective access control measures.
Types of access control
Access control models fall into a couple of broad categories. Firstly, controls can be described as discretionary or mandatory. The key difference between these types of access control regards power. Who has the power to determine access policies for applications and data? Who controls the overall access setup?
Discretionary access control (DAC)
In discretionary access control models, power lies with the owner of each network asset. The resource owner sets access rights for every user. This creates a decentralized access control system. Administrators focus on specific resources, and there is usually little centralized oversight.
Discretionary access models tend to use access control lists (ACLs) for each resource. These documents include sets of rules that apply to every user. When users request access, the system compares their credentials to the ACL. If the user meets authentication conditions, the ACL determines their access level.
Discretionary types of access control system provide flexibility. System administrators can set different policies for the resources they control. But this comes at a price. Defining individual user rights places burdens on the time of admins. And with many ACLs to manage, errors can occur in larger organizations.
Mandatory access control (MAC)
In mandatory access control models, power lies with central network administrators. In these types of access control systems centralized systems define access to all network resources. Individual users generally have little scope to manage local access or tailor policies for individual apps.
Mandatory access controls are highly restrictive. Each user has a clearance level reflecting their role and seniority. Users without the necessary clearance lack access to apps and confidential data. And because users have no power to change their settings, any escalation must occur via central administrators.
This lack of flexibility makes mandatory controls popular with large governmental organizations like the US military. But mandatory systems can be too rigid for rapidly changing corporate architecture. And they do not suit organizations that provide autonomy to network users.
Discretionary controls are far more common than mandatory access models. But in practice, access control systems tend to balance central oversight and decentralized controls for specific assets. This balance can be achieved in various ways.
Role-based access control (RBAC)
In role-based systems, access is determined by an individual's role within an organization. The idea is to limit access to critical assets. The system should only grant access if the user requires access to carry out professional tasks.
Role-based access control streamlines access control in larger organizations. Administrators can set roles with appropriate privileges. The system provisions new hires with permissions when they access the network. There is no need to create and maintain individual profiles for each user or employee.
Problems can arise when roles are unclear or regularly change. For instance, companies may rely on short-term project teams instead of traditional roles. In these situations, admins may struggle to assign suitable privileges, putting data at risk.
Administrators also require knowledge of current roles and the assets users rely on. Security teams need to liaise with different departments to understand access requirements. This can be time-consuming and creates space for human error.
Rule-based access control
Rule-based access control systems use sets of rules to govern access to network resources. Rule sets are similar to Access Control Lists discussed above. They contain conditions that users must meet before the system grants access.
Access rules are not necessarily the same as role-based privileges. For example, an employee may normally have access to customer financial records. But the rule set for that resource may specify that access should be refused for users on remote Wi-Fi. In that case, rule-based controls will override role-based privileges.
In practice, role-based access control and rule-based controls tend to work together. ACLs apply to the most important applications or data. But role-based profiles determine access to most assets.
Attribute-based access control (ABAC)
Attribute-based access control models use metrics about users or assets to determine access levels. Examples of attributes could include the user's device type and location. But they could also include the employee's role and position, or the time of day.
Attribute-based types of access control provide more flexibility than alternatives like RBAC. Administrators can regulate access to databases, excluding users in certain locations. They can prevent junior staff from accessing applications, or define windows for time-limited access.
Because they offer so much freedom, attribute-based access systems are often highly secure. Administrators can impose granular controls for specific data sets. They can respond to security needs as threats emerge.
On the other hand, managing attributes across large network deployments is difficult. Setting access based on attributes for each application and user is a complex task. Security teams can lose sight of core goals and be swamped by small details.
Policy-based access control (PBAC)
According to NIST, in PBAC systems "the business roles of users is combined with policies to determine what access privileges users of each role should have."
This sounds very similar to rule-based or attribute-based access architecture. And that's no accident. PBAC is a development of those flexible access control systems.
Policies define dynamic attributes that determine user access. These policies are centrally created and can be delivered to all relevant endpoints instantly. They can also be automatically updated, with minimal input from the system administrator. The information included in policies varies but could include:
- Contextual markers like the user's device profile, their location, and even the duration of their session.
- The object or file that the user is seeking to access.
- Any actions that the user tries to carry out, such as moving, editing, or deleting records.
- The identity and role of the user involved.
The important aspect of PBAC is that policies are dynamic. Rule or attribute-focused solutions are more rigid. But modern PBAC solutions change rapidly to handle complex security environments.
Remote access control
Remote access controls apply one of the models listed above to remote work settings. Remote work creates an additional layer of complexity. Users logging in remotely may move between wifi networks. And they may use insecure mobile devices, raising data security risks.
Remote access controls impose additional authentication requirements on home workers. For example, policies could require the use of security tokens when accessing network resources. Admins may block connections from public Wi-Fi, or only permit access rights during office hours.
Another key part of remote access control is ease of use. Remote solutions tend to feature single sign on portals and identity management systems to facilitate secure access. VPN tools also encrypt user data.
Network access control (NAC)
Network access control solutions apply access policies across all network endpoints. NAC involves centralized control over device communities and applications. Administrators keep track of all connected devices and monitor every access request from external locations.
NAC includes on-premises workstations and remote devices. It encompasses access requests from third parties and seeks to control access to any cloud resources that the organization uses. As such, NAC is a general approach to network security and can include many of the access models discussed above.
Choosing the right access control model for your organization
Which access control model is the right fit for your cybersecurity needs? Here are some important factors to consider when choosing between security models:
What level of depth do you require?
As we've seen, access controls can be relatively superficial or they can be in-depth and granular. If you prioritize speed and easy management, a simple RBAC approach could work. But to fine-tune access to every app, attribute or policy-based models will be required.
Compliance
Every company must comply with data protection regulations. But the compliance challenge varies. Some organizations need very tight controls on customer data. In that case, mandatory or policy-based controls will be needed.
Scope and management
Access control should be easy to manage and understand. This can be challenging with completely discretionary policies. Find a blend that centralizes management but includes the flexibility to adapt to changing situations.
Expansion
Access systems must grow with the organization they support. On a smaller scale, it might make sense to apply very detailed access policies for each employee. But as the organization grows, automation and role-based controls become important. Plan for growth and be prepared to cover every network user.
Local or distributed?
Will you need to control access from remote locations or different regions? Or are most access requests likely to originate on-premises? If your workforce is mobile and global, using PBAC or ABAC models makes sense. If your workforce is static, standard RBAC approaches should work well.
Finding the right access control model is critically important. Poor access controls compromise network resources and put sensitive data at risk. But every organization requires an access system that suits their employees and corporate structure.