DeMISTIfying Infosec: Access Control

April 25, 2016
By Katherine Teitler

Access Control

Access control is the assignment of permissions to systems and network resources. Based on the entitlements created, access control governs how a subject (person or entity) communicates and interacts with objects (networks, applications, programs, files, databases, etc.).

Access controls can be physical, such as a key card or door key, or digital, such as permissions to a database or system file, or a combination of both (like a Disney Magic Band). Access controls require an administrator to set a policy and permission levels for each object and subject, and dictate how or if a subject can retrieve, read, create, edit, move, delete, etc. defined objects.

Access control enables authorization (“allow/deny,” plus execution rules for functionality upon “allow”), authentication (validation of credentials), identification (a unique identifier), and approvals. For the appropriate entry, access controls rely on access control lists (ACLs) in combination with passwords, PINs, or keys.

There are three main types of access controls:

  • Role-based access control (RBAC): Access is based on the user’s role and responsibility within the organization. RBAC is also known as “non-discretionary” (see below) because the user inherits privileges to objects based on his or her role within the organization rather than on the owner’s determination. Some features of RBAC, according to OWASP, include:
    • Easy to use
    • Easy to administer
    • Role descriptions are built into most organizational structures
    • Aligns with security principles like segregation of duties and the principle of least privilege

    Some issues with RBAC to consider:

    • Timely and accurate documentation by admin is necessary
    • Multi-tenancy is challenging
    • Scope creep is common
    • Does not support data-based access control

  • Discretionary access control (DAC): Access to objects is granted at the owner’s discretion using ACLs. Some features of DAC include:
    • Easy to use
    • Easy to administer
    • Aligns with least privilege
    • Object owner regulates access

    Some issues with DAC to consider:

    • Timely and accurate documentation is necessary
    • Scope creep is common
    • Does not support data-based access control

  • Mandatory access control (MAC): The operating system makes the determination on whether or not to grant access. In MAC, the subject and object are each classified and assigned a label; the assigned label is the determining factor for access. Some features of MAC include:
    • Access to an object is based on sensitivity
    • Access is based on “need-to-know,” and therefore scope creep is more easily managed

    Some issues with MAC to consider:

    • Only an administrator may grant access
    • Difficult and expensive to implement
    • Not agile
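To make the three models concrete, here is an added example (not part of the original article) that decides the same kind of request under RBAC, DAC and MAC. All users, roles, objects and labels are constructed for illustration; the MAC check uses a simple "no read up" rule, where a subject's clearance must be at or above the object's sensitivity.

```python
# RBAC: permissions attach to roles; users inherit them through role assignment.
ROLE_PERMS = {
    "analyst": {("reports", "read")},
    "admin": {("reports", "read"), ("reports", "write"), ("users", "write")},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}}  # constructed sample data


def rbac_allows(user, obj, action):
    """Allow if any role assigned to the user carries (obj, action)."""
    roles = USER_ROLES.get(user, set())
    return any((obj, action) in ROLE_PERMS.get(r, set()) for r in roles)


# DAC: each object has an owner who maintains its ACL; the owner keeps full access.
DAC_OBJECTS = {"budget.xlsx": {"owner": "carol", "acl": {"alice": {"read"}}}}


def dac_allows(user, obj, action):
    """Owner is always allowed; everyone else needs an explicit ACL entry."""
    entry = DAC_OBJECTS.get(obj)
    if entry is None:
        return False
    return user == entry["owner"] or action in entry["acl"].get(user, set())


def dac_grant(requester, obj, grantee, action):
    """Only the object's owner may change its ACL (that is the 'discretionary' part)."""
    entry = DAC_OBJECTS.get(obj)
    if entry is None or entry["owner"] != requester:
        return False
    entry["acl"].setdefault(grantee, set()).add(action)
    return True


# MAC: subjects and objects carry labels set by an administrator, not by owners;
# the system compares labels and users cannot grant each other access.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
CLEARANCE = {"alice": "internal", "bob": "secret"}       # subject labels
LABEL = {"memo.txt": "internal", "merger-plan.txt": "secret"}  # object labels


def mac_allows_read(user, obj):
    """No read up: the subject's clearance must dominate the object's sensitivity."""
    if user not in CLEARANCE or obj not in LABEL:
        return False
    return LEVELS[CLEARANCE[user]] >= LEVELS[LABEL[obj]]


if __name__ == "__main__":
    print("RBAC alice write reports:", rbac_allows("alice", "reports", "write"))
    print("DAC alice write budget:", dac_allows("alice", "budget.xlsx", "write"))
    print("MAC alice read merger-plan:", mac_allows_read("alice", "merger-plan.txt"))
```

Note that the DAC branch is the only one where a non-administrator can widen access, which is why the article lists "object owner regulates access" as a DAC feature and "only an administrator may grant access" as a MAC issue.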

The three reigning principles of effective access control are:

  • Principle of least privilege
  • Separation of duties
  • “Need to know” 