What Is Access Control in Digital Society?
The ability to control access to sensitive data is paramount to any organization’s security and shouldn’t be taken lightly.
Whether you are accessing your office workstation or doing your job remotely, you’ll have to pass some form of authentication before you are allowed entry into the company’s systems. Depending on your position, you’ll probably only be authorized to access specific files and parts of the building.
Authentication and authorization are critical components of access control. Without proper access control, anyone can waltz right in and steal the company’s confidential information.
Access control can be physical or logical. Today, we'll focus solely on logical access control in its digital form, and see how businesses handle authentication and authorization to protect their own and their users’ sensitive data.
Access Controls Definition
Access control is a critical security component used to restrict and distribute user resources. It’s one of the most basic security concepts, but sometimes it’s difficult to implement properly. In the worst-case scenario, poor access management can lead to cybercriminals or disgruntled employees abusing company systems.
Even the most basic access control systems require the user to provide login credentials in conjunction with two-step or multiple-factor authentication, which may involve biometric scans and/or security tokens.
Poor implementation of access control policies could lead to guest accounts having the same authorization as someone from accounting or any other department. In most cases, it’s caused by human error, poorly configured user groups, a faulty security policy, or the nonexistence of the last two.
Components of Access Control
While the most talked about and definitely most important components of an access control system are authentication and authorization, they aren’t the only ones. In total, there are five key components:
1. Authentication
Before anyone can go anywhere and access anything, they need to register who they are, and said data needs to be verified. As mentioned before, this is done chiefly by verifying user credentials.
If we were talking about a Windows environment, the system administrator would create a username and password for the new employee to access the system.
2. Authorization
Authentication only provides access to the system in general, but what the user can view, modify, or remove is the domain of authorization. When it comes to Windows, those would be security groups each user is assigned to. These ascribe privileges and access rights to authenticated accounts.
3. Access
With the right security group assigned, the user can access the data and tools needed to do his job and shared company resources. That way, sensitive data unneeded for a given user's work stays safely locked away.
4. Manage
A company has to be able to manage access to data and tools used. In the Windows environment, the system administrator can revoke or modify access at any point. The problem arises when the company has multiple tools or services; for each, you have to log in to the admin panel and modify the user account.
5. Audit
Everything done in the system should leave a trace a system administrator can follow to discover any potential abuse or breaches. Luckily, all servers have these mechanisms in place, but various tools used by employees often do not.
Different Types of Access Control
There are five different access control models which can be implemented. Those are:
- Discretionary access control (DAC)
- Mandatory access control (MAC)
- Role-based access control (RBAC)
- Rule-based access control (RuBAC)
- Attribute-based access control (ABAC)
Discretionary Access Control
Within DAC, access is controlled by the owner or data or resource administrator the user is accessing. When you think about it, most systems work like this at their core, but DAC doesn’t possess any centralized control.
A simplified example of a DAC system would be sharing a Google document. You control user access by sending the sharing link (authentication), and the user can be set to either view, comment on, or edit your document (authorization). At any point, you can sever the link by restricting the file.
Mandatory Access Control
MAC, not to be confused with media access control, is a type of access control model where a central authority regulates access rights. The access can be configured in great detail, so users can access individual files or just parts of files. This type is the most restrictive and is therefore commonly used in banks, government institutions, and military environments.
Role-Based Access Control
RBAC is the most common access control type used by companies and organizations. Instead of each user having permissions delegated individually, the permissions are delegated based on their role in the company. While some groups may share some permissions, no two groups will ever have the same level of access.
Rule-Based Access Control
RuBAC gives access according to the rules set by the administrator. Such rules can be set for computer networks and electronic access control systems. In most cases, it includes the time and date when the user can access the building or data, but isn’t limited only to those parameters.
The acronyms RBAC and RuBAC are sometimes used interchangeably, which isn’t accurate, but we understand the confusion. In fact, RBAC and RuBAC complement each other: RBAC provides groups with permissions, while RuBAC further modifies them by adding specific rules.
Attribute-Based Access Control
Instead of access being tied to a user’s role, ABAC grants permissions based on user attributes or, simply put, who the user is. ABAC looks at the user’s account type, department, time of the day, current location, and other parameters before providing access to the files that correspond to their attributes.
This means users can have varying access when accessing company resources in the office and when working remotely. Additionally, many attributes can be stacked to provide a more complex but also more secure structure. For example, the system can also check each user’s local date and time and set permissions based on if the user is attempting to gain access during or after working hours.
Examples of Access Control in Regulatory Compliance
Access control isn’t only used to regulate what employees can access and use. Companies also use it to comply with data privacy regulations issued by the government when dealing with their customers or collecting user data.
A good example is the Payment Card Industry Data Security Standard established to protect customers from fraud and data theft. Aside from the many protection methods it imposed to prevent stealing card information during transactions, it also forced businesses to implement strict access control policies and restrict access to gathered cardholder information.
Another good example is The Health Insurance Portability and Accountability Act of 1966, which governs the national standard imposed to protect sensitive patient information from being disclosed without the patient's knowledge. If a company dealing with confidential patient information allowed access to anyone, it would find itself on the wrong side of the law, fast.
Challenges of Access Control
Considering the prediction that 33 billion accounts will be breached in 2023, access control should be among the top priorities for any company. It doesn’t matter if they conduct their business online or not – these are challenges every organization faces.
The most common problem of access control systems is weak and recycled passwords. This happens a lot with regular users, but companies aren’t immune to it, either. This is an even bigger risk when the company requires employees to know ten different passwords but refuses to pay for a quality password manager.
Using any form of access control software for two-factor or multiple-factor authentication presents an additional way to offset the problem.
Unmanaged employee devices (e.g., personal PCs) also create enormous security and access control risks due to the lack of industrial-grade security. Usually, the company will keep all of its devices accessible by the administrator to keep a close eye on the computer network for any potential attacks and intruders.
However, personal devices fall outside of this protection umbrella, and cybercriminals are fully aware of it. The easiest way to get into the organization's system is to infect the PC of one of their employees and scrape the credentials from it or use it to access the organization's network.
The lack of centralized access control is also one of the common problems, especially in today's dynamic IT environment, where employees need to use multiple tools and resources spread across several cloud, physical, or hybrid servers. Such a setup usually lacks sufficient access control security and, just like unmanaged devices, represents a security risk.
Although this article focused on digital access, physical access control, which can be mechanical or electronic, must also be managed. All elements must work together, and flawlessly, for companies handling sensitive data to have any kind of piece of mind.
Further Reading
In fact, there are five types of access control: discretionary access control, mandatory access control, role-based access control, rule-based access control, and attribute-based access control.
Access control decides who can access classified information and what they can do with it.
Access control is a basic security feature governing access to files and resources. Neglecting it can cause severe problems for any organization: Not only can somebody steal its sensitive data, but it can impede everyday operations because the right users can’t get access to necessary data or resources within the company.
The first step in access control is user authentication, which is followed by authorization, access, management, and audit in order of significance.
