We all have spaces, rooms, or data that we would rather no one access, be it at home or in the office. So how exactly do we protect these things? Well, access control. Access control is a security practice that is used to protect sensitive data or places from unwanted access. An access control system is designed to grant or deny access to a resource through identification, authentication, and authorization. It assures resource owners that whoever is accessing their resource is who they say they are and have the appropriate authorization to access it.
There are four different models of access control used, and they all work in different ways. The trick is to find which one best works for your system based on the security level needed, and the sensitivity of the resource. Let us take a look at the models used.
Discretionary Access Control
This is the least restrictive and most flexible model of access control. In this security paradigm, access control is determined by the resource owner (or any other user that has been given authority). Meaning that all the access permission will be specified by the resource owner and they can customize them at will allowing for more flexibility.
Hence each access point will have an access control list with the access permissions. The access point will then use user identification procedures such as usernames, passwords, or pins to identify users and grant or deny access accordingly. The main drawback of this model is that it is a low-level security model since the person in control can be unaware of the best security policies and accesses which can inadvertently cause them to allow access to a dangerous user.
Mandatory Access Control
This security paradigm is the most restrictive and least flexible compared to the other models. It gives or denies access based on user clearance, which is set by the system administrator(s) and cannot be altered without his permission.
This model utilizes a hierarchical approach where all users are ranked, and each is given a specific clearance in a centralized database. These clearances are defined by the system administrator and then enforced by the operating system or a security kernel and cannot be altered. This model is particularly popular with places that require a high level of security like the military or government.
Role-Based Access Control (RBAC)
The Role-Based Access Control model grants or denies access to users based on their roles. It is currently the most popular model of access control used. The system administrator assigns roles to every user, in a central database, and determines what sort of access these roles will have. These roles can be defined based on authority, responsibility, and competence.
Thus for example, if someone falls in the role of manager they may be able to access more resources than a person in the role of a regular employee. Furthermore, if someone is promoted all the system administrator has to do is switch their roles.
Attribute-Based Access Control (ABAC)
This is the most recent model of access control and is a step from role-based access control. Instead of using roles to determine access, this model uses assigned attributes. The system administrator(s) defines different attributes and assigns them to different users. They then define the rules which establish which attribute combination will grant different access permissions.
The best part about the ABAC model is it allows you more flexibility, in whom you give access to. It can allow you to give specific users more access while limiting others.
If you would wish to gather more information on access control models or wish for help finding the right model for your system, Dacha SSI is ready to help you with any issues you may have and help you better protect your resource.
