Security frameworks and regulations will inevitably dictate that organizations have the capabilities to deny access from unauthorized users. This facet of cybersecurity is so fundamental to compliance more broadly that it’s essentially impossible to engage in proper security without considering access control.
This article will discuss access controls and authorization as part of a larger approach to Identity and Access Management (IAM).
What Are the Components of Access Control?
Access controls are the processes, policies, and technologies that allow organizations to manage access to system resources and deny it to unauthorized users. As such, these controls encompass a variety of functions, beginning with verifying the identity of the user making a request.
Some of the core components of an access control system include the following:
Identification
Digital identity is a hot topic in modern technology and security because these identities are at the heart of access control for any platform. Such identities are, in many cases, built on some sort of privileged or personal information that must remain protected. And that’s not taking into account the ethical implications of using private data to identify or centralize potentially catastrophic caches of information in ID databases.
Outside these conversations, however, identification refers to the ability of an organization to uniquely identify a user against a set of data, including verification credentials, in such a way that only one set of credentials is associated with a single digital ID.
The challenge of modern identification stems from the fracturing of platforms and services across hundreds of providers. With potentially hundreds of IDs to manage, users will often resort to poor cyber hygiene (simple or reused passwords, identical usernames, etc.). To address this, sophisticated forms of federated identity and Single Sign-On (SSO) schemes have been developed.
Authentication
Authentication is the process of determining that a user, currently seeking access to a system, is who they say they are. The credentials offered by the user must correlate with an identity within that system, whether managed by the organization, the platform, or a provider of federated identity services.
Because authentication is often one of a system’s first lines of defense, the process must provide that security by accurately verifying the user. However, one of the oldest forms of authentication (usernames and passwords) is often the weakest because it is prone to hacking, phishing, and poor cybersecurity practices. That’s why most organizations have moved to Multi-Factor Authentication (MFA), which requires multiple forms of identity verification.
Some modern approaches to authentication and MFA include:
- One-Time Passwords (OTPs): OTPs are automatically generated passwords that can verify a user’s ownership of a given device or account and close the user presence gap during an authentication session. For example, a system can require a password followed by an OTP generated through an authentication app and refreshed once every 45 seconds. This ensures that the user (as the application owner) is who they say they are and is present at the point of authentication.
- Biometrics: Passwords, email accounts, and devices can be stolen, but features of our bodies are much harder to fake. Biometrics use unique biological or behavioral aspects of our bodies like fingerprints, iris patterns, facial recognition, or even patterns in typing, swiping, or voice and speech practices to verify the user. These are much more accurate and reliable than most other forms of authentication, and the proliferation of devices with scanners and cameras has made their use more widespread.
- Identity Assurance: More sensitive forms of security associated with the government, financial, or industrial access will often include forms of identity assurance that include in-person verification and the provision of government identification.
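As an added example (not code from the original article), the following implements the time-based OTP scheme described in the list above, using the article's 45-second refresh interval. It follows RFC 6238 (TOTP) and RFC 4226 (HOTP truncation); the demo secret, the skew window and the replay check are constructed assumptions for illustration.

```python
import hmac, hashlib, struct

# Constructed demo secret: a real one is provisioned per user to the
# authenticator app and kept server-side in protected storage.
SECRET = b"constructed-demo-secret-not-real"
STEP = 45      # the article's example refresh interval, in seconds
DIGITS = 6

def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    # RFC 6238: HMAC-SHA1 over the time-step counter, then RFC 4226
    # dynamic truncation to a fixed number of decimal digits.
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Server-side check: tolerate small clock skew, reject replays."""
    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # accept +/- this many steps of drift
        self.last_step = -1           # highest time step already accepted

    def check(self, submitted: str, unix_time: int) -> bool:
        for drift in range(-self.window, self.window + 1):
            t = unix_time + drift * STEP
            step = t // STEP
            if step <= self.last_step:  # each step may be used once (no replay)
                continue
            # Constant-time comparison so timing does not leak partial matches.
            if hmac.compare_digest(totp(self.secret, t), submitted):
                self.last_step = step
                return True
        return False
```

The verifier accepts a code only once per time step, so a captured OTP cannot be replayed even inside the skew window.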
Authorization
Authorization establishes a user’s capability to access resources within a system. Once the user is authenticated, and as they navigate system resources (using applications, making database queries, browsing files, etc.), authorization policies will determine which resources they can and cannot interact with. These access privileges can be based on the resource type, the role of the user, and other system attributes.
What Are Types of Access Control?
While identification, authentication, and authorization are all critical parts of access controls, authorization is a massive part of the policies your organization would put into place to determine how that user accesses system resources during their everyday job.
Some of the primary forms of access control that organizations use include:
Mandatory Access Control (MAC)
As the name suggests, mandatory access control is a strict and non-negotiable form of control used in sensitive systems like government or financial infrastructure. In MAC, administrators and security professionals set access controls from the top down, which are non-adjustable outside those authorized policies. This approach includes security labels and categories to which different pieces of information are assigned, and users are given access to specific labels and categories (and no others).
Discretionary Access Control (DAC)
DAC is, in some respects, the polar opposite of MAC in that the users themselves specify the rules of access. Using Access Control Lists (ACLs) and access tables, the system determines who can access a file or resource. This allows scenarios where, for example, a user with administrative control over a local set of resources can share access on an ad hoc basis, providing a more flexible access system.
Role-Based Access Control (RBAC)
RBAC uses an organizational hierarchy of roles and responsibilities to determine access. Within that hierarchy, every position would have a specific set of privileges and requirements that translate into access privileges within the IT infrastructure.
This approach is often the most common because it more readily maps onto real-world business operations, and system access is often easily restricted based on a person’s job description. Furthermore, RBAC is flexible, and can integrate with other methods as an attribute of acceptable system access.
Rule-Based Access Control
The other “RBAC” is rule-based access control, where rules within an access system are the final arbiter of access to system resources. These rules can be flexible and easy to implement for a top-down view of access (perfect for compliance and regulations). Still, they can become endlessly complex and time-consuming as you model out every possible access scenario within a given infrastructure.
Attribute-Based Access Control (ABAC)
ABAC uses a vast array of flexible variables as the foundation for access control. Some of these variables include time of access, user location, clearance levels, attributes of the data object or resource, or even the action the user is taking (reading, executing, etc.). ABAC allows for fairly sophisticated and dynamic forms of access control but can also find itself in a complex realm of “what-ifs” like rule-based systems.
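To make the differences between these models concrete, here is an added example (not from the original article) that evaluates one access request against all four in sequence: MAC label dominance, a DAC owner-maintained ACL, an RBAC role table, and ABAC rules on location and time of day. The users, labels, roles and rules are constructed for illustration, and the layered "every model must allow" policy is an assumption of this example.

```python
from dataclasses import dataclass, field
from datetime import time

# MAC: ordered security labels; a read requires clearance at or above the label.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
# RBAC: role -> permitted actions (constructed role table).
ROLE_PERMISSIONS = {"analyst": {"read"}, "engineer": {"read", "write"},
                    "admin": {"read", "write", "delete"}}

@dataclass
class Subject:
    user: str
    role: str
    clearance: str
    location: str

@dataclass
class Resource:
    name: str
    label: str
    owner: str
    acl: dict = field(default_factory=dict)  # DAC: user -> actions the owner granted

def mac_allows(subject, resource):
    return LEVELS[subject.clearance] >= LEVELS[resource.label]

def dac_allows(subject, resource, action):
    # The owner decides: owners always pass, others need an ACL grant.
    return subject.user == resource.owner or action in resource.acl.get(subject.user, set())

def rbac_allows(subject, action):
    return action in ROLE_PERMISSIONS.get(subject.role, set())

def abac_allows(subject, resource, action, at):
    # Constructed rules: no off-site writes to confidential-or-higher data; no deletes outside 09:00-17:00.
    if (action == "write" and LEVELS[resource.label] >= LEVELS["confidential"]
            and subject.location != "office"):
        return False
    if action == "delete" and not time(9) <= at <= time(17):
        return False
    return True

def decide(subject, resource, action, at):
    # Layered policy: every model must allow the request; report which denied it.
    checks = {"MAC": mac_allows(subject, resource),
              "DAC": dac_allows(subject, resource, action),
              "RBAC": rbac_allows(subject, action),
              "ABAC": abac_allows(subject, resource, action, at)}
    denied_by = [name for name, ok in checks.items() if not ok]
    return (not denied_by, denied_by)
```

Returning the list of models that denied a request is what makes an audit trail useful: a reviewer can see whether a denial came from a label mismatch, a missing role permission, or a contextual ABAC rule.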
Audit and Maintain Access Control Policies with Continuum GRC
It is absolutely critical that an organization with compliance and regulatory requirements manage their access controls. Regardless of whether these controls are role based, attribute based, or some combination of approaches, an automated cloud platform like Continuum GRC can provide a bird’s-eye view of your access policies so that they conform with your security needs.
Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- DFARS NIST 800-171
- SOC 1, SOC 2, SOC 3
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.