What is access control and what are the major types of access control in information security?
Access control is a cybersecurity concept that regulates who can access which resources in a computing environment. It is one of the most fundamental concepts in information security, because it minimizes risk to business and organizational assets by dictating who is allowed to access, and entitled to use, those assets and resources. Companies employ the identification, authentication, authorization and accountability (IAAA) scheme to enforce access control policies on subjects and objects.
- Identification: the process by which a subject asserts an identity before gaining access to resources.
- Authentication: the process of proving the asserted identity, which the subject accomplishes by presenting something it controls or possesses (a password, a token, a biometric).
- Authorization: specifies the access rights and privileges a subject holds; these are checked before access is granted to determine whether the subject should be allowed to reach the requested resource.
- Accountability: holds the subject responsible for its actions on the resources.
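The four IAAA steps are easiest to see as one decision pipeline. The following Python is an added example written for this answer, not code from the original page: it uses a constructed user store (salted PBKDF2 password hashes), a constructed permission table and an in-memory audit log, and the helper names (`identify`, `authenticate`, `authorize`, `request_access`, `AuditLog`) are assumptions of this example. Every request passes identification, authentication and authorization in that order, and every outcome, allowed or denied, is recorded so the subject can be held accountable.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample data for this example (not from the page).
def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; plaintext passwords are never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password: str) -> dict:
    salt = os.urandom(16)                      # per-user salt
    return {"salt": salt, "hash": _hash_password(password, salt)}

USERS = {
    "alice": _make_user("correct horse battery staple"),
    "bob": _make_user("hunter2"),
}

# Authorization data: object -> subject -> set of permitted actions.
PERMISSIONS = {
    "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
}

@dataclass
class AuditLog:
    """Accountability: an append-only record of every access decision."""
    entries: list = field(default_factory=list)

    def record(self, subject, obj, action, outcome, reason):
        self.entries.append({"subject": subject, "object": obj, "action": action,
                             "outcome": outcome, "reason": reason})

AUDIT = AuditLog()

def identify(username: str) -> bool:
    """Identification: the asserted identity must exist in the user store."""
    return username in USERS

def authenticate(username: str, password: str) -> bool:
    """Authentication: prove the identity with something the subject knows."""
    rec = USERS[username]
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))

def authorize(username: str, obj: str, action: str) -> bool:
    """Authorization: is this action on this object permitted for the subject?"""
    return action in PERMISSIONS.get(obj, {}).get(username, set())

def request_access(username, password, obj, action, audit=AUDIT) -> bool:
    """Run IAAA in order; deny on the first failing step and log the reason."""
    if not identify(username):
        audit.record(username, obj, action, "deny", "identification_failed")
        return False
    if not authenticate(username, password):
        audit.record(username, obj, action, "deny", "authentication_failed")
        return False
    if not authorize(username, obj, action):
        audit.record(username, obj, action, "deny", "authorization_failed")
        return False
    audit.record(username, obj, action, "allow", "granted")
    return True
```

The audit log records which step denied a request, which is what an analyst needs afterwards: a run of `identification_failed` entries looks like username enumeration, while `authorization_failed` on a valid account points at a privilege problem rather than a credential one.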
There are two main types of access control, namely physical access control and logical access control.
- Physical access controls: ensure that only authorized entities can enter a restricted area. They must not compromise the safety of people in the facility; in particular, they should be designed so that they do not impede emergency evacuations. Physical access controls fall into one of three security control categories: administrative, technical and operational.
- Logical access controls: technical security controls used to protect access to information, systems, devices and applications in an organization. They include authentication, authorization and the permissions granted to subjects, and they help prevent unauthorized access to organizational data and to the security configuration settings of systems and devices.
Access control models provide mechanisms for identifying subjects and objects and establish the relationships between them that determine authorization decisions. They identify subjects by verifying login credentials such as usernames, passwords, biometric scans and security tokens before granting access to objects. A subject can be a user, process or program; an object is whatever the subject is attempting to access, such as a file, system, database, application, facility, device or network resource.
The relationship between subjects and objects plays a significant role in access control systems, which enforce control on the subjects that access objects. Organizations use this subject/object duality to maintain the fundamental security objectives for data: confidentiality, integrity, availability, non-repudiation and authenticity. Controlling access to objects therefore requires the ability to identify and validate the subjects requesting access and to hold them responsible for their actions.
Types of access control models include the following:
- Role Based Access Control (RBAC): an access control model based on the functional roles that subjects are assigned within an organization. In RBAC, access rules are defined after the organizational structure is established.
- Rule Based Access Control (RuBAC): an access control model based on a list of predefined security rules; the rules determine what access is granted to subjects.
- Mandatory Access Control (MAC): common in military institutions; the system enforces stringent security policies on subjects and on the objects they access, such as data, resources and systems.
- Discretionary Access Control (DAC): allows the data owner to decide who may access an object by assigning access rights to each subject.
- Attribute Based Access Control (ABAC): a dynamic, context-based model that decides whether access should be granted to a subject by evaluating security policies against attributes of the subject, the object and the request context.
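The five models differ mainly in where the decision data lives and who may change it. The Python below is an added example for this answer, not code from the original page: it implements a minimal decision function for each model over constructed sample data (users `alice` and `bob`, objects `payroll.db` and `war_plan.doc`), and all function and table names are assumptions of this example. The MAC function follows the Bell-LaPadula "no read up, no write down" rules, which the page does not name; it is one common way to realise MAC, not the only one.

```python
from dataclasses import dataclass, field

# ---- RBAC: permissions attach to roles; subjects are assigned roles --------
ROLE_PERMS = {
    "hr_manager": {("payroll.db", "read"), ("payroll.db", "write")},
    "auditor": {("payroll.db", "read")},
}
USER_ROLES = {"alice": {"hr_manager"}, "bob": {"auditor"}}

def rbac_allows(user, obj, action) -> bool:
    return any((obj, action) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))

# ---- RuBAC: an ordered list of predefined rules; first match decides -------
# Each rule is (predicate over the request, decision); default is deny.
RULES = [
    (lambda r: r["action"] == "write" and not 9 <= r["hour"] < 17, "deny"),
    (lambda r: r["obj"] == "payroll.db" and r["action"] in {"read", "write"}, "allow"),
]

def rubac_allows(request: dict) -> bool:
    for predicate, decision in RULES:
        if predicate(request):
            return decision == "allow"
    return False

# ---- MAC: labels are fixed by the system, not by users (Bell-LaPadula) -----
LEVELS = {"public": 0, "confidential": 1, "secret": 2}
CLEARANCE = {"alice": "secret", "bob": "confidential"}
CLASSIFICATION = {"payroll.db": "confidential", "war_plan.doc": "secret"}

def mac_allows(user, obj, action) -> bool:
    subj, obj_level = LEVELS[CLEARANCE[user]], LEVELS[CLASSIFICATION[obj]]
    if action == "read":
        return subj >= obj_level      # no read up
    if action == "write":
        return subj <= obj_level      # no write down
    return False

# ---- DAC: the owner decides, through an ACL only the owner may edit --------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)

    def grant(self, by: str, subject: str, action: str) -> bool:
        """Only the owner may change the ACL; returns False otherwise."""
        if by != self.owner:
            return False
        self.acl.setdefault(subject, set()).add(action)
        return True

    def allows(self, subject: str, action: str) -> bool:
        return subject == self.owner or action in self.acl.get(subject, set())

# ---- ABAC: policy evaluated over subject, object and context attributes ----
SUBJECT_ATTRS = {"alice": {"dept": "hr"}, "bob": {"dept": "finance"}}
OBJECT_ATTRS = {"payroll.db": {"dept": "hr", "sensitivity": "high"}}

def abac_allows(user, obj, action, context: dict) -> bool:
    s, o = SUBJECT_ATTRS.get(user, {}), OBJECT_ATTRS.get(obj, {})
    same_dept = s.get("dept") == o.get("dept")
    # Context attribute: high-sensitivity objects require a compliant device.
    if o.get("sensitivity") == "high" and not context.get("device_compliant"):
        return False
    if action == "read":
        return same_dept
    if action == "write":
        return same_dept and context.get("network") == "corp"
    return False
```

Note what changes between models: in RBAC and RuBAC an administrator edits `ROLE_PERMS` or `RULES`; in DAC the object's owner edits the ACL, so a careless owner can over-share; in MAC nobody below the system can relabel `war_plan.doc`, which is why it suits environments where the data owner must not be able to declassify; and in ABAC the same subject and object can get different answers depending on the request context.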