Access control is a fundamental aspect of IT security. In this video, you’ll learn about mandatory, discretionary, role-based, attribute-based, and rule-based access control.
Once a user gains access to a service, we now need to determine what type of resources does that user have access to. That process is authorization. It’s part of the access control that we would normally configure using some type of policy enforcement process that’s built into an application or an operating system.
Of course, prior to configuring this policy enforcement, we need to go through some process to determine who gains access and what type of access they get. This would be part of our policy definition, and it’s something that we can use to then assign any type of enforcement process. And there are many different ways to configure access control in an application or an operating system. And you’ll find that different businesses and different applications have different requirements on how that access is provided.
If you work for a highly secure organization or some type of government, then you may be using mandatory access control or MAC. This requires you to configure separate security clearance levels and then associate objects in the operating system with one of those security levels. This means that every object that you’d be working with– this could be a spreadsheet, a presentation, it could be a word processing document– but each one of these objects gets a security label. So we would assign these objects with labels such as confidential, secret, top secret, or perhaps others as well.
This means that we would assign a user with a minimum type of access. The administrator configures a particular user to have a particular access. For example, we could assign a user with secret access. The users don’t get to change this type of access. This is an access that is defined by the administrators of the site. Now that this user has secret access, they may be able to access objects that are labeled confidential or objects that are labeled secret, but they would not be able to access objects that are labeled top secret.
If you’re a user of Microsoft Windows, then you may be familiar with the discretionary access control or DAC. This means that you would create an object, and you, as the owner of that object, would assign rights and permissions to it. So you may create a spreadsheet, and then in that spreadsheet, you might decide that an individual or particular group in the organization has access to the spreadsheet, and that access may allow them to modify that spreadsheet. Or we might set permissions on that spreadsheet so that one group in the organization has ready-only access, and the other group in the organization is able to make changes.
This means the person that created or owns that spreadsheet has complete control over who has access to it. And although that does provide a lot of flexibility for access control, it requires the owner to be responsible for the security of that device, and on some cases, that may be considered very weak security and something that may not be the best security option in many organizations.
In many large organizations, we use an access control type called a role-based access control or RBAC. This is associated with the role that an employee might have in that company. So this might be a technician. It might be a manager. It could be someone responsible for a particular project. And they have been assigned rights and permissions based on their role.
The administrator of the system or the network is the person that would assign these particular access control rights. This means if someone is a manager in the organization, then they are assigned all of the rights and permissions that a manager should have. In Windows, we manage this role-based access control through the use of groups.
So we might have a group for someone who works in shipping and receiving, and we might have another group for someone who is the manager of the people that work in shipping and receiving. This means that someone who works in shipping and receiving might have access to the application that allows them to send and receive packages. But the manager of those people have a different role. They are an employee of shipping and receiving, so they would have access to the shipping software, but they have also enhanced access– since they are the manager– that allows them to review any of the logs associated with that shipping software.
With attribute-based access control, we can define a number of different criteria that have to be evaluated that would then allow someone access to a resource. This allows the system administrator to define a number of different parameters. And then as the user tries to access those resources, each one of those parameters is checked and evaluated.
This means if a user tries to access a spreadsheet, the system will evaluate what type of resource they’re trying to access. It will understand what IP address they’re trying to access this resource from. It may check the time of day to see if access to this resource is allowed in that particular time frame. It can see what type of action the user wants to perform to that particular object. And it may perform a check to see what the relationship of that user might be to that data. Once all of those different parameters are evaluated and the user meets all of the parameters that were previously defined, then they would have access to that resource.
Another type of access control is a rule-based access control. And this is more of a generic term that can be applied across many different operating systems or different ways to allow someone access to a resource. With rule-based access control, the system administrator is setting the rules. The users do not get to define whether someone might have access to a particular object or not. The rule is generally associated with the object that they’re trying to access.
So if somebody is trying to gain access to a network, then the rules are going to be associated with that particular network. Or if someone needs access to a spreadsheet, the rules are specific to that particular spreadsheet. For example, if someone’s trying to log into a lab, there might be a rule-based access control based on the time of day. So they would only be able to access those resources between 8:00 AM and 5:00 PM. Or perhaps there is a web form that someone’s trying to fill out, but they’re only able to see and complete that form if they happen to be using a specific type of browser.
There’s also a great deal of access control built into the operating systems that we use every day. When we’re storing files, we need to have some way to define who would have access to that file that’s stored on our system. So this might be stored on a hard drive, an SSD. It could be a flash drive that we plug in. And this is something that is commonly built into an operating system so that some users would have a certain set of rights, and other users would have a completely different set of rights.
Generically, we refer to this as an access control list, but you may find that in Windows, it’s a list of user rights or a list of groups, and then you’re assigning permissions to those users or groups. This could be something that is centrally managed through group policy on a Windows network, or it may be that the owner of the object has control to make those changes themselves in the file system of the OS. And in the case of NTFS that is used by Microsoft Windows, we can have the file system perform additional security, such as encryption and decryption, as part of the file system itself. We don’t have to install any additional software or have additional plug-ins. It is simply built into the operating system that we’re using.
One of the challenges we have with cloud-based systems is that people can access our resources from anywhere in the world, and we may have these resources changing and moving all the time. So we need a type of access control that is up to date with these more modern ways to access our resources in the cloud. To be able to do that, we use conditional access. This allows us to set certain conditions. We may check to see whether someone is an employee or whether they’re part of a third-party organization. We might also check what location they happen to be located in or what type of application they’re trying to access.
Once we know this condition, we can apply certain controls to that. So if it’s an employee, we may provide more access to a particular file; or if it’s a partner, we may require multifactor authentication during the login process; or if this is an employee and they happen to be in a different country, they may have a different type of access to that file. Many cloud services include this type of conditional access as part of their system. And if you’re the system administrator, you can build some very complex access rules so that you can customize exactly the type of security you would like to have over your data.
So far, we’ve talked about how users have access to applications and data. But we also have to be concerned about how administrators have access to applications, data, and the underlying operating system. To be able to manage this process, we use privileged access management or PAM. This is a centralized way to be able to handle elevated access to system resources. And if you are in a large organization with many different administrators, you may want to consider using privileged access management.
If you’re using this type of access control, then administrators to a system don’t automatically have administrator rights. They would need to access a centralized digital vault, and then that privileged access is then checked out to them to be able to use. These privileges only last for a certain amount of time, and then they’re revoked by the system.
This gives us much more control over what someone with administrator access may be allowed to do. They first have a centralized password management function, so that if you do need to change the administration passwords, you can do that in one central place. There’s also the advantage of being able to automate services that need administrator access, and we can do that by using this privileged access management. This would then allow us to manage this administrator access for each individual administrator on the system. And then we can log and audit for anyone who may be assigned these particular administrative rights.