
Difference between revisions of "Access Control"

Line 16: Line 16:
  
 
Basically, these types of physical and logical restrictions prevent unauthorized individuals from doing things they shouldn’t with your sensitive [[System|systems]] or data. Furthermore, they also help to prevent inadvertent exposure or disclosure of sensitive items.<ref>What is Access Control? - A Technical Definition [https://www.thesslstore.com/blog/the-role-of-access-control-in-information-security/ The SSL Store]</ref>
 
Basically, these types of physical and logical restrictions prevent unauthorized individuals from doing things they shouldn’t with your sensitive [[System|systems]] or data. Furthermore, they also help to prevent inadvertent exposure or disclosure of sensitive items.<ref>What is Access Control? - A Technical Definition [https://www.thesslstore.com/blog/the-role-of-access-control-in-information-security/ The SSL Store]</ref>
 +
 +
 +
'''Types of access control<ref>4 Types of access control [https://www.csoonline.com/article/3251714/what-is-access-control-a-key-component-of-data-security.html CSO]</ref'''><br />
 +
Organizations must determine the appropriate access control model to adopt based on the type and sensitivity of data they’re processing. Older access models include discretionary access control (DAC) and mandatory access control (MAC), role based access control (RBAC) is the most common model today, and the most recent model is known as attribute based access control (ABAC).
 +
*Discretionary access control (DAC): With DAC models, the data owner decides on access. DAC is a means of assigning access rights based on rules that users specify.
 +
*Mandatory access control (MAC): MAC was developed using a nondiscretionary model, in which people are granted access based on an information clearance. MAC is a policy in which access rights are assigned based on regulations from a central authority.
 +
*Role Based Access Control (RBAC): RBAC grants access based on a user’s role and implements key security principles, such as “least privilege” and “separation of privilege.” Thus, someone attempting to access information can only access data that’s deemed necessary for their role.
 +
*Attribute Based Access Control (ABAC): In ABAC, each resource and user are assigned a series of attributes. “In this dynamic method, a comparative assessment of the user’s attributes, including time of day, position and location, are used to make a decision on access to a resource.”
 +
It’s imperative for organizations to decide which model is most appropriate for them based on data sensitivity and operational requirements for [[Data Access|data access]]. In particular, organizations that process [[Personally Identifiable Information (PII)|personally identifiable information (PII)]] or other sensitive information types, including [[Health Insurance Portability and Accountability Act (HIPAA)]] or [[Controlled Unclassified Information (CUI)]] data, must make access control a core capability in their [[Security Architecture|security architecture]].
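Review bot: the bold closing marker in the added heading line is placed inside the ref closing tag (`</ref'''>`), so the `<ref>` element never closes and the `'''` bold never terminates; change it to `...CSO]</ref>'''` so the line reads `'''Types of access control<ref>4 Types of access control [... CSO]</ref>'''<br />`. The three empty `+` lines before the heading also add blank lines that are not needed once the heading is followed by `<br />`; one blank line separating it from the previous paragraph is enough.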

Revision as of 17:29, 17 February 2021

Access Control is a fundamental component of data security that dictates who’s allowed to access and use company information and resources. Through authentication and authorization, access control policies make sure users are who they say they are and that they have appropriate access to company data. Access control can also be applied to limit physical access to campuses, buildings, rooms, and data centers.[1]

Access control is a broad term that describes policies and methods that ensure only verified individuals can physically or virtually touch items that they have permission to access. This process involves restricting access or granting permissions that allow someone to do something to a protected item. This includes having permissions to do any of the following to protected items (digital or physical resources):

  • Access,
  • Read,
  • Modify,
  • Communicate,
  • Delete or otherwise destroy.

For longtime IT cybersecurity expert Greg Scott, access controls typically boil down to understanding the relationship between two specific terms: subjects and objects.
“Subjects are usually people or groups. Objects are usually files or directories. The key is, subjects access objects, and so access controls regulate how subjects access objects.”

In this understanding, objects could be resources that you want to protect from unauthorized access, use, or disclosure. And the subject is the user (or group of users or even non-person entities such as applications or services) that the access controls apply to. So, access controls (in a more technical sense) are the tools, policies, models, and mechanisms that enable you to grant or restrict access to your organization’s digital or physical resources. This includes everything from restricting or granting access to specific files and databases to IT systems and physical locations.

If you look at the definitions of access control on the National Institute of Standards and Technology (NIST) website, you’ll see a lot of variations. However, they all basically mean the same thing in a roundabout way: access control is a way for you to ensure that only the individuals (or groups) you choose have access to your sensitive data, applications, technologies, and critical infrastructure.

Basically, these types of physical and logical restrictions prevent unauthorized individuals from doing things they shouldn’t with your sensitive systems or data. Furthermore, they also help to prevent inadvertent exposure or disclosure of sensitive items.[2]


Types of access control[3]
Organizations must determine the appropriate access control model to adopt based on the type and sensitivity of the data they process. Older models include discretionary access control (DAC) and mandatory access control (MAC); role-based access control (RBAC) is the most common model today, and the most recent model is attribute-based access control (ABAC).

  • Discretionary access control (DAC): With DAC models, the data owner decides on access. DAC is a means of assigning access rights based on rules that users specify.
  • Mandatory access control (MAC): MAC was developed using a nondiscretionary model, in which people are granted access based on an information clearance. MAC is a policy in which access rights are assigned based on regulations from a central authority.
  • Role Based Access Control (RBAC): RBAC grants access based on a user’s role and implements key security principles, such as “least privilege” and “separation of privilege.” Thus, someone attempting to access information can only access data that’s deemed necessary for their role.
  • Attribute Based Access Control (ABAC): In ABAC, each resource and user are assigned a series of attributes. “In this dynamic method, a comparative assessment of the user’s attributes, including time of day, position and location, are used to make a decision on access to a resource.”

It’s imperative for organizations to decide which model is most appropriate for them based on data sensitivity and operational requirements for data access. In particular, organizations that process personally identifiable information (PII) or other sensitive information types, including Health Insurance Portability and Accountability Act (HIPAA) or Controlled Unclassified Information (CUI) data, must make access control a core capability in their security architecture.
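As an added example (not code from the page or from the sources it cites), the following toy decision engine represents subjects and objects in the sense of the Greg Scott quotation above and implements one minimal rule set for each of the four models listed under "Types of access control". The users, roles, labels, attribute names and the Bell-LaPadula style read/write rules used for MAC are all assumptions of this example, chosen so that the same request receives different answers under different models.

```python
"""Toy access-control decision engine (added illustration, not from the page).

Subjects access objects; each model below answers the same question, "may
`subject` perform `action` on `obj`?", using only the information that model
consults. All users, files, roles, labels and attributes are constructed data.
"""
from dataclasses import dataclass, field


@dataclass
class Subject:
    """A subject: the user (or service) that access controls apply to."""
    name: str
    clearance: int = 0                          # MAC: clearance set by a central authority
    roles: set = field(default_factory=set)     # RBAC: job roles
    attrs: dict = field(default_factory=dict)   # ABAC: department, position, ...


@dataclass
class Obj:
    """An object: the file or record being protected."""
    name: str
    owner: str
    classification: int = 0                     # MAC: sensitivity label
    acl: dict = field(default_factory=dict)     # DAC: owner-set {user: {actions}}
    attrs: dict = field(default_factory=dict)   # ABAC: resource type, department


# MAC labels used by this example (an assumption, not from the page).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

# RBAC: role -> {(resource type, action)}. Least privilege: a subject holds only
# the union of its roles' permissions and nothing more.
ROLE_PERMISSIONS = {
    "hr-analyst": {("payroll", "read")},
    "hr-admin": {("payroll", "read"), ("payroll", "write")},
}


def dac_allows(subject, obj, action):
    """DAC: the data owner decides. Owners hold all rights; others need an ACL entry."""
    if subject.name == obj.owner:
        return True
    return action in obj.acl.get(subject.name, set())


def mac_allows(subject, obj, action):
    """MAC: labels come from a central authority, not the owner. Simplified
    Bell-LaPadula rules (an assumption of this example): no read up, no write down."""
    if action == "read":
        return subject.clearance >= obj.classification
    if action == "write":
        return subject.clearance <= obj.classification
    return False


def rbac_allows(subject, obj, action, role_permissions=ROLE_PERMISSIONS):
    """RBAC: access follows the subject's roles, not the individual identity."""
    granted = set()
    for role in subject.roles:
        granted |= role_permissions.get(role, set())
    return (obj.attrs.get("type"), action) in granted


def abac_allows(subject, obj, action, env):
    """ABAC: rules compare subject, object and environment attributes (time of
    day, location, position). Default deny: at least one rule must match."""
    rules = [
        # Staff of the owning department may read from the office in business hours.
        lambda s, o, a, e: (a == "read"
                            and s.attrs.get("department") == o.attrs.get("department")
                            and e.get("location") == "office"
                            and 9 <= e.get("hour", -1) < 18),
        # The record owner may act on the record regardless of environment.
        lambda s, o, a, e: s.name == o.owner,
    ]
    return any(rule(subject, obj, action, env) for rule in rules)


def decide(subject, obj, action, env=None):
    """Evaluate one request under all four models; returns {model: bool}."""
    env = env or {}
    return {"DAC": dac_allows(subject, obj, action),
            "MAC": mac_allows(subject, obj, action),
            "RBAC": rbac_allows(subject, obj, action),
            "ABAC": abac_allows(subject, obj, action, env)}


# Constructed sample data: one payroll record and three users.
PAYROLL = Obj("payroll-2021.csv", owner="alice", classification=LEVELS["confidential"],
              acl={"bob": {"read"}}, attrs={"type": "payroll", "department": "finance"})
ALICE = Subject("alice", clearance=LEVELS["secret"], roles={"hr-admin"},
                attrs={"department": "finance"})
BOB = Subject("bob", clearance=LEVELS["confidential"], roles={"hr-analyst"},
              attrs={"department": "finance"})
MALLORY = Subject("mallory", clearance=LEVELS["public"], attrs={"department": "marketing"})

if __name__ == "__main__":
    office_hours = {"location": "office", "hour": 10}
    after_hours = {"location": "remote", "hour": 22}
    for who, action, env in [(BOB, "read", office_hours), (BOB, "read", after_hours),
                             (BOB, "write", office_hours), (MALLORY, "read", office_hours)]:
        print(f"{who.name:8} {action:5} {env['location']:6} h{env['hour']:02d}: "
              f"{decide(who, PAYROLL, action, env)}")
```

Running the file prints a decision matrix for a few constructed requests. The point to notice is that the same request is answered differently by each model: the DAC ACL entry lets bob read the record at any hour, the ABAC rule denies that read from a remote location after hours, MAC permits bob to write into a record at his own label while RBAC does not, because his role was never granted write permission, and mallory, who has no ACL entry, no clearance, no role and the wrong department, is denied by all four.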

  1. Definition of Access Control Citrix
  2. What is Access Control? - A Technical Definition The SSL Store
  3. 4 Types of access control CSO