Access control

Beginner

A security technique that regulates who or what can view or use resources in a computing environment. It is a fundamental concept in security that minimizes risk by ensuring users are who they say they are and have the appropriate permissions to access data and perform actions.

First Used

1960s

Synonyms
Authorization, Permission management, Access rights management

Definitions

1

Core Security Concept

Access control is a fundamental security mechanism that dictates who is allowed to access and use company information and resources. The core objective is to minimize security risk by ensuring that users can only access the information necessary to perform their job functions. This is often guided by the Principle of Least Privilege.

It involves two key processes:

  • Authentication: Verifying the identity of a user, system, or service. This is the 'who are you?' step, often accomplished with passwords, multi-factor authentication (MFA), or digital certificates.

  • Authorization: Determining the access levels or permissions an authenticated entity has for a specific resource. This is the 'what are you allowed to do?' step.

For example, after you log into your email (authentication), access control policies (authorization) determine that you can read and send emails from your own inbox but cannot access someone else's.

2

Types of Access Control Models

Different models of access control provide various ways to implement security policies. The choice of model depends on the organization's security needs.

Discretionary Access Control (DAC): In DAC, the owner of an object (like a file or folder) has the discretion to grant or deny access to other users. This is the model used in most consumer operating systems like Windows and macOS. For example, you can decide who to share your Google Doc with.

Mandatory Access Control (MAC): MAC is a non-discretionary model where access rights are regulated by a central authority (the system administrator) based on security classifications (e.g., Top Secret, Secret, Unclassified). Users cannot change access permissions, even for resources they own. This is common in government and military systems.

Role-Based Access Control (RBAC): RBAC, a form of permission management, grants access based on a user's job role within an organization. Instead of assigning permissions to individual users, administrators assign permissions to roles (e.g., 'Accountant,' 'Developer,' 'Manager') and then assign users to those roles. This simplifies administration and is highly scalable.

Attribute-Based Access Control (ABAC): Also known as policy-based access control, ABAC is a more dynamic and fine-grained model. It grants access based on a combination of attributes of the user (e.g., role, department), the resource being accessed (e.g., data sensitivity), and the current environment (e.g., time of day, location).
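
The four models above, written as decision functions over the same user and resource objects. This is an added example, not part of the original entry: the class names, the role table, the 'ledger' resource and the business-hours rule are assumptions made for illustration, and the MAC check uses the Bell-LaPadula read and write rules.

```python
from dataclasses import dataclass, field

LEVELS = {"Unclassified": 0, "Secret": 1, "Top Secret": 2}  # MAC labels named in the text

@dataclass
class User:  # hypothetical subject record
    name: str
    roles: set = field(default_factory=set)
    clearance: str = "Unclassified"
    department: str = ""

@dataclass
class Resource:  # hypothetical object record
    name: str
    owner: str
    label: str = "Unclassified"
    department: str = ""
    acl: dict = field(default_factory=dict)  # DAC: user name -> set of actions

def dac_share(res, granter, grantee, action):
    """DAC: only the owner may extend the ACL, at their own discretion."""
    if granter.name != res.owner:
        raise PermissionError("only the owner can grant access")
    res.acl.setdefault(grantee.name, set()).add(action)

def dac_allows(user, res, action):
    return user.name == res.owner or action in res.acl.get(user.name, set())

def mac_allows(user, res, action):
    """MAC: central label comparison; ownership and ACLs play no part."""
    u, r = LEVELS[user.clearance], LEVELS[res.label]
    if action == "read":
        return u >= r   # Bell-LaPadula: no read up
    if action == "write":
        return u <= r   # Bell-LaPadula: no write down
    return False        # unknown actions are denied by default

# RBAC: permissions attach to roles, users only hold roles (constructed table).
ROLE_PERMS = {"Accountant": {("ledger", "read"), ("ledger", "write")},
              "Manager": {("ledger", "read")}}

def rbac_allows(user, res, action):
    return any((res.name, action) in ROLE_PERMS.get(role, set()) for role in user.roles)

def abac_allows(user, res, action, env):
    """ABAC: user, resource and environment attributes combined in one rule."""
    return (user.department == res.department   # user vs. resource attribute
            and action == "read"
            and 9 <= env["hour"] < 17)          # environment: business hours only
```

With a resource labelled Secret, an owner's `dac_share` to an Unclassified user makes `dac_allows` return True while `mac_allows` still denies the read, which is the difference between discretionary and mandatory control described above.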


Origin & History

Etymology

The term is a straightforward combination of 'access' (the ability to approach or use something) and 'control' (the power to influence or direct). It directly describes its function: controlling access to resources.

Historical Context

The concept of access control emerged in the 1960s with the advent of multi-user, time-sharing operating systems like Multics. In these early systems, it was crucial to prevent users from accessing or modifying each other's files and processes. Early models were often simple, based on user identities and file ownership, a precursor to what we now call Discretionary Access Control (DAC).

In the 1970s and 1980s, the U.S. Department of Defense drove the development of more rigid systems, leading to the formalization of Mandatory Access Control (MAC) models like Bell-LaPadula (for confidentiality) and Biba (for integrity). These were designed for high-security environments.

The 1990s saw the rise of Role-Based Access Control (RBAC) as a more flexible and scalable alternative for commercial and enterprise environments. RBAC simplified permission management by grouping users into roles, making administration much easier than managing individual permissions.

With the growth of the internet and distributed systems in the 2000s and beyond, access control evolved further with models like Attribute-Based Access Control (ABAC), which provides even more granular control based on attributes of the user, resource, and environment.


Usage Examples

1

The system administrator configured the access control list to ensure only the finance team could view the quarterly reports.

2

Implementing a robust access control policy, which includes strong authorization rules, is the first step in securing our cloud infrastructure.

3

Our new security model uses role-based access control, a form of permission management, to simplify user access and reduce administrative overhead.


Frequently Asked Questions

What are the three main types of access control models?

The three main types of access control models are:

  • Discretionary Access Control (DAC): The owner of the resource determines who has access and what privileges they have.

  • Mandatory Access Control (MAC): Access is determined by the system based on security labels assigned to subjects (users) and objects (resources), which cannot be changed by end-users.

  • Role-Based Access Control (RBAC): Access is granted based on the user's defined role within an organization, simplifying administration.

What is the difference between authentication and authorization in the context of access control?

Authentication is the process of verifying a user's identity to ensure they are who they claim to be (e.g., using a password or biometric scan). It answers the question, 'Who are you?'.

Authorization is the process that occurs after successful authentication. It determines what permissions an authenticated user has for a specific resource. It answers the question, 'What are you allowed to do?'. Access control encompasses both processes.


Categories

Security, Computer Science

Tags

security, authentication, authorization, information security, cybersecurity