Q&A What

What access control model allows the owner of the resources to define what users may access it?

Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise.

RBAC ensures employees access only information they need to do their jobs and prevents them from accessing information that doesn't pertain to them.

An employee's role in an organization determines the permissions that individual is granted and ensures lower-level employees can't access sensitive information or perform high-level tasks.

In the role-based access control data model, roles are based on several factors, including authorization, responsibility and job competency. As such, companies can designate whether a user is an end user, an administrator or a specialist user. In addition, access to computer resources can be limited to specific tasks, such as the ability to view, create or modify files.

Limiting network access is important for organizations that have many workers, employ contractors or permit access to third parties, like customers and vendors, which makes it difficult to monitor network access effectively. Companies that depend on RBAC are better able to secure their sensitive data and critical applications.

Benefits of RBAC

There are multiple benefits to using RBAC, including:

  • Improving operational efficiency. With RBAC, companies can decrease the need for paperwork and password changes when they hire new employees or switch the roles of existing employees. RBAC lets organizations quickly add and change roles, as well as implement them across platforms, operating systems (OSes) and applications. It also cuts down on the potential for error when assigning user permissions. Additionally, with RBAC, companies can more easily integrate third-party users into their networks by giving them predefined roles.
  • Enhancing compliance. Every organization must comply with local, state and federal regulations. Companies generally prefer to implement RBAC systems to meet the regulatory and statutory requirements for confidentiality and privacy because executives and IT departments can more effectively manage how the data is accessed and used. This is particularly important for financial institutions and healthcare companies that manage sensitive data.
  • Giving administrators increased visibility. RBAC gives network administrators and managers more visibility and oversight into the business, while also guaranteeing authorized users and guests on the system are only given access to what they need to do their jobs.
  • Reducing costs. By not allowing user access to certain processes and applications, companies may conserve or more cost-effectively use resources, such as network bandwidth, memory and storage.
  • Decreasing risk of breaches and data leakage. Implementing RBAC means restricting access to sensitive information, thus reducing the potential for data breaches or data leakage.

Best practices for role-based access control implementations

There are a number of best practices organizations should follow for implementing RBAC, including:

  • Determine the resources for which companies need to control access, if they're not already listed -- for instance, customer databases, email systems and contact management systems.
  • Analyze the workforce and establish roles that have the same access needs. However, don't create too many roles because that would defeat the purpose of role-based access control and create user-based access control instead. Some RBAC examples include a basic role that includes the access every employee needs, such as to email and the corporate intranet. Another role could be that of a customer service representative who would have read/write access to the customer database. Another role could be that of a customer database admin with full control of the customer database.
  • After creating a list of roles and their access rights, align the employees to those roles, and set their access.
  • Evaluate how roles can be changed, as well as how to close accounts for those leaving the company and how to register new employees.
  • Ensure RBAC is integrated across all systems throughout the company.
  • Conduct training so employees understand the principles of RBAC.
  • Periodicallyconduct audits of the roles, so the employees who are assigned to them and the access that's permitted for each role. If a role is found to have unnecessary access to a certain system, change the role and modify the access level.
Role-based access controls ensure employees only have access to the processes and programs necessary.

RBAC vs. ABAC

Role-based access control and attribute-based access control (ABAC) are both types of access control methods, but their approaches are different.

While RBAC grants access rights depending on the roles of users, ABAC controls access based on a combination of attributes, i.e., user attributes, resource attributes, attributes associated with the system or application to be accessed and environmental attributes.

User attributes may include name, nationality, organization, ID, role and security clearance. Examples of resource attributes include owner, name and data creation date, while environmental attributes include access location, time of access and threat levels.

In addition to simplifying access management, ABAC enables companies to reduce risks from unauthorized access and helps to centralize auditing.

Organizations should use RBAC for coarse-grained access control, such as giving all professors in a university access to Google for doing research or giving all contractors access to corporate email. On the other hand, companies should use ABAC for fine-grained access control or if they need to make decisions under specific conditions, e.g., giving professors access to Google only if they work in building X and teach freshman classes.

Access control is a security technique that regulates who or what can view or use resources in a computing environment. It is a fundamental concept in security that minimizes risk to the business or organization.

There are two types of access control: physical and logical. Physical access control limits access to campuses, buildings, rooms and physical IT assets. Logical access control limits connections to computer networks, system files and data.

To secure a facility, organizations use electronic access control systems that rely on user credentials, access card readers, auditing and reports to track employee access to restricted business locations and proprietary areas, such as data centers. Some of these systems incorporate access control panels to restrict entry to rooms and buildings, as well as alarms and lockdown capabilities, to prevent unauthorized access or operations.

Logical access control systems perform identification authentication and authorization of users and entities by evaluating required login credentials that can include passwords, personal identification numbers, biometric scans, security tokens or other authentication factors. Multifactor authentication (MFA), which requires two or more authentication factors, is often an important part of a layered defense to protect access control systems.

Why is access control important?

The goal of access control is to minimize the security risk of unauthorized access to physical and logical systems. Access control is a fundamental component of security compliance programs that ensures security technology and access control policies are in place to protect confidential information, such as customer data. Most organizations have infrastructure and procedures that limit access to networks, computer systems, applications, files and sensitive data, such as personally identifiable information and intellectual property.

Access control systems are complex and can be challenging to manage in dynamic IT environments that involve on-premises systems and cloud services. After high-profile breaches, technology vendors have shifted away from single sign-on systems to unified access management, which offers access controls for on-premises and cloud environments.

How access control works

Access controls identify an individual or entity, verify the person or application is who or what it claims to be, and authorizes the access level and set of actions associated with the username or IP address. Directory services and protocols, including Lightweight Directory Access Protocol and Security Assertion Markup Language, provide access controls for authenticating and authorizing users and entities and enabling them to connect to computer resources, such as distributed applications and web servers.

Organizations use different access control models depending on their compliance requirements and the security levels of IT they are trying to protect.

Types of access control

The main models of access control are the following:

  • Mandatory access control (MAC). This is a security model in which access rights are regulated by a central authority based on multiple levels of security. Often used in government and military environments, classifications are assigned to system resources and the operating system or security kernel. MAC grants or denies access to resource objects based on the information security clearance of the user or device. For example, Security-Enhanced Linux is an implementation of MAC on Linux.
  • Discretionary access control (DAC). This is an access control method in which owners or administrators of the protected system, data or resource set the policies defining who or what is authorized to access the resource. Many of these systems enable administrators to limit the propagation of access rights. A common criticism of DAC systems is a lack of centralized control.
  • Role-based access control (RBAC). This is a widely used access control mechanism that restricts access to computer resources based on individuals or groups with defined business functions -- e.g., executive level, engineer level 1, etc. -- rather than the identities of individual users. The role-based security model relies on a complex structure of role assignments, role authorizations and role permissions developed using role engineering to regulate employee access to systems. RBAC systems can be used to enforce MAC and DAC frameworks.
  • Rule-based access control. This is a security model in which the system administrator defines the rules that govern access to resource objects. These rules are often based on conditions, such as time of day or location. It is not uncommon to use some form of both rule-based access control and RBAC to enforce access policies and procedures.
  • Attribute-based access control. This is a methodology that manages access rights by evaluating a set of rules, policies and relationships using the attributes of users, systems and environmental conditions.

Implementing access control

Access control is integrated into an organization's IT environment. It can involve identity management and access management systems. These systems provide access control software, a user database and management tools for access control policies, auditing and enforcement.

When a user is added to an access management system, system administrators use an automated provisioning system to set up permissions based on access control frameworks, job responsibilities and workflows.

The best practice of least privilege restricts access to only resources that employees require to perform their immediate job functions.

Challenges of access control

Many of the challenges of access control stem from the highly distributed nature of modern IT. It is difficult to keep track of constantly evolving assets because they are spread out both physically and logically. Specific examples of challenges include the following:

  • dynamically managing distributed IT environments;
  • password fatigue;
  • compliance visibility through consistent reporting;
  • centralizing user directories and avoiding application-specific silos; and
  • data governance and visibility through consistent reporting.

Many traditional access control strategies -- which worked well in static environments where a company's computing assets were help on premises -- are ineffective in today's dispersed IT environments. Modern IT environments consist of multiple cloud-based and hybrid implementations, which spreads assets out over physical locations and over a variety of unique devices, and require dynamic access control strategies.

Organizations often struggle to understand the difference between authentication and authorization. Authentication is the process of verifying individuals are who they say they are using biometric identification and MFA. The distributed nature of assets gives organizations many avenues for authenticating an individual.

Authorization is the act of giving individuals the correct data access based on their authenticated identity. One example of where authorization often falls short is if an individual leaves a job but still has access to that company's assets. This creates security holes because the asset the individual used for work -- a smartphone with company software on it, for example -- is still connected to the company's internal infrastructure but is no longer monitored because the individual is no longer with the company. Left unchecked, this can cause major security problems for an organization. If the ex-employee's device were to be hacked, for example, the attacker could gain access to sensitive company data, change passwords or sell the employee's credentials or the company's data.

One solution to this problem is strict monitoring and reporting on who has access to protected resources so, when a change occurs, it can be immediately identified and access control lists and permissions can be updated to reflect the change.

Another often overlooked challenge of access control is user experience. If an access management technology is difficult to use, employees may use it incorrectly or circumvent it entirely, creating security holes and compliance gaps. If a reporting or monitoring application is difficult to use, the reporting may be compromised due to an employee mistake, which would result in a security gap because an important permissions change or security vulnerability went unreported.

Access control software

Many types of access control software and technology exist, and multiple components are often used together as part of a larger identity and access management (IAM) strategy. Software tools may be deployed on premises, in the cloud or both. They may focus primarily on a company's internal access management or outwardly on access management for customers. Types of access management software tools include the following:

Microsoft Active Directory is one example of software that includes most of the tools listed above in a single offering. Other IAM vendors with popular products include IBM, Idaptive and Okta.

Related Posts

What do you call ability to rapidly and accurately change direction of the whole body in space?
How long does it take a woman to fall in love
What is the smallest number by which 24300 must be divided so that the quotient is a perfect cube?
What time do the lakers game come on
What makes someone a Deadhead?
What happens to the magnitude of the force of gravitation between two objects if distance between two objects is tripled?
What is the purpose of an evidence hierarchy
What is 1 3 of a teaspoon
What are the most comfortable steel toe work boots
How long is STEM bug spray effective?

Toplist

Latest post

TAGs

Q&A What When Why Who How to Reviews Best Ways How long Step Deal Review Health Calories Game Guide Lose weight Top List Cryto Eth List Macbook Review Top