Access Control Methods: A Comprehensive Guide

Access control is a cornerstone of information security, protecting valuable data and assets by regulating who or what can access them. This includes both physical and digital spaces. Access control systems enforce these rules, supporting the fundamental principles of confidentiality, integrity, and availability.

There are various access control categories:

• Administrative controls: Policies, procedures, security awareness training
• Physical controls: Security cameras, guards, locked rooms.
• Technical controls: Encryption, smart cards, access control lists (ACLs).

Key access control models include:

• Mandatory Access Control (MAC): System-enforced permissions based on security labels.
• Discretionary Access Control (DAC): Object owners grant permissions.
• Role-Based Access Control (RBAC): Access determined by job function.

Other crucial aspects of access control are user access management (registration, privileges, passwords) and network/operating system controls. It's essential to regularly review and update access controls to mitigate risks and prevent unauthorized access.

Let Us Assess the Various Access Control Methods Discussed Below

As described by Peltier (2013), one of the fundamentals of information security is access control. Access control includes protecting valuable items and understanding to which people's data and items(s) receive access. Access controls are used for physical spaces and information, as Peltier (2013) points out. As Layton (2016) described, access controls are essential to information security strategy. Access controls support core security principles of confidentiality, integrity, and availability (CIA) by users having to identify themselves and confirm that they possess the credentials, rights, and privileges to access a system and its information. Access control systems, access control models, user access management, and network or operating systems access controls are the main areas that will be accessed.

Access control systems are implemented to confirm only approved individuals have access to information and remain intact and available when needed, as described by Peltier (2013). Access control systems can prevent the change of details by unapproved users, supply access and modification of information by certified users, and preserve the internal and external consistency of the data. Controls are implemented to prevent user access for some and not others. Controls assist in mitigating risk and reduce the potential for lost as Peltier (2013) points out. There are other ways to categorize controls by what they do described above; they are administrative, physical, and technical controls.

Administrative controls include policies and procedures, security awareness training, background investigations, and the review of time off. Understanding administrative controls can be beneficial in identifying insider threats.Physical controls include security cameras and guards and locking down sensitive rooms such as data centers.Technical controls include encryption methods, smart cards, and access control lists or ACLs. Technical controls protect information by restricting access to systems. These are the main access control models.

There are three primary access controls described by Peltier (2013): mandatory access control (MAC), discretionary access control (DAC), and role-based access control (R-BAC) or nondiscretionary access control. MAC is where a system policy grants permission.  The MAC is common where highly secure government or defense installations occur. Labels are given to data to address sensitivity.  Moreover, classifications are granted to users. Typically, clearances are required to enter an environment, and information is provided on a need-to-know basis. DAC, as described by Peltier (2013), is one of the most common access control models. Discretionary access is identity-based. With DAC, objects have an owner, and permissions are granted by the owner. Windows security model is an example of the DAC model. Ownership in Windows can be a group or an individual. Nondiscretionary access control or R-BAC is a control where a user is given access based on the job description or title in the organization. This type of access control model is suitable for a company where numerous personnel changes occur, as Peltier (2013) points out. R-BAC also works well where the organization has formalized job structures.

Another control needed is managing user access. Providers of user access must be sure authorized users have access to the system, and unauthorized users are disabled and kept out of the system, as Peltier (2013) points out. User access also includes user registration, privilege management, password management, and unattended user equipment. User registration is the process of account authorization. Management approval and review are normally needed before an account authorization can be approved.

Along with users authorized to use the system, they are often limited to certain file shares or files. This is known as privilege management and may also need management approval to before providing access to the user. Passwords normally have built-in strong password requirements. A policy should be in place that describes the password requirement and is normally enforced by the operating system password or application in use by the user. Unattended user's equipment that is not locked before leaving desk can become a security issue.

Network access and operating system controls, including cloud computing and remote network access to the organization, are a part of access control as described by Peltier (2013). The security team uses a series of tools to protect the internal network, such as firewalls, intrusion detection systems, and other technical solutions to protect network services. Network devices only need to run the services they need and turn off all others. Users access the network using network authentication, and networks are monitored for various issues, including port activity. One way networks can be secured, as Peltier (2013) points out, is by implementing network segmentation or subnets that allow traffic for specific areas of the organization. Then, if a network breach occurs in the subnet, other network parts will be unaffected. The networking and security teams complete the safe work between the organization's network and cloud computing networks.   Authentication methods are important for the organization to standardize. Use two-factor authentication within the company and out to other data centers such as the cloud. Operating system access control enables those authorized to access sensitive information on servers, and policies and procedures are developed and put in place to protect the information. Remote access to the organization's networks must be robust, using VPN or other encryption technologies to protect the company's internal systems.

There are many access controls. Some access controls are used each day of our lives such as locking car doors or house doors.Protecting information or physical property is important, but in some cases, policy, procedures or methods of securing data or property can be ignored and increase risk leading to an unwanted source breaking into the network or physical location. Having access controls in place and revisiting them regularly lowers the risk of breaches.

References

Layton, T. P. (2016). Information Security. Retrieved from https://www.taylorfrancis.com/books/mono/10.1201/9781420013412/information-security-timothy-layton

Peltier, T. R. (2013). Information Security Fundamentals, Second Edition, 2nd Edition. Retrieved from https://www.routledge.com/Information-Security-Fundamentals/Peltier/p/book/9781439810620