Access control is a data security process that enables organizations to manage who is authorized to access corporate data and resources. Secure access control uses policies that verify users are who they claim to be and ensures that each user is granted only the appropriate level of access.
Access control is used to verify the identity of users attempting to log in to digital resources. It is also crucial to helping organizations comply with various data privacy regulations.
Components of Access Control
Authentication
Authentication is the initial process of establishing the identity of a user. For example, when a user signs in to their email service or online banking account with a username and password combination, their identity has been authenticated. However, authentication alone is not sufficient to protect organizations’ data.
Authorization
Authorization adds an extra layer of security on top of the authentication process. It specifies access rights and privileges to resources in order to determine whether the authenticated user should be granted access to data or be allowed to make a specific transaction.
Access
Once a user has completed the authentication and authorization steps, their identity will be verified. This grants them access to the resource they are attempting to log in to.
Manage
Organizations can manage their access control system by adding and removing the authentication and authorization of their users and systems. Managing these systems can become complex in modern IT environments that comprise cloud services and on-premises systems.
Audit
Organizations can enforce the principle of least privilege through the access control audit process. This enables them to gather data around user activity and analyze that information to discover potential access violations.
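The five components above can be seen working together in a small program. The following is an added example, not code from the original post: a constructed user store holds salted password hashes (authentication data) and permission sets (authorization data); `access()` authenticates first and authorizes second, writing every decision to an audit log; the two audit functions then mine that log for repeated denials and for privileges that are held but never used, which is what the least-privilege review in the audit step looks for. User names, passwords and permission strings are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed user store for the example. Passwords are kept only as salted
# PBKDF2 hashes; the permission set is the authorization data checked after login.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _new_user(password: str, perms: set) -> dict:
    salt = secrets.token_bytes(16)          # random per-user salt
    return {"salt": salt, "pw": _hash_password(password, salt), "perms": perms}

USERS = {
    "alice": _new_user("correct horse", {"reports:read", "reports:write"}),
    "bob":   _new_user("battery staple", {"reports:read"}),
}

AUDIT_LOG: list = []   # every decision is recorded here for the audit step

def authenticate(username: str, password: str) -> bool:
    """Authentication: is the caller who they claim to be?"""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = _hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["pw"])   # constant-time compare

def authorize(username: str, permission: str) -> bool:
    """Authorization: does this identity hold the requested privilege?"""
    return permission in USERS.get(username, {}).get("perms", set())

def access(username: str, password: str, permission: str) -> str:
    """Access: authenticate first, then authorize; never the other way round.
    Returns 'granted', 'denied' (authenticated but not authorized) or 'auth_failed'."""
    if not authenticate(username, password):
        outcome = "auth_failed"
    elif not authorize(username, permission):
        outcome = "denied"
    else:
        outcome = "granted"
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": username, "permission": permission, "outcome": outcome,
    })
    return outcome

def audit_denials(log: list) -> dict:
    """Audit: count authenticated-but-denied requests per user. A user who keeps
    asking for privileges they do not hold is a potential access violation
    worth a closer look."""
    counts: dict = {}
    for entry in log:
        if entry["outcome"] == "denied":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts

def audit_unused_permissions(log: list) -> dict:
    """Least privilege: permissions each user holds but has never exercised,
    i.e. candidates for removal in the 'manage' step."""
    used: dict = {u: set() for u in USERS}
    for entry in log:
        if entry["outcome"] == "granted":
            used[entry["user"]].add(entry["permission"])
    return {u: USERS[u]["perms"] - used[u] for u in USERS}

if __name__ == "__main__":
    print(access("alice", "correct horse", "reports:write"))   # granted
    print(access("bob", "battery staple", "reports:write"))    # denied
    print(access("bob", "wrong password", "reports:read"))     # auth_failed
    print(audit_denials(AUDIT_LOG))                            # {'bob': 1}
    print(audit_unused_permissions(AUDIT_LOG))
```

The ordering inside `access()` matters: a failed login is recorded as `auth_failed` rather than `denied`, so the audit step can tell a guessed password apart from a legitimate user overreaching their privileges.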
Access control can be categorized as:
i. Physical Access Control: used to grant access to physical buildings and physical devices.
ii. Logical/Information Access Control: involves tools and protocols being used to identify, authenticate, and authorize users in computer systems. The access control system enforces measures for data, processes, programs, and systems.
Types of Access Controls
There are several types of access controls that organizations can implement. These include:
i. Attribute-based Access Control (ABAC)
ABAC provides access to users based on who they are rather than what they do. For example, the business unit they work in and how they were hired.
Attribute-based access control (ABAC) is an authorization system that defines access based on attributes associated with security principals, resources, and environment.
Attributes allow for an easier control structure because permissions can be based on the user’s type, location, department and so on, mirroring the physical aspects of the business.
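The three attribute sources named above (security principal, resource, environment) are easiest to see in a policy evaluator. This is an added example and not code from the original post; the departments, clearance scale, employment types and the specific policy rules are all constructed for illustration. Note that no rule names an individual user: change a person's department attribute and their access follows automatically, which is the "mirrors the business" property the text describes.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Subject:            # attributes of the security principal
    name: str
    department: str
    clearance: int        # constructed scale: 0 public .. 3 restricted
    employment: str       # "employee" or "contractor"

@dataclass(frozen=True)
class Resource:           # attributes of the object being accessed
    name: str
    owner_department: str
    classification: int   # same scale as clearance

@dataclass(frozen=True)
class Environment:        # attributes of the request context
    network: str          # "corp" or "internet"
    local_time: time

def abac_decide(subject: Subject, action: str, resource: Resource, env: Environment) -> tuple:
    """Evaluate the constructed ABAC policies; returns (permit, reason).
    Rules are checked in order and the first failing rule explains the denial."""
    if subject.department != resource.owner_department:
        return False, "department does not own the resource"
    if subject.clearance < resource.classification:
        return False, "clearance below classification"
    if action == "write" and subject.employment == "contractor":
        return False, "contractors have read-only access"
    if action == "write" and env.network != "corp":
        return False, "writes only from the corporate network"
    if resource.classification >= 3 and not time(8, 0) <= env.local_time <= time(18, 0):
        return False, "restricted data only during business hours"
    return True, "permit"

def demo_decisions() -> dict:
    """Constructed sample requests; returns {label: (permit, reason)}."""
    ledger = Resource("general-ledger", "finance", 2)
    payroll = Resource("payroll", "finance", 3)
    alice = Subject("alice", "finance", 3, "employee")
    carl = Subject("carl", "finance", 2, "contractor")
    dan = Subject("dan", "engineering", 3, "employee")
    office = Environment("corp", time(10, 30))
    home_night = Environment("internet", time(23, 15))
    return {
        "alice_writes_ledger_office": abac_decide(alice, "write", ledger, office),
        "alice_writes_ledger_home": abac_decide(alice, "write", ledger, home_night),
        "alice_reads_payroll_night": abac_decide(alice, "read", payroll, home_night),
        "carl_writes_ledger_office": abac_decide(carl, "write", ledger, office),
        "carl_reads_payroll_office": abac_decide(carl, "read", payroll, office),
        "dan_reads_ledger_office": abac_decide(dan, "read", ledger, office),
    }

if __name__ == "__main__":
    for label, decision in demo_decisions().items():
        print(f"{label:30s} -> {decision}")
```

Returning the failing rule's name alongside the boolean is a small design choice worth copying: a denial that explains itself is far easier to audit than a bare `False`.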
ii. Discretionary Access Control (DAC)
DAC models allow the data owner to decide access control by assigning access rights based on rules that users specify. When a user is granted access to a system, they can then provide access to other users as they see fit.
iii. Mandatory Access Control (MAC)
MAC places strict policies on individual users and the data, resources, and systems they want to access. The policies are managed by an organization’s administrator. Users are not able to alter, revoke, or set permissions.
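The difference between DAC and MAC is clearest when the two are placed side by side. The following is an added example, not code from the original post: in the discretionary store anyone who holds a right may pass it on, exactly as the DAC paragraph describes, so after two hops the owner no longer controls who can read the file; in the mandatory store only the administrator may set labels and clearances, and a user's attempt to raise their own clearance is refused. The read/write rules used for MAC (no read up, no write down) are the Bell-LaPadula rules, chosen here as the illustrative policy; the page itself does not name a specific MAC model. Object names, users and levels are constructed.

```python
class DACStore:
    """Discretionary: the object's owner decides who may access it, and anyone
    who has been granted a right may pass that right on to others."""

    def __init__(self):
        self.owner = {}   # object -> owner
        self.acl = {}     # object -> {user: set(rights)}

    def create(self, user, obj):
        self.owner[obj] = user
        self.acl[obj] = {user: {"read", "write"}}

    def grant(self, granter, grantee, obj, right):
        # A user can only pass on a right they themselves hold.
        if right not in self.acl.get(obj, {}).get(granter, set()):
            raise PermissionError(f"{granter} cannot grant {right} on {obj}")
        self.acl[obj].setdefault(grantee, set()).add(right)

    def can(self, user, obj, right):
        return right in self.acl.get(obj, {}).get(user, set())


LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

class MACStore:
    """Mandatory: labels and clearances are set by the administrator only.
    Read is allowed when clearance dominates the object's label ("no read up");
    write is allowed when the label dominates the clearance ("no write down")."""

    def __init__(self, admin):
        self.admin = admin
        self.clearance = {}   # user -> level
        self.label = {}       # object -> level

    def set_clearance(self, actor, user, level):
        if actor != self.admin:
            raise PermissionError(f"{actor} may not set clearances")
        self.clearance[user] = LEVELS[level]

    def set_label(self, actor, obj, level):
        if actor != self.admin:
            raise PermissionError(f"{actor} may not relabel objects")
        self.label[obj] = LEVELS[level]

    def can_read(self, user, obj):
        return user in self.clearance and self.clearance[user] >= self.label[obj]

    def can_write(self, user, obj):
        return user in self.clearance and self.label[obj] >= self.clearance[user]


def dac_demo() -> dict:
    """Constructed DAC scenario: delegation chains past the owner."""
    dac = DACStore()
    dac.create("alice", "budget.xlsx")
    dac.grant("alice", "bob", "budget.xlsx", "read")     # owner delegates
    dac.grant("bob", "carol", "budget.xlsx", "read")     # bob re-delegates: allowed in DAC
    try:
        dac.grant("bob", "carol", "budget.xlsx", "write")   # bob never held write
        bob_granted_write = True
    except PermissionError:
        bob_granted_write = False
    return {"carol_reads": dac.can("carol", "budget.xlsx", "read"),
            "bob_granted_write": bob_granted_write}

def mac_demo() -> dict:
    """Constructed MAC scenario: only the administrator sets policy."""
    mac = MACStore(admin="root")
    mac.set_clearance("root", "bob", "internal")
    mac.set_label("root", "payroll.db", "secret")
    mac.set_label("root", "intranet.html", "public")
    try:
        mac.set_clearance("bob", "bob", "secret")     # user tries to raise own clearance
        self_upgrade = True
    except PermissionError:
        self_upgrade = False
    return {"bob_reads_secret": mac.can_read("bob", "payroll.db"),
            "bob_reads_public": mac.can_read("bob", "intranet.html"),
            "bob_writes_public": mac.can_write("bob", "intranet.html"),
            "bob_writes_secret": mac.can_write("bob", "payroll.db"),
            "self_upgrade": self_upgrade}

if __name__ == "__main__":
    print(dac_demo())
    print(mac_demo())
```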
iv. Role-Based Access Control (RBAC)
RBAC creates permissions based on groups of users, roles that users hold, and actions that users take. Users are able to perform any action enabled for their role and cannot change the access control level they are assigned.
v. Rule-based Access Control
A rule-based approach sees a system admin define rules that govern access to corporate resources. These rules are typically built around conditions, such as the location or time of day that users access resources.
vi. Break-glass Access Control
Break-glass access control involves the creation of an emergency account that bypasses regular permissions. In the event of a critical emergency, the user is given immediate access to a system or account they would not usually be authorized to use.
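The last three types (RBAC, rule-based and break-glass) are often layered in one system, so a single example serves all three. This is an added example and not code from the original post. Permissions hang off roles and users hang off roles (RBAC, section iv); the sensitive permissions additionally carry admin-defined conditions on time of day and source network (rule-based, section v); and a break-glass path lets a named user bypass both checks during an emergency (section vi). The roles, permission strings, IP ranges, business-hours window and one-hour emergency window are all constructed. The requirement that break-glass activation carry a justification and an independent approver, and that every bypass be audited, is a common practice and not something the page specifies.

```python
from datetime import datetime, timedelta, timezone

# Constructed RBAC data: permissions hang off roles, users hang off roles.
ROLE_PERMISSIONS = {
    "viewer": {"ticket:read"},
    "agent":  {"ticket:read", "ticket:update"},
    "admin":  {"ticket:read", "ticket:update", "ticket:delete", "user:manage"},
}
USER_ROLES = {"alice": {"agent"}, "bob": {"viewer"}, "root": {"admin"}}

# Rule-based conditions layered on top of RBAC for the sensitive permissions.
def during_business_hours(ctx):
    return 8 <= ctx["now"].hour < 18

def from_office_network(ctx):
    return ctx["source_ip"].startswith("10.0.")   # constructed office range

PERMISSION_RULES = {
    "ticket:delete": [during_business_hours, from_office_network],
    "user:manage":   [from_office_network],
}

class BreakGlass:
    """Emergency access that bypasses the normal role and rule checks. It is
    time-boxed, needs a justification and a second person's approval, and
    every use is written to the audit log for later review."""
    def __init__(self):
        self.active = {}   # user -> (expires_at, justification, approver)

    def activate(self, user, justification, approver, now, ttl=timedelta(hours=1)):
        if not justification or approver == user:
            raise ValueError("break-glass needs a justification and an independent approver")
        self.active[user] = (now + ttl, justification, approver)

    def is_active(self, user, now):
        entry = self.active.get(user)
        return entry is not None and now < entry[0]

AUDIT = []

def check(user, permission, ctx, glass=None) -> str:
    """RBAC first, then the permission's rules; break-glass is the only bypass."""
    roles = USER_ROLES.get(user, set())
    perms = set().union(*(ROLE_PERMISSIONS[r] for r in roles))
    rules = PERMISSION_RULES.get(permission, [])
    if permission in perms and all(rule(ctx) for rule in rules):
        decision = "granted"
    elif glass is not None and glass.is_active(user, ctx["now"]):
        decision = "granted:break-glass"
    else:
        decision = "denied"
    AUDIT.append({"ts": ctx["now"].isoformat(), "user": user, "permission": permission,
                  "ip": ctx["source_ip"], "decision": decision})
    return decision

def demo() -> dict:
    """Constructed requests covering the three mechanisms; returns {label: decision}."""
    AUDIT.clear()
    office_day = {"now": datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc), "source_ip": "10.0.3.7"}
    office_night = {"now": datetime(2024, 3, 5, 23, 0, tzinfo=timezone.utc), "source_ip": "10.0.3.7"}
    remote_day = {"now": datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc), "source_ip": "203.0.113.9"}
    glass = BreakGlass()
    results = {
        "agent_updates": check("alice", "ticket:update", office_day),
        "viewer_updates": check("bob", "ticket:update", office_day),
        "admin_deletes_day": check("root", "ticket:delete", office_day),
        "admin_deletes_night": check("root", "ticket:delete", office_night),
        "admin_manages_remote": check("root", "user:manage", remote_day),
        "alice_deletes_before_glass": check("alice", "ticket:delete", office_night, glass),
    }
    glass.activate("alice", "INC-0001 (constructed): restore service after outage",
                   approver="bob", now=office_night["now"])
    results["alice_deletes_with_glass"] = check("alice", "ticket:delete", office_night, glass)
    later = {"now": office_night["now"] + timedelta(hours=2), "source_ip": "10.0.3.7"}
    results["alice_deletes_after_expiry"] = check("alice", "ticket:delete", later, glass)
    results["break_glass_audit_entries"] = sum(1 for e in AUDIT if e["decision"] == "granted:break-glass")
    return results

if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:28s} -> {decision}")
```

The break-glass decision is deliberately tagged `granted:break-glass` rather than plain `granted`, so the audit step can list every emergency bypass separately and confirm each one was justified and expired on time.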