Access control security is unarguably one of the essential aspects of information security. It is the means or method by which your business or any entity or organisation of interest can deny access to an object to subjects or entities not permitted specific access rights. Access control provides an organisational means to limit and control access permission to and by end-users and other interested entities to grant only approved and adequate access. This article discusses the basics of access controls, types and access control security, and examples.
By securing your information security access controls, you can construct systems and applications that can be used at any time with any size of user base or load – and only your users can get to the data they need, when and how they need it. How is this done? Through access control data security software.
What is access control?
Access control is a security mechanism by which an entity, such as an individual or system process, is allowed or disallowed access to a physical or logical resource. The term also refers to how this restriction is applied.
There are two types of access control, i.e. physical access control and logical access control. Access controls provide a means to control who can do, use, or see what can be applied at many different levels in any system or application.
What if there was a way to control who, when and how people can get into places to protect themselves from vandalism? Physical access control systems (PACS) are just that- designed for the sole purpose of restricting or allowing entrance. They’re often used at businesses to protect against theft, trespassing and other vandalism. If you have an area where higher levels of security are needed – such as hospitals with sensitive materials on-site – PACS might be your best bet!
Logical access controls tools to enforce security measures for the systems, applications, processes and information. These control methods can be implemented inside web and mobile applications, databases, operating systems, among other things, to protect them from unauthorised use. For cloud, an example would be Cloud Access Security Broker controls in place.
The most commonly recognised information security access control is the username and password combination. Some controls are straightforward, while others are complex, depending on the desired control that you seek to apply. But in modern software, controls are mostly structured and implemented within an application.
How does access control work?
Organisations often deploy an electronic control system to rely on access card readers and/or other factors of authentication such as biometrics to verify identity against an access control policy. Where we see a combination of controls deployed with multi-factor authentication mechanisms, it is an example of a defence in-depth approach.
There are multiple ways of authentication such as card reader access, password or personal identification number (PIN) on a keypad, fingerprint, biometrics usage or using access control software handling both authentication and authorisation.
Modern-day access control software verifies the identity of a person or a system (a computer or a mobile device), authorises the required access and in line with access control guidelines ensures logging of events for audit trails and incident response/digital forensics if needed.
Access control systems or mechanisms are required in every business because they provide for the entire security framework. Other elements of data security remain affected if the business did not apply controls correctly and appropriately. Every control required to be operational for your business must have security management and a design addressing the access control data security implementation.
Components of access control security
Your business must provide the necessary environment to secure your assets, and access to only authorised users or entities can be granted. These access control security mechanisms must be in place for each resource or asset that must be secured and protected and for each person and process authorised to obtain access rights. The following points discuss the main components of the access control system.
At the heart of every access control is the process of authentication – obtaining authenticated user identification and password information that has been validated. Another critical component of many access control systems is the process of authorisation, where the identity or element is verified based on available access to a specified object.
Authentication systems allow the organisation or company to confirm user identity by providing valid, legally acceptable identification information such as a unique employee id, access id, etc. Access is then granted based on the authentication and authorisation policy. On the other hand, authorisation requires valid information or identification. It requires an ongoing evaluation, which attributes determine the rights and privileges that the user should be given for the requested resource.
Change management and audit trails are important components ensuring records and critical help during the incident response process. This process records events around who has access, what access rights have been granted, which resources are accessed and when are all this happening/happened.
An access control system must be able to manage the authentication and authorisation of users and systems. On a higher level, an information security management system (ISMS) enables an organisation to evaluate, audit, and correct information, access, and other data security management processes, thereby keeping them running smoothly and correctly.
Why is access control security important?
Data security is crucial in our evolving IT environment. Data security access control (ACL security) is not a low-priority item on your long-term priorities. Access control refers to who can do what and when, end-to-end, and within a larger context; it is also about the process of obtaining, validating, and using that access information.
ACL security is a critical element of your security strategy when you are designing and implementing authentication and authorization controls.
Access control policy, systems and processes are more important with work from home and hybrid, multi-cloud environments handling varied resources, apps storing and processing sensitive data. Without a solid access control policy, organisations are exposed to physical and digital security risks leading to company data theft, leakage or insider attacks.
Before we address this question in technical terms, compliance and regulatory requirements often cite this as important requirements:
PCI DSS requirement 9 states that businesses should have sufficient controls to restrict physical access to cardholder data. It is defined as:
“Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted.”
PCI DSS requirement 10 ‘Track and monitor all access to network resources and cardholder data’ relates to logging and monitoring user activities that are important in preventing, detecting and minimizing the impact of a data compromise. Therefore, exercises such as PCI DSS penetration tests are often a business case assuring the PCI DSS scope. Similarly, ISO 27001, SOC2, GDPR and other regulations mandate secure access controls to protect data confidentiality, integrity, availability, and review of access control software and systems.
While the process may seem simple enough, ensuring accurate and appropriate access control is crucial for providing your company’s foundational security. Secure access controls are necessary for:
The first and most important reason for access control is to preserve confidentiality. While this might seem like a simple concept on the surface, the more you delve into confidentiality’s underlying requirements, the more complicated – yet, essential, the information to be protected becomes.
Confidentiality describes the concept or means by which information is not disclosed or revealed and protected from unauthorised users and entities. Ideally, the information that you want to protect is such that it is not directly available or assignable to any one individual user or entity. It is where the notion of group privileges comes into play.
- Restrict unauthorised access:
Another essential aspect of access control data security is ensuring that only authorised users can access or use the objects they are permitted to access. It is also critical that an unauthorised user or entity’s attempt or action to access protected information be contained and reduced.
An access control security solution can provide an increased security and reliability level over utilising only local access control options – such as physical locks or username and password combination. A multi-tiered system or mechanism will provide an increased security level to prevent unauthorised users from gaining access to company data.
- Eliminate key concerns:
Another fundamental consideration when considering access control and security mechanisms is that access control is a long-standing concept that will not go away anytime soon. Many emerging security concepts and technologies are replacing certain aspects of data security access control. However, the need to identify a specific user or entity, validate the credentials, and then provide specific access rights and privileges will continue to be part of the security management process for the foreseeable future.
- Prevent data interception:
While the solution may not always be as glamorous as the typical Hollywood thriller, controls also include a means to ensure that the accessing or using entity does not try to gain unauthorised access to the data they are attempting to use or access. All access must be collected and then processed to provide reliable or authorised service and prevent any sensitive information interception.
- Control data ownership & duplicates:
The ability to control data ownership provides a means to ensure that you have control and ownership of the data that has been created or entered – and that you are the only user for which you have the authority to control and change. Access controls significantly impact the processes in which your business can operate securely – and these controls can be put into place to reduce or eliminate data duplication.
What are the different types of Access Control?
The most widely used and common types of access control in cyber security are listed below. The underline of this concept remains following the principle of least privilege and default deny rule. These are also known as different access control models, known by their abbreviations MAC (Mandatory Access Control), DAC (Discretionary Access Control), RBAC (Role-based Access Control), ABAC (Attribute-based Access Control) and RB-RBAC.
Discretionary Access Control (DAC):
The term discretionary in this context means that it is up to either the company, the system, or the user to determine what access privileges will be granted for the user to be granted or denied access. Discretionary Access Control (DAC) is typically done with the use of access control lists – ACLs. Any given access control of this type may be implemented in a wide variety of ways depending on your specific access control requirement. There are no standards, but basically, there are the local or user-level access controls and the group-level access controls.
Mandatory Access Control:
Mandatory access control (MAC) is an implementation where all access requests are denied unless the requesting entity has established enough validated credentials to allow access. It is specifically for more sensitive or restricted information or resources such as government and military environments where access is restricted based on device or user’s security clearance.
Again, for mandatory access control (MAC), your access control requirement dictates the specific implementation and drills down to access rights that the central authority has granted. All other access requests must be denied.
Role-Based Access Control:
Role-based access control (RBAC) is an implementation where the user or entity must be associated with a specific role or job function. This typically means that access is granted based on the position or function the user is playing or filling. It is considered a more secure and best-controlled access control type because it is generally easy to group access privileges and period them into easily digestible components. This way, a single user will have several access privileges granted by their position in the organisation, function, team, or other logical entity.
Attribute-Based Access Control:
Attribute-based access control is an implementation where rights are granted by virtue or based on a third-party attribute or attribute base. Attribute-based access control (ABAC) is an internal access control model and not available for external access. This particular access control model is generally based on validating attributes such as a username, token, digital certificate, or role validation. It provides a more granular and specific approach to access control than most traditional access control models. Any violations of access control policy are generally logged as part of the logging and monitoring processes.
An example of an Attribute-based access control model (ABAC) would be an access control policy allowing only payroll team staff members to access the HR system during office hours within the HQ location timezone only.
Rule-based Access Control
This strategy manages user access rights on systems such as administrator-defined rules. These may be based on certain conditions such as date, time, location or days/months. Role-based and rule-based controls are used together in certain scenarios to ensure high security.
Break glass is another interesting control model where privileged account access bypasses normal access control procedures. It is similar to extending someone’s rights temporarily when other alternatives (normal process) are exhausted, such as helpdesk or support is unavailable, and the system admin is on leave. Break glass is normally the case where the user does not have privileged account access otherwise and is allowed in exceptional instances as defined by the organisation.
What does ACL mean in Computers?
Access control list or ACL is a list of permissions or permissions for a specific resource. Typically ACLs are applied on a file, directory, or network resource, though they also may be used at the process level. Access control security measures include access control lists, commonly written as ACLs, to maintain the integrity of a network or an environment.
An ACL can be a precise control that can be applied to the most in-depth and most granular level, or it can be as simple as you or your network management team need it to be. Control of access to resources is based on:
- Who has access to the network/system/application or resource: Most commonly, this is who is allowed on the network, though it could also be who is allowed to access software or resources in an application or system.
- The user or users can do with the resource accessed based on allocated privileges: This includes key functions such as modifying, viewing, writing, etc.
- What resource the user or users are accessing: This is typically associated with resources at the directory or file level – the file or directory they can access.
In this context, it’s important to note that access control generally has to be secure, and its specific location must be known. This is critical to the successful implementation of an access control security system.
What is the purpose of NAC?
Network Access Control (NAC) is a means by which network and system access is restricted based on the access control list. NAC provides a means to ensure that only authorised users or entities can access the network and its resources. It differentiates users based on the type of access they are allowed or denied. Any unauthorised users who try to access the network without proper validation and authorisation will be denied access.
Network NAC can be applied in various ways. It can be applied to the network, devices, or specific applications such as company email. Another use is to ensure employees connect to the relevant systems and networks in compliance with your company-provided security policies and rules. Depersonalised access control mechanisms and methods may be used to validate and authorise the proper access to the company data, network, email, and devices.
Network access control also provides a means by which access to other systems or applications within your business can be protected. Any unauthorised access can be successfully prevented or detected.
What are the three key activities performed by NAC?
Network access control can enforce authentication, authorisation, and accounting activities. All devices communicating with the network are required to complete these activities based on validating the user or other requesting entity credentials against the existing access control policies, rules and regulations.
- User Authentication:
Authentication is the process of obtaining user credentials or credentials for some entity or device. It is a means by which the validity of the identity of the requesting entity is established. The authentication process distinguishes entities, and port access privileges or policies are validated.
- User/Entity Authorisation:
When the network receives a request to access or connect, that request must be compared to the access control list for the resource or system. If the request passes the evaluation, then the network access is validated. If the request fails the evaluation, then access to the network is denied. It is an authorisation process whereby access is validated by comparing the requested access and the actual or granting access rules.
Accounting is the process by which the network access control system can provide data that depicts the user’s or entity’s access. This added accountability ensures that network and system resources are used appropriately.
With the current threat landscape and data significance, businesses can’t rely only on the perimeter firewall and anti-virus solutions. Defence in depth principle requires a layered approach towards security while balancing usability and other security elements to ensure cyber security returns.
Effective access controls should be applied to ensure authorised users have pain free access and unauthorised access attempts are logged, monitored and responded to in line with security policies. One of the methods to identify the gaps in your security strategy covering controls is third party validation exercises such as network penetration testing assessments that include reviews of key components such as authentication, authorisation, logging, monitoring. Get in touch to discuss your primary security concerns or discuss our access control security services. We offer a free consultation to help you make informed choices about your environment while providing flexibility and transparency around deliverables, costs and time frames.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.