What Type of Access Control Do I Need?
When it comes to secure access control, a lot of responsibility falls upon system administrators. These admins must properly configure access credentials – to give access to those who need it, and restrict those who don’t. Fortunately, there are diverse systems that can handle just about any access-related security task. Not only are there both on-premises and cloud-based access control systems available, but you can also fine-tune how access is actually dictated within these platforms.
The first step to choosing the correct system is understanding your property, business or organization. Assess how flexibly credentials need to be assigned and how much security is required. Then, determine the organizational structure and the potential for future expansion. With these factors in mind, IT and HR professionals can properly choose from four types of access control:
- Discretionary access control
- Mandatory access control
- Rule-based access control
- Role-based access control
This article explores the benefits and drawbacks of the four types of access control.
Rule-based vs. Role-based Access Control
Rule-based and role-based are two types of access control models. The two systems differ in how access is assigned to specific people in your building.
Note: Both rule-based and role-based access control are represented with the acronym “RBAC.” For simplicity, we will only discuss RBAC systems using their full names.
Rule-based Access Control
What is it?
Rule-based access control manages access to areas, devices, or databases according to a predetermined set of rules or access permissions, regardless of the requester's role or position in an organization.
How does it work?
In rule-based access control, an administrator sets the security system to allow entry based on preset criteria. For example, an administrator might set access hours to match the regular business day. In this instance, a person cannot gain entry into your building outside the hours of 9 a.m. – 5 p.m.
The steps in the rule-based access control are:
- Access rules are created by the system administrator.
- Rules are integrated throughout the access control system.
- A person exhibits their access credentials, such as a keyfob or mobile phone.
- The control mechanism checks their credentials against the access rules.
- The person is granted or denied access.
Benefits of rule-based access control
Detail and flexibility are the primary motivators for businesses to adopt rule-based access control.
For larger organizations, there may be value in having flexible access control policies. System administrators may restrict access to parts of the building only during certain days of the week.
The flexibility of access rights is a major benefit for rule-based access control.
Drawbacks of rule-based access control
The biggest drawback of rule-based access control is the amount of hands-on administrative work that these computer systems require. Because rules must be consistently monitored and changed, these systems can prove quite laborious or a bit more hands-on than some administrators wish to be.
Role-based Access Control
What is it?
Role-based access control systems, sometimes known as non-discretionary access control, are dictated by the different job titles within an organization. Simply put, access levels are created in conjunction with particular roles or departments, as opposed to other predefined rules. An example of role-based access control is a bank's security system that gives finance managers, but not the janitorial staff, access to the vault.
How does it work?
Role-based access control systems operate in a fashion very similar to rule-based systems. However, people’s job functions and specific roles in an organization, rather than rules developed by an administrator, are the driving details behind these systems.
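To make the contrast between the two models concrete, here is an added Python example (not from the original article) that evaluates the same badge read under both: a rule-based policy keyed on door, weekday and the 9 a.m. to 5 p.m. window described above, and a role-based policy keyed on job title. The doors, roles and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed example: one badge read at one door.
@dataclass
class Request:
    role: str
    door: str
    when: datetime

# Rule-based: rules describe the request (door, day, hour), never the person.
@dataclass
class Rule:
    door: str
    start_hour: int                               # inclusive, 24h clock
    end_hour: int                                 # exclusive
    weekdays: frozenset = frozenset(range(5))     # Mon..Fri unless overridden

    def allows(self, req: Request) -> bool:
        return (req.door == self.door
                and req.when.weekday() in self.weekdays
                and self.start_hour <= req.when.hour < self.end_hour)

# The administrator's rule set: vault on business hours, lobby every day 07-20.
RULES = [Rule("vault", 9, 17), Rule("lobby", 7, 20, frozenset(range(7)))]

def rule_based_decision(req: Request) -> bool:
    # Default deny: with no matching rule the door stays locked.
    return any(rule.allows(req) for rule in RULES)

# Role-based: the job title alone decides which doors open.
ROLE_DOORS = {
    "finance_manager": {"vault", "lobby"},
    "it_technician": {"server_room", "lobby"},
    "janitor": {"lobby", "storage"},
}

def role_based_decision(req: Request) -> bool:
    return req.door in ROLE_DOORS.get(req.role, set())

def badge_read(role: str, door: str, when_iso: str) -> dict:
    """Evaluate one badge read under both models and return both verdicts."""
    req = Request(role, door, datetime.fromisoformat(when_iso))
    return {"rule_based": rule_based_decision(req),
            "role_based": role_based_decision(req)}

if __name__ == "__main__":
    # A janitor at the vault on a Monday morning: rules admit anyone in the window.
    print(badge_read("janitor", "vault", "2024-03-04T10:00"))
```

The janitor case shows the difference the article draws: the rule-based model ignores who is asking, while the role-based model ignores when they ask.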
Benefits of role-based access control
By and large, end-users enjoy role-based access control systems due to their simplicity and ease of use.
Role-based access control systems are both centralized and comprehensive. In other words, the criteria used to give people access to your building are very clear and simple. For example, all IT technicians have the same level of access within your operation.
Because role-based access control systems operate with such clear parameters based on user accounts, they remove the ongoing administrator involvement that rule-based access control requires.
Drawbacks of role-based access control
The biggest drawback of these systems is the lack of customization. Because access is dictated solely by a user's role in the organization, these systems cannot account for the detailed access and flexibility required in highly dynamic business environments.
Other Types of Access Control to Consider
Discretionary Access Control
What is it?
Defined by the Trusted Computer System Evaluation Criteria (TCSEC), discretionary access control is “a means of restricting access to objects (areas) based on the identity of subjects and/or groups (employees) to which they belong.
The controls are discretionary in the sense that a subject with certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).”
In short, if a user has access to an area, they have total control. Users can share those spaces with others who might not need access to the space. An example is if Lazy Lilly, Administrative Assistant and professional slacker, is an end-user. She has access to the storage room with all the company snacks. She gives her colleague, Maple, the credentials. The problem is Maple is infamous for her sweet tooth and probably shouldn’t have these credentials. Goodbye company snacks.
How does it work?
To begin, system administrators set user privileges. But users with the privileges can share them with users without the privileges. With DAC, users can issue access to other users without administrator involvement.
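The delegation problem in the Lilly-and-Maple story can at least be audited. The following Python is an added example, not from the article: it models a constructed DAC grant log in which only "admin" provisions access directly, reports every subject who can reach an object and the chain that got them there, flags those whose access came through another user's discretion rather than from the administrator, and shows who would be affected when one user's grants are revoked.

```python
from collections import deque

# Constructed DAC grant log as (grantor, grantee, object). Only "admin"
# provisions access directly; every other row is user-to-user delegation.
GRANTS = [
    ("admin", "lilly", "snack_room"),
    ("lilly", "maple", "snack_room"),
    ("maple", "sam", "snack_room"),
    ("admin", "cfo", "vault"),
]

def holders(grants, obj, root="admin"):
    """Map every subject who ends up with access to obj to the delegation
    chain that got them there, starting from the administrator."""
    edges = {}
    for grantor, grantee, o in grants:
        if o == obj:
            edges.setdefault(grantor, []).append(grantee)
    reach = {}
    queue = deque([(root, (root,))])
    while queue:
        who, path = queue.popleft()
        for grantee in edges.get(who, []):
            if grantee not in reach:            # first (shortest) chain wins
                reach[grantee] = path + (grantee,)
                queue.append((grantee, reach[grantee]))
    return reach

def delegated_holders(grants, obj, root="admin"):
    """Subjects whose access never passed through the administrator's review:
    there is at least one user between root and them in the chain."""
    return {who: path for who, path in holders(grants, obj, root).items()
            if len(path) > 2}

def revoke_cascade(grants, obj, subject, root="admin"):
    """Subjects whose only route to obj runs through subject's delegations.
    When subject's access is reviewed, these grants must be revoked as well."""
    before = set(holders(grants, obj, root))
    pruned = [g for g in grants if not (g[0] == subject and g[2] == obj)]
    after = set(holders(pruned, obj, root))
    return before - after

if __name__ == "__main__":
    for who, chain in delegated_holders(GRANTS, "snack_room").items():
        print(who, "reached snack_room via", " -> ".join(chain))
```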
Benefits of discretionary access control
DAC systems are easier to manage than MAC systems (see below) because they rely less on administrators. Consequently, DAC systems provide more flexibility and allow for quick changes.
Drawbacks of discretionary access control
The end-user receives complete control to set security permissions. This inherently makes it less secure than other systems. Since the administrator does not control all object access, permissions may get set incorrectly (e.g., Lazy Lilly giving the permissions to everyone). Worst case scenario: a breach of information…or a depleted supply of company snacks.
Mandatory Access Control
What is it?
If discretionary access control is the laissez-faire, every-user-shares-with-every-other-user model, mandatory access control (MAC) is the strict, suit-and-tie-wearing sibling.
In a MAC system, an operating system provides individual users with access based on data confidentiality and levels of user clearance. MAC is the strictest of all models. Access is granted on a strict, need-to-know basis. Users must prove they need the requested information or access before gaining permission.
Organizations requiring a high level of security, such as the military or government, typically employ MAC systems. These systems safeguard the most confidential data. Consequently, they require the greatest amount of administrative work and granular planning.
How does it work?
Administrators manually assign access to users, and the operating system enforces the privileges. Upon implementation, a system administrator configures access policies and defines security permissions by attaching security labels to users and to the data they may access. Each label contains two pieces of information: a classification (e.g., “top secret”) and a category (e.g., “management”).
Benefits of mandatory access control
MAC offers a high level of data protection and security in an access control system. Administrators set everything manually. Further, these systems are immune to Trojan horse attacks: since users can't declassify data or share access, neither can a malicious program running with a user's privileges.
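As an added illustration (not the article's own), the Python below models the labels described under “How does it work?” and the reasoning behind the Trojan horse claim: each user clearance and each object label carries a classification and a category set, the system grants reads only when the clearance dominates the label, refuses writes that would move data to a lower label, and lets only the administrator relabel anything. Names, levels and categories are constructed.

```python
from dataclasses import dataclass

# Constructed ordering of classification levels; categories are an unordered set.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class Label:
    classification: str
    categories: frozenset

    def dominates(self, other: "Label") -> bool:
        # Equal-or-higher level AND every category of the other label.
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and self.categories >= other.categories)

# Constructed clearances (users) and labels (objects); only "admin" sets them.
CLEARANCES = {
    "alice": Label("top secret", frozenset({"management", "finance"})),
    "bob": Label("confidential", frozenset({"management"})),
}
OBJECTS = {
    "budget_memo": Label("secret", frozenset({"management"})),
    "cafeteria_menu": Label("unclassified", frozenset()),
}

def can_read(user: str, obj: str) -> bool:
    # "No read up": the clearance must dominate the object's label.
    return CLEARANCES[user].dominates(OBJECTS[obj])

def can_write(user: str, obj: str) -> bool:
    # "No write down": the object's label must dominate the clearance, so a
    # Trojan horse running as alice cannot copy secret text into an
    # unclassified file. This is what lets the model resist such attacks.
    return OBJECTS[obj].dominates(CLEARANCES[user])

def relabel(actor: str, obj: str, new_label: Label) -> None:
    # Security attributes are set manually by the administrator; a user's
    # request is refused even for data the user created.
    if actor != "admin":
        raise PermissionError(f"{actor} may not change security attributes")
    OBJECTS[obj] = new_label

def attempt_declassify(actor: str, obj: str) -> bool:
    """Try to mark obj unclassified as actor; True only if the system allowed it."""
    try:
        relabel(actor, obj, Label("unclassified", frozenset()))
        return True
    except PermissionError:
        return False
```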
Drawbacks of mandatory access control
Regular users can't alter security attributes, even for data they've created, which may feel like the proverbial double-edged sword. On one side, not having permission to alter security attributes minimizes the risk of data sharing, so provisioning the wrong person is unlikely. On the other, making a legitimate change is complex and requires more time and labor from administrators than in a DAC system. MAC does not scale automatically, meaning that if a company expands, more manual work will be necessary.
Smart, Cloud-based Access Control for Enterprises Everywhere
In today’s highly advanced business world, there are technological solutions to just about any security problem. For building security, cloud-based access control systems are gaining immense popularity with businesses and organizations alike. API integrations, increased data security, and flexible IT infrastructure are among the most popular features of cloud-based access control.
Genea’s cloud-based access control systems afford the perfect balance of security and convenience. Learn firsthand how our platform can benefit your operation.