Controlling how network resources are accessed is paramount to protecting private and confidential information from unauthorized users. The types of access control mechanisms available for information technology initiatives today continue to increase at a breakneck pace. Most access control methodologies are based on the same underlying principles. If you understand the underlying concepts and principles, you can apply this understanding to new products and technologies and shorten the learning curve so you can keep pace with new technology initiatives.
Access control devices properly identify people, and verify their identity through an authentication process so they can be held accountable for their actions. Good access control systems record and timestamp all communications and transactions so that access to systems and information can be audited at later dates.
Reputable access control systems all provide authentication, authorization, and administration. Authentication is a process in which users are challenged for identity credentials so that it is possible to verify that they are who they say they are. Once a user has been authenticated, authorization determines what resources a user is allowed to access. A user can be authenticated to a network domain, but only be authorized to access one system or file within that domain. Administration refers to the ability to add, delete, and modify user accounts and user account privileges.
Access Control Objectives
The primary objective of access control is to preserve and protect the confidentiality, integrity, and availability of information, systems, and resources. Many people confuse confidentiality with integrity. Confidentiality refers to the assurance that only authorized individuals are able to view and access data and systems. Integrity refers to protecting the data from unauthorized modification. You can have confidentiality without integrity and vice versa. It’s important that only the right people have access to the data, but it’s also important that the data is the right data, and not data that has been modified either accidentally or on purpose.
Availability is certainly less confusing than confidentiality or integrity. While data and resources need to be secure, they also need to be accessible and available in a timely manner. If you have to open 10 locked safes to obtain a piece of data, the data is not very available in a timely fashion. While availability may seem obvious, it is important to acknowledge that it is a goal so that security is not overdone to the point where the data is of no use to anyone.
Types of Access Control
Discretionary access control systems allow the owner of the information to decide who can read, write, and execute a particular file or service. When users create and modify files in their own home directories, their ability to do this is because they have been granted discretionary access control over the files that they own. On end-user laptops and desktops, discretionary access control systems are prevalent.
Mandatory access control systems do not allow the creator of the information to govern who can access or modify it. Administrators and overseeing authorities pre-determine who can access and modify data, systems, and resources. Mandatory access control systems are commonly used in military installations, in financial institutions, and, because of the new HIPAA privacy laws, in medical institutions as well.
Role-based access control systems allow users to access systems, information, and resources based on their role within the organization. Role-based access can be applied to groups of people or to individuals. For example, you can allow everyone in a group named sysadmin access to privileged resources.
Rule-based access control systems allow users to access systems and information based on pre-determined and configured rules. Rules can be established that allow access to all end-users coming from a particular domain, host, network, or IP address. If an employee changes their role within the organization, their existing authentication credentials remain in effect and do not need to be re-configured. Using rules in conjunction with roles adds greater flexibility because rules can be applied to people, as well as devices.
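The sketch below shows how a role grant and a source-network rule combine into a single authorization decision, with a timestamped audit record written for every request. It is an added example, not part of the original article; the users, resource names, network range, and function name are constructed assumptions (only the sysadmin role name comes from the text above).

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample policy (assumptions for illustration only).
USER_ROLES = {"alice": {"sysadmin", "staff"}, "bob": {"staff"}}
ROLE_GRANTS = {  # role -> resource -> permitted actions
    "sysadmin": {"privileged-console": {"read", "write", "execute"}},
    "staff": {"hr-portal": {"read"}},
}
# Rule-based layer: resource -> networks a request must originate from.
# A resource with no entry has no source restriction.
SOURCE_RULES = {"privileged-console": [ipaddress.ip_network("10.20.0.0/24")]}
AUDIT_LOG = []  # in practice an append-only, access-monitored store


def decide(user, resource, action, source_ip):
    """Authorize an already-authenticated user: role grant AND source rule."""
    roles = USER_ROLES.get(user, set())
    role_ok = any(
        action in ROLE_GRANTS.get(role, {}).get(resource, set()) for role in roles
    )
    nets = SOURCE_RULES.get(resource)
    try:
        addr = ipaddress.ip_address(source_ip)
        rule_ok = nets is None or any(addr in net for net in nets)
    except ValueError:
        rule_ok = False  # malformed source address: fail closed
    allowed = role_ok and rule_ok
    if allowed:
        reason = "ok"
    elif not role_ok:
        reason = "no-role-grant"
    else:
        reason = "source-rule"
    # Record denials as well as grants so the decision can be audited later.
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "resource": resource, "action": action,
        "source": source_ip, "allowed": allowed, "reason": reason,
    })
    return allowed
```

Changing an entry in USER_ROLES changes what a user is authorized to do without touching their authentication credentials, which is the separation the paragraph above describes.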
Understanding the basics of access controls is good preparation for a variety of information technology initiatives including:
- Shopping for new access control products
- Developing an information security budget
- Writing access control and authentication security policies
- Evaluating and deploying single sign-on technologies
- Configuring authentication services
- Architecting data classification schemes
- Preparing to perform an information technology audit
- Getting ready for certification and accreditation initiatives
All organizations should have their access control configurations and policies well documented and available for upper management review as part of their security systems. Keep in mind that access control configurations and policies would by their very nature contain sensitive information, so the documentation should be stored securely, and its access should be monitored.