One of the most integral aspects of computer security is access control models. It is through these models that we define how users interact with organizational computing resources.
They provide a permissible structure for controlling access to systems, and applications, and uphold the CIA triad by ensuring confidentiality, integrity, and availability of information with comprehensive certainty.
Through the contents of this article, we will be able to get a better understanding of control models, including mandatory access control, discretionary access control, and attribute-based access control. Alongside this, we will also weigh each of their pros and cons.
Mandatory Access Control (MAC)
Mandatory access control is a security model that restricts one’s access to resources based on a scale of the sensitivity of the information that is being requested. It is generally put to use in high-security domains such as the military, government, and financial agencies. In this system, It is the administrator that holds the authority to make access control decisions rather than the user.
MAC assigns security labels to users and resources. These labels contain key information regarding the classification levels of the resource and thus help with the segregation and control of assets. Access is only granted to users whose clearance stature exceeds or matches the security label of said resource.
Thus, it can be said that a key feature of the MAC is that it operates on a need-to-know basis. However, MAC systems are highly complex and are difficult to manage and implement in organizations with dense and dynamic environments.
on Discretionary Access Control (DAC)
Discretionary Access Control is a more root-level system that involves users in the decision-making process as to who may gain access to resources.
Here, users are assigned ownership of assets and are responsible for granting or denying access to other users. It is commonly used in smaller organizations where users are more likely to hold a personal stake in the resources they are given permission to manage.
These systems used Access Control Lists(ACL), which specify which groups or individuals are allowed what type of access and to which resource.
What gives DAC an edge, is that it is easy to control and implement, as users are solely responsible for managing their assets and their respective permissions. However, this approach can also lead to general confusion, insubordination, and inconsistent policies in security. Thus it is not suitable for high-level discretion and organizations that require this.
Role-Based Access Control(RBAC)
Role-based access control is a security model that grants access to users based on their corresponding roles within an organization. It is in this system that users are assigned roles based on what their job responsibilities entail. It is usually used in larger organizations, wherein users have varied responsibilities and access demands.
The upside to RBAC is that it encompasses a slightly more granular level of access control in comparison to DAC, as access is granted based on the user's role rather than their designation.
However, RBAC systems are harder to manage and implement in organizations with seemingly turbulent workforces.
Attribute-Based Access Control(ABAC)
Attribute-based access control is a security model that grants access based on the characteristics of the person and the resource. An ABAC system bases access choices on a set of rules that consider a number of factors, including the user's location, the time of day, their job title, and their clearance level.
Policies are used by ABAC systems to define the guidelines for giving access based on attributes. A policy enforcement point (PEP) makes access choices by comparing the user's attributes and the resource's attributes to the policies.
Which is the best option?
In cases like these micro-managing and nitpicking information and individuals who have access to it can be very cumbersome. However strongly a system of structure is implemented there will always be underlying gaps in infrastructure or mistakes induced by human error. It is an established balance that would allow organizational prowess to come forth while maintaining utmost discretion when required, which is the essence of these methods.
Discretionary Access control appears to be a middle ground satisfying these terms as it that offers versatility in regards to who can assign permissions to users without the admin's consent.
However, it is important to note that caution must be taken by enforcing security policies before implementation.