What are the 5 access control models?

05 Feb.,2024

 

With most organizations migrating to the cloud, access control is becoming increasingly complex with the need for both on-premise and cloud solutions. Whether located across the world remotely or on-prem, employees need access to do their jobs.

When employees don’t have the appropriate level of access to read and/or modify information, such as documents, slides, and other files on a network drive, business is impeded and the results can be drastic.

This can happen at the most inconvenient time, and users quickly need a system administrator to grant the appropriate levels of privileges.

So, why they can’t just have overall access to the information in a folder?

Usually, employees and users end up asking why they can’t just have overall access to the information in a folder so they can sort through the items and find what they need. Unfortunately for the users, the system admin's answer could be along the lines of, “Sorry, you need to submit a ticket before we can grant you the level of access you need.”

This response leads to more frustration as the user needs to get on with their task and all they need is access to one folder. So now what? As inconvenient as it may be, there are reasons why access control comes into play for a scenario like this, particularly from a cybersecurity point of view. Below, I will define access control and talk about the 4 access control models. I will also describe the methods of logical access control and explain the different types of physical access control.

Types of access control

Access control and access control models

Access Control Models allow organizations to grant user permissions and enforce access policies. There are four types of access control methods: Mandatory Access Control (MAC), Role-Based Access Control (RBAC), Discretionary Access Control (DAC), and Rule-Based Access Control (RBAC or RB-RBAC). A method is chosen based on the level of access needed by each user, security requirement, infrastructure, etc.

Simply put, this is the access control process:

  • identifying a person doing a specific job
  • authenticating them by looking at their identification
  • granting a person only the key to the door or computer that they need access to and nothing more

In information security, one would look at this as:

  • granting an individual permission to get onto a network via a username and password
  • allowing them access to files, computers, or other hardware or software they need
  • ensuring they have the right level of permission to do their job

So, how does one grant the right level of permission to an individual so that they can perform their duties? This is where access control models come into the picture.

Access control models have four flavors:

Mandatory Access Control (MAC)

Role-Based Access Control (RBAC)

Discretionary Access Control (DAC)

Rule-Based Access Control (RBAC or RB-RBAC)

Let’s look at each of these and what they entail

1. The Mandatory Access Control, or MAC, model gives only the owner and custodian management of the access controls. This means the end-user has no control over any settings that provide any privileges to anyone. Now, there are two security models associated with MAC: Biba and Bell-LaPadula.

The Biba model is focused on the integrity of information, whereas the Bell-LaPadula model is focused on the confidentiality of information. Biba is a setup where a user with low-level clearance can read higher-level information (called “read up”) and a user with high-level clearance can write for lower levels of clearance (called “write down”). The Biba model is typically utilized in businesses where employees at lower levels can read higher-level information and executives can write to inform the lower-level employees.

Bell-LaPadula, on the other hand, is a setup where a user at a higher level (i.e. Top Secret) can only write at that level and no lower (called “write up”), but can also read at lower levels (called “read down”). Bell-LaPadula was developed for governmental and/or military purposes where if one does not have the correct clearance level and does not need to know certain information, they have no business with the information.

At one time, MAC was associated with a numbering system that would assign a level number to files and level numbers to employees. This system made it so that if a file (i.e. myfile.ppt) had is level 400, another file (i.e. yourfile.docx) is level 600 and the employee had a level of 500, the employee would not be able to access “yourfile.docx” due to the higher level (600) associated with the file.

MAC is the highest access control there is and is utilized in military and/or government settings utilizing the classifications of Classified, Secret, and Unclassified in place of the numbering system previously mentioned.

2. The Role-Based Access Control, or RBAC, model provides access control based on the position an individual fills in an organization. So, instead of assigning Alice permissions as a security manager, the position of security manager already has permissions assigned to it. In essence, Alice would just need access to the security manager profile.

RBAC makes life easier for the system administrator of the organization. The big issue with this access control model is that if Alice requires access to other files, there has to be another way to do it since the roles are only associated with the position; otherwise, security managers from other organizations could possibly get access to files for which they are unauthorized.

3. The Discretionary Access Control, or DAC, model is the least restrictive model compared to the most restrictive MAC model. DAC allows an individual complete control over any objects they own along with the programs associated with those objects.

This gives DAC two major weaknesses. First, it gives the end-user complete control to set security level settings for other users which could result in users having higher privileges than they’re supposed to. Secondly, and worse, the permissions that the end-user has are inherited into other programs they execute. This means the end-user can execute malware without knowing it and the malware could take advantage of the potentially high-level privileges the end-user possesses.

4. The fourth and final access control model is Rule-Based Access Control, also with the acronym RBAC or RB-RBAC. Rule-Based Access Control will dynamically assign roles to users based on criteria defined by the custodian or system administrator. For example, if someone is only allowed access to files during certain hours of the day, Rule-Based Access Control would be the tool of choice.

The additional “rules” of Rule-Based Access Control requiring implementation may need to be “programmed” into the network by the custodian or system administrator in the form of code versus “checking the box.”

Now that I have covered access control and its models, let's look at how they are logically implemented.

Logical access control methods

Logical access control is done via access control lists (ACLs), group policies, passwords, and account restrictions. We will take a look at each of these to see how they provide controlled access to resources.

Access Control Lists (ACLs) are permissions attached to an object (i.e. spreadsheet file) that a system will check to allow or deny control to that object. These permissions range from full control to read-only to “access denied.” When it comes to the various operating systems (i.e. Windows®, Linux, Mac OS X®), the entries in the ACLs are named “access control entry,” or ACE, and are configured via four pieces of information: a security identifier (SID), an access mask, a flag for operations that can be performed on the object, and another set of flags to determine inherited permissions of the object. So, as one can see, ACLs provide detailed access control for objects. However, they can become cumbersome when changes occur frequently, and one needs to manage many objects.

Read about Privilege Escalation on Windows or Privilege Escalation on Linux.

Group policies are part of the Windows® environment and allow for centralized management of access control to a network of computers utilizing the directory services of Microsoft called Active Directory. This eliminates the need to go to each computer and configure access control. These settings are stored in Group Policy Objects (GPOs) which make it convenient for the system administrator to be able to configure settings. Although convenient, a determined cybercriminal can get around these group policies and make life miserable for the system administrator or custodian.

Passwords are “the most common logical access control, sometimes referred to as a logical token” (Ciampa, 2009). Passwords need to be tough to hack in order to provide an essential level of access control. If one makes the password easy to guess or uses a word in the dictionary, they can be subject to brute-force attacks, dictionary attacks, or other attacks using rainbow tables.

Keeping this in mind, experts agree that the longer the password is, the harder it is to crack, provided the user remembers it and used many different characters and non-keyboard type characters in creating it. Utilizing this concept also makes it more difficult for a cybercriminal to crack the password with the use of rainbow tables.

In addition, ensuring patches are accomplished regularly, deleting, or disabling unnecessary accounts, making the BIOS password-protected, ensuring the computer only boots from the hard drive, and keeping your door locked with your computer behind it will help ensure your passwords are protected.

Of course, not writing down the password will help, too.

If you want to learn more about how to improve your cybersecurity defenses beyond passwords, take a look at this PDF: Beyond Password Managers.

Pinpoint risky stored passwords in minutes

Our free Browser-Stored Discovery Tool for those sneaky passwords.

Get the Tool

 

Account restrictions are the last logical access control method in the list. Ciampa points out, “The two most common account restrictions are time-of-day restrictions and account expiration” (Ciampa, 2009). Time of day restrictions can ensure that a user has access to certain records only during certain hours. This would make it so that administrators could update records at night without interference from other users. Account expirations are needed to ensure unused accounts are no longer available so cybercriminals cannot possibly utilize them for any “dirty work.”

Types of physical access control

Physical access control is utilizing physical barriers which can help prevent unauthorized users from accessing systems. It also allows authorized users to access systems keeping physical security in mind. This type of control includes keeping the computer secure by securing the door which provides access to the system; using a paper access log; performing video surveillance with closed-circuit television; and in extreme situations, having “mantraps.”

Securing the computer consists of disabling hardware so that if a bad guy were to gain access, they can’t do any damage to the computer due to disabled USB ports, CD or DVD drives, or even a password-protected BIOS. Again, this just reduces the risk of malicious code being loaded onto the system and possibly spreading to other parts of a network.

Door security can be very basic or it can utilize electronic devices such as keyed dead-bolt locks on the door, cipher locks, or physical tokens. A keyed dead-bolt lock is the same as one would use for a house lock. The cipher lock only allows access if one knows the code to unlock the door. Physical tokens will typically consist of an ID badge which can either be swiped for access, or they may instead contain a radio frequency identification tag (RFID) that contains information on it identifying the individual needing access to the door.

Paper access logs are common in many places for physical security. This allows a company to log a person in with name, company, phone number, time in, and time out. It can also document the employee who escorted the person during the time they were there. Paper access logs, filled out accurately, will complement video surveillance.

Video surveillance on closed-circuit television allows for the recording of people who pass through a security checkpoint. This type of door security allows one to observe the individuals going through the checkpoint, as well as the date and time, which can be useful when trying to catch bad guys. Video surveillance can also be utilized in mantraps.

Mantraps take door security to another level. This type of security can be seen in military and government settings, among others when entering very high-security areas. A person will present their identification to the security attendant and the attendant will allow the person to enter the first door into a room. Only if the individual’s identification credentials are valid will they be allowed to pass through the room and go through the second door; if not, mantrap! They can only get out of the room by going back through the first door they came in.

In summary, I presented a definition of access control and discussed the 4 access control models. Additionally, I described the logical access control methods and explained the different types of physical access control.

Remember, no access control model or method is perfect. However, if one does something to deter an attacker, they can count that as a success in information security practice.

References: Ciampa, Mark. (2009). Security+ Guide to Network Security Fundamentals Third Edition. Boston, MA.

FREE EBOOK


Privileged Access Management For Dummies

Get smart about Privileged Account password security with this quick read.

Download Ebook

 

 

When it comes to controlling access to your property, there’s no one access system that benefits everybody. Different access control models come with a variety of features and technology. The usefulness of any one of these models depends on your unique property and the levels of access that you wish to manage.

In this guide, we’ll steer you toward the best access control system model that works for you. First, we’ll cover what access control is. Next, we’ll review the four main types of access control, followed by four less common ones. Lastly, we’ll explore the best access control model.

This post covers:

 

 

What is access control?

Access control is the act of maintaining building security by strategically controlling who can access your property and when. Access control can be as simple as a door with a lock on it or as complex as a video intercom, biometric eyeball scanners, and a metal detector. Access control allows you to manage who enters your property and at which time they are allowed to do so.

 

What are access control models?

The access control models covered in this post all feature electronic hardware that controls access to a property using technology. Models are distinguished by the user permissions they allow.

Some types of access control in security are more strict than others and are more suitable for commercial properties and businesses. Other models are better suited for buildings that receive a high volume of visitors. Some basic access control models are better for buildings with low traffic.

Reminder: While looking elsewhere on the web, you may learn about different types of access control models or alternate definitions for the models that we list below. This is because there are two categories of access control models: models that benefit physical properties and models used to set software permissions for accessing digital files.

While there are some interesting connections to be made here, they actually have very little to do with each other. This is especially true when it comes to finding the right physical access control system for your property.

 

 

What are the 4 main access control models?

There are 4 types of access control models that you will commonly see across a variety of properties. Keep in mind that some models are exclusively used for commercial properties.

The 4 main access control models are:

 

1. Discretionary access control (DAC)

The discretionary access control model is one of least restrictive access control models. It allows for multiple administrators to control access to a property. This is especially convenient for residential properties or businesses with multiple managers.

Pro:

  • This model is straightforward to use and makes it easy to assign access to users.

Con:

  • This model can lead to confusion if the multiple administrators don’t communicate properly about who does and doesn’t have access.

 

2. Mandatory access control (MAC)

Mandatory access control stands as a complete alternative to discretionary access control. This access control design is best used for businesses that emphasize security and confidentiality. As a result, this model features only one system administrator.

The system administrator cannot be overridden or bypassed, and they determine who is granted access to a property. Government facilities primarily use mandatory access control models.

Pro:

  • One system administrator in charge can lead to a more organized database of users with access to the property.

Con:

  • Having one person in charge can lead to a slower approval process when somebody new needs access.

 

 

3. Role-based access control (RBAC)

The role-based model is also known as non-discretionary access control. This model assigns every user a specific role that has unique access permissions. System administrators have the ability to assign user roles and manage access for each role.

This type of access control model benefits both residential and commercial properties.

For residential properties, residents tend to move in and out of a building depending on the terms of their lease. This model makes it easy to give new residents access permissions while revoking access for prior tenants.

For commercial properties, different levels of access can be granted based on an employee’s job title. A server room, for example, can be restricted to computer engineers. If a computer engineer switches over to a different team, their access to the server room can be easily revoked.

There are only positives with a role-based access control system unless your property would benefit from specific criteria that define the other three access control models.

 

Learn how ButterflyMX works:

 

4. Rule-based access control (RuBAC)

Rule-based access control features an algorithm that changes a user’s access permissions based on a number of qualifying factors such as the time of day.

An example of rule-based access control is adjusting access permissions for an amenity such as a pool or gym that’s only open during daylight hours.

Another example is an office that’s only accessible to certain users during business hours. In this scenario, a manager with different permissions can still access the office when others can’t.

Another high-security use for this model is the ability to program a role-based access control system to lock down specific areas of a building if there’s a security compromise detected at a main entrance. Of course, the specifics of this feature vary from system to system.

Pro:

  • A property can comply with local laws by restricting access to certain areas after hours (such as a pool or room with heavy machinery).

Cons:

  • RuBAC does not provide access based on a user’s specific role, which makes it difficult for employees at a residential or commercial property to enter restricted areas after hours.
  • This model can be difficult to set up and program depending on how many rooms require time-based access.

 

Which is the best access control model?

While the most useful access control model depends on the type of property you oversee, a role-based access control system is likely your best choice. User-friendliness and accessibility are key concerns for most people.

Role-based access control systems are some of the most convenient for both property managers and daily users. They benefit both commercial and residential properties, which means you can’t go wrong with choosing a system that uses this model.

 

Takeaways

  • Access control systems allow verified users to access a property while preventing unauthorized people from entering.
  • Access control models differ based on the user permissions they grant.
  • The five types of access control models are discretionary access control (DAC), mandatory access control (MAC), role-based access control (RBAC), and rule-based access control (RuBac).
  • RuBAC models are considered the best access control model because of their high flexibility for most types of properties.

 

What are the 5 access control models?

The 4 Types of Access Control Models Explained [+Examples]

If you are looking for more details, kindly visit homogeneous flooring, ABA spc flooring, hybrid flooring vs spc flooring.