Access Control in Computer Network

Last Updated : 20 Apr, 2026

Access Control is the process of restricting access to systems, networks, or resources based on predefined security policies. It determines who can access specific resources and what actions they can perform. Access control systems verify user identity using credentials such as passwords, PINs, biometric scans, or security tokens, helping prevent unauthorized access. Its key features include:

  • Identity Verification: Ensures that the user attempting to access the system is legitimate.
  • Permission Management: Defines what actions an authorized user is allowed to perform within the system.
  • Security Enforcement: Prevents unauthorized users from accessing sensitive resources or data.
  • Policy-Based Access: Grants or restricts access according to predefined organizational security policies.
[Figure: Steps Involved in Access Control Mechanism]

Authentication Factors

For computer security, access control includes the authorization, authentication, and audit of the entity trying to gain access. Access control models have a subject and an object.

Components of Access Control

  • Authentication: Authentication is the process of verifying the identity of a user, for example when that user logs in to a computer system.
  • Authorization: Authorization determines the extent of access to the network and what type of services and resources are accessible by the authenticated user. Authorization is the method of enforcing policies.
  • Access: After successful authentication and authorization, the user's identity is verified. This allows them to access the resource to which they are attempting to log in.
  • Manage: Organizations can manage their access control system by adding and removing authentication and authorization for users and systems. Managing these systems can be difficult in modern IT setups that combine cloud services and physical systems.
  • Audit: The access control audit method enables organizations to follow the principle. This allows them to collect data about user activities and analyze it to identify possible access violations.

Working of Access Control

Access control works by verifying a user's identity and granting permissions based on predefined security policies. Users provide credentials such as passwords, PINs, security tokens, or biometric data to authenticate their identity. In many systems, Multi-Factor Authentication (MFA) is used to increase security by requiring more than one verification method. Once the user's identity is confirmed, the system applies access control policies to determine what resources the user can access and what actions they are allowed to perform.

The process generally includes the following steps:

  1. Identification: User provides credentials such as a username or ID.
  2. Authentication: System verifies the user’s identity using passwords, biometrics, or tokens.
  3. Authorization: System determines the level of access granted to the user.
  4. Access Granting: User is allowed to access permitted resources based on security policies.
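The four steps above as an added Python example (not code from the original page). The user store, the sample password, the resource name and the function names are constructed for illustration, and every decision is also written to an audit list.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored credential is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: one user with one permission (an assumption).
SALT = os.urandom(16)
USERS = {
    "alice": {
        "salt": SALT,
        "pw_hash": hash_password("correct horse battery", SALT),
        "permissions": {("payroll.db", "read")},
    }
}
DUMMY_SALT = b"\x00" * 16
AUDIT_LOG = []  # one record per decision, granted or denied

def request_access(username, password, resource, action):
    # 1. Identification: look up the claimed identity.
    user = USERS.get(username)
    # 2. Authentication: always hash, then compare in constant time, so an
    #    unknown username and a wrong password follow the same path.
    salt = user["salt"] if user else DUMMY_SALT
    candidate = hash_password(password, salt)
    expected = user["pw_hash"] if user else b""
    authenticated = hmac.compare_digest(candidate, expected) and user is not None
    # 3. Authorization: deny unless the policy explicitly lists the pair.
    authorized = authenticated and (resource, action) in user["permissions"]
    # 4. Access granting, with the outcome recorded for audit.
    if authorized:
        outcome = "granted"
    elif authenticated:
        outcome = "denied: not authorized"
    else:
        outcome = "denied: authentication failed"
    AUDIT_LOG.append((username, resource, action, outcome))
    return outcome
```

An unknown username and a wrong password return the same outcome, so the response does not reveal which accounts exist.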

Types of Access Control

  • Attribute-based Access Control (ABAC): In this model, access is granted or declined by evaluating a set of rules, policies, and relationships using the attributes of users, systems and environmental conditions.
  • Discretionary Access Control (DAC): In DAC, the owner of data determines who can access specific resources.
  • History-Based Access Control (HBAC): Access is granted or declined by evaluating the history of activities of the inquiring party that includes behavior, the time between requests and content of requests.
  • Identity-Based Access Control (IBAC): By using this model, network administrators can more effectively manage activity and access based on individual requirements.
  • Mandatory Access Control (MAC): A control model in which access rights are regulated by a central authority based on multiple levels of security. Security-Enhanced Linux (SELinux) is an implementation of MAC on the Linux operating system.
  • Organization-Based Access Control (OrBAC): This model allows the policy designer to define a security policy independently of the implementation.
  • Role-Based Access Control (RBAC): RBAC allows access based on the job title. RBAC eliminates discretion on a large scale when providing access to objects. For example, a human resources specialist should not have permission to create network accounts.
  • Rule-Based Access Control (RAC): The RAC method is largely context based. An example of this would be only allowing students to use the labs during a certain time of day.
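The RBAC and rule-based examples from the list above, combined in one deny-by-default check. This is an added Python example, not code from the original page; the user names, role names and the 08:00 to 18:00 lab hours are assumptions.

```python
from datetime import time

# RBAC layer: role -> permitted (action, object) pairs (constructed roles).
ROLE_PERMISSIONS = {
    "hr_specialist": {("read", "employee_records"), ("update", "employee_records")},
    "network_admin": {("create", "network_account"), ("disable", "network_account")},
    "student": {("use", "lab")},
}
USER_ROLES = {
    "dana": {"hr_specialist"},
    "omar": {"network_admin"},
    "sam": {"student"},
}

# Rule-based layer: a contextual condition attached to one permission.
LAB_OPEN, LAB_CLOSE = time(8, 0), time(18, 0)  # assumed lab hours

def lab_is_open(now):
    return LAB_OPEN <= now < LAB_CLOSE

RULES = {("student", "use", "lab"): lab_is_open}

def is_allowed(user, action, obj, at):
    """Return True only if a role grants (action, obj) and any attached rule passes.

    `at` is the request time as "HH:MM". Unknown users, unknown roles and
    unlisted permissions all fall through to the final deny.
    """
    now = time.fromisoformat(at)
    for role in USER_ROLES.get(user, ()):
        if (action, obj) not in ROLE_PERMISSIONS.get(role, ()):
            continue  # this role does not carry the permission
        rule = RULES.get((role, action, obj))
        if rule is None or rule(now):
            return True
    return False
```

The role decides whether a permission exists at all, while the rule narrows when it applies, so a student outside lab hours is denied even though the role lists the permission.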

Different access control models are used depending on the compliance requirements and the security levels of the information technology that is to be protected. There are two types of access control:

  • Physical Access Control: Physical access control restricts entry to campuses, buildings, rooms and physical IT assets.
  • Logical Access Control: Logical access control limits connections to computer networks, system files and data.

Challenges of Access Control

  • Distributed IT Systems: Current IT systems frequently combine internet and on-premise networks. These systems may be distributed geographically and comprise various devices, assets, and virtual machines. Access is allowed to all of these devices, and keeping track of them can be challenging.
  • Policy Management: Policy makers within the organization create policies, and the IT department converts the planned policies into code for implementation. Coordination between these two groups is essential for keeping the access control system up to date and functioning properly.
  • Monitoring and Reporting: Organizations must constantly check access control systems to guarantee compliance with corporate policies and regulatory laws. Any violations or changes must be recognized and reported immediately.
  • Access Control Models: Access control mechanisms provide varying levels of precision. Choosing the right access control strategy for your organization allows you to balance acceptable security with employee efficiency.

Types of Authentication Mechanism

  • Two-factor authentication
  • Multi-factor authentication
  • One-time password
  • Three-factor authentication
  • Biometrics
  • Hard Tokens
  • Soft Tokens
  • Contextual Authentication
  • Device identification

Methods for Implementing Access Control

  • Virtual Private Networks (VPNs): VPNs allow users to securely access organizational networks remotely by encrypting internet connections. However, excessive use may sometimes cause performance issues such as latency.
  • Other Methods: Additional techniques include identity repositories, monitoring and reporting tools, password management systems, provisioning tools, and security policy enforcement services that help manage and enforce access permissions effectively.

Authentication vs Authorization

| Authentication | Authorization |
|---|---|
| Authentication is the process of verifying the identity of a user. | Authorization determines the extent of access to the network and what type of services and resources are accessible by the authenticated user. |
| It is done before the authorization process. | It is done after the authentication process. |
| It usually needs the user's login details. | It needs the user's privilege or security levels. |
| The authentication credentials can be changed in part as and when required by the user. | The authorization permissions cannot be changed by the user, as these are granted by the owner of the system and only he/she has the access to change them. |
| Authentication determines whether the person is a user or not. | Authorization determines what permissions the user has. |
| User authentication is visible at the user end. | User authorization is not visible at the user end. |
| User authentication is identified with username, password, face recognition, retina scan, fingerprints, etc. | User authorization is carried out through the access rights to resources by using roles that have been pre-defined. |
