In which form of access control environment is access controlled by rules rather than identity?

When we refer to access control, we’re talking about providing access to restricted areas of our businesses. But familiarity and wielding it’s power correctly to protect proprietary information are two completely different levels of understanding. For example, who gets access to what? What are the rules? How is it tracked?

You first have to identify and authenticate a person before giving them access to private information—which means the basics of a control system include criteria and records for every time someone “enters” the system.

Depending on what kind of organization you have, you’ll want to consider a couple of broad ideas—what level of ownership you want over the system, and how you decide which employees get access to what. There are many models, all with different benefits.

Mandatory Access Control (MAC)

The mandatory access control system provides the most restrictive protections, where the power to permit access falls entirely on system administrators. That means users cannot change permissions that deny or allow them entry into different areas, creating formidable security around sensitive information.

It even restricts the resource owner’s ability to grant access to anything listed in the system. Once an employee enters the system, they’re tagged with a unique connection of variable “tags”—like a digital security profile—that speaks to what level of access they have. So depending on what tags a user has, they will have limited access to resources based on the sensitivity of the information contained in it. This system is so shrewd, in fact, that it’s commonly used by government entities because of its commitment to confidentiality.

Discretionary Access Control (DAC)

A discretionary access control system, on the other hand, puts a little more control back into the business owner’s hands. They get to determine who can access which resources, even if the system administrator created a hierarchy of files with certain permissions. All it takes is the right credentials to gain access. The only disadvantage, of course, is giving the end-user control of security levels might cause some oversight. And since the system requires a more active role in managing permissions, it’s easy to let actions fall through the cracks. Where the MAC approach is rigid and low-effort, a DAC system is flexible and high-effort.

Role-Based Access Control (RBAC)

Role-based access control attributes permissions to a user based on their business responsibilities. As the most common access control system, it determines access based on your role in the company—ensuring lower-level employees aren’t gaining access to high-level information. Access rights in this method are designed around a collection of variables that map back to the business—such as resources needs, environment, job, location, and more. Most owners like this approach because it’s simple to group employees based on the kind of resources they need access to. For example, someone in human resources does not need access to private marketing materials, and marketing employees don’t need access to employee salaries. RBAC provides a flexible model that increases visibility while maintaining protection against breaches and data leaks.

The More Detailed, Hands-On Access Control

While there are some established practices in access control, technology has given us the opportunity for more customized approaches. Depending on how “hands-on” you want to get with your system, there are many ways to think about it.

Rule-Based Access Control

As you might have guessed, this system grants permissions based on structured rules and policies. Largely context-based, when a user attempts to access a resource, the operating system checks the rules decided on in the “access control list” for that specific resource. Creating the rules, policies, and context adds some effort to your roll-out. Additionally, this system will often be blended with the role-based approach we discussed earlier.

Attribute Access Control

Drilling down a level deeper, this type of system gives different dynamic and risk-intelligent control based on attributes given to a specific user. Think of these attributes as components of your user profile, together they define your access. Once policies are set, they can use these attributes to read whether or not a user should have control. These attributes can also be obtained and imported from a separate database—like Salesforce, for example.

The “Smarter,” More Intuitive Control Systems

Some control systems transcend technology all together. These are the systems that operate on a deeper, more intuitive level.

Identity-Based Access Control

The most simple, yet the most complex—identity-based control dictates whether a user is permitted access to a resource based on their individual visual or biometric identity. The user will then be denied or permitted access based on whether or not their identity can be matched with a name appearing on the access control list. One of the main benefits of this approach is providing more granular access to individuals in the system, as opposed to grouping employees manually. This is a very detailed, technology-driven approach that gives an abundance of control to the business owner.

History-Based Access Control

Another moderately “smart” solution is a history-based access control system. Based on past security actions, the system determines whether or not the user gains access to the resource they’re requesting. The system will then scrape that user’s history of activities—time between requests, content requested, which doors have been recently opened, etc. For example, if a user has a long history of working exclusively with secured accounting materials, a request to access next year’s marketing roadmap might flag in the system.

The Future: AI-Driven Identity Management

As access control moves into the future, the responsibility of managing the systems will continue to shift away from people and towards technology. AI (artificial intelligence) not only allows us to evaluate access permissions for users in real-time, but it’s also able to forecast the entire lifecycle of an employee. These solutions not only protect us from the “now,” they’re able to identify risks and compliance issues before they become serious. You’ll no longer have to tightly monitor the complicated web of policies and access control lists, because the AI makes it simple to look at everything from a high level.

Wrapping Up

While access control has evolved from protecting physical documents in real buildings to cloud-based systems, the idea of protecting your resources is never going out of style. The smarter we get with technology, the more options we’re going to have. Understanding the variables that matter—things like organization size, resource needs, employee locations—will help inform your decision.

Want to learn more about how we use technology and AI to recommend the right access model for you? Read more here.

What are the 4 types of access control?

What are the 3 types of access control?

What is the rule in access control?

What type of permissions can be configured in an access control rule?