Understanding the concept of access control

Access control is a set of policies meant to restrict access to information, physical locations, and tools used. It is crucial to understand the concept of physical access control in comparison.

Physical control encompasses several areas including, airport custom agents, subway turnstiles, key card or badge scanners in corporate offices, a ticket checker at a movie theatre, or nightclub bouncers in the real world.  

These are examples where devices or persons are a part of the policy that decides who will be allowed access to a restricted physical location. 

Information Access Control 

Information access control restricts access to software that manipulates data and data itself. 

Some examples are 

• Password for signing into a laptop
• Using a thumbprint scan
• Accessing an internal network using VPN

In all of the above cases, the software needs to authenticate the login credentials to give authorization to the users who want to access digital information. The two main and integral components of information access control are authorization and authentication.

Difference between authentication and authorization 

Authentication is a process to confirm the user identity who wants access. In contrast, authorization is the process of determining what level of access is to be allowed to the users.

An example of authentication in physical terms is when one checks into a hotel and has to provide identity proof like Passport to verify that the person asking for a reservation is the same person. It is an example of the authentication process that takes place. 

Once the guest's identity is authenticated at the hotel's front desk, a key card will then be handed over that consists of limited privileges. These privileges include access to particular areas like the assigned rooms, guest elevator, and pool. Therefore, not to other guest rooms or the service elevator, or the hotel administration office. It is an example of limited authorization compared to hotel employees authorized to access more areas of the hotel.

Taking the above example as an analogy, computers and networking systems have similar authentication and authorization processes and controls.

When a user signs into their email account or to their bank account online, they use login or username and a password in a combination, known to the user only. The software authenticates the username and Password. Some applications have even stricter control features to abide by. An email login will suffice with a password. However, in online banking or smartphone login, the system asks for two–factor authentication or a biometric confirmation like a thumbprint or face ID Scan. 

Once the user is authenticated only, they are authorized to access their account. In the case of a bank account, only he can access his account and see the information. However, the bank Manager can log into the same application and see the overall position of multiple accounts under him or the level of the authorization given to him as a Relationship Manager. The is authorization whose access level is defined to the concerned manager only. 

Different types of Data access control  

Mandatory Access control (MAC) 

The policy of enforcing strict mandatory access control for individual users and the systems or data are controlled by the administrator. Individual users don't have the authority to set permissions or alter the policies of accessing data. 

In this system, the user and the system or data or any other resource are assigned security attributes so that they can interact with each other as per set policy. Comparing this with a Bank Senior Manager who would require a security clearance to access customer data files, but in that case, the system administrator would specify which files can be accessed and viewed, or edited.  

Role-based access control (RBAC)

The RBAC allows permission given to groups such as a defined set of users based on their roles and roles, such as actions performed by users. Individuals often do various actions assigned to their position and role. Hence, people usually are also assigned multiple roles as necessary. Like MAC, the users cannot change access control levels that the administrator has approved for their role.

For example, a bank employee working as a bank teller has the assigned role of processing account transactions and opening new customer accounts and is also authorized to do it. On the other hand, a Branch Manager at the Bank has several roles, including authorization to open customer accounts, process account transactions, and assign the role of a bank teller, to another employee, etc.

Discretionary access control (DAC): 

This discretionary power is allowed to a user who can grant access to other users. The user has access rights and authority given to them by the system administrator from the access control list as defined in the security policy. The risk here is the discretionary granting of permission to other users may have security vulnerabilities. 

When evaluating the different authorization methods, security is the topmost consideration whether one gives authorization to role-based, position-based, or discretionary based for accessing data. Many organizations with sensitive operations and others having financial implications like Banks require a high level of security, and data confidentiality is critical. Therefore, stringent norms are enforced in these setups where MAC type of access control will be enforced. In contrast, RBAC and DAC, which are flexible and less tight on the policy, will be preferred by other organizations. 

Methods for implementing Access Control

A virtual private network or VPN is a tool that allows information access control to users who are remotely based. Here the users can access the network if connected to a private network. Corporates use VPN to manage access control for their internal network spread to different geographical locations.

If an organization is headquartered at location A and has a corporate office in Location B  

with employees scattered throughout the globe in the branch offices, they can use VPN. It will allow employees to log into the internal network in a secured manner, irrespective of their location. The VPN also protects users against on-path attacks if connected to a public network. 

There are, however, drawbacks with VPNs which is the slowness of its speed of data transmission. Also, VPN is good in giving authentication but cannot provide specific authorization controls. Security is all or nothing. Hence, organizations are replacing VPNs with zero trust security solutions nowadays.