When looking into access control, it is first important to understand what it is and how it can affect you no matter what role you are in.
Access control is an essential component of any information security program, as it helps to prevent unauthorised access to sensitive data and systems.
By implementing effective access control measures, organisations can protect themselves against a wide range of security threats, including data breaches, cyber attacks, and insider threats.
Access control is linked to ISO 27001 standards, specifically annex control A.9.1, which requires businesses to have access control implemented to limit access to information and information processing facilities.
Now that we have a general sense of what access control is, we can look deeper into how it works. There are five main steps that access control goes through to work correctly and I’m going to explain what each step is and why it’s done.
Access control models are frameworks that organisations use to manage and restrict access to resources, such as data, systems, and facilities. There are several types of access control models. I will go through four of these models in this section to help you better understand the different methods of implementing access control.
Mandatory Access Control (MAC)
The mandatory access control model is a very inflexible and rigid solution but due to this, it is also one of the most secure. In this case, it means that the end user has no control over any settings that could provide any privileges to anyone.
There are two security models associated with MAC and these are Biba Model and Bell-LaPadula Model, I won’t be going into them here but if you wish to, you can read up on Wikipedia for more information.
MAC is the highest access control there is. It is mostly utilised in military or government settings, utilising the access levels of Classified, Secret and Unclassified.
Role-Based Access Control (RBAC)
The role-based access control model is designed to provide access control based on the position an individual fills in a business. Eg. an individual who works as a network engineer would be assigned permissions that their role as a network engineer actually requires, instead of sweeping global permissions.
This makes life easier for the system administrator since access controls can be grouped together in roles which makes large permission changes much faster.
Discretionary Access Control (DAC)
The discretionary access control model is the least restrictive when compared to the MAC model discussed above. This is because DAC allows individuals complete control over any data they own, along with any other programs associated with it.
This isn’t ideal as it gives the end user complete control over being able to set security level settings for other users and, even worse, the permissions the users is provided are inherited into other programs – which could lead to the end user executing malware that has more access than it should, leading to more damage.
Rule-Based Access Control (RBAC or RB-RBAC)
Rule-Based Access Control (RBAC) is a model in which access to resources is granted based on the defined rules and policies. These rules specify the actions that a user can perform on a resource. This, for example, could be used in a situation where a user should only have access to files during a certain period of time.
The main issue of this approach is that these extra rules may require being implemented into the network by the system administrator in the form of code.
Access controls are important in relation to ISO 27001, because they are required as part of the annex controls under A.9.
In order to gain ISO 27001 certification, a business must have an access control policy that successfully limits access to information and information processing systems. This is because it mitigates the risk of information being accessed without appropriate authorisation and the risk of a data breach.
The topic of access control may seem simple at first glance but it can get quite complicated when you venture into the different models out there and the process of implementing it into a business.
In conclusion, access control is a crucial component of any information security program. It helps organisations protect themselves against a range of security threats by limiting access to sensitive data and systems to authorised users. There are several types of access control models. Each model has its own strengths and weaknesses and is best suited to different types of organisations and needs. By understanding and implementing the right access control model for your organisation, you can ensure the security and integrity of your sensitive data and systems.
If you have any questions about access control or want to share your experiences with different access control models, get in touch with us.
Streamlining compliance – introducing Inverifi’s new compliance standard templates Introducing Inverifi’s Annex control functionality We’re happy to announce that compliance standards are now live in
ISO 27001 Controls: Developing Secure Apps The importance of privacy and security When you’re developing an application, it is important to consider how it handles
Introducing Diagrams A new way to visualise and connect your organisation’s process flows We are thrilled to announce the release of Diagrams, a brand new
©Copyright Inverifi 2023, All rights reserved. Registered in England, No: 06959535, , +44 20 4574 9908
