Information Access control

Information Access control in network security is the process of restricting or limiting access of any object to the resource, in digital world authenticating and authorizing use access to data is comes under access control.

Access control is the technical mechanism that restricts unauthorized users from the system, grants access to authorized users, and limits what authorized users can do on the system” (Peltier, Peltier, & Blackley, 2005).

Authentication is process of identify use who needs access to a resource or data, authorization is process of granting access to authenticated user. There are standard access control models which layout the rules for access control, these include Mandatory Access Control (MAC), Role Based Access Control (RBAC), Discretionary Access Control (DAC) and Permissions Based Access Control.

Mandatory Access Control

Mandatory Access Control is the mechanism where the owner or custodian or given resource are given access control management in other words only administrator can grant access.

This method enables labeling data or resource according to sensitivity; which is evaluated at the time when access is being granted against user level being requesting access.

This form of access control is popular in government or defense organizations which require access based on user security clearance level. Mandatory Access Control is effective in government organizations, but it is inherently difficult and expensive to implement and maintain.

Discretionary Access Control

Discretionary Access Control framework provide mechanism to grant or deny access based on user group association or membership. The user permissions are evaluated after authentication and at time of authorization, and granted or denied based on current configuration by administrator; the resource administrator however can change the access level at any time as needed.

This type of access control framework is easier to implement and maintain but keep documentation of roles and their associated rights, plus multi-role associations are challenges of this approach; careful evaluation is required to grant trusts for some roles.

Role-based Access Control

Role-based Access Control enables creation of access control based on user role within organization. Each organization has different structure of user roles which is associated with its security policy for example principal, instructor or student in school have different roles and hence required different access to certain data; these permissions for each role are managed by administrator role.

This type of access mechanism is easy to develop, maintain and control; but documenting roles, and multiple roles for one use are challenges of this method for implementing access control.

Permissions-based Access Control

Permissions-based Access Control is driven by set of permissions abstracted from application being applied on. The process of creating permission is purely based on application and its usage, a file processing application for instance can have READ, WRITE, DELETE permissions.

Once the permissions are extracted for the application then it can be assigned to individual user or group of users, in group permissions can be inherited from other groups which makes it easier to manage and maintain. If a user is member of certain group then he or she is granted all the permission of that group pulse any inheriting groups, in group inheritance hierarchy.

All aforementioned methods of access control can be implemented either logically or physically. Logical access control is employed through Access Control List (ACL) and group policies. Access Control Lists are set of permission associated with object for example administrative, read-only, read-write.

When the object is accessed these policies are evaluated. Physical access control is implemented using securing doors, video surveillance and access logs are some methods to enforce access security.