What are Access Control Models?

By Bernhard Mehl
May 12, 2020

Access control security models describe the software that allows or restricts access to particular resources based on a user's credentials and identity. Access control is a way to verify that users are who they claim to be and that they can see only what they have been permitted to see. These models protect resources within a business and ensure that everything is accessed securely. Before implementing anything, the available access control models and types should be weighed against the company's goals.

Modes of Access Control 

Web-Based Access Control 

These fully cloud-based systems store access information on the web. Security managers gain greater access and visibility into whatever they are monitoring and can update permissions from any location.

Mobile-Based Access Control 

This control model works in much the same way. Security teams can use their phones to view a business's security system and control access via codes.

IoT-Based Access Control 

IoT-based models keep systems up to date. All access control software and hardware can be connected in one network, which lets managers update every device at once and gives businesses greater flexibility.

Types of Access Control

Mandatory Access Control

The mandatory access control (MAC) model was designed by the government and is often associated with military clearance-based systems. It is a strict model in which an administrator pre-defines access to all data in the system.

MAC classifies the data (for example by importance or security level) and places users in categories (such as department or project). The system knows which objects should be available to users in each group. When a user tries to access something, access is granted only if the user's access settings pair up with the access requirements of whatever the user is trying to look at.

MAC is secure, but it is also complicated. The structure itself is vague, and because there are various ways to implement it, a lot of planning is required. Difficulties arise when the data must be managed to reflect changes in infrastructure and the appearance of new data, departments, and employees. Typically, firms that use mandatory access control use another model as well.
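The MAC check described above, as an added example that is not part of the original article or Kisi's software: labels carry a classification level and a set of categories, only the administrator may assign them, and a user's label must dominate the object's label. The level names, user names and the "q2-report" object are constructed for the example.

```python
from dataclasses import dataclass

# Classification levels in increasing order of sensitivity (constructed).
LEVELS = ("public", "internal", "confidential", "secret")


@dataclass(frozen=True)
class Label:
    """Security label: classification level plus the categories it requires."""
    level: str
    categories: frozenset


def dominates(subject: Label, obj: Label) -> bool:
    """The labels 'pair up' when the subject's level is at least as high as the
    object's AND the subject holds every category the object requires."""
    return (LEVELS.index(subject.level) >= LEVELS.index(obj.level)
            and obj.categories <= subject.categories)


class MacSystem:
    """Only the administrator assigns labels; users cannot relabel anything,
    which is what makes the control mandatory rather than discretionary."""

    def __init__(self, admin: str):
        self.admin, self.subjects, self.objects = admin, {}, {}

    def label(self, caller: str, kind: str, name: str, label: Label) -> None:
        if caller != self.admin:
            raise PermissionError("only the administrator may assign labels")
        (self.subjects if kind == "subject" else self.objects)[name] = label

    def can_read(self, user: str, name: str) -> bool:
        # Deny by default: an unknown user or object never matches.
        if user not in self.subjects or name not in self.objects:
            return False
        return dominates(self.subjects[user], self.objects[name])


def demo() -> dict:
    """Constructed scenario: a confidential finance report and three users."""
    s = MacSystem(admin="admin")
    s.label("admin", "object", "q2-report", Label("confidential", frozenset({"finance"})))
    s.label("admin", "subject", "alice", Label("secret", frozenset({"finance", "hr"})))
    s.label("admin", "subject", "bob", Label("secret", frozenset({"hr"})))  # lacks finance
    s.label("admin", "subject", "carol", Label("internal", frozenset({"finance"})))  # too low
    return {u: s.can_read(u, "q2-report") for u in ("alice", "bob", "carol", "dave")}
```

Bob is refused despite a higher clearance level because he lacks the required category, which is the part of MAC that a level-only check would miss.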

Discretionary Access Control 

Under a discretionary access control (DAC) model, access to resources or functions is decided per user or group of users. Owners have the power to assign access to particular users, rather than all data and access being controlled by the operating system.

This model is managed through an access control list (ACL), which lists users together with their access level. For example, some users may only be able to view a document while others can edit it. Although users control access to their own data, they cannot change access to anyone else's files. DAC is a lot like social media: people can only change the visibility of their own content.

The DAC model is the least restrictive access control model, but it also creates risk because everything relies on individual users, and mistakes regarding access are easy to make. It is typically used in small businesses.
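An added example of the per-object ACL and the owner-only rule described above; this is constructed illustration code, not Kisi's software. The permission names, users and the "budget.docx" object are assumptions.

```python
# Constructed illustration of a DAC access control list.
PERMISSIONS = {"view", "edit"}


class DacStore:
    """Each object carries an owner and an ACL: user -> set of permissions.
    Only the owner may change the ACL; the system itself does not decide who
    should see what, which is why DAC depends on every owner choosing wisely."""

    def __init__(self):
        self.owners = {}  # object name -> owner
        self.acls = {}    # object name -> {user: {permissions}}

    def create(self, owner: str, obj: str) -> None:
        self.owners[obj] = owner
        self.acls[obj] = {owner: set(PERMISSIONS)}

    def grant(self, caller: str, obj: str, user: str, perm: str) -> None:
        """Owners control access to their own data and nobody else's."""
        if perm not in PERMISSIONS:
            raise ValueError(f"unknown permission {perm!r}")
        if self.owners.get(obj) != caller:
            raise PermissionError(f"{caller} does not own {obj}")
        self.acls[obj].setdefault(user, set()).add(perm)

    def is_allowed(self, user: str, obj: str, perm: str) -> bool:
        # Deny by default for unknown objects or users not on the ACL.
        return perm in self.acls.get(obj, {}).get(user, set())


def demo() -> dict:
    """Constructed scenario: alice owns a document and shares it view-only."""
    store = DacStore()
    store.create("alice", "budget.docx")
    store.grant("alice", "budget.docx", "bob", "view")
    results = {
        "bob_view": store.is_allowed("bob", "budget.docx", "view"),
        "bob_edit": store.is_allowed("bob", "budget.docx", "edit"),
        "alice_edit": store.is_allowed("alice", "budget.docx", "edit"),
    }
    try:  # bob cannot hand out access to a file he does not own
        store.grant("bob", "budget.docx", "carol", "view")
        results["bob_can_share"] = True
    except PermissionError:
        results["bob_can_share"] = False
    return results
```

Note that nothing stops alice from granting "edit" to anyone at all; the risk the text mentions is that the decision rests entirely with each owner.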

Role-Based Access Control 

Also known as non-discretionary access control, role-based access control (RBAC) is useful when system administrators must assign access based on organizational roles. The idea is that an individual has access only to what is needed to do their job and nothing more. RBAC is popular in businesses that handle highly confidential or sensitive information.

This model is a mixture of MAC and DAC. Each user is assigned a role, and different resources become available depending on that role. Roles can be classified by job position, group membership, or security access label. Accountants can access financial information, while software engineers or sales reps receive their own job-specific files. This system also lets companies set additional data access restrictions: an action can then be performed on a specific object in the database only if the data access restriction allows it.
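An added example of RBAC with the data access restriction described above, written for this page rather than taken from Kisi. The role names, permission strings and the "same department" restriction are assumptions chosen to match the accountant and engineer example in the text.

```python
# Constructed illustration of RBAC plus an object-level data access restriction.
ROLE_PERMISSIONS = {
    "accountant": {"financial:view", "financial:edit"},
    "engineer": {"source:view", "source:edit"},
    "sales": {"crm:view"},
}


class Rbac:
    """Users get roles, roles get permissions. An optional restriction is then
    checked against the specific object, so holding a permission alone is not enough."""

    def __init__(self, restrictions=None):
        self.user_roles = {}  # user -> set of roles
        self.users = {}       # user -> attributes such as department
        # restriction: permission -> callable(user_attrs, obj_attrs) -> bool
        self.restrictions = restrictions or {}

    def add_user(self, user: str, department: str, *roles: str) -> None:
        for r in roles:
            if r not in ROLE_PERMISSIONS:
                raise ValueError(f"unknown role {r!r}")
        self.users[user] = {"department": department}
        self.user_roles[user] = set(roles)

    def permissions(self, user: str) -> set:
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles.get(user, ())))

    def is_allowed(self, user: str, perm: str, obj_attrs: dict) -> bool:
        if perm not in self.permissions(user):
            return False  # role check fails first
        check = self.restrictions.get(perm)
        return check is None or check(self.users[user], obj_attrs)


def demo() -> dict:
    # Data access restriction (assumed): financial records may only be edited
    # by someone in the department that owns them.
    same_dept = lambda u, o: u["department"] == o["department"]
    rbac = Rbac(restrictions={"financial:edit": same_dept})
    rbac.add_user("ann", "finance", "accountant")
    rbac.add_user("eve", "engineering", "engineer")
    ledger = {"type": "financial", "department": "finance"}
    eng_budget = {"type": "financial", "department": "engineering"}
    return {
        "ann_view_ledger": rbac.is_allowed("ann", "financial:view", ledger),
        "ann_edit_ledger": rbac.is_allowed("ann", "financial:edit", ledger),
        "ann_edit_eng_budget": rbac.is_allowed("ann", "financial:edit", eng_budget),
        "eve_view_ledger": rbac.is_allowed("eve", "financial:view", ledger),
    }
```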

Rule-Based Access Control 

This system is a variation of RBAC. Each object has its own ACL, and the operating system checks whether a request is authorized. Access depends on rules created by business administrators to deny or allow access to company resources. There are no user accounts or defined roles.

This access control model is often used when a business needs to arrange something like a network connection for a set number of users at a specific time. It is similar to MAC in that identity is not considered: individuals are simply allowed or denied.
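The time-window and seat-count scenario above, as an added rule-based example that is not part of the original article or Kisi's products. The rules carry no user identity at all; the "guest-wifi" resource, the hours and the session limit are constructed values.

```python
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Rule:
    """Administrator-written rule (constructed); no user identity appears in it."""
    resource: str
    start: time            # window during which the rule applies
    end: time
    max_sessions: int      # how many connections the window may hold
    effect: str = "allow"  # or "deny"


class RuleEngine:
    """First matching rule decides; a request matching no rule is denied."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.active = {}  # resource -> current number of sessions

    def decide(self, resource: str, now: time) -> str:
        used = self.active.get(resource, 0)
        for r in self.rules:
            if r.resource != resource or not (r.start <= now < r.end):
                continue
            if r.effect == "allow" and used >= r.max_sessions:
                return "deny"  # window is open but every seat is taken
            return r.effect
        return "deny"

    def connect(self, resource: str, now: time) -> bool:
        # Admit the session if the rules allow it, and count it.
        ok = self.decide(resource, now) == "allow"
        if ok:
            self.active[resource] = self.active.get(resource, 0) + 1
        return ok


def demo() -> list:
    """Constructed: guest Wi-Fi open 09:00-17:00 for two sessions, lunch blocked."""
    engine = RuleEngine([
        Rule("guest-wifi", time(12), time(13), 0, effect="deny"),  # maintenance slot
        Rule("guest-wifi", time(9), time(17), max_sessions=2),
    ])
    return [
        engine.connect("guest-wifi", time(10)),      # first session       -> True
        engine.connect("guest-wifi", time(10, 5)),   # second session      -> True
        engine.connect("guest-wifi", time(10, 9)),   # third: no seat left -> False
        engine.connect("guest-wifi", time(12, 30)),  # deny rule matches   -> False
        engine.connect("guest-wifi", time(20)),      # outside window      -> False
    ]
```

Because the engine denies whatever no rule covers, forgetting a rule fails closed rather than open, which is the behaviour a defender wants from an administrator-maintained rule set.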

Bernhard Mehl

Bernhard is the co-founder and CEO of Kisi. His philosophy, "security is awesome," is contagious among tech-enabled companies.