Access control is the backbone technology for ensuring information security and privacy (Qiu et al., 2020). As organizations scale up their employee count, regulating access permissions becomes critical to preventing unauthorized access and mitigating data loss and cyber intrusions. An effective access control mechanism is embedded in an access control policy that determines the appropriate access control model for the organization (role-based, discretionary, or mandatory access control).
Discretionary Access Control (DAC)
With the Discretionary Access Control (DAC) model, system users can allow or disallow other users access to objects under their control (Rosa et al., 2019). Even though the DAC model meets the security requirements of resource owners, the fact that access depends on user authorization makes the management of DAC decentralized, thus requiring users and resources to be managed manually (Qiu et al., 2020).
Mandatory Access Control (MAC)
On the other hand, Mandatory Access Control (MAC) is a multilayered security model administered through a centralized management system that assigns access rights based on regulations set by a central authority (Qiu et al., 2020). MAC restricts access to objects based on each object’s sensitivity, as represented by a label, and the authorization or clearance level of subjects. MAC is well suited to government settings but not to civilian and private organizations.
Role-Based Access Control (RBAC)
In contrast, the Role-Based Access Control (RBAC) model bases access decisions on the functions performed by users within an organization (Tamir & Flowerday, 2020). With RBAC, a given role may apply to an individual or a group of individuals, and permissions are inherited through a role hierarchy that aligns with the requirements of a particular role.
Why Use RBAC Over MAC
Based on the properties of each access control model, I recommend RBAC over MAC or DAC. With RBAC, the assignment of access permissions is systematic and repeatable, so operational efficiency is attained because roles can be quickly added and changed. RBAC can also be implemented across different platforms, operating systems, and applications, and it supports compliance with various regulatory and statutory authorities. Furthermore, it is much easier to implement, manage, and audit access rights and to correct issues, given that access is granted to roles rather than to individuals (Nyame & Qin, 2020). RBAC is therefore the better access control model: it meets the information integrity requirements of information systems and facilitates the administration of access permissions in any organization while ensuring separation of duties.
Several tools could be used to set up RBAC. For instance, Microsoft Active Directory (AD) has built-in roles that could be adjusted to meet the organization’s specific access needs. Identity and Access Management systems could also be used to automate the assignment of privileges based on roles. Irrespective of the tool used, the following steps are required to set up RBAC. First, we need an inventory of the resources and systems that require access control, for instance, customer databases, applications, files, and folders. Next, we analyze our workforce and create roles based on job functions by grouping users with common access needs into roles. Then we map users to roles and set permissions accordingly while avoiding one-off changes to individual users. If more or fewer permissions are required to perform a specific task, add or remove permissions from the role rather than from individual user accounts. Finally, periodically review roles and employees’ access permissions to check for privilege creep over time as employees move from one position to another within the organization.
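The procedure above (permissions attached to roles, a role hierarchy through which permissions are inherited, users mapped to roles, and a periodic review for privilege creep and separation of duties) as an added Python example. This is illustrative code written for this page, not the code of AD or any cited tool; the roles, permissions, and user names are constructed.

```python
class RbacPolicy:
    def __init__(self):
        self.parents, self.perms, self.user_roles = {}, {}, {}
    def add_role(self, role, perms=(), parents=()):
        self.parents[role], self.perms[role] = set(parents), set(perms)
    def assign(self, user, role):
        if role not in self.perms:  # no one-off grants: users only ever receive roles
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)
    def effective_perms(self, role):
        # Walk the hierarchy: a role inherits everything its ancestor roles grant.
        seen, stack, granted = set(), [role], set()
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                granted |= self.perms.get(r, set())
                stack.extend(self.parents.get(r, ()))
        return granted
    def user_perms(self, user):
        return set().union(*(self.effective_perms(r) for r in self.user_roles.get(user, ())))
    def is_allowed(self, user, perm):
        return perm in self.user_perms(user)
    def review(self, job_roles, sod_pairs):
        # Periodic review: flag roles the user's current job does not require
        # (privilege creep) and permission pairs that separation of duties forbids.
        findings = []
        for user, roles in self.user_roles.items():
            for extra in sorted(roles - job_roles.get(user, set())):
                findings.append(f"{user}: privilege creep, role {extra} not required by current job")
            held = self.user_perms(user)
            for a, b in sod_pairs:
                if a in held and b in held:
                    findings.append(f"{user}: separation-of-duties violation ({a} with {b})")
        return findings

def sample_policy():
    # Constructed organization: a small role hierarchy and two made-up users.
    p = RbacPolicy()
    p.add_role("employee", ["files:read"])
    p.add_role("analyst", ["customer_db:read"], parents=["employee"])
    p.add_role("ap_clerk", ["payments:submit"], parents=["employee"])
    p.add_role("ap_approver", ["payments:approve"], parents=["employee"])
    p.add_role("dba", ["customer_db:write"], parents=["analyst"])
    p.assign("alice", "dba")
    p.assign("bob", "ap_clerk")
    p.assign("bob", "ap_approver")  # bob moved from clerk to approver; the old role was never removed
    return p

SOD_PAIRS = [("payments:submit", "payments:approve")]
CURRENT_JOB_ROLES = {"alice": {"dba"}, "bob": {"ap_approver"}}
```

Running `sample_policy().review(CURRENT_JOB_ROLES, SOD_PAIRS)` reports bob's stale clerk role and the resulting submit/approve conflict, while alice's permissions arrive solely through the dba → analyst → employee chain.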
Centralized Versus Decentralized Access Control Management System
With centralized access control management, the user can access applications, websites, and other computing systems using a single profile. On the contrary, decentralized access control management implies that Identity and Access Management (IAM) is spread across multiple environments. Although a single profile carries an elevated risk of compromise if its credentials fall into the wrong hands and represents a single point of failure, centralized access control management systems, in my opinion, are better. This is because they are cost-effective and efficient and offer increased mobility, quick deployments, automated lifecycle management, unified profiles, and more opportunities for improvement. To reduce the probability of compromise and increase security when using a centralized system, organizations use trusted third parties for single sign-on (SSO) and federated identity management (FIM) capabilities. Thus, OAuth 2.0, OpenID Connect, and Security Assertion Markup Language (SAML) are used, depending on the organizational need, to bring structure and security to the federation process (El Sibai et al., 2020).
El Sibai, R., Gemayel, N., Bou Abdo, J., & Demerjian, J. (2020). A survey on access control mechanisms for cloud computing. Transactions on Emerging Telecommunications Technologies, 31(2), e3720. https://doi.org/10.1002/ett.3720
Nyame, G., & Qin, Z. (2020). Precursors of Role-Based Access Control Design in KMS: A Conceptual Framework. Information, 11(6), 334. https://doi.org/10.3390/info11060334
Qiu, J., Tian, Z., Du, C., Zuo, Q., Su, S., & Fang, B. (2020). A Survey on Access Control in the Age of Internet of Things. IEEE Internet of Things Journal, 7(6), 4682-4696. https://doi.org/10.1109/JIOT.2020.2969326
Rosa, M., Barraca, J. P., Zuquete, A., & Rocha, N. P. (2019). A Parser to Support the Definition of Access Control Policies and Rules Using Natural Languages. Journal of Medical Systems, 44(2), 41. https://doi.org/10.1007/s10916-019-1467-2
Tamir, T., & Flowerday, S. (2020). A Clark-Wilson and ANSI role-based access control model. Information and Computer Security, 28(3), 373-395. https://doi.org/10.1108/ICS-08-2019-0100