What Should You Know About Access Control?

HBR, November 16, 2023

Access control, a fundamental aspect of security in any system, delineates interactions between subjects and objects within that system. It shapes who can access what and how they can do so, playing a pivotal role in safeguarding valuable assets from potential damage or theft.

Subjects and Objects

In this context, subjects can range from individuals to applications or networks—entities that initiate actions. Objects encompass various entities such as information, devices, physical resources, applications or networks—those acted upon by subjects. The crux lies in managing these interactions via access controls, setting rules that govern the ‘who’ and ‘what.’

Complexity and Significance

The complexity of access control varies, contingent upon organisational size, trust dynamics and asset sensitivity. Personal computer access controls often appear straightforward, yet within businesses, they become critical shields safeguarding sensitive assets.

Core Process: Identification, Authentication, Authorisation and Accounting

Identification

Users state their identity, whether by username, card swiping or biometrics. Each subject must possess a unique label for clear identification within the system.

Authentication

This step verifies user identity via factors like passwords, tangible items (such as keys or ID badges) or biometrics. Multi-factor authentication enhances security by leveraging multiple factors.

Authorisation

Post-authentication, the system determines the level of access users have to specific resources. Access control lists often play a crucial role, outlining subject permissions for various objects.

Accounting

Systems track actions within the network or system. Though precision varies, accounting maintains a log of user interactions, aiding in security monitoring and analysis.

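
The four steps above, shown as one request path. This is an added example, not code from the original article; the subjects, passwords, file names and outcome strings are constructed for illustration, and the ACL is a plain in-memory dictionary standing in for a real permission store.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: subjects, credentials and ACL are illustrative only.
_SALTS = {"alice": os.urandom(16), "bob": os.urandom(16)}
USERS = {
    "alice": _hash("correct horse", _SALTS["alice"]),
    "bob": _hash("battery staple", _SALTS["bob"]),
}
# ACL: object -> subject -> permitted actions. Anything absent is denied.
ACL = {
    "payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
    "hr-notes.txt": {"alice": {"read"}},
}
AUDIT_LOG = []  # accounting: one record per request, allowed or denied

def _account(subject, obj, action, outcome):
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": subject, "object": obj, "action": action, "outcome": outcome,
    })
    return outcome

def request_access(username, password, obj, action):
    """Run one request through the four steps and return the outcome string."""
    # 1. Identification: the claimed label must map to a known subject.
    stored = USERS.get(username)
    if stored is None:
        return _account(username, obj, action, "deny:unknown-subject")
    # 2. Authentication: verify the claim with a constant-time comparison.
    if not hmac.compare_digest(stored, _hash(password, _SALTS[username])):
        return _account(username, obj, action, "deny:bad-credentials")
    # 3. Authorisation: consult the ACL; a missing entry means no access.
    if action not in ACL.get(obj, {}).get(username, set()):
        return _account(username, obj, action, "deny:not-authorised")
    # 4. Accounting: every path above is logged, and so is success.
    return _account(username, obj, action, "allow")
```

Denied requests are logged alongside allowed ones, since failed attempts are often the more useful signal when the log is reviewed.
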
Policies and Principles: Least Privilege and Need-to-Know

Principle of Least Privilege

Limiting user access to resources they require for their role significantly reduces the risks associated with potential breaches or data leaks. While this principle enhances security, it necessitates a balanced approach to facilitate efficient workflows.

Logical vs. Physical Access Control

Logical access control governs computer systems, whereas physical access control manages physical premises or resources. Authentication methods and authorisation implementations differ based on these distinctions.

Access Control Models: Insights and Variations

Discretionary Access Control (DAC)

It offers flexibility by allowing object owners to set access permissions at their discretion, and it is widely used in consumer operating systems.

Mandatory Access Control (MAC)

It imposes strict rules where administrators assign security labels to both users and objects, demanding specific clearances for access.

Role-Based Access Control

It assigns users to predefined roles or groups, granting access based on group permissions. It facilitates streamlined access management in larger organisations.

Rule-Based Access Control

It dictates access based on rules set by administrators and is often used in network traffic protection through criteria like IP addresses or user attributes.

Access Control in Practice

Access controls pervade daily life, from vehicle registration and driving licences to premises entry protocols. Organisations employ diverse access control models to safeguard sensitive assets while enabling collaborative workflows.

Summing Up

Operating systems like Windows integrate various access control models in the digital domain to fortify security. Evolving approaches like user account control have bolstered defences against malware attacks, highlighting the importance of adaptive access control strategies.

Access control is the linchpin of security, balancing protection and accessibility across various domains. Understanding its nuances is key to fortifying organisational defences and maintaining a robust security posture.