
2 - Access Control Models

The document discusses five primary access control models: Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Rule-Based Access Control, detailing their principles, strengths, weaknesses, and real-world applications. Each model influences security, manageability, and flexibility differently, with DAC allowing owner discretion, MAC enforcing strict policies, RBAC simplifying administration through roles, ABAC providing context-aware access, and Rule-Based Access Control relying on predefined rules. The conclusion emphasizes the importance of selecting the appropriate model based on organizational needs and the potential for hybrid approaches to enhance security and efficiency.

Uploaded by

ederamellyville

Access Control Models

Once a user or entity has been authenticated (its identity verified), access control mechanisms determine
what they are permitted to do and what resources they can access. The choice of access control model
significantly influences the security posture, manageability, and flexibility of a system.

Today, we will delve into the intricacies of the five primary access control models: Discretionary Access Control
(DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), Attribute-Based Access Control
(ABAC), and Rule-Based Access Control. We will explore their underlying principles, strengths, and weaknesses,
and illustrate their practical application with real-world examples.

Discretionary Access Control (DAC): Owner Knows Best


• Core Principle: In DAC, the owner of a resource (e.g., a file, a directory, a database record) has the
authority to determine who can access that resource and what level of access they have (e.g., read, write,
execute). This control is discretionary, meaning the owner can grant or revoke access at their own will.

• Mechanism: Access control lists (ACLs) are a common mechanism for implementing DAC. Each resource
has an associated ACL that specifies which users or groups have been granted specific permissions.

• Strengths:

o Flexibility: Owners have direct control over their resources, making it easy to grant or restrict
access as needed.

o Ease of Implementation (in simple scenarios): Basic DAC mechanisms are often straightforward
to implement in file systems and personal computing environments.

o User Empowerment: Empowers individual users to manage access to their own data.

• Weaknesses:

o Security Risks: Relies on the judgment and security awareness of individual owners. Owners
might inadvertently grant excessive permissions or fail to revoke access when it's no longer
needed.

o Lack of Centralized Policy Enforcement: Access decisions are decentralized, making it difficult to
enforce consistent security policies across the entire system.

o Vulnerability to Privilege Escalation: If an attacker compromises an owner's account, they inherit
all the owner's access rights.

o Management Overhead in Large Environments: Managing individual permissions for a large
number of users and resources can become complex and time-consuming.

• Examples:

o File Permissions on Personal Computers (Windows/macOS/Linux): When you create a file or
folder, you are typically the owner and can set permissions for other users on the same system
(e.g., read-only, read/write, full control).

o Shared Folders with Permissions: On a network share, the user who created the folder or a
designated owner can grant specific access rights to other users or groups.

o Database Object Permissions (e.g., SQL Databases): The owner of a table or view can grant
SELECT, INSERT, UPDATE, DELETE permissions to other database users.
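
The weakness noted above, owners inadvertently granting excessive permissions, can be checked for on a POSIX file system. The following is an added example, not part of the original document; the file names and modes are constructed, and it audits only the group and world write bits that each owner chose to set.

```python
import os
import stat
import tempfile

def write_exposure(root):
    """Map each regular file under root to the non-owner write bits it carries."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # ignore symlinks, sockets and device nodes
            reasons = []
            if mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def demo():
    # Constructed sample tree; file names and modes are made up for the example.
    samples = [("private.key", 0o600), ("notes.txt", 0o644),
               ("team.csv", 0o664), ("scratch.log", 0o666)]
    with tempfile.TemporaryDirectory() as root:
        for name, mode in samples:
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("sample\n")
            os.chmod(path, mode)  # the owner's discretionary decision
        return write_exposure(root)

if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path}: {', '.join(reasons)}")
```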

Discussion Points:

• In what types of environments is DAC most commonly used and why?

• What are some best practices that can mitigate the security risks associated with DAC?

• How does DAC differ from other access control models in terms of who makes access decisions?

Mandatory Access Control (MAC): System Knows Best


• Core Principle: In MAC, access decisions are based on a system-wide security policy determined by a
central authority. Users and resources are assigned security labels (classifications), and access is granted
only if the subject's label dominates (is equal to or higher than) the object's label according to predefined
rules. Users cannot override these policies.

• Mechanism: Security labels are typically hierarchical (e.g., Unclassified < Confidential < Secret < Top
Secret) or non-hierarchical categories. The operating system or security kernel enforces access based on
these labels.

• Strengths:

o High Security: Enforces strict and consistent security policies across the system, minimizing the
risk of unauthorized access and information leaks.

o Centralized Control: Access decisions are made by a central authority, ensuring adherence to
organizational security policies.

o Prevention of Privilege Escalation: Users cannot grant themselves or others higher levels of
access than their clearance allows.

• Weaknesses:

o Lack of Flexibility: Can be rigid and may hinder collaboration if not carefully configured.

o Complexity of Implementation and Management: Setting up and managing security labels and
policies can be complex and require specialized expertise.

o Potential for Information Flow Control Issues: Ensuring that information flows only in authorized
directions can be challenging.

• Examples:

o Military and Government Systems: Systems handling classified information often employ MAC
to prevent lower-cleared personnel from accessing higher-classified data.

o SELinux (Security-Enhanced Linux): A Linux security module that implements MAC to enforce
security policies and confine processes.

o Trusted Operating Systems: Operating systems designed with strong security features, often
incorporating MAC principles.
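
The dominance rule described above can be written as a comparison of labels. This is an added example, not part of the original document; it assumes a label carries both a hierarchical level and a set of non-hierarchical categories, and the category name and the subjects and objects are constructed. The join function goes one step beyond the text to show how data derived from two sources is labelled.

```python
from dataclasses import dataclass

# Hierarchy from the text: Unclassified < Confidential < Secret < Top Secret
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()  # non-hierarchical compartments

def dominates(a, b):
    """a dominates b: a's level is equal or higher AND a holds all of b's categories."""
    return (LEVELS.index(a.level) >= LEVELS.index(b.level)
            and a.categories >= b.categories)

def may_access(subject, obj):
    # Rule from the text: grant only if the subject's label dominates the object's.
    return dominates(subject, obj)

def join(a, b):
    """Lowest label that dominates both a and b, e.g. for data derived from both."""
    level = max(a.level, b.level, key=LEVELS.index)
    return Label(level, a.categories | b.categories)

# Constructed subjects and objects; the category name is made up.
ANALYST = Label("Secret", frozenset({"CRYPTO"}))
DIRECTOR = Label("Top Secret")
REPORT = Label("Confidential", frozenset({"CRYPTO"}))
PLAN = Label("Top Secret")

def demo():
    return {
        "analyst->report": may_access(ANALYST, REPORT),    # higher level, has category
        "analyst->plan": may_access(ANALYST, PLAN),        # level too low
        "director->report": may_access(DIRECTOR, REPORT),  # top level, lacks category
        "analyst->merged": may_access(ANALYST, join(REPORT, PLAN)),
    }

if __name__ == "__main__":
    for request, granted in demo().items():
        print(request, "granted" if granted else "denied")
```

The director case shows that a higher level alone is not enough: labels with different category sets can be incomparable, so neither dominates the other.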

Discussion Points:

• Why is MAC preferred in high-security environments despite its limitations in flexibility?

• What are some real-world scenarios where the strict control of MAC is essential?

• How do security labels and the concept of "domination" work in MAC?

Role-Based Access Control (RBAC): Access by Responsibility


• Core Principle: In RBAC, access permissions are associated with roles within an organization. Users are
assigned to one or more roles, and they inherit the permissions associated with those roles. This
simplifies access management by focusing on job functions rather than individual users.

• Mechanism: Roles are defined based on job responsibilities or organizational functions. Permissions
(e.g., read, write, execute specific files or applications) are assigned to these roles. Users are then
assigned to the appropriate roles, granting them the necessary access.

• Strengths:

o Simplified Administration: Managing access based on roles is much easier than managing
individual user permissions, especially in large organizations.

o Improved Consistency: Ensures that users with similar job responsibilities have consistent access
privileges.

o Reduced Risk of Errors: Less chance of accidentally granting excessive or insufficient permissions
to individual users.

o Facilitates Auditing: Easier to track who has access to what based on their assigned roles.

o Supports Principle of Least Privilege: Roles can be designed to grant only the necessary
permissions for users to perform their job functions.

• Weaknesses:

o Complexity in Defining Roles: Requires careful analysis of organizational roles and responsibilities
to define effective and granular roles.

o Role Explosion: In very complex organizations, the number of roles can proliferate, making
management challenging.

o Potential for Role Creep: Users may accumulate roles over time, potentially granting them more
access than they currently need.

• Examples:

o Hospital Information Systems: Doctors might be assigned the "Physician" role with permissions
to view patient records and prescribe medication, while nurses might have the "Nurse" role with
permissions to view records and administer medication but not prescribe.

o Enterprise Resource Planning (ERP) Systems: Different roles like "Sales Manager," "Accountant,"
and "Warehouse Staff" would have distinct sets of permissions within the system.

o Content Management Systems (CMS): Roles like "Editor," "Author," and "Administrator" define
what actions users can perform on website content.
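
The hospital example above, with a review for role creep, as an added example that is not part of the original document. The permission names, user names and the record of each user's current job function are constructed for illustration.

```python
# Roles and permissions from the hospital example; permission names are made up.
ROLE_PERMISSIONS = {
    "Physician": {"view_records", "prescribe_medication"},
    "Nurse": {"view_records", "administer_medication"},
}

# Constructed assignments: dr_khan moved from nursing to a physician post
# and the old role was never removed.
USER_ROLES = {
    "dr_adams": {"Physician"},
    "nurse_lee": {"Nurse"},
    "dr_khan": {"Physician", "Nurse"},
}
CURRENT_FUNCTION = {"dr_adams": "Physician", "nurse_lee": "Nurse", "dr_khan": "Physician"}

def permissions_of(user):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def is_allowed(user, permission):
    # Unknown users and unknown roles resolve to the empty set: deny by default.
    return permission in permissions_of(user)

def role_creep():
    """Per user: roles beyond the current job function and the extra permissions they add."""
    report = {}
    for user, roles in USER_ROLES.items():
        needed = ROLE_PERMISSIONS[CURRENT_FUNCTION[user]]
        stale = roles - {CURRENT_FUNCTION[user]}
        extra = permissions_of(user) - needed
        if stale:
            report[user] = {"stale_roles": stale, "extra_permissions": extra}
    return report

if __name__ == "__main__":
    print(is_allowed("nurse_lee", "prescribe_medication"))
    print(role_creep())
```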

Discussion Points:

• Why is RBAC the most widely adopted access control model in enterprise environments?

• What are the key steps involved in implementing RBAC effectively?

• How can organizations prevent "role explosion" and "role creep"?

Attribute-Based Access Control (ABAC): Context is Key


• Core Principle: In ABAC, access decisions are based on a set of attributes associated with the subject
(user), the object (resource), the action being performed, and the environment. Policies are defined using
these attributes, allowing for fine-grained and context-aware access control.

• Mechanism: An ABAC system evaluates a set of rules or policies against the attributes of the request.
Access is granted only if the attributes satisfy the conditions defined in the relevant policies.

• Strengths:

o Granular Control: Enables highly specific and dynamic access policies based on various contextual
factors.

o Flexibility and Adaptability: Policies can be easily modified to accommodate changing business
needs and security requirements.

o Context-Awareness: Can take into account factors like time of day, location, device security
posture, and user clearance level.

o Policy-Driven: Access decisions are based on explicitly defined policies, promoting consistency
and transparency.

• Weaknesses:

o Complexity of Implementation and Management: Designing and managing a large number of
attributes and policies can be complex and require specialized expertise and tools.

o Performance Considerations: Evaluating a large number of attributes and policies in real-time
can impact system performance.

o Potential for Policy Conflicts: Ensuring that policies do not contradict each other requires careful
design and management.

• Examples:

o Cloud-Based Resource Access: Allowing access to a specific database only if the user belongs to
the "Finance" department, is accessing from a corporate network IP address, and the request is
made during business hours.

o Data Loss Prevention (DLP) Systems: Preventing users from copying sensitive data to removable
media unless they have the "Approved for External Transfer" attribute and the file is not classified
as "Highly Confidential."

o Healthcare Systems: Allowing a doctor to access a patient's full medical history only if they are
the patient's primary care physician or if the request is made during an emergency.
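
The cloud-based example above as a policy check, added here as an illustration and not part of the original document. The resource name finance-db, the 192.0.2.0/24 corporate range, the 09:00 to 17:00 Monday-to-Friday hours and all attribute names are assumptions; missing or malformed attributes fail closed.

```python
import ipaddress
from datetime import datetime, time

# Assumptions for the example: corporate range and business hours are made up.
CORPORATE_NETS = [ipaddress.ip_network("192.0.2.0/24")]
OPEN, CLOSE = time(9, 0), time(17, 0)  # Monday to Friday

def on_corporate_network(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except (ValueError, TypeError):
        return False  # malformed or missing attribute fails closed
    return any(ip in net for net in CORPORATE_NETS)

def in_business_hours(when):
    return (isinstance(when, datetime) and when.weekday() < 5
            and OPEN <= when.time() < CLOSE)

def evaluate(subject, resource, action, environment):
    """Return (decision, failed_conditions) for one request."""
    if resource.get("name") != "finance-db" or action != "read":
        return "Deny", ["no applicable policy"]
    conditions = {
        "subject.department == Finance": subject.get("department") == "Finance",
        "environment.source_ip in corporate range":
            on_corporate_network(environment.get("source_ip")),
        "environment.time in business hours":
            in_business_hours(environment.get("time")),
    }
    failed = [name for name, ok in conditions.items() if not ok]
    return ("Permit" if not failed else "Deny"), failed

def demo():
    # Constructed requests against the policy above.
    finance = {"department": "Finance"}
    db = {"name": "finance-db"}
    tue_morning = datetime(2024, 3, 12, 10, 30)
    return [
        evaluate(finance, db, "read", {"source_ip": "192.0.2.15", "time": tue_morning}),
        evaluate(finance, db, "read", {"source_ip": "203.0.113.9", "time": tue_morning}),
        evaluate({"department": "Sales"}, db, "read", {}),
    ]
```

Returning the failed conditions alongside the decision gives the audit log the reason for each denial.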

Discussion Points:

• What makes ABAC more flexible and context-aware than other access control models?

• What are some key attributes that can be used in ABAC policies?

• What are the architectural components typically involved in an ABAC system?

Rule-Based Access Control: If This, Then That


• Core Principle: In Rule-Based Access Control, access decisions are based on a set of predefined rules or
policies. These rules are often static and based on specific conditions.

• Mechanism: The system evaluates each access request against the defined rules. If a rule matches the
request conditions, the corresponding action (allow or deny) is taken.

• Strengths:

o Simple Implementation for Specific Scenarios: Can be straightforward to implement for
well-defined and static access requirements.

o Automation of Access Decisions: Once rules are defined, access decisions are made
automatically.

• Weaknesses:

o Limited Flexibility: Can be difficult to adapt to changing requirements or complex scenarios.

o Management Overhead for Large Rule Sets: Managing a large number of rules can become
cumbersome and error-prone.

o Lack of Contextual Awareness: Rules are often based on static attributes and may not consider
dynamic contextual factors.

• Examples:

o Firewall Rules: Allowing or blocking network traffic based on source/destination IP addresses,
ports, and protocols.

o Traffic Control Systems: Allowing access to certain network resources based on the time of day.

o Basic File System Permissions (in some simplified systems): Rules like "Only administrators can
modify system files."
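
The firewall example above as a rule evaluator, together with a check for the kind of error that large rule sets invite: a rule that can never fire because an earlier rule already covers it. This is an added example, not part of the original document; the rule set is constructed, and first-match ordering with an implicit default deny is an assumption about how the rules are applied.

```python
import ipaddress

# Constructed rule set: (action, source network, protocol, destination port or None for any)
RULES = [
    ("deny",  "198.51.100.0/24", "tcp", None),
    ("allow", "0.0.0.0/0",       "tcp", 443),
    ("allow", "192.0.2.0/24",    "tcp", 22),
    ("allow", "198.51.100.7/32", "tcp", 22),  # never reached: rule 0 matches first
]

def matches(rule, src, proto, port):
    _action, net, r_proto, r_port = rule
    return (ipaddress.ip_address(src) in ipaddress.ip_network(net)
            and proto == r_proto and r_port in (None, port))

def decide(src, proto, port, rules=RULES):
    """Return (action, index of the deciding rule); first match wins."""
    for index, rule in enumerate(rules):
        if matches(rule, src, proto, port):
            return rule[0], index
    return "deny", None  # assumption: no match means deny

def covers(earlier, later):
    """True if every packet matching `later` also matches `earlier`."""
    _, e_net, e_proto, e_port = earlier
    _, l_net, l_proto, l_port = later
    return (ipaddress.ip_network(l_net).subnet_of(ipaddress.ip_network(e_net))
            and e_proto == l_proto and e_port in (None, l_port))

def shadowed(rules=RULES):
    """List (rule index, index of the earlier rule that shadows it)."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                found.append((j, i))
                break
    return found

if __name__ == "__main__":
    print(decide("198.51.100.7", "tcp", 22))
    print(shadowed())
```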

Discussion Points:

• How does Rule-Based Access Control differ from ABAC in terms of flexibility and context-awareness?

• In what types of systems or applications is Rule-Based Access Control commonly used?

• What are the limitations of relying solely on Rule-Based Access Control in complex environments?

Conclusion

Choosing the appropriate access control model is a critical decision that directly impacts an organization's
security posture and operational efficiency. Each model has its own strengths and weaknesses, and the best
choice often depends on the specific requirements of the system, the sensitivity of the data being protected,
and the organizational context. In many modern systems, hybrid approaches that combine elements of different
models may be employed to achieve a balance between security, flexibility, and manageability. Understanding
the principles and applications of these access control models is fundamental to designing and maintaining
secure and effective cybersecurity defenses.
