Vice President, Operations
What is an Access Control Policy?Access control is a data security technique that limits system access based on the user’s specified authorization (e.g. personas). This can be as simple as enabling password protection or far more complex with a system requiring varying sensitivity levels and sophisticated clearance models. By creating an access control policy, an organization defines rules and guidelines detailing who can access specific data and resources. Access control policies are a key measure in ensuring adequate information system security. NIST discusses access control policies as part of the fundamental management responsibility to ensure adequate security of information.
Common Access Control SystemsAccess control can be achieved through a variety of techniques and models. Information system types, number of users, data sensitivity, and other factors can influence how an organization may approach access control. The four most common types of access control include:
- Mandatory Access Control (MAC) is the most restrictive and inflexible type of access control. In this type of access control, only system administrators have the ability to permit system access. This provides a high level of security, but also requires lengthy approval processes to change user permissions or grant new user access.
- Discretionary Access Control (DAC) is the least restrictive and most flexible type of access control. In this system, the owner of the resource can specify who can access the resource. In other words, if you create a file in a Discretionary Access Control system, you as the file owner can transfer access to whichever users you specify. This puts the security control into the hands of the users. While this can be flexible and easy to use, it does require more active management by the users to upkeep resource security.
- Role-based Access Control (RBAC) has become one of the most popular access control systems. Instead of individual user assignments such as in MAC or user-specified access such as in DAC, RBAC provides a proactive level of user permission based on their position in the organization. Each role in an organization is provided a customized level of access rights. Users are then assigned to a role and inherit those access rights.
- Rule-Based Access Control is typically used in conjunction with other Access Control types and is relatively vague in its definition. Rule-based Access Control allows or denies resource access based on a set of rules and limitations set by the system administrator. For example, Rule-Based Access Control can be used to restrict data access on holidays, or after working hours.