Access control is the process of authenticating a user, and governing the rules that dictate their access to digital assets within a system. There are several models that establish how an end-user accesses and edits data in a given software environment.
There are four common types of access control: Mandatory Access Control (MAC), Role-based Access Control (RBAC), Discretionary Access Control (DAC), and Attribute-based Access Control (ABAC). Let’s explore each in more detail:
The Mandatory Access Control (MAC) model gives the owner or a superuser/admin the power to manage who has access to what; the end user has no control over the settings that govern access. Two MAC models are commonly employed. The first, the Biba model, allows end users to “read up,” or view data at a higher level of privilege, and “write down,” or edit data at a lower level of privilege. The second, Bell-LaPadula, was designed for government organizations that need stricter protocols. In Bell-LaPadula, end users can “write up,” or edit data at their own level or above but not below, and “read down,” or view data at a lower level of access.
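The read/write rules of the two MAC models described above, written out as an added example (this is constructed code, not part of the original article or any product). It assumes a small ordered set of labels, which serve as sensitivity levels under Bell-LaPadula and as integrity levels under Biba, and mediates each access by comparing the subject's level with the object's label:

```python
# Constructed example: reference-monitor style checks for the Bell-LaPadula
# and Biba rules. The lattice below is an assumption made for this example.
from typing import Tuple

# Ordered labels, lowest first. Under Bell-LaPadula these are sensitivity
# levels; under Biba they are integrity levels.
LEVELS = ["public", "internal", "confidential", "secret"]


def rank(level: str) -> int:
    """Position of a label in the ordering; an unknown label raises ValueError."""
    return LEVELS.index(level)


# Bell-LaPadula (confidentiality): read down, write up.
def blp_can_read(subject: str, obj: str) -> bool:
    # Simple security property: no read up.
    return rank(subject) >= rank(obj)


def blp_can_write(subject: str, obj: str) -> bool:
    # *-property: no write down (the subject's own level or higher is allowed).
    return rank(subject) <= rank(obj)


# Biba (integrity): read up, write down.
def biba_can_read(subject: str, obj: str) -> bool:
    # Simple integrity property: no read down.
    return rank(subject) <= rank(obj)


def biba_can_write(subject: str, obj: str) -> bool:
    # *-integrity property: no write up.
    return rank(subject) >= rank(obj)


CHECKS = {
    ("bell-lapadula", "read"): blp_can_read,
    ("bell-lapadula", "write"): blp_can_write,
    ("biba", "read"): biba_can_read,
    ("biba", "write"): biba_can_write,
}


def check(model: str, action: str, subject: str, obj: str) -> bool:
    """Mediate one access under the named model: True means permit."""
    return CHECKS[(model, action)](subject, obj)


def explain(model: str, subject: str, obj: str) -> Tuple[bool, bool]:
    """(read permitted, write permitted) for a subject level and object label."""
    return (check(model, "read", subject, obj), check(model, "write", subject, obj))


if __name__ == "__main__":
    # A subject cleared at "internal" looking at objects at every label.
    for model in ("bell-lapadula", "biba"):
        for label in LEVELS:
            can_read, can_write = explain(model, "internal", label)
            print(f"{model:14} subject=internal object={label:12} "
                  f"read={'yes' if can_read else 'no ':3} write={'yes' if can_write else 'no'}")
```

Under Bell-LaPadula the "internal" subject can read "public" and "internal" but not "confidential", and can write to "internal" and above; under Biba the same subject can read "internal" and above and write to "internal" and below. The two models are mirror images of each other, which is why a system that needs both confidentiality and integrity labels keeps them separate rather than reusing one ordering.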
The Role-based access control (RBAC) model limits entry to systems and resources based on a user’s “role.” The goal of RBAC is to prevent security breaches and protect critical systems by managing identity roles and privileges.
Traditional RBAC restricts access to individual resources and assigns a user to a pre-defined role, often based on job function. The role can access or change the data in the resource assigned to it but cannot access resources not assigned to the role.
Typically, RBAC is defined with high-level, coarse-grained access controls which allow organizations to quickly and easily define permissions over a breadth of resources. While this makes coarse-grained RBAC easier to implement, it doesn’t allow for the more precise, code-level restrictions required by many regulations to prevent accidental disclosures and maintain data privacy and security.
Legacy RBAC systems rely on static user identities: each job function has a corresponding role that always has permission to access the same resources. On-premises infrastructure is limited by its hardware's capabilities. An on-premises server has a fixed amount of memory, and the applications stored on it rarely change, which produces static, role-based identities.
For example, anyone with the role of “manager” can always edit data. Digital transformation removes that limitation. Organizations use cloud-based infrastructures because they scale to the needs of the moment: if you need additional storage or expect more activity, you can increase your cloud usage for a short period. In a modernized environment, identity needs to be dynamic because the infrastructure is dynamic.
The Discretionary Access Control (DAC) access model has the least amount of restriction because it allows end users to create rules that specify who has access to what. Users have complete control over any asset they “own” as well as the applications they use. It gives the end user the ability to change security settings and control what others have access to.
The Attribute-based Access Control (ABAC) model helps you create detailed access definitions that link a user’s role to context, such as resources, IT environment, or user location. Detailed privileges, also called “fine-grained entitlements,” create multi-dimensional access controls that go beyond application access and define the accessible resources within the application.
With ABAC, you create a central identity governance and access administration policy that focuses on attributes and context. This can include user job function or time of day and resource attribute, object, or environment. Using ABAC within complex on-premises, hybrid, and cloud-based infrastructures allows you to establish an “if, then” approach to providing access to resources within your ecosystem. Unlike RBAC, which uses generalizations to grant access, ABAC allows you to create sophisticated restrictions that improve data privacy.
ABAC allows you to restrict access and grant access on a more detailed level. With ABAC, you can use “if/then” statements that define how users interact with resources. Instead of giving a user multiple roles, you can tie access to a resource to an attribute value.
For example, “If user’s <department> is HR, grant access to the HR Application.” You can also create broader definitions for the HR Manager users, such as “If user’s <title> is Manager, grant access to all HR, Training Application, and Payroll Application.” Two defined sets of attributes now grant the appropriate level of access to sensitive information.
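The two ABAC rules quoted above, and the RBAC role mapping they replace, as an added example (constructed code, not the article's or any vendor's implementation). It assumes a user carries both a set of roles and a dictionary of attributes, and adds one hypothetical context-aware rule, combining an identity attribute with an environment attribute supplied with the request, to show the “if, then” approach going beyond what a static role can express:

```python
# Constructed example: a coarse-grained RBAC check beside a small ABAC policy
# evaluator. The users, roles, applications and the third rule are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class User:
    name: str
    roles: Set[str]              # RBAC: roles assigned to the user
    attributes: Dict[str, str]   # ABAC: identity attributes such as department, title


# RBAC: each role is a fixed bundle of applications.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "hr_staff": {"HR Application"},
    "manager": {"HR Application", "Training Application", "Payroll Application"},
}


def rbac_allowed(user: User, app: str) -> bool:
    """Grant if any of the user's roles includes the application."""
    return any(app in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


@dataclass
class Rule:
    description: str
    # (user attributes, request context) -> True when the "if" part holds
    condition: Callable[[Dict[str, str], Dict[str, str]], bool]
    grants: Set[str]             # the "then grant access to" part


POLICY: List[Rule] = [
    Rule("If user's department is HR, grant access to the HR Application",
         lambda u, ctx: u.get("department") == "HR",
         {"HR Application"}),
    Rule("If user's title is Manager, grant access to HR, Training and Payroll Applications",
         lambda u, ctx: u.get("title") == "Manager",
         {"HR Application", "Training Application", "Payroll Application"}),
    # Hypothetical context-aware rule (not from the text): the environment
    # attribute "network" arrives with the request, not with the identity.
    Rule("If user's department is Finance and the request comes from the office "
         "network, grant access to the Payroll Application",
         lambda u, ctx: u.get("department") == "Finance" and ctx.get("network") == "office",
         {"Payroll Application"}),
]


def abac_decide(user: User, app: str, context: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Evaluate every rule and return the decision with the rules that justified it.

    Rules only grant, so any application no rule grants is denied by default.
    The list of matched rules is what an auditor wants in the access log.
    """
    matched = [r.description for r in POLICY
               if app in r.grants and r.condition(user.attributes, context)]
    return (bool(matched), matched)


if __name__ == "__main__":
    alice = User("alice", {"hr_staff"}, {"department": "HR", "title": "Analyst"})
    bob = User("bob", {"manager"}, {"department": "HR", "title": "Manager"})
    carol = User("carol", set(), {"department": "Finance", "title": "Analyst"})
    requests = [
        (alice, "HR Application", {}),
        (alice, "Payroll Application", {}),
        (bob, "Payroll Application", {}),
        (carol, "Payroll Application", {"network": "office"}),
        (carol, "Payroll Application", {"network": "home"}),
    ]
    for user, app, ctx in requests:
        allowed, why = abac_decide(user, app, ctx)
        print(f"{user.name:6} {app:20} rbac={rbac_allowed(user, app)!s:5} "
              f"abac={'PERMIT' if allowed else 'DENY':6} {why}")
```

Carol holds no role at all, so RBAC can only deny her or be given a new role that grants Payroll everywhere; the ABAC rule grants it only when the request's context says she is on the office network. Returning the matched rule descriptions alongside the decision keeps every grant explainable, which is the property reviewers need when checking that access stays at “least privilege.”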
Many companies still rely on RBAC, but they should move to an ABAC model to reduce their attack surface. RBAC has a “set it and forget it” mindset. In the past, RBAC alone was sufficient. Today, cloud migration strategies and blended workforces require time-bound access to maintain proper governance, and RBAC falls short of meeting data privacy and security needs.
Identity management in legacy on-premises infrastructures focuses on authorizing user identity access to resources using a rule-based policy. This easily controllable process used to be sufficient in an on-prem environment because contexts were often static. With digital transformation and resources shifting to the cloud, authorization via traditional models opens organizations up to new risks. Using RBAC, authorizing a user to a Software-as-a-Service (SaaS) application may create excess access.
For example, your marketing and sales departments may need access to the same SaaS application, but they often require different information. Offering both departments the same access may violate the principle of “least privilege.” Suppose marketing employees can access addresses or sales department notes they do not need. In that case, you may be creating excess access that leads to a data security risk.
Managing a modern workplace requires a shift from static access control to more continuous identity and access rights management. By utilizing identity and continuous controls, organizations can create a holistic approach to data security and privacy without compromising operational agility and effectiveness.
Saviynt’s innovative, cloud-native IGA solution provides full visibility into how and where users interact with data and offers flexible deployment opportunities for on-premises, hybrid, and cloud infrastructures.
Organizations must focus on access and identity management to create holistic information security and privacy programs. Saviynt’s peer and usage-based analytics and fine-grained attribute capabilities enable you to create context- and risk-aware ABAC rules to protect data privacy. Saviynt’s analytics compare users’ requests to their peers’ data usage so organizations can use our predictive analytics to streamline the provisioning process while maintaining “least privilege” data privacy compliance. Moreover, after the organization sets the appropriate access controls in the Saviynt platform, our automation and analytics prove governance over their data security and privacy.
To make a modernized approach possible from an implementation point of view, administration shouldn’t impose a burden. Administrative burdens become challenging because, as an organization grows and individuals require more access, the number of requests can become overwhelming.
Companies can streamline their access controls by using intelligent analytics to monitor request risk and provide appropriate access. Users can request and obtain near-real-time access as their risk gets assessed across a wide swath of peer and usage-based data. Predictive analytics prevents excessive access and informs the requestor if access presents a risk.
When automation isn’t an option for excessive risk requests, Saviynt provides analytical data in a single-pane-of-glass interface. Approvers can examine the risk in question and, if uncertain about approval, can easily consult with other relevant parties in the organization. The approver never has to do in-depth reviews manually; it is all right at their fingertips. Whatever information isn’t there can swiftly be gathered from other decision-makers. This dramatically reduces the burden of work an approver would have to do to make data-driven decisions about granting or denying access.
Saviynt helps organizations embrace new technologies and migrate to a modern, identity-based foundation for security. Saviynt facilitates transcending rigid RBAC controls and instead leverages agile ABAC and time-based access to more precisely manage access. Saviynt’s cloud-native Identity Governance and Administration (IGA) platform protects your most sensitive information. It increases organizational efficiency and agility by ensuring that the right people have the right access to the right resources for only the right amount of time.