July 11th, 2019 7:30 am
What computer security access controls do I need?
To grant access or not grant access. That is the question… at least when it comes to computer security. If you haven’t been paying attention to access control, now is the time to start. Computer and network security hinge on having the appropriate access controls in place to protect your business.
Often, access control is about access approval — how the system decides whether to grant or reject an access request. Passwords, biometric scans, physical keys, electronic keys and devices, hidden paths, social barriers, and monitoring are all forms of authentication. It’s common to combine authentication and access control into a single operation: success authentication grants access.
The two types of access control models are those based on capabilities and those based on access control lists (ACLs). They best type for your business will depend on the level of computer security you need and the access controls that will provide it.
- In a capability-based model, users are granted the ability to access, (kind of like car key allows you to start the car, even you don’t need to put the key in the ignition). l
- In an ACL-based model, the user appears on a list (like being on a coveted private party list for your favorite band that lets you walk through the door).
Of course, both are a little more complicated than that, but you get the idea.
All computer security access control systems provide the essential services of:
- authorization (what the user can do)
- identification and authentication (I&A) (ensuring only legitimate users gain access)
- access approval (granting access based on the company’s authorization policy)
- accountability (noting what a user did during the access period)
Enforcement: 9 types of access controls for computer security
The ability to enforce access controls to the level of security your business needs depends on the type of access controls you’re using. These are the 9 types of access controls for computer security that you should know about.
- Role-Based Access Control (RBAC)
RBAC allows access based on the job title.
- Rule-Based Access Control (RAC)
The RAC method is context based, such as only allowing access during certain hours or from certain IP addresses.
- Attribute-based Access Control (ABAC)
Users gain access rights through the use of policies that evaluate attributes (user attributes, resource attributes, and environment conditions).
- Discretionary Access Control (DAC)
The data owner determines who is allowed to access specific resources.
- History-Based Access Control (HBAC)
The system grants or denies access based on a real-time evaluation of the user’s real-time history (such as content of requests).
- Identity-Based Access Control (IBAC)
With IBAC, network administrators can manage activity and access based on individual needs.
- Mandatory Access Control (MAC)
With MAC, users are not typically able to decide who has access to their files.
- Organization-Based Access control (OrBAC)
The OrBAC model allows for defining a security policy independently of the implementation.
- Responsibility Based Access control
The responsibilities assigned to the user or their business role determine the level of access.
The computer security access controls you need
Bringing this back to the initial question of what you need, the answer is in how you answer these questions for your business:
- What level of monitoring do we need?
If your business doesn’t handle sensitive information, a simple RBAC will probably work well. But if you’re storing sensitive data, you want to make sure you have the highest levels of protection.
- Will we be able to manage the system easily?
Access controls systems are only as effective as your ability to manage them—will you be able to stay on top of the provisioning? Who will be responsible for it?
- What functions and integrations do we need?
Do you have employees that work remotely? Are there areas of the building that you want to deny some people access to? Do you need to integrate with a point of sale system or some other efficiency tool?
- How much traffic do we have?
I’m not talking about commuter traffic. How big is your company? How many people need access at any given time? They system you choose, and the levels of permissions, will make a difference depending on whether you’re a 10 person firm or 10,000.
There are other questions to ask too, but once you answer these four questions you’ll have a better idea of what you need. That’s when it’s time to call an IT professional to discuss your needs and options in depth.
We would love to talk to you about our computer security. Book a call today.
Did you like this article? Share it with your friends!