Learn about role-based access control (RBAC) in Data Protection 101, our series on the fundamentals of information security.
Role-based access control (RBAC) restricts network access based on a person's role within an organization and has become one of the main methods for advanced access control. The roles in RBAC refer to the levels of access that employees have to the network. Employees are only allowed to access the information necessary to effectively perform their job duties. Access can be based on several factors, such as authority, responsibility, and job competency. In addition, access to computer resources can be limited to specific tasks such as the ability to view, create, or modify a file. As a result, lower-level employees usually do not have access to sensitive data if they do not need it to fulfill their responsibilities. This is especially helpful if you have many employees and use third-parties and contractors that make it difficult to closely monitor network access. Using RBAC will help in securing your company’s sensitive data and important applications. Examples of Role-Based Access ControlThrough RBAC, you can control what end-users can do at both broad and granular levels. You can designate whether the user is an administrator, a specialist user, or an end-user, and align roles and access permissions with your employees’ positions in the organization. Permissions are allocated only with enough access as needed for employees to do their jobs. What if an end-user's job changes? You may need to manually assign their role to another user, or you can also assign roles to a role group or use a role assignment policy to add or remove members of a role group. Some of the designations in an RBAC tool can include:
By adding a user to a role group, the user has access to all the roles in that group. If they are removed, access becomes restricted. Users may also be assigned to multiple groups in the event they need temporary access to certain data or programs and then removed once the project is complete. Other options for user access may include:
Managing and auditing network access is essential to information security. Access can and should be granted on a need-to-know basis. With hundreds or thousands of employees, security is more easily maintained by limiting unnecessary access to sensitive information based on each user’s established role within the organization. Other advantages include:
Best Practices for Implementing RBACImplementing a RBAC into your organization shouldn’t happen without a great deal of consideration. There are a series of broad steps to bring the team onboard without causing unnecessary confusion and possible workplace irritations. Here are a few things to map out first.
A core business function of any organization is protecting data. An RBAC system can ensure the company's information meets privacy and confidentiality regulations. Furthermore, it can secure key business processes, including access to IP, that affect the business from a competitive standpoint.
By Robert Townsend on November 21, 2018 Background – Considered one of the most crucial assets in a company, access control systems hold significant value. The term ‘access control’ refers to “the control of access to system resources after a user’s account credentials and identity have been authenticated and access to the system has been granted.” Access control is used to identify a subject (user/human) and to authorize the subject to access an object (data/resource) based on the required task. These controls are used to protect resources from unauthorized access and are put into place to ensure that subjects can only access objects using secure and pre-approved methods. Three main types of access control systems are: Discretionary Access Control (DAC), Role Based Access Control (RBAC), and Mandatory Access Control (MAC). Discretionary Access Control (DAC) – DAC is a type of access control system that assigns access rights based on rules specified by users. The principle behind DAC is that subjects can determine who has access to their objects. The DAC model takes advantage of using access control lists (ACLs) and capability tables. Capability tables contain rows with ‘subject’ and columns containing ‘object’. The security kernel within the operating system checks the tables to determine if access is allowed. Sometimes a subject/program may only have access to read a file; the security kernel makes sure no unauthorized changes occur. Implementation – This popular model is utilized by some of the most popular operating systems, like Microsoft Windows file systems. Figure 1 – https://www.codeproject.com/Articles/10811/The-Windows-Access-Control-Model-Part-4 Role-Based Access Control (RBAC) – RBAC, also known as a non-discretionary access control, is used when system administrators need to assign rights based on organizational roles instead of individual user accounts within an organization. It presents an opportunity for the organization to address the principle of ‘least privilege’. This gives an individual only the access needed to do their job, since access is connected to their job. Implementation- Windows and Linux environments use something similar by creating ‘Groups’. Each group has individual file permissions and each user is assigned to groups based on their work role. RBAC assigns access based on roles. This is different from groups since users can belong to multiple groups but should only be assigned to one role. Example roles are: accountants, developer, among others. An accountant would only gain access to resources that an accountant would need on the system. This requires the organization to constantly review the role definitions and have a process to modify roles to segregate duties. If not, role creep can occur. Role creep is when an individual is transferred to another job/group and their access from their previous job stays with them. Figure 2 – https://www.docops.ca.com/ca-identity-governance/12-6-02-cr1/EN/getting-started/access-governance-and-rbac Mandatory Access Control (MAC) – Considered the strictest of all levels of access control systems. The design and implementation of MAC is commonly used by the government. It uses a hierarchical approach to control access to files/resources. Under a MAC environment, access to resource objects is controlled by the settings defined by a system administrator. This means access to resource objects is controlled by the operating system based on what the system administrator configured in the settings. It is not possible for users to change access control of a resource. MAC uses “security labels” to assign resource objects on a system. There are two pieces of information connected to these security labels: classification (high, medium, low) and category (specific department or project – provides “need to know”). Each user account is also assigned classification and category properties. This system provides users access to an object if both properties match. If a user has high classification but is not part of the category of the object, then the user cannot access the object. MAC is the most secure access control but requires a considerable amount of planning and requires a high system management due to the constant updating of objects and account labels. Implementation- Other than the government’s implementation of MAC, Windows Vista-8 used a variant of MAC with what they called, Mandatory Integrity Control (MIC). This type of MAC system added integrity levels (IL) to process/files running in the login session. The IL represented the level of trust the object would have. Subjects were assigned an IL level, which was assigned to their access token. IL levels in MIC were: low, medium, high, and system. Under this system, access to an object was prohibited unless the user had the same level of trust, or higher than the object. Windows limited the user to not being able to write or delete files with a higher IL. It first compared IL levels, then moved on to checking the ACLs to make sure the correct permissions are in place. This system took advantage of the Windows DAC system ACLs and combined it with integrity levels to create a MAC environment. Figure 3 – https://www.thewindowsclub.com/mandatory-integrity-control Conclusion – Access controls are used to prevent unauthorized access to system resources. By implementing access control systems that fit your organization, you can better manage your assets. DAC, RBAC, and MAC access control systems are models that have been used to create access control systems that provide reliability and security. Businesses with smaller applications will find DAC to be easier to implement. Others with highly confidential or sensitive information may decide to use RBAC or MAC systems. Sources – https://www.tedsystems.com/3-types-access-control-which-right-building/ https://www.stor-guard.com/article/types-of-access-control-systems-for-effective-personnel-security-43 https://searchsecurity.techtarget.com/feature/CISSP-online-training-Inside-the-access-control-domain https://searchsecurity.techtarget.com/definition/mandatory-access-control-MAC https://resources.infosecinstitute.com/cissp-access-control-domain/#gref https://www.techotopia.com/index.php/Mandatory,_Discretionary,_Role_and_Rule_Based_Access_Control https://searchdatacenter.techtarget.com/answer/DAC-and-MAC-safety http://www.cs.cornell.edu/courses/cs5430/2015sp/notes/dac.php |