Access control is a security technique that regulates who or what can view, use, and alter resources in a IT environment and what circumstances. This ensures that sensitive information doesn't fall into the wrong hands.

So, access control is your way of saying, "You can see this, but you can't see that," ensuring our company's data remains safe and only accessible to the right people. And as a network administrator, you have at your disposal different methods and tools to enforce access control. 

Types and methods of access control

Physical access control

Physical access control focuses on who gets into the actual spaces where your critical tech lives. It's not just about fancy key cards or PIN codes; it ensures that the right people can physically touch your company's assets, like your server rooms. These are the heartbeat of our network, and you can't just let anyone stroll in.

Let’s say you’ve implemented a key card access system for your server room. Only IT staff and authorized personnel get these cards. Each access is logged, so you always know who was there and when. 

On top of that, there are surveillance cameras monitoring the entrances and exits. This helps you deter any potential breaches and review footage if anything goes wrong.

We should also highlight the importance of security guards. They play a crucial role in your physical access control. Most main offices are staffed with security personnel who check IDs and visitor logs. If someone’s not on the list, they don’t get in.

You can also use biometric scanners for sensitive areas. Fingerprint scanners are particularly useful for ensuring that only specific individuals can enter areas with sensitive information. 

For instance, the room housing your financial records may have a fingerprint scanner. This adds an extra layer of security beyond just a key card.

Even your workspace layout contributes to physical security. You should set up dedicated zones within the office, with a general working area accessible to most employees and restricted sections housing your confidential work. Only team members working on specific projects can enter your restricted zones.

These measures may seem like a lot, but they’re necessary. You need to be vigilant about who’s walking around your premises. It’s not just about protecting your equipment but also about safeguarding the data and intellectual property that keeps your business running.

Logical access control

In computers, logical access controls are tools and protocols you use for identification, authentication, authorization, and accountability in computer information systems. 

Logical access is often needed for remote access to hardware. It's different from physical access, which deals with interactions like a lock and key in the physical environment where the equipment is stored.

Logical access controls are used to manage access to systems, programs, processes, and information. These controls can be embedded within operating systems, applications, add-on security packages, or database and telecommunication management systems. 

Sometimes, the line between logical and physical access is blurred. For example, entry to a room controlled by a chip and PIN card and an electronic lock managed by software. Only people with the right card, security level, and PIN can get in.

Logical access controls use various methods like password protocols, devices coupled with protocols and software, encryption, and firewalls. These systems can detect intruders, reduce vulnerabilities, and protect data and systems from threats.

Businesses, organizations, and other entities use a wide range of logical access controls to protect hardware from unauthorized remote access. These can include sophisticated password programs, advanced biometric security features, or setups that identify and screen users at any administrative level.

There is a wide range of biometric security devices and software for different security needs. For large networks requiring airtight security, there are very complex biometric systems. For smaller setups like office buildings, less expensive systems work well.

Discretionary access control (DAC)

In computer security, discretionary access control (DAC) is a way to manage access to resources based on the identity of users or groups. This is different from mandatory access control (MAC), where access decisions are made by a central authority. 

DAC is called "discretionary" because the users with permission can decide and transfer that permission to others. This is why it's called discretionary - it gives users more control.

Imagine you're working on a Unix system. Here, DAC is implemented with file permissions. Every file or directory has an owner, and the owner decides who can read, write, or execute it. 

For instance, in Unix file mode, permissions are set using a series of bits. These bits correspond to the owner, the group, and others, specifying their access rights like read, write, and execute.

Another example of DAC is capability-based security. While this type doesn't rely on the identity of subjects, it still allows users to transfer permissions to others. In these systems, users hold tokens called "capabilities" that grant access to resources. When a user wants to transfer access, they pass the capability to the other user. 

However, this isn't entirely unrestricted. Usually, the user passing the capability must have some form of access to the receiving user, ensuring adherence to the principle of least privilege.

In both examples, DAC gives users flexibility. They can decide how their resources are shared or restricted, which is a fundamentals of discretionary access control.

Mandatory access control (MAC)

Mandatory access control is one of the strictest forms of access control. It doesn't leave much room for flexibility, which can be both a strength and a limitation. 

With MAC, the system decides who gets access to what. It’s not up to individual users or administrators. For example, think about a classified government network. Access to top-secret files is determined by the system based on predefined policies, not by individual discretion.

Let’s say you work in a defense organization. You might have different levels of clearance: confidential, secret, and top secret. Each level of clearance determines what information you can access. Your clearance level is assigned by the system based on your role and need-to-know basis. 

This minimizes the risk of unauthorized access. If you only have secret clearance, you can't access top-secret files, no matter how much you want or need to for your job.

One interesting thing about MAC is the use of security labels. These labels classify both users and data. For instance, a document might be labeled as "top-secret." Only users with the corresponding "top-secret" clearance label can access that document. If your clearance label doesn’t match, you’re not accessing the data.

MAC can also be found in more commercial settings, although less frequently. Consider a highly regulated industry like pharmaceuticals. Research data might be classified as proprietary and only accessible to senior researchers. Even if you’re a junior researcher on the same project, if the system hasn’t granted you access, there’s no way for you to see that data. It’s very black and white.

Using MAC ensures a high level of security, and it’s particularly effective in environments where data sensitivity is paramount. However, it can be a bit rigid and might slow down workflow because changes in access permissions usually require updates to system policies. But when security outweighs convenience, MAC is hard to beat.

Role-based access control (RBAC)

Role-based access control (RBAC) restricts network access based on a person's role within an organization. It's one of the main methods for advanced access control. The roles in RBAC refer to the levels of access that employees have to the network.

Employees only get access to information necessary to effectively perform their job duties. Access can be granted based on authority, responsibility, and job competency. It also limits computer resource access to specific tasks like viewing, creating, or modifying a file.

Lower-level employees usually don't have access to sensitive data if they don’t need it for their job. This is especially helpful if you have many employees and third-parties or contractors. It gets tough to monitor network access closely, but RBAC helps secure sensitive data and important applications.

Through RBAC, you can control what end-users can do at both broad and granular levels. You can designate whether the user is an administrator, a specialist user, or an end-user. Roles and access permissions can be aligned with your employees’ positions in the organization. Permissions are given with just enough access for employees to do their jobs.

If an end-user's job changes, you may need to reassign their role manually. Alternatively, you can assign roles to a role group or use a role assignment policy to add or remove members of a role group. 

For instance, management role scopes limit what objects the role group can manage. Management role groups allow you to add and remove members, while management roles define the types of tasks a specific role group can perform. Management role assignments link a role to a role group.

Adding a user to a role group gives them access to all roles in that group. If they’re removed, access is restricted. Users might also be assigned to multiple groups if they need temporary access to certain data or programs. Once a project is complete, you can remove them from the group.

Other user access designations might include primary, which is the primary contact for a specific account, billing for one end-user to access the billing account, technical for users that perform technical tasks, and administrative for users handling administrative tasks.

By implementing RBAC, you help in securing your company's sensitive data and ensuring only authorized users have access to critical information. This approach can streamline your control process and make your organization more secure and efficient.

Attribute-based access control (ABAC)

Attribute-based access control (ABAC) is a flexible and dynamic authorization strategy. It defines permissions based on various attributes, also known as tags. These tags can be attached to IAM resources like users and roles as well as to AWS resources. 

With ABAC, you can create a set of policies that allow operations when the principal's tag matches the resource tag. This system provides granular access control and dynamic authorization, making it ideal for environments that are rapidly scaling or becoming complex.

ABAC is different from the traditional role-based access control (RBAC) model, which defines permissions based on job functions or roles. In RBAC, if you have three projects—**Heart**, **Star**, and **Lightning**—you would need to create separate IAM roles for each project and attach specific policies. 

Adding new resources requires updating these policies, which can be cumbersome. If someone switches projects, their IAM role assignments need to be updated too.

On the other hand, with ABAC, we just focus on the attributes. It also makes it easy to scale permissions as projects evolve. It is particularly useful when integrating with corporate directories using SAML or OIDC providers. 

For a practical example, consider an engineering team where each member gets a tag corresponding to their project. When a resource is created, it's tagged with the project attribute. Anyone whose tag matches the resource's tag can access it. 

If a new project starts, you just create resources with the new project tag, and assign corresponding tags to the team members. Everything aligns without rewriting policies.

So, ABAC simplifies access control by leveraging tags, making it adaptable for growing and changing environments. The strategy removes the need for constant policy updates and provides finer control over resource access.

Authentication methods used in access control

There are several ways you can ensure only the right people get into your network. Let’s quickly discuss these authentication methods: 

Passwords

Passwords are basic and sometimes a hassle, but they're a fundamental building block. A strong password policy can make a big difference. It’s all about complexity and length. 

Encourage using passphrases instead of single words. Something like “S3cur3P@ssword!” is a good example, but a phrase like "I_Love!MyJob2023" is even better.

Multi-factor authentication (MFA)

With MFA, you don’t just rely on a password. You add another layer. For instance, after entering your password, you might get a code on your phone. Google Authenticator is a popular app for this, or you can use SMS codes. 

The idea is to have something you know (your password) and something you have (your phone). It’s like having two locks on your door. Even if someone cracks one, they still need to get past the second.

Biometrics

Biometrics are the physical characteristics and biological measurements used to identify individuals. These are usually unique to the individual. Think of fingerprints or facial recognition. 

Most of your smartphones already have biometric readers built in. So for example, your phone might recognize you by your face or fingerprint and grant access. It’s not just convenient; it’s secure. Apple’s Face ID and Microsoft’s Windows Hello are prime examples of this tech in action.

Token-based authentication

Picture a small device, like a key fob, that generates a unique code every 30 seconds. RSA SecureID tokens are a classic example. You’ll need this device along with your password to get in. It’s old-school but highly effective.

Single Sign-On (SSO)

SSO streamlines the login process. With SSO, you enter your credentials once and gain access to multiple applications. It’s like having a master key. Services like Okta and Auth0 make this possible. They improve user experience while maintaining high security.

So, these are some of the ways you can lock down your network and ensure only the right people get access. Using a mix of these methods can greatly enhance your security landscape.

‍