3 Types of Access Control: IT Security Models Explained

Summary: In this article, we will look at three important types of access control in security. You’ll learn about the different types of access control, how they work, and their pros and cons. By the end of this article, you’ll understand what type of access control will work best for your organization and meet your security needs.

What Is Access Control in Cybersecurity?

Access control is a security framework that determines who may access which resources, based on pre-defined authentication and authorization rules. Access controls authenticate users by verifying login credentials, including usernames, passwords, PINs, security tokens, and biometric scans.

Some types of access control systems authenticate through multi-factor authentication (MFA), which requires more than one authentication method to verify an identity. Once a user is authenticated, they are given the level of access and the permissions appropriate to their identity.

Here are three major types of access control and their advantages.

3 Types of Access Control

1. Discretionary Access Control (DAC)

DAC grants access rights according to rules set by the resource's owner or an administrator. In this model, each resource has an owner (or admin) who decides who is given access to it and at what level.

How does it work?

DAC decentralizes security decisions, allowing administrators and resource owners to grant users access at specified levels. It uses access control lists (ACLs), which record which users may access a particular resource and with what level of permission.
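As an added example (not code from the article or from StrongDM), a small DAC store in Python in which each resource carries an ACL and only the resource's owner may change it; the file, user names and permission levels are constructed for the example.

```python
from dataclasses import dataclass, field

PERMISSIONS = {"read", "write", "delete"}  # levels an owner can hand out

@dataclass
class Resource:
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of permissions

class DacStore:
    # Minimal DAC model: only a resource's owner may edit its ACL.
    def __init__(self):
        self.resources = {}

    def create(self, name, owner):
        self.resources[name] = Resource(owner)

    def _owned_by(self, actor, name):
        res = self.resources[name]
        if actor != res.owner:
            raise PermissionError(f"{actor} is not the owner of {name}")
        return res

    def grant(self, actor, name, subject, perm):
        if perm not in PERMISSIONS:
            raise ValueError(f"unknown permission {perm!r}")
        self._owned_by(actor, name).acl.setdefault(subject, set()).add(perm)

    def revoke(self, actor, name, subject, perm):
        self._owned_by(actor, name).acl.get(subject, set()).discard(perm)

    def check(self, subject, name, perm):
        res = self.resources[name]
        # Owners keep full discretion over their own data.
        return subject == res.owner or perm in res.acl.get(subject, set())

    def who_can(self, name, perm):
        # Audit view: everyone that ownership or the ACL lets do `perm`.
        res = self.resources[name]
        return sorted({s for s, p in res.acl.items() if perm in p} | {res.owner})

def demo():
    store = DacStore()
    store.create("payroll.xlsx", owner="alice")
    store.grant("alice", "payroll.xlsx", "bob", "read")
    try:  # bob is only a reader, so he cannot re-share the file
        store.grant("bob", "payroll.xlsx", "mallory", "read")
    except PermissionError:
        pass
    return store
```

The `who_can` view is the piece an auditor asks for first: with per-user ACLs scattered across many owners, it is the only way to answer "who can read this file today?".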

Pros & Cons

DAC is simple to use, and as long as users and roles are listed correctly, it’s easy to access resources. Since access control is decentralized, administrators or owners can easily add or remove permissions. Owners and users (depending on their privileges) can control access to their data, which gives them the ability to read, make changes, or delete files.

Because of that same simplicity and flexibility, DAC can pose a security risk to large organizations, to businesses handling sensitive data, or to both. Assigning permissions to individual users is a time-consuming task for large enterprises, and a user who has been given the wrong permissions can do real damage to important files.

2. Role-Based Access Control (RBAC)

System administrators use the RBAC (or non-discretionary) access control model to grant access based on organizational roles rather than on individual user accounts. Only people whose role requires the work in question are given access to the resource.

How does it work?

With RBAC, administrators define roles and determine the resources that a role needs access to. Each user is then assigned to a role that gives them the appropriate permissions to do their job. Users can join different groups but can only be given one role.
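As an added example (not code from the article or from StrongDM), a minimal RBAC model in Python that follows the article's description: permissions attach to roles, each user holds exactly one role, and users may belong to any number of groups; role, resource and user names are constructed.

```python
from collections import defaultdict

class Rbac:
    # Permissions attach to roles; each user holds exactly one role
    # (as the article states) and may belong to any number of groups.
    def __init__(self):
        self.role_perms = {}                  # role -> {(resource, action)}
        self.user_role = {}                   # user -> role
        self.user_groups = defaultdict(set)   # user -> {group}

    def define_role(self, role, perms):
        # Defining (or redefining) a role updates every user holding it.
        self.role_perms[role] = set(perms)

    def assign(self, user, role, groups=()):
        if role not in self.role_perms:
            raise KeyError(f"undefined role {role!r}")
        self.user_role[user] = role           # a second assign replaces the role
        self.user_groups[user].update(groups)

    def check(self, user, resource, action):
        role = self.user_role.get(user)
        return role is not None and (resource, action) in self.role_perms[role]

    def users_who_can(self, resource, action):
        # Compliance view: who can perform `action` on `resource` right now?
        return sorted(u for u in self.user_role if self.check(u, resource, action))

    def offboard(self, user):
        self.user_role.pop(user, None)
        self.user_groups.pop(user, None)

def demo():
    rbac = Rbac()
    rbac.define_role("dba", {("prod-db", "read"), ("prod-db", "write")})
    rbac.define_role("analyst", {("prod-db", "read")})
    rbac.assign("alice", "dba", groups={"platform"})
    rbac.assign("bob", "analyst", groups={"finance", "reporting"})
    rbac.assign("carol", "analyst")
    # One change to the role grants every analyst the new permission.
    rbac.define_role("analyst", {("prod-db", "read"), ("reports", "read")})
    return rbac
```

Note how the redefinition of `analyst` reaches bob and carol without touching either user record; that is the administrative saving RBAC is meant to deliver.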

Pros & Cons

RBAC reduces administrative work by letting admins assign a user to a role with predefined permissions, rather than assigning each permission to each user one at a time. It also gives administrators an easy way to demonstrate that sensitive data is handled according to confidentiality standards.

It can be challenging for administrators to assign roles in large or growing organizations, where roles may regularly be created or tailored to fit the needs of the organization. Admins need to maintain an up-to-date understanding of roles to properly maintain role categorizations and manage their access requirements. This often requires collaboration between teams to properly implement RBAC in an organization, which impacts the workload of other team members.

3. Attribute-Based Access Control (ABAC)

In contrast to the role-defined access control method of RBAC, ABAC is a complex strategy that applies a multitude of attributes to both users and resources. While it is more complicated than RBAC, it gives admins the flexibility to make decisions according to context and evolving levels of risk.

How does it work?

Users are only able to access resources that have corresponding attributes. Attributes can include user demographics such as job title or security clearance; resource properties such as file type or creation date; and even environmental characteristics such as access location or time.
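As an added example (not code from the article or from StrongDM), a deny-by-default ABAC evaluator in Python whose rules combine the three attribute kinds the article names: subject attributes (clearance, department), resource attributes (classification, owning department) and environment attributes (location, time of the request). The policy, classification levels and sample request are constructed for the example.

```python
from datetime import datetime

# Ordered classification levels used to compare a subject's clearance
# against a resource's label (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Each rule is a predicate over the three attribute sets the article names:
# the subject (user), the resource, and the environment of the request.
def clearance_dominates(sub, res, env):
    return LEVELS[sub["clearance"]] >= LEVELS[res["classification"]]

def same_department(sub, res, env):
    return sub["department"] == res["owner_department"]

def business_hours(sub, res, env):
    t = env["time"]
    return t.weekday() < 5 and 8 <= t.hour < 18

def on_site_or_public(sub, res, env):
    return env["location"] == "office" or res["classification"] == "public"

POLICY = [clearance_dominates, same_department, business_hours, on_site_or_public]

def evaluate(policy, subject, resource, environment):
    """Deny by default: access is allowed only if every rule holds.
    Returns (allowed, names_of_failed_rules) so a denial can be explained."""
    failed = [rule.__name__ for rule in policy
              if not rule(subject, resource, environment)]
    return not failed, failed

def make_env(location, year, month, day, hour):
    return {"location": location, "time": datetime(year, month, day, hour)}

def demo():
    dana = {"clearance": "confidential", "department": "finance"}
    forecast = {"classification": "confidential", "owner_department": "finance"}
    return {
        "office_tuesday_10am": evaluate(POLICY, dana, forecast, make_env("office", 2024, 3, 5, 10)),
        "home_tuesday_11pm": evaluate(POLICY, dana, forecast, make_env("home", 2024, 3, 5, 23)),
    }
```

Returning the names of the failed rules is what makes an ABAC denial auditable; the same request from the same user is allowed or refused purely on the environment attributes, which no role model can express.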

Pros & Cons

ABAC makes it possible for organizations to implement extremely granular yet flexible security policies that can be applied across a wide variety of resources. This not only keeps security policies adaptable to changing business requirements, it also keeps security tight, since policies can be added or modified as needs arise.

The granularity of ABAC policies means that it takes significant time and resources to define attributes and apply them to users and resources. Maintaining that level of detail is likewise challenging for admins of large, growing, or rapidly changing teams.

How StrongDM Simplifies Access Control

Companies need to use the access control method that best protects their confidential information for their needs. StrongDM combines the power of both RBAC and ABAC for a security boost that eases the burden on administrative teams.

With StrongDM’s access control model, organizations get:

Secure Your Resources With StrongDM

Each type of access control system comes with its own benefits and limitations. DAC will work well for companies with limited resources and limited risk, but organizations that prioritize speed, security, and flexibility — particularly if they work with confidential or sensitive information — should use both RBAC and ABAC access control models.

StrongDM can help. Sign up for our 14-day trial today to see how StrongDM can help your business manage your security needs for the long haul.

About the Author

Schuyler Brown, Chairman of the Board, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.