Thoai1. What is security access control?
Security access control refers to the process of managing who is authorized to access certain data or resources in an organization. It is a fundamental component of data security. For example, when creating a post on Facebook, you can specify who can view your post or you can create a file share in Google Driver to someone else which is read-only.
Access control helps prevent unauthorized access to sensitive information, such as customer data, intellectual property, and other valuable company resources. Access control is typically achieved through a combination of technologies, policies, and procedures, and can be applied to both physical and digital assets.
The goal of access control is to ensure that only authorized individuals or processes are able to gain access to sensitive information or resources, reducing the risk of data breaches, theft, or other security incidents. There are three most common access control models which are being used by the most popular companies, they are:
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
- Role-Based Access Control (RBAC)
2. Mandatory Access Control (MAC)
Mandatory access control (MAC) is a security model that restricts access to resources based on predefined security policies or classifications determined by a central authority instead of the discretionary access control (DAC) model based on owner-defined access rules. The most famous implementation of this model is Oracle Label Security.
In MAC, the operating system or security system enforces access controls based on the sensitivity of the information, the clearance level of the user, and the classification of the resource in question.
In a MAC system, users do not have any control over access permissions, and access policies are rigidly enforced by the system. This makes MAC an effective security mechanism in environments where the need for confidentiality is paramount, such as military, government, or finance organizations. However, MAC can also be challenging to administer and implement in more flexible, collaborative environments.
For example: the government classification system used to safeguard classified information. The system assigns a security level to each piece of classified information based on its perceived importance, and each individual with access to the information is assigned a clearance level based on their need to know. The higher the security level of the information, the more stringent the clearance requirements for those who may access it.
The operating system or security system enforces these access controls, such that a user without the appropriate clearance level would be unable to access the information, regardless of their job duties or position within the organization.
3. Discretionary Access Control (DAC)
Discretionary access control (DAC) is a type of security access control that grants or restricts object access via an access policy determined by an object’s owner rather than a system administrator. In DAC, access to an object is granted or denied based on the identity of the user, group, or process that requests access and the permissions assigned to that identity.
DAC allows the owner of a resource or file to grant and define access permissions to other users, allowing for greater flexibility and collaboration. However, this approach can also be risky, as it puts sensitive data in the hands of potentially unqualified or malicious users.
It is important to note that DAC is only one aspect of access control and that other types of access control, such as mandatory access control (MAC) and role-based access control (RBAC), are also used to help protect sensitive assets and data.
For example: file permissions in Unix-like operating systems. In this model, each file has an owner, and the owner has the discretion of setting the read, write, and execute permissions for that file to be accessed by themselves, members of their own group or arbitrary users.
For instance, if a file’s owner sets read permissions for a specific group, only members of that group will be able to access that file. This allows for fine-grained control over access to files and directories, giving users more flexibility and control over their data.
4. Role-Based Access Control (RBAC)
The most popular model is Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an organization. Spring security is one of the most famous security frameworks which implements this model.
In RBAC, users are assigned to roles, which have a set of permissions associated with them. These permissions determine what resources a user can access and what actions they are authorized to perform on those resources.
For example: HR system, the HR manager might have privileges to create new user accounts, edit employee data, and view salary information, while an HR assistant might have privileges to view and edit employee data, but not create new user accounts or view salary information.
In an RBAC system, these different levels of access could be set up as distinct roles, and users would be assigned to a role based on their job function and level of responsibility. This approach helps ensure that individual users only have access to the resources necessary to perform their job duties and prevents unauthorized access to sensitive information.