A Comprehensive Guide to Access Control Models

Today's topic? A comprehensive guide to access control models.

In the early days of computing during the 1950s and 1960s, access control was relatively simple, relying on physical security measures to protect mainframe computers from unauthorized physical access. Computers were multi-million dollar devices, were the size of an entire room, and security was more about ensuring their correct usage to prevent a fire from exploding vacuum tubes. Things have changed significantly since that time. Access security is no longer an afterthought primarily concerned with avoiding device ignition or downtime on a scarce resource.

Multics, an early time-sharing operating system developed in the 1960s, introduced the concept of "rings" (a concept that is still part of OS kernel security today) to distinguish between different levels of privileged access, separating system code and user code to prevent unauthorized access to critical parts of the system. The core access control models of today - Discretionary Access Control (DAC) and Mandatory Access Controls (MAC) emerged in the 1970s with Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) following in the 1980s and 1990s respectively.

In the modern era, access security is a forefront security concern. Of the “big three” CIA triad priorities: Confidentiality, Integrity, and Availability. Confidentiality and Integrity are primarily concerned with preventing unauthorized access. Highly reliable components and well-architected devices support availability, and low-cost manufacturing means redundancy is more affordable than in the early days of computing. The security risks of broken access controls range from highly destructive wiper and ransomware attacks to stolen corporate secrets, identity theft, and bank fraud. 

Let's review the core fundamental access control models and those that have more recently emerged from the need to implement continuous authentication and granular authorization.

Access Control Models Emerge

Protecting access control is a technically complex issue both because technology itself is complex and because authorization schematics (tying identity to rights)  is also complex. Users are faced with a vast list of credentials to manage, and system architects are faced with the daunting job of designing applications that provision access only when the correct credentials are presented. Even then, cyberattacks mandate the integrity of those credentials to be scrutinized.

Fundamental Access Control Models

The fundamental access control models are as follows:

Discretionary Access Control (DAC)

DAC is an access control model where the owner of a resource has permission to control access to their own resources. The owner can grant or revoke access permissions to other users or groups, providing more flexibility and individual control over resources. DAC is commonly used in consumer-grade operating systems such as the read-write-execute (RWX) permissions in Windows, and Unix-based operating systems.

Mandatory Access Control (MAC)

MAC is a security model where access to resources is determined by the system's security policy, which is set by an administrator. The access is based on labels or clearances assigned to both subjects (users/processes) and objects (files/resources). MAC ensures that data confidentiality and integrity are enforced by restricting the subject's access to objects based on predefined rules and classifications.

On Linux-based systems, "setfacl" command can be used for simple use cases while SELinux (Security-Enhanced Linux) and AppArmor support more complex implementations of MAC, Windows-based systems use a tool named AppLocker, while macOS includes a built-in tool based on TrustedBSD MAC Framework.

Role-Based Access Control (RBAC)

The RBAC model assigns permissions based on job roles or functions within an organization. Users are assigned to specific roles such as "Administrator" or "Guest", and access rights are associated with those roles. RBAC simplifies access management because permissions are granted based on job requirements rather than individual identities, making it easier to manage permissions in large systems with many users while implementing the principle of least privilege (POLP).

Role-Based Access Control (RBAC) is widely implemented in various systems and applications.  For example, within the operating system design as users are assigned a role such as administrator (root) user, or guest account types. Another example is an education web application that uses roles for controlling access to actions and resources.

Attribute-Based Access Control (ABAC)

ABAC is a highly flexible access control model where access decisions are made at runtime and are based on complex attributes and environmental conditions. ABAC considers a wide range of contexts, such as user identity, job title, location, time of access, and resource sensitivity in a decision-making algorithm or decision matrix. ABAC provides more fine-grained control and dynamic decision-making compared to DAC, MAC, or RBAC. For example, while MAC and ABAC both include a subject/object model, ABAC uses dynamic contextual conditions rather than static ones such as time of access or resource sensitivity allowing more dynamic access control decisions.

One popular application that enables ABAC on Linux is XACML (eXtensible Access Control Markup Language), while on Windows ABAC can be implemented using Azure ABAC, Active Directory with Claims-based authentication, and Authorization Manager (AzMan).

Other Access Control Models

• History-Based Access Control (HBAC): HBAC is a model that considers the historical behavior of programs to make access decisions. Access requests are evaluated based on the past actions of the user or the resource, and anomaly detection is used to identify when a current action or authorization request differs from past behavior and contexts. HBAC may be used in the context of analyzing CPU stack instructions or network traffic analysis to identify when specific actions or applications are anomalies and adjust access control decisions. While the term HBAC is not commonly used to describe the security capabilities of any particular software solutions, the principle is employed by many forms of applications that require email-based 2nd-factor authentication when a user has not logged in for a long time, or in Network Intrusion Prevention Systems that use time-based heuristics for detection. 

• Context-Based Access Control (CBAC): CBAC is a model that considers various contextual factors when determining access rights such as the user's location, device, network conditions, and other environmental parameters. CBAC enables dynamic access control based on the current situation, to enhance security, availability, and adaptability. Cisco firewalls specifically employ a feature known as Context-Based Access Control.

• Task-Based Access Control (TBAC): The TBAC model was first considered in the late 1990s and focuses on granting access based on specific tasks or operations being performed. It is beneficial for securing systems where additional authentication should be required for specific actions, or when users perform different functions at different times or need to access resources based on the tasks they are assigned.

• Relationship-Based Access Control (ReBAC): ReBAC is a model that considers the relationships between users and resources to determine access rights. For example, access decisions might be based on user-to-resource relationships such as ownership, membership in a group, or hierarchical associations. The ReBAC concept is mostly a response to social networking applications where a user’s access rights are determined by their relationship status (friend, family, group member) with other users or groups.

• Attribute-Based Encryption (ABE): ABE is a cryptographic access control model where the power to decrypt encrypted data is granted based on the attributes of the user or resource. Users are assigned attributes, and data is encrypted with different private keys based on specific access policies. Users possessing the matching attributes can decrypt and access the data.

• Usage Control (UCON): The concept of Usage Control started gaining attention in the early 2000s as researchers and practitioners sought to address the limitations of traditional access control models in dynamically changing environments.  UCON is an access control model that focuses on continuous and ongoing access control decisions based on changing conditions and emphasizes monitoring and adapting access rights based on the usage behavior and context of users and resources. Some things that are considered in the UCON model include the current state of the system or resource, and environmental status such as network status, and time of day.

• Zero Trust: Zero Trust is modern access control architecture that emphasizes a "never trust, always verify" approach to security. It challenges the traditional perimeter-based security model, assuming that no user or device should be inherently trusted, even if they are within the organization's network. Instead, Zero Trust advocates for continuous verification of users, devices, and applications before granting access to resources.

• Policy-Based Access Control (PBAC): While the term PBAC is not as commonly used, some claim PBAC is a distinct access control model that uses a set of rules or policies to determine access to resources. These policies are usually defined using domain-specific language and can be quite expressive. PBAC is often used in complex systems where access control requirements are subject to change or need to be easily auditable.

Conclusion

Access security has come a long way since the inception of computing, and although the core access security models in use today have been around for decades, new access security models have emerged to suit more complex use cases. Discretionary Access Control (DAC) and Mandatory Access Control (MAC) laid the foundation in the 1970s, followed by Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) in subsequent decades.

Today, access control is by far the most critical concern in cybersecurity and unauthorized access is a priority above most other security concerns. The potential ramifications of inadequate access controls include costly ransomware attacks, intellectual property theft, and other data-loss concerns such as brand reputational damage, identity theft, fraud, and even national security. Therefore, it is crucial to understand all the existing theories and conceptual models in the evolving access control landscape.

Looking to learn more about how our team wields access control as part of our 95% manual penetration testing methodology? Download our complimentary Buyer's Guide today.