Access Control Models: MAC, DAC, RBAC, & PAM Explained
Nobody in an organization should have free rein to access any resource. Access control is the combination of policies and technologies that decide which authenticated users may access which resources. Security requirements, infrastructure, and other considerations lead companies to choose among the four most common access control models:
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
- Role-Based Access Control (RBAC)
- Privileged Access Management (PAM)
We will review the advantages and disadvantages of each model. Then we will explore how, given the shift to remote and blended workforces, security professionals want more dynamic approaches to access control.
Mandatory access control uses a centrally managed model to provide the highest level of security. A non-discretionary system, MAC reserves control over access policies to a centralized security administration.
MAC works by applying security labels to resources and individuals. These security labels consist of two elements:
- Classification and clearance — MAC relies on a classification system (restricted, secret, top-secret, etc.) that describes a resource’s sensitivity. Users’ security clearances determine what kinds of resources they may access.
- Compartment — A resource’s compartment describes the group of people (department, project team, etc.) allowed access. A user’s compartment defines the group or groups they participate in.
A user may access a resource only if their security label dominates the resource's label: their clearance is at or above the resource's classification, and their compartments include the resource's compartment.
MAC originated in the military and intelligence community. Beyond the national security world, MAC implementations protect some companies’ most sensitive resources. Banks and insurers, for example, may use MAC to control access to customer account data.
MAC advantages:
- Enforceability — MAC administrators set organization-wide policies that users cannot override, making enforcement easier.
- Compartmentalization — Security labels limit the exposure of each resource to a subset of the user base.
MAC disadvantages:
- Collaboration — MAC achieves security by constraining communication. Highly collaborative organizations may need a less restrictive approach.
- Management burden — A dedicated organizational structure must manage the creation and maintenance of security labels.
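The label comparison described above, as an added example that is not part of the original article and not Twingate's code. It implements the dominance rule (clearance level at or above the classification, compartments a superset) and, going one step beyond the article, the Bell-LaPadula "no write-down" rule so that a subject cannot copy data to a lower label. The level names, compartments and sample subjects are constructed.

```python
from dataclasses import dataclass

# Ordered classification ladder; a higher index means more sensitive.
# Level and compartment names are constructed for this example.
LEVELS = ["unclassified", "restricted", "secret", "top-secret"]


@dataclass(frozen=True)
class Label:
    """A security label: one classification level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's level is at least B's level AND
        # A's compartments include every compartment of B.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and other.compartments <= self.compartments)


def can_read(subject: Label, resource: Label) -> bool:
    """Simple security property: read only if the subject's clearance
    label dominates the resource's classification label."""
    return subject.dominates(resource)


def can_write(subject: Label, resource: Label) -> bool:
    """*-property (no write-down): write only if the resource's label
    dominates the subject's, so higher-classified data cannot leak downward."""
    return resource.dominates(subject)


def decide(subject: Label, resource: Label) -> dict:
    """Central, non-discretionary decision: resource owners get no say."""
    return {"read": can_read(subject, resource),
            "write": can_write(subject, resource)}


if __name__ == "__main__":
    # Constructed sample subject and resources.
    analyst = Label("secret", frozenset({"payments"}))
    samples = {
        "account_data": Label("restricted", frozenset({"payments"})),
        "fraud_case": Label("secret", frozenset({"payments", "fraud"})),
        "board_memo": Label("top-secret"),
    }
    for name, res in samples.items():
        print(name, decide(analyst, res))
```

The analyst can read the restricted payments data but not the fraud case (missing compartment) or the top-secret memo (insufficient clearance); the write rule lets the analyst add to the fraud case, which is at least as restricted as their own label, but not to the lower-classified account data.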
Discretionary access control decentralizes security decisions to resource owners. The owner could be a document’s creator or a department’s system administrator. DAC systems use access control lists (ACLs) to determine who can access that resource. These tables pair individual and group identifiers with their access privileges.
The sharing option in most operating systems is a form of DAC. For each document you own, you can set read/write privileges and password requirements within a table of individuals and user groups. System administrators can use similar techniques to secure access to network resources.
DAC advantages:
- Conceptual simplicity — ACLs pair a user with their access privileges. As long as the user is in the table and has the appropriate privileges, they may access the resource.
- Responsiveness to business needs — Since policy change requests do not need to go through a security administration, decision-making is more nimble and aligned with business needs.
DAC disadvantages:
- Over/underprivileged users — A user can be a member of multiple, nested workgroups. Conflicting permissions may over- or under-privilege the user.
- Limited control — Security administrators cannot easily see how resources are shared within the organization. And although viewing a resource’s ACL is straightforward, seeing one user’s privileges requires searching every ACL.
- Compromised security — By giving users discretion over access policies, the resulting inconsistencies and missing oversight could undermine the organization’s security posture.
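A small ACL store illustrating the DAC points above, added here as an example; it is not from the original article or from Twingate. It shows owner-controlled sharing, union of group entries (the source of over-privileging through overlapping groups), and that answering "what can this user reach?" requires scanning every ACL. Users, groups, resources and permission names are constructed.

```python
from collections import defaultdict

# Permission vocabulary and all sample principals are constructed for this example.
FULL = {"read", "write", "share"}


class DacStore:
    """Discretionary access control: each resource has an owner who controls its ACL."""

    def __init__(self):
        self.owners = {}                   # resource -> owning user
        self.acls = defaultdict(dict)      # resource -> {principal: set(perms)}
        self.groups = defaultdict(set)     # group -> set of users

    def add_member(self, group, user):
        self.groups[group].add(user)

    def create(self, resource, owner):
        self.owners[resource] = owner
        self.acls[resource]["user:" + owner] = set(FULL)

    def permissions(self, user, resource):
        """Effective permissions are the union of the user's own entry and every
        group entry that applies; union semantics is how overlapping groups
        over-privilege a user."""
        acl = self.acls.get(resource, {})
        perms = set(acl.get("user:" + user, ()))
        for group, members in self.groups.items():
            if user in members:
                perms |= acl.get("group:" + group, set())
        return perms

    def grant(self, actor, resource, principal, perms):
        """Only a holder of 'share' (the owner by default) may edit the ACL.
        No central administrator is consulted: that is the discretionary part."""
        if "share" not in self.permissions(actor, resource):
            raise PermissionError(f"{actor} may not share {resource}")
        self.acls[resource].setdefault(principal, set()).update(perms)

    def is_allowed(self, user, resource, action):
        return action in self.permissions(user, resource)

    def resources_for(self, user):
        """There is no per-user index: every ACL must be scanned to answer
        'what can this user reach?'."""
        found = {}
        for resource in self.acls:
            perms = self.permissions(user, resource)
            if perms:
                found[resource] = perms
        return found


def build_sample():
    """Constructed sample: bob sits in two overlapping groups."""
    store = DacStore()
    store.add_member("finance", "bob")
    store.add_member("interns", "bob")
    store.create("q3-forecast.xlsx", "alice")
    store.create("payroll.csv", "carol")
    store.grant("alice", "q3-forecast.xlsx", "group:finance", {"read", "write"})
    store.grant("alice", "q3-forecast.xlsx", "group:interns", {"read"})
    store.grant("carol", "payroll.csv", "user:bob", {"read"})
    return store


if __name__ == "__main__":
    store = build_sample()
    print("bob on forecast:", store.permissions("bob", "q3-forecast.xlsx"))
    print("everything bob can reach:", store.resources_for("bob"))
    try:
        store.grant("bob", "payroll.csv", "user:dave", {"read"})
    except PermissionError as err:
        print("denied:", err)
```

Note that bob's intern membership was meant to give read-only access, yet his finance membership silently adds write: the ACL for the spreadsheet says nothing about that interaction, and only a full scan of every ACL reveals his overall footprint.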
Role-based access control grants access privileges based on the work that individual users do. A popular way of implementing “least privilege” policies, RBAC limits access to just the resources users need to do their jobs.
Implementing RBAC requires defining the different roles within the organization and determining whether and to what degree those roles should have access to each resource.
Accounts payable administrators and their supervisor, for example, can access the company’s payment system. The administrators’ role limits them to creating payments without approval authority. Supervisors, on the other hand, can approve payments but may not create them.
RBAC advantages:
- Flexibility — Administrators can optimize an RBAC system by assigning users to multiple roles, creating hierarchies to account for levels of responsibility, constraining privileges to reflect business rules, and defining relationships between roles.
- Ease of maintenance — With well-defined roles, the day-to-day management is the routine on-boarding, off-boarding, and cross-boarding of users’ roles.
- Centralized, non-discretionary policies — Security professionals can set consistent RBAC policies across the organization.
- Lower risk exposure — Under RBAC, users only have access to the resources their roles justify, greatly limiting potential threat vectors.
RBAC disadvantages:
- Complex deployment — The web of responsibilities and relationships in larger enterprises makes defining roles so challenging that it spawned its own subfield: role engineering.
- Balancing security with simplicity — More roles and more granular roles provide greater security, but administering a system where users have dozens of overlapping roles becomes more difficult.
- Layered roles and permissions — Assigning too many roles to users also increases the risk of over-privileging users.
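The accounts-payable example from the RBAC section, worked through as an added example (not the article's or Twingate's code): a role hierarchy so that supervisors inherit the ordinary employee's view permission, and a static separation-of-duty constraint so that no one holds both the creating and the approving role. Role, permission and user names are constructed.

```python
from collections import defaultdict


class Rbac:
    """Role-based access control with a role hierarchy and static separation of duty."""

    def __init__(self):
        self.role_perms = {}               # role -> set of permissions
        self.inherits = defaultdict(set)   # role -> junior roles it includes
        self.user_roles = defaultdict(set)
        self.exclusive = []                # role pairs no single user may hold together

    def add_role(self, role, perms, inherits=()):
        self.role_perms[role] = set(perms)
        self.inherits[role] = set(inherits)

    def add_exclusion(self, role_a, role_b):
        self.exclusive.append((role_a, role_b))

    def violates_sod(self, user, role):
        """Would adding this role give the user a forbidden role pair?"""
        wanted = self.user_roles[user] | {role}
        return any(a in wanted and b in wanted for a, b in self.exclusive)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role}")
        if self.violates_sod(user, role):
            raise ValueError(f"{user} may not hold {role} alongside an exclusive role")
        self.user_roles[user].add(role)

    def revoke(self, user, role):
        self.user_roles[user].discard(role)

    def effective_roles(self, user):
        """Walk the hierarchy: a role carries every role junior to it."""
        seen, stack = set(), list(self.user_roles[user])
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.inherits[role])
        return seen

    def permissions(self, user):
        perms = set()
        for role in self.effective_roles(user):
            perms |= self.role_perms[role]
        return perms

    def check(self, user, permission):
        return permission in self.permissions(user)


def build_payments_policy():
    """Constructed accounts-payable policy following the article's example."""
    rbac = Rbac()
    rbac.add_role("employee", {"payment:view"})
    rbac.add_role("ap_clerk", {"payment:create"}, inherits=["employee"])
    rbac.add_role("ap_supervisor", {"payment:approve"}, inherits=["employee"])
    rbac.add_exclusion("ap_clerk", "ap_supervisor")   # nobody both creates and approves
    rbac.assign("dana", "ap_clerk")
    rbac.assign("sam", "ap_supervisor")
    return rbac


if __name__ == "__main__":
    rbac = build_payments_policy()
    for user in ("dana", "sam"):
        print(user, sorted(rbac.permissions(user)))
    print("could dana also supervise?", not rbac.violates_sod("dana", "ap_supervisor"))
```

The exclusion list is the "constraining privileges to reflect business rules" point in practice: the over-privileging risk from stacking roles is caught at assignment time rather than discovered in an audit.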
A recent ThycoticCentrify study found that 53% of organizations experienced theft of privileged credentials and 85% of those thefts resulted in breaches of critical systems. Privileged access management is a type of role-based access control specifically designed to defend against these attacks.
Based on least-privilege access principles, PAM gives administrators limited, ephemeral access privileges on an as-needed basis. These systems enforce network security best practices such as eliminating shared passwords and manual processes.
PAM advantages:
- Reduced threat surface — Common passwords, shared credentials, and manual processes are commonplace even in the best-run IT departments. Imposing access control best practices eliminates these security risks.
- Minimizing permission creep — PAM systems make it easier to revoke privileges when users no longer need them, thus preventing users from “collecting” access privileges.
- Auditable logging — Monitoring privileged users for unusual behavior becomes easier with a PAM solution.
PAM disadvantages:
- Internal resistance — Just as doctors make the worst patients, IT professionals can be resistant to tighter security measures.
- Complexity and cost — Implementing PAM requires investments in time and money within already-constrained IT departments.
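A minimal privilege broker showing the PAM behaviours described above (ephemeral, justified, capped grants; explicit revocation; an audit trail of every decision), added as an example and not taken from the article or from any PAM product. The clock is injectable so the expiry behaviour can be exercised deterministically; user names, privilege names and ticket references are constructed.

```python
import time
from dataclasses import dataclass


@dataclass
class Grant:
    user: str
    privilege: str
    reason: str
    expires_at: float
    revoked: bool = False


class PamBroker:
    """Brokers time-boxed privilege grants and records every decision for audit."""

    def __init__(self, max_ttl=3600, clock=time.time):
        self.max_ttl = max_ttl
        self.clock = clock          # injectable clock keeps the demo deterministic
        self.grants = []
        self.audit = []

    def _log(self, event, **fields):
        self.audit.append({"ts": self.clock(), "event": event, **fields})

    def request(self, user, privilege, reason, ttl):
        if not reason.strip():
            raise ValueError("a justification is required")
        ttl = min(ttl, self.max_ttl)                    # cap how long elevation lasts
        grant = Grant(user, privilege, reason, self.clock() + ttl)
        self.grants.append(grant)
        self._log("grant", user=user, privilege=privilege, ttl=ttl, reason=reason)
        return grant

    def _active(self, g, now):
        return not g.revoked and g.expires_at > now

    def revoke(self, user, privilege):
        now = self.clock()
        for g in self.grants:
            if g.user == user and g.privilege == privilege and self._active(g, now):
                g.revoked = True
                self._log("revoke", user=user, privilege=privilege)

    def is_allowed(self, user, privilege):
        now = self.clock()
        ok = any(g.user == user and g.privilege == privilege and self._active(g, now)
                 for g in self.grants)
        self._log("check", user=user, privilege=privilege, allowed=ok)
        return ok

    def active_privileges(self, user):
        now = self.clock()
        return {g.privilege for g in self.grants
                if g.user == user and self._active(g, now)}


class FakeClock:
    """Manually advanced clock, constructed for the demo and tests."""

    def __init__(self, start=1_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate():
    """Run a constructed elevation scenario and return what was observed."""
    clock = FakeClock()
    pam = PamBroker(max_ttl=900, clock=clock)
    g = pam.request("ops-raj", "db:prod:admin", "ticket-0001: restore from backup", ttl=600)
    results = {"ttl_granted": g.expires_at - clock()}
    results["allowed_now"] = pam.is_allowed("ops-raj", "db:prod:admin")
    results["other_user"] = pam.is_allowed("dev-mia", "db:prod:admin")
    clock.advance(601)                                   # grant lapses on its own
    results["allowed_after_expiry"] = pam.is_allowed("ops-raj", "db:prod:admin")
    capped = pam.request("ops-raj", "db:prod:admin", "ticket-0002: long migration", ttl=5000)
    results["capped_ttl"] = capped.expires_at - clock()
    pam.revoke("ops-raj", "db:prod:admin")               # explicit early revocation
    results["allowed_after_revoke"] = pam.is_allowed("ops-raj", "db:prod:admin")
    results["audit_events"] = len(pam.audit)
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Because every check is logged alongside every grant and revocation, the audit trail answers both "who held production admin at 02:00?" and "who tried to use it without a grant?", which is the monitoring the "auditable logging" point refers to.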
In fact, today’s complex IT environment is the reason companies want more dynamic access control solutions. Even before the pandemic, workplace transformation was driving technology to a more heterogeneous, less centralized ecosystem characterized by:
- Device diversity — Bring-your-own-device policies and the Industrial Internet of Things create a diverse array of devices with different security profiles connecting to company resources.
- Cloud and hybrid architectures — IT began leaving the premises decades ago. Getting business done now requires a mix of in-house, hybrid cloud, and X-as-a-Service resources.
- Remote workforces — Remote working is no longer just for salespeople. Accelerated by the pandemic, just about any employee may access sensitive resources from their home network.
- Blended, dynamic teams — Security administrators must manage a constantly shifting workforce comprising employees, contractors, consultants, suppliers, and other third parties.
Given these complexities, modern approaches to access control require more dynamic systems that can evaluate:
- Device posture and trust — An evaluation of device security factors such as operating system, application, and antivirus updates should inform access decisions.
- Location — Likewise, access privileges should reflect the nature of the device’s network connection, whether from an on-prem LAN connection or an unsecured café hotspot.
- Behavioral patterns — Real-time evaluation of access behaviors can identify and block threats before security is compromised.
These and other variables should contribute to a per-device, per-user, per-context risk assessment with every connection attempt. That assessment determines whether or to what degree users can access sensitive resources.
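One way to turn the per-device, per-user, per-context assessment into a concrete decision, added here as an illustrative example that is not from the article and not Twingate's implementation: device posture, network location and recent behaviour each contribute to an additive risk score, and the sensitivity of the requested resource sets where the score tips from allow to step-up authentication to deny. The signal names, weights and thresholds are constructed and would be tuned against real telemetry.

```python
from dataclasses import dataclass


@dataclass
class Context:
    """Signals gathered at connection time (field names constructed for this example)."""
    user: str
    os_patched: bool
    av_current: bool
    managed_device: bool
    network: str            # "corp-lan", "home" or "public"
    usual_location: bool
    failed_logins_1h: int
    hour_local: int


# Additive risk weights; constructed values, to be tuned against real data.
WEIGHTS = {
    "os_unpatched": 25,
    "av_stale": 15,
    "unmanaged_device": 20,
    "network_home": 10,
    "network_public": 30,
    "unusual_location": 20,
    "brute_force": 30,
    "off_hours": 10,
}

# Resource sensitivity sets how much risk is tolerated: (step_up_at, deny_at).
THRESHOLDS = {"low": (60, 90), "high": (30, 60)}


def risk_score(ctx: Context):
    """Return the total score and the list of signals that contributed to it."""
    score, reasons = 0, []
    checks = [
        ("os_unpatched", not ctx.os_patched),
        ("av_stale", not ctx.av_current),
        ("unmanaged_device", not ctx.managed_device),
        ("network_home", ctx.network == "home"),
        ("network_public", ctx.network == "public"),
        ("unusual_location", not ctx.usual_location),
        ("brute_force", ctx.failed_logins_1h >= 3),
        ("off_hours", ctx.hour_local < 6 or ctx.hour_local > 22),
    ]
    for name, hit in checks:
        if hit:
            score += WEIGHTS[name]
            reasons.append(name)
    return score, reasons


def decide(ctx: Context, sensitivity: str):
    """Map the score to a verdict; the same context can be fine for a low-value
    resource and unacceptable for a sensitive one."""
    step_up_at, deny_at = THRESHOLDS[sensitivity]
    score, reasons = risk_score(ctx)
    if score >= deny_at:
        verdict = "deny"
    elif score >= step_up_at:
        verdict = "step-up"
    else:
        verdict = "allow"
    return {"verdict": verdict, "score": score, "reasons": reasons}


def sample_office():
    return Context("lee", True, True, True, "corp-lan", True, 0, 10)


def sample_cafe():
    # Managed, patched laptop with stale antivirus on a public hotspot in a new city.
    return Context("lee", True, False, True, "public", False, 0, 14)


def sample_suspicious():
    # Unmanaged device, public network, new location, repeated failures, middle of the night.
    return Context("lee", True, True, False, "public", False, 4, 3)


if __name__ == "__main__":
    for label, ctx in [("office", sample_office()), ("cafe", sample_cafe()),
                       ("suspicious", sample_suspicious())]:
        for sens in ("low", "high"):
            print(label, sens, decide(ctx, sens))
```

Returning the contributing reasons alongside the verdict matters operationally: it lets the help desk explain a step-up prompt and lets detection engineering see which signal is firing most often.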
Every day brings headlines of large organizations falling victim to ransomware attacks. But cybercriminals will target companies of any size if the payoff is worth it — and especially if lax access control policies make network penetration easy.
Deciding what access control model to deploy is not straightforward. A small defense subcontractor may have to use mandatory access control systems for its entire business. A prime contractor, on the other hand, can afford more nuanced approaches with MAC systems reserved for its most sensitive operations.
National restaurant chains can design sophisticated role-based systems that accommodate employees, suppliers, and franchise owners while protecting sensitive records. Yet regional chains also must protect customer credit card numbers and employee records with more limited resources. They need a system they can deploy and manage easily.
A company’s security professionals can choose between the strict, centralized security afforded by mandatory access control, the more collaborative benefits of discretionary access control, or the flexibility of role-based access control to give authenticated users access to company resources.
Running on top of whichever system they choose, a privileged access management system provides an added layer of essential protection from the targeted attacks of cybercriminals.
But these systems must have the flexibility and scalability needed to handle heterogeneous devices and networks, blended user populations, and increasingly remote workforces.
Twingate offers a modern approach to securing remote work. Based on principles of Zero Trust Networking, our access control solution provides a more performant and manageable alternative to traditional VPN technology that dynamically ties access controls to user identities, group memberships, device characteristics, and rich contextual information. Twingate wraps your resources in a software-based perimeter, rendering them invisible to the internet. Easy-to-use management tools and integrations with third-party identity providers (IdP) let Twingate’s remote access solution fit within any company’s access control strategy.
Contact us to learn more about how Twingate can be your access control partner.