One of the most important aspects of information security is access control. I am going to review the most common access control models, and give (very general) examples of where they are often utilized. Anyone looking to start off in information security should become very familiar with each of these models.
Role Based Access Control (RBAC)
The Role Based Access Control model is most commonly seen in corporate environments. With this model each user is assigned a role (or roles) based on their responsibilities, and is granted access based on the needs of that role. For example, a company may have roles for HR, Finance, IT, and Security. The employees in HR would have that role assigned to them, and would be granted access to any data permitted by that role (personnel training records, prospective employee information, employee benefit information, etc.). Similarly, Finance employees would be granted access to company financial data, but would be restricted from accessing the HR data. Security employees would likely be granted access to security cameras, electronic door locks, and alarm systems, but not have access to HR or Finance. IT is often granted the “keys to the kingdom” because they are responsible for maintaining and updating all the systems within a corporation. As such, they may have access to all of the systems listed above, though perhaps not to the data contained in the systems.
The benefit to this model is that it allows very fine tuning of access permissions for individual employees, without the burden of individually managing them. This is accomplished by initially assigning each employee the appropriate role, then managing the roles themselves. In this way dozens or hundreds of employees can have their access managed by editing a single role. Employees with multiple roles (perhaps an employee in charge of payroll would be given HR and Finance access) do not have to be edited individually for every change, as the changes to the roles themselves will determine the access that user has.
Mandatory Access Control (MAC)
The Mandatory Access Control model is most commonly seen in Military and Government systems. This model establishes “classifications” of access, in which anyone with authorization for one classification is able to access all the information at that level and everything below it. It is also common practice to restrict systems at one level of classification from writing to a lower classification level in order to prevent potential information leakage.
Common classifications for the MAC model include unclassified, confidential, secret, and top secret. The US electric industry is subject to the NERC CIP Standards, which require utilities to implement the MAC model when dealing with information that could threaten the Bulk Electric System. The most common levels of classification for these utilities include (from top to bottom): BES Cyber System Information (BCSI), Critical Energy Infrastructure Information (CEII), Business Confidential, and Public.
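To make the two MAC rules above concrete, here is an added example (not code from the original post or from NERC) that models the utility classification levels just listed and enforces "read down, never write down". The `Subject`, `Obj`, `can_read`, `can_write` and `decide` names and the sample users are my own constructions for illustration.

```python
from dataclasses import dataclass

# Ordered from lowest to highest sensitivity, matching the levels in the text.
# The list index serves as the numeric rank used for comparisons.
LEVELS = ["Public", "Business Confidential", "CEII", "BCSI"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str  # highest level this user or system is authorized for


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str  # level assigned centrally, not by the owner


def _rank(level):
    # Unknown labels are rejected outright rather than silently treated as Public.
    if level not in RANK:
        raise ValueError(f"unknown classification level: {level!r}")
    return RANK[level]


def can_read(subject, obj):
    """Read-down: a subject may read objects at or below its clearance."""
    return _rank(subject.clearance) >= _rank(obj.classification)


def can_write(subject, obj):
    """No write-down: a subject may only write to objects at or above its own
    level, so higher-level information cannot leak into a lower-level store."""
    return _rank(subject.clearance) <= _rank(obj.classification)


def decide(subject, obj, action):
    """Return 'ALLOW' or 'DENY' for a read or write request."""
    if action == "read":
        return "ALLOW" if can_read(subject, obj) else "DENY"
    if action == "write":
        return "ALLOW" if can_write(subject, obj) else "DENY"
    raise ValueError(f"unknown action: {action!r}")


if __name__ == "__main__":
    engineer = Subject("ceii-cleared engineer", "CEII")  # constructed sample
    for obj in (Obj("outage report", "BCSI"), Obj("one-line diagram", "CEII"),
                Obj("press release", "Public")):
        for action in ("read", "write"):
            print(f"{engineer.name} {action} {obj.name}: {decide(engineer, obj, action)}")
```

Note that the same engineer is allowed to read the Public press release but denied writing to it, which is exactly the leakage the write-down restriction is meant to prevent.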
Discretionary Access Control (DAC)
The Discretionary Access Control model is often considered the opposite of the MAC model. In the MAC model all access is defined by a central system, and no exceptions are permitted. In the DAC model, users are trusted to exercise their discretion when determining whether another person or system should have access to information they control. For example, in a DAC model an IT administrator can make the decision to share sensitive system access with a third party vendor for troubleshooting. This would not be permitted in a MAC model unless the vendor was cleared for access to everything else with the same classification.