Access management is an essential part of every cloud infrastructure. You cannot have an efficient cloud infrastructure without compartmentalizing access to cloud resources. Good access management is also the key element to good information security.
There are several approaches to adopt when it comes to data access control specifically. In this article, we are going to review some of the approaches that can be implemented as well as the challenges with each method.
DAC & MAC
The two basic data access control methods are Discretionary Access Control (DAC) and Mandatory Access Control (MAC). DAC is very straightforward; the owner of the data decides which users get access to the data. In this model, the owner of the data can specify how data access control rules are defined.
MAC is the opposite of DAC. In the MAC model, a central figure is responsible for determining how data can be accessed. This means that access to data is based on rules that apply to everyone, regardless of the owner of the data. This centralized model, however, is often the source of bottlenecks in access management.
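To make the difference concrete, here is an added, self-contained Python sketch (not code from the original article) that puts a discretionary model beside a mandatory one. In the DAC half only the owner can edit the object's ACL; in the MAC half a central set of sensitivity labels decides, and the owner is not consulted at all. The label names, the four-level ordering and the simplified "no read up, no write down" rule are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# ---------- Discretionary Access Control: the owner decides ----------
@dataclass
class DacObject:
    owner: str
    # user -> set of permissions granted by the owner (constructed at runtime)
    acl: dict = field(default_factory=dict)

    def grant(self, actor: str, user: str, perm: str) -> None:
        """Only the owner may change who has access (the discretionary part)."""
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this object")
        self.acl.setdefault(user, set()).add(perm)

    def allowed(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


# ---------- Mandatory Access Control: a central policy decides ----------
# Assumed sensitivity ordering; in a real system this comes from the policy authority.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

def mac_allowed(subject_clearance: str, object_label: str, perm: str) -> bool:
    """Simplified confidentiality rule: read at or below your clearance,
    write at or above it. Neither the owner nor the subject can override it."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if perm == "read":
        return s >= o          # no read-up
    if perm == "write":
        return s <= o          # no write-down
    raise ValueError(f"unknown permission {perm!r}")


def run_demo() -> dict:
    """Exercise both models on constructed data and return the decisions."""
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")        # owner hands out access
    try:
        doc.grant("bob", "carol", "read")    # non-owner cannot delegate
        non_owner_grant_rejected = False
    except PermissionError:
        non_owner_grant_rejected = True
    return {
        "dac_bob_read": doc.allowed("bob", "read"),
        "dac_bob_write": doc.allowed("bob", "write"),
        "dac_non_owner_grant_rejected": non_owner_grant_rejected,
        # a 'confidential' subject reading 'internal' data is fine,
        # reading 'secret' is not, and writing down to 'public' is blocked
        "mac_read_internal": mac_allowed("confidential", "internal", "read"),
        "mac_read_secret": mac_allowed("confidential", "secret", "read"),
        "mac_write_public": mac_allowed("confidential", "public", "write"),
        "mac_write_secret": mac_allowed("confidential", "secret", "write"),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The bottleneck the article mentions is visible in the shape of the code: in the DAC model every owner can self-serve, whereas in the MAC model any change of access requires the central policy (here the LEVELS table and the rule in mac_allowed) to be changed.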
Role Based Access Control (RBAC)
A refinement of the two previous methods is Role Based Access Control. As the name suggests, access to data is granted based on privileges given to roles. Only the roles that require access to data are given access, and the process happens automatically.
RBAC allows for principles such as separation of privilege and “least required privilege” to be implemented across the organization. Users can have multiple roles that grant them access to different layers of data, providing maximum flexibility.
For instance, someone with an Admin role can have access to data creation and modification, while another person with an Operations role can only have access to things like adding comments or tagging certain data points.
It is also worth noting that RBAC allows for role hierarchy to be used to manage access to data. The only challenge is that roles must be defined and assigned meticulously to prevent unauthorized access.
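The following is an added Python example, not code from the original article, showing how the pieces described above fit together: a role hierarchy in which permissions are inherited, the Admin and Operations roles from the example, a least-privilege authorization check, and a separation-of-duty rule that rejects a user holding two conflicting roles. The role names, permission strings and the "admin/auditor" conflict pair are assumptions made for the example.

```python
from typing import Dict, Iterable, Set

# Assumed role hierarchy: each role inherits everything its parents can do.
ROLE_PARENTS: Dict[str, Set[str]] = {
    "admin": {"operations"},
    "operations": {"viewer"},
    "viewer": set(),
    "auditor": {"viewer"},
}

# Permissions attached directly to each role (inheritance adds the rest).
ROLE_PERMS: Dict[str, Set[str]] = {
    "admin": {"data:create", "data:modify"},
    "operations": {"data:comment", "data:tag"},
    "viewer": {"data:read"},
    "auditor": {"audit:read"},
}

# Separation of duty: no single user may hold both roles of a pair.
CONFLICTING_ROLES = {frozenset({"admin", "auditor"})}


def effective_permissions(role: str, _seen: Set[str] = None) -> Set[str]:
    """Union of the role's own permissions and those of every ancestor role."""
    seen = _seen if _seen is not None else set()
    if role in seen:                 # guards against a cyclic hierarchy
        return set()
    seen.add(role)
    perms = set(ROLE_PERMS.get(role, set()))
    for parent in ROLE_PARENTS.get(role, set()):
        perms |= effective_permissions(parent, seen)
    return perms


def user_permissions(roles: Iterable[str]) -> Set[str]:
    """A user with several roles gets the union of their effective permissions."""
    perms: Set[str] = set()
    for role in roles:
        perms |= effective_permissions(role)
    return perms


def validate_assignment(roles: Iterable[str]) -> bool:
    """Reject assignments that violate a separation-of-duty constraint."""
    held = set(roles)
    return not any(pair <= held for pair in CONFLICTING_ROLES)


def authorize(roles: Iterable[str], permission: str) -> bool:
    """Least privilege: grant only what some assigned role explicitly carries."""
    return validate_assignment(roles) and permission in user_permissions(roles)


if __name__ == "__main__":
    print("admin can:", sorted(effective_permissions("admin")))
    print("operations may modify data?", authorize(["operations"], "data:modify"))
    print("operations may tag data?", authorize(["operations"], "data:tag"))
    print("admin+auditor is a valid assignment?", validate_assignment(["admin", "auditor"]))
```

The meticulous role definition the article warns about shows up here as the two tables: a permission added to "viewer" silently flows to every role above it, so each edit to ROLE_PERMS or ROLE_PARENTS should be reviewed with the full inherited set (effective_permissions) in front of you rather than the single role being changed.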
Attribute Based Access Control (ABAC)
Attribute Based Access Control or ABAC expands RBAC by taking more attributes into account. ABAC can still use roles as one of the attributes for controlling data access, but it is also capable of adopting other attributes such as user attributes, environment attributes, resource attributes, and more.
A data access control engine determines whether the attributes attached to a user allow that person to access specific parts of the data. When you compare RBAC vs. ABAC, it is clear that ABAC offers extra flexibility. ABAC can also limit access to specific resources through inverse attribute rules that explicitly deny access when certain attributes match.
Is ABAC the perfect data access control method? The approach is certainly granular and very flexible, but it is not perfect yet. ABAC requires immense attention to detail. Some organizations are starting to incorporate Entity Based Access Control or EBAC to bridge the gap between RBAC and ABAC.
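As an added example (not code from the original article), here is a minimal ABAC decision engine in Python. Policies are lists of conditions over subject, action, resource and environment attributes; a permit policy grants access when all its conditions hold, and a deny policy (the "inverse" rule mentioned above) wins over any permit. The attribute names, the policies and the sample requests are all assumptions constructed for the example, and the engine intentionally shows how many details must be right at once: one wrong attribute path or operator silently changes the decision.

```python
from typing import Any, Dict, List, Tuple

# A condition is (attribute path, operator, expected value).
Condition = Tuple[str, str, Any]

# Assumed policy set. "deny" policies are the inverse rules: any match blocks access.
POLICIES: List[Dict[str, Any]] = [
    {"id": "suspended-accounts", "effect": "deny", "conditions": [
        ("subject.status", "eq", "suspended"),
    ]},
    {"id": "read-low-sensitivity", "effect": "permit", "conditions": [
        ("action", "eq", "read"),
        ("subject.role", "in", {"analyst", "admin"}),
        ("resource.classification", "in", {"public", "internal"}),
    ]},
    {"id": "own-department-on-corp-net", "effect": "permit", "conditions": [
        ("action", "in", {"read", "write"}),
        ("subject.department", "attr_eq", "resource.owner_department"),
        ("environment.network", "eq", "corporate"),
    ]},
]


def lookup(ctx: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted attribute path; a missing attribute yields None."""
    node: Any = ctx
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches(ctx: Dict[str, Any], cond: Condition) -> bool:
    path, op, expected = cond
    actual = lookup(ctx, path)
    if op == "eq":
        return actual == expected
    if op == "in":
        return actual in expected
    if op == "attr_eq":      # compare two attributes with each other
        other = lookup(ctx, expected)
        return actual is not None and actual == other
    raise ValueError(f"unknown operator {op!r}")


def decide(subject: Dict[str, Any], action: str,
           resource: Dict[str, Any], environment: Dict[str, Any]) -> str:
    """Deny-overrides evaluation: default deny, permit if any permit policy
    matches, but an explicit deny match always wins."""
    ctx = {"subject": subject, "action": action,
           "resource": resource, "environment": environment}
    decision = "deny"
    for policy in POLICIES:
        if all(matches(ctx, c) for c in policy["conditions"]):
            if policy["effect"] == "deny":
                return "deny"
            decision = "permit"
    return decision


# Constructed sample attributes used by the demo and tests.
ANALYST = {"role": "analyst", "department": "finance", "status": "active"}
SUSPENDED_ADMIN = {"role": "admin", "department": "finance", "status": "suspended"}
INTERNAL_DOC = {"classification": "internal", "owner_department": "hr"}
FINANCE_SECRET = {"classification": "confidential", "owner_department": "finance"}
CORP_NET = {"network": "corporate"}
HOME_NET = {"network": "home"}

if __name__ == "__main__":
    print(decide(ANALYST, "read", INTERNAL_DOC, HOME_NET))        # permit
    print(decide(ANALYST, "write", FINANCE_SECRET, CORP_NET))     # permit
    print(decide(ANALYST, "write", FINANCE_SECRET, HOME_NET))     # deny
    print(decide(SUSPENDED_ADMIN, "read", INTERNAL_DOC, CORP_NET))  # deny
```

Note how the engine combines roles (subject.role), user attributes (department, status), resource attributes (classification, owner_department) and environment attributes (network) in a single decision, which is exactly the flexibility RBAC alone cannot offer, and why each policy needs careful review before it is deployed.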
It is safe to say that data access control is still evolving. As organizations face bigger, more complex challenges, new models and approaches will be adopted to solve them.