Introduction
The concept of access control is confusing to many people. Some consider it as the act of preventing external sources from accessing information stored in a system. They are unable to differentiate between access control and identity verification or authentication. Sicuranza, Esposito, and Ciampi (2015) define access control as “the regulation over access to system resources after a user’s account credentials, and identity has been authenticated and entry to the system granted” (p. 745). For instance, a particular group of employees may be limited to accessing specific files once they log into a system. The various access management approaches include mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC). This paper will review the aforementioned methods and outline their positive and negative aspects. It will also evaluate their application and give recommendations on the most appropriate access control method for medium-sized organizations.
Mandatory Access Control
It is the most improved method of data access, which is commonly used in government institutions. The access technique utilizes a hierarchical approach to restricting admission to information (Younis, Kifayat, & Merabti, 2014). The systems administrators define the rules for accessing resources such as data files. Hence, it is difficult for users to alter the access control of specific resources. In MAC, all resource objects are allocated unique security tags. The tags contain information regarding the category (department, management level, or project) and classification (confidential or top secret) of the data (Younis et al., 2014). Similarly, every user account is linked to resources based on the level of access given to individuals by the system administrator.
Discretionary Access Control
DAC permits users to regulate their admittance to information. Gajanayake, Iannella, and Sahama (2014) allege that DAC is commonly used in the majority of personal computer operating systems. Unlike in MAC, where resources are assigned security labels, the DAC system uses an access control list to regulate the use of data. Gajanayake et al. (2014) claim, “An access control list contains the names of users and groups to which the user has permitted access together with the level of access for each person or group” (p. 8). Users can only set admission restrictions to data that they already possess.
Role-Based Access Control
RBAC is also referred to as non-discretionary access control. The control method uses a real-world approach to regulate access to information. Individuals access data based on their roles in an organization. Kumar (2013) emphasizes that RBAC allocates authorization to specific functions within an institution. Employees are then assigned to those responsibilities. For instance, a human resource manager is assigned to human resources roles, allowing him or her to access all information assigned to the human resource department. While a user may belong to numerous groups, he/she can only be attributed to one role within an organization. RBAC makes it hard for users to assign to themselves additional permissions beyond what is described in their job functions.
Strengths and Weaknesses of Access Control Methods
The primary advantage of MAC is that it is the most secure mode of data protection. A user cannot access information unless his/her category and classification matches with the security label of the data that they seek to acquire. The primary objective of MAC is to safeguard the confidentiality of data. Mohammed and Said (2014) maintain that MAC does not allow flexible allocation of data security. Conversely, DAC enables individuals to create customized access regulations for different users. Thus, the method is more elastic regarding data security. The use of MAC comes at a price. An organization incurs costs attributed to system management due to “the need to constantly update object and account labels to accommodate new data, new users and changes in the categorization and classification of existing users” (Mohammed & Said, 2014, p. 411). Additionally, it is difficult for an organization to implement the control method without proper planning.
DAC exposes data to the risk of unauthorized use. Kumar (2013) argues that RBAC is flexible and secure than DAC. The method offers different means of managing and regulating users’ access rights. The primary challenge of RBAC lies in determining and assigning users to different privileges. It becomes difficult for some users to execute specific critical tasks due to limited access to information. For instance, a chief accountant may not perform some essential duties because he/she can only access information available to all accountants.
Ways to Mitigate Negative Aspects
The inflexibility associated with MAC can be mitigated by giving some individuals the authority to grant access to information to other users. It would make it easy for a system to accommodate new users and information. Moreover, it would be easy for an organization to implement changes to users’ classification and categorization. On the other hand, institutions can introduce “access control measures that do not rely solely on the possession of a certificate for access to reinforce the security of discretionary access control” (Mohammed & Said, 2014, p. 415). Breaking roles into sub-roles may help to minimize the challenges associated with assigning privileges to different users in RBAC.
Applications of the Access Control Methods
MAC is commonly used in military and government institutions. The method is extremely secured, hence suitable for controlling access to sensitive information. Organizations can use this method to protect top-secret information. DAC is flexible, and it allows all users to access information (Zhou, Varadharajan & Hitchens, 2014). The method can be used to safeguard data that is meant for general use within an organization. RBAC makes sure that users do not access information that does not concern their areas of operations within an organization. Corporations use RBAC to minimize the challenges of system privilege administration (Zhou et al., 2014). It is suitable for institutions with distinct departments that run particular tasks. RBAC is the best method for a medium-sized organization. It would facilitate flexible and secure access to information.
Foreseen Challenge
The inability to accord users additional privileges may hinder individuals’ ability to discharge their duties efficiently. Employees require a level of empowerment to perform effectively. Thus, the use of RBAC to regulate the access and use of information in the organization may demotivate some workers. The challenge can be resolved through the use of hierarchical privilege and role assignments. The move would give individuals such as information security managers the power to access additional information beyond what is within their job description, thus being able to make informed decisions and assist those who work under them.
Conclusion
Organizations require granting different privileges to information users to guarantee the security of institutional data. MAC may be used in protecting top classified information. On the other hand, DAC can be used to grant access to general information whose unauthorized use may have limited impacts on an organization. RBAC is suitable for regulating the use of information that governs the daily operations of an organization. It is the most suitable mode of data management as it allows flexible access and use of information.
References
Gajanayake, R., Iannella, R., & Sahama, T. (2014). Privacy oriented access control for electronic health records. e-Journal of Health Informatics, 8(2), 1-11.
Kumar, A. (2013). Designing role-based access control using formal concept analysis. Security and Communication Networks, 6(3), 373-383.
Mohammed, E., & Said E. H. (2014). SWOT analysis of access control methods. International Journal of Security and Its Applications, 8(3), 407-424.
Sicuranza, M., Esposito, A., & Ciampi, M. (2015). An access control model to minimize the data exchange in the information retrieval. Journal of Ambient Intelligence and Humanized Computing, 6(6), 741-752.
Younis, Y. A., Kifayat, K., & Merabti, M. (2014). An access control model for cloud computing. Journal of Information Security and Applications, 19(1), 45-60.
Zhou, L., Varadharajan, V., & Hitchens, M. (2014). Secure administration of cryptographic role-based access control for large-scale cloud storage systems. Journal of Computer and System Sciences, 80(8), 1518-1533.