Access control is an important means of network security, which restricts the access or operation of users to resources or functions, in order to protect the information and system. Access control requires dividing the permissions according to the roles and responsibilities of users, and only granting users the minimum permissions required to complete the work. Different access control strategies such as DAC, MAC and UBAC are suitable for different scenarios and needs. HKCNSA will introduce the concepts and characteristics of these access control methods, and propose the most suitable access control methods and suggestions for large and small enterprises respectively.
The principles of access control
Access control is an important means of network security, which restricts users' access or operation of resources or functions to protect information and systems. The principles of access control require that permissions be divided according to users' roles and responsibilities, and only grant users the minimum permissions required to complete their work. The definition of access control includes the following principles:
Separation of duties: Divide permissions according to users' roles and responsibilities, and avoid excessive concentration of power or conflicts of interest.
Least privilege: Only grant users the minimum permissions required to complete their work, and reduce the risk of abuse or penetration of permissions.
Demand-oriented: Set permissions according to users' actual needs, rather than users' identity or status.
Dynamic adjustment: Adjust permissions according to users' work changes or environmental changes, to adapt to different situations.
Examples of different types of access control
Access control can be divided into three types: physical access control, logical access control and administrative access control, which respectively protect and manage different resources and functions. Here are some examples of different types of access control:
Physical access control: It means to restrict access or operation of a physical location or device by physical means, such as using locks and keys, password-protected doors, security tokens, biometric scans and other tools. The purpose of physical access control is to prevent unauthorized personnel from entering or using sensitive or important places or devices, such as data centers, offices, warehouses, servers, computers, mobile phones, etc.
Logical access control: It means to restrict access or operation of data or functions by logical means, such as using usernames and passwords, digital certificates, encryption, firewalls, permission tables and other tools. The purpose of logical access control is to prevent unauthorized personnel from reading or modifying sensitive or important data or functions, such as files, databases, websites, applications, services, etc.
Administrative access control: It means to restrict access or operation of resources or functions by administrative means, such as using policies, rules, procedures, training, auditing and other tools. The purpose of administrative access control is to regulate and supervise users’ legal and reasonable use of resources or functions, such as establishing principles of separation of duties, least privilege, demand-oriented, dynamic adjustment, and regularly checking and evaluating the effects and risks of access control.
Classification of access control
The classification of access control includes the following types:
Discretionary access control (DAC): The owner or manager of the resource decides who can access or operate the resource, and grants permissions directly to users or user groups. The advantage of DAC is flexibility and convenience, the disadvantage is low security, easy to be attacked, and difficult to manage and monitor.
Mandatory access control (MAC): The system administrator or security officer uniformly decides who can access or operate the resource, and grants permissions to the labels or levels of the resource and user. The advantage of MAC is high security, which can prevent access or leakage, and can centrally manage and monitor permissions. The disadvantage of MAC is lack of flexibility and convenience, requiring high cost and complexity.
User behavior-based access control (UBAC): It dynamically decides who can access or operate the resource based on users’ behavior characteristics and history records, and grants permissions to users’ roles or contexts. The advantage of UBAC is intelligence and adaptability, which can timely detect and prevent abnormal or malicious behavior. The disadvantage of UBAC is difficult to implement and verify, requiring high technology and algorithm, and may have uncertainty and instability of permissions.
What access control strategies should enterprises of different sizes use?
The access control methods should be chosen according to the different scales and needs of enterprises. The following are the access control suggestions for large enterprises and small and medium-sized enterprises respectively proposed by HKCNSA:
Large enterprises: Large enterprises usually have more users and resources, and have higher requirements for information and system security. Therefore, large enterprises should choose mandatory access control (MAC) as the main access control method, and cooperate with discretionary access control (DAC) and user behavior-based access control (UBAC) as auxiliary access control methods. MAC can ensure the security of information and systems, prevent unauthorized access or leakage, and perform centralized management and monitoring of permissions. DAC can provide some flexibility and convenience, allowing the owner or manager of the resource to set permissions according to users' needs and preferences. UBAC can provide some intelligence and adaptability, allowing permissions to be dynamically adjusted according to users' actual behavior and environmental changes, and timely detect and prevent abnormal or malicious behavior.
Small and medium-sized enterprises: Small and medium-sized enterprises usually have fewer users and resources, and have lower requirements for information and system security. Therefore, small and medium-sized enterprises should choose discretionary access control (DAC) as the main access control method, and cooperate with user behavior-based access control (UBAC) as auxiliary access control methods. DAC can provide sufficient flexibility and convenience, allowing the owner or manager of the resource to set permissions according to users' needs and preferences, and reduce the cost and complexity of access control. UBAC can provide some intelligence and adaptability, allowing permissions to be dynamically adjusted according to users' actual behavior and environmental changes, and timely detect and prevent abnormal or malicious behavior.
In the future, HKCNSA will continue to share information and concepts, assist enterprises to pay attention to the construction and implementation of network