Data access control is a technique used to regulate employees access to files in an organization. It involves leveraging the principle of least privilege (POLP), i.e., managing employees' access rights based on their roles in the organization, and defining and limiting what data they have access to.
Organizations have to select a data access control policy that will best meet their requirements. There are four types of access control systems set apart by how the permissions are assigned to users.
This access model makes use of a central authority to assign access rights to all employees. The administrator classifies system resources and users based on their risk level and access requirements. The access to resources is based on the privileges that the user possesses.
The MAC model provides a high level of data protection and is used by government agencies to secure highly classified information. While it provides a high level of protection, the MAC model is difficult to set up and use, which is why it is usually used along with other access models like discretionary access control (DAC).
In a DAC model, the data owner decides who is eligible to access their data. The owner sets policies that determine who is authorized to access the resource, which gives this model more flexibility and makes it perfect for small to medium-sized organizations. Also, this model is the least restrictive, as the owner has complete control over their files. The lack of a central authority makes this model hard to manage, as the ACL of each file has to be checked in case of any discrepancy.
The RBAC model is the most widely used control mechanism, as it aligns with the role and needs of every individual in the organization. It uses the principle of least privilege (POLP) to assign privileges based on the needs of an individual's role in the organization. Any user attempting to access data outside their scope is restricted.
The attribute-based access control (ABAC) mechanism is a next generation authorization model that provides dynamic access control. In this method, the users and resources are assigned a set of variables, and access is dependent on the value assigned to the variable. The variables differ from time of access to geographical location. For example, if an employee requests access to a file outside of business hours or from an unusual geographic location, then the ABAC model can be configured to restrict access to them.
Access control in data security is crucial to ensure that data does not end up in the wrong hands or leave the organization. Many organizations store personal data related to their clients or customers, documents containing classified information, and much more. It is imperative that these files are protected, and implementing an access control system helps reduce the chance of data leaks.