What is the purpose of access control?
Access control, a fundamental security function, involves access management processes, security mechanisms, and system and data resources within an environment. Organizations use Access Control Policies to document and define how access is managed, with a frequent emphasis on Role-Based Access Control (RBAC) and access provisioning based on the principle of least privilege. There are several access control mechanisms and methods in use today, including cloud-based solutions, on-premises systems, and third-party identity and authentication service providers. Access may encompass authorization to view particular data records and authentication at several layers of the OSI model, wherein network, system, and application layer authentication may afford different levels of authorized access. The main goal of access control is to limit the exposure of data and resources to those with appropriate access; poorly implemented access control systems have contributed to several publicly disclosed breaches.
Identification processes establish user identifiers (IDs) and associate them with specific individuals within an organization. Authentication involves verification of the user identity before accessing a system or data resource. Authentication factors such as passwords, PINs, and tokens are most common. Whatever the factor, it generally falls into one of three categories: something you know (e.g., a password), something you have (e.g., a token or U2F security key), or something you are (e.g., a biometric). For additional assurance, some organizations have migrated to multi-factor authentication (MFA), as single-factor methods such as password-based authentication are frequently targeted by attackers. Authorization is the process of granting or allocating permissions to the identified user. Mechanisms such as Access Control Lists (ACLs) and Microsoft Active Directory are used for managing authorizations for authenticated users.
Access Control Mechanisms & Methods
Typically, when someone is speaking about access control, they are referring to system layer access control, where different nodes or servers in a network require access credentials before granting access to system resources. Authentication mechanisms may be local to the system itself or rely on a centralized directory-based structure. The system resources may be anything: servers, running services, printers, sensitive data, company secrets, etc. Within a system, access to resources may have varying control levels based on role, such as an administrator’s ability to modify a system configuration.
At the application layer, access control is enforced within the confines of the application. This can operate independently from system-based access control. The application authentication mechanism may rely on a backend database or alternate repository while using application-specific functionality to initiate the authentication request and verify the identity of the requester. Within a web application, an authorized user may only be permitted to view a customer’s name and shipping address, while more senior staff members may have a role that permits access to social security numbers or other sensitive information. Application layer access can support granular restrictions to resources and data elements.
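The customer-record scenario above (support staff see name and shipping address, senior staff also see the social security number) is the kind of field-level, deny-by-default authorization an application enforces itself. The following is an added example, not code from the article or from any product it mentions; the role names, the role hierarchy, the field names and the sample record are all constructed for illustration.

```python
"""Field-level RBAC inside a web application (added example).

Roles, field names, hierarchy and the sample record are constructed
for illustration; they are not taken from the article.
"""

# Role -> fields that role may read. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "support": {"customer_id", "name", "shipping_address"},
    # Senior staff get the sensitive fields on top of what support sees.
    "senior_support": {"ssn", "date_of_birth"},
}

# Role inheritance: a role also receives the permissions of its parents.
ROLE_PARENTS = {
    "support": [],
    "senior_support": ["support"],
}

# Constructed sample record; the SSN is an obvious placeholder.
CUSTOMER = {
    "customer_id": 1042,
    "name": "Ada Example",
    "shipping_address": "1 Test Lane",
    "ssn": "000-00-0000",
    "date_of_birth": "1990-01-01",
}


def effective_fields(role):
    """Resolve every field a role may read, walking the parent chain.

    An unknown role resolves to the empty set, so a typo in a role name
    fails closed instead of leaking data.
    """
    if role not in ROLE_PERMISSIONS:
        return set()
    fields = set(ROLE_PERMISSIONS[role])
    for parent in ROLE_PARENTS.get(role, []):
        fields |= effective_fields(parent)
    return fields


def view_customer(record, role):
    """Project the record onto the fields the role may read.

    Disallowed fields are dropped server-side rather than masked in the
    client, so sensitive values never reach a caller who cannot read them.
    """
    allowed = effective_fields(role)
    return {key: value for key, value in record.items() if key in allowed}


def denied_fields(record, role):
    """Fields that were requested but withheld; useful for an audit trail."""
    return sorted(set(record) - effective_fields(role))


if __name__ == "__main__":
    for role in ("support", "senior_support", "intern"):
        print(role, "->", view_customer(CUSTOMER, role),
              "withheld:", denied_fields(CUSTOMER, role))
```

The important design choice is that the projection happens in the server-side handler with deny-by-default semantics: adding a new sensitive column to the record changes nothing for existing roles until someone explicitly grants it.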
Network layer access control may be enforced for onsite and remote workers using similar role-based access controls. Remote users may authenticate over a VPN connection and access a specific network zone within the organization, based on their role and assigned security groups. For example, production support personnel may have access to a “Production VPN” that provides access to a production network environment, while developers may be restricted to separate network zones and lower environments within the organization. After authenticating at the network layer, users can authenticate to available systems and applications within the network zone. In this model, access that is still based on user credentials may be leveraged to pool user groups and relevant resources without relying solely on system- or application-level controls. Some organizations may use Network Access Control (NAC) solutions to control access at the network level, based on user and system-based verification tests. This expands beyond standard user authentication methods and may include compliance checks to validate a system before permitting access to available networks and resources. For reasons such as compliance scope reduction, businesses implement network ACLs to establish network-level boundaries between trusted and untrusted systems and services. Network ACLs and firewall rulesets do not rely on user-based authentication mechanisms and instead focus on approved ports, protocols, and services.
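Because network ACLs decide on ports, protocols and addresses rather than on user identity, a ruleset is evaluated top-down with the first match winning and an implicit deny at the end. The following is an added example, not code from the article: a small first-match ACL evaluator for the production-zone versus developer-zone boundary described above, plus a review check for shadowed rules (a rule that can never match because an earlier rule already covers all of its traffic). The zone prefixes, rules and test packets are constructed and do not describe any real network.

```python
"""First-match network ACL evaluation with a shadowed-rule check (added example).

The zone prefixes, rules and packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None means any port
    comment: str = ""


# Constructed zones: 10.10/16 = production VPN users, 10.20.0/24 = production
# servers, 10.30/16 = developer zone. Order matters: first match wins.
ACL = [
    Rule("permit", "tcp", "10.10.0.0/16", "10.20.0.0/24", 443, "prod VPN -> prod web"),
    Rule("permit", "tcp", "10.10.0.0/16", "10.20.0.0/24", 22, "prod VPN -> prod ssh"),
    Rule("deny", "any", "10.30.0.0/16", "10.20.0.0/24", None, "dev zone never reaches prod"),
    Rule("permit", "udp", "0.0.0.0/0", "10.20.0.53/32", 53, "DNS for everyone"),
]
DEFAULT_ACTION = "deny"   # the implicit deny at the end of every ACL


def matches(rule, proto, src, dst, dport):
    """True when a single packet (proto, src, dst, dport) hits this rule."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(acl, proto, src, dst, dport):
    """Return (action, rule) for the first matching rule, or the default deny."""
    for rule in acl:
        if matches(rule, proto, src, dst, dport):
            return rule.action, rule
    return DEFAULT_ACTION, None


def covers(earlier, later):
    """True when every packet matching `later` would already match `earlier`."""
    proto_ok = earlier.proto == "any" or earlier.proto == later.proto
    src_ok = ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
    dst_ok = ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
    port_ok = earlier.dport is None or earlier.dport == later.dport
    return proto_ok and src_ok and dst_ok and port_ok


def find_shadowed(acl):
    """Return (shadowed_index, shadowing_index) pairs: rules that can never fire."""
    shadowed = []
    for j, later in enumerate(acl):
        for i in range(j):
            if covers(acl[i], later):
                shadowed.append((j, i))
                break
    return shadowed


if __name__ == "__main__":
    print(evaluate(ACL, "tcp", "10.10.5.5", "10.20.0.10", 443))
    print(evaluate(ACL, "tcp", "10.30.1.1", "10.20.0.10", 443))
    print(find_shadowed(ACL + [Rule("permit", "tcp", "10.10.1.0/24", "10.20.0.0/24", 443)]))
```

A shadowed rule is a maintenance smell rather than a hole by itself, but when the shadowing rule is a broad permit and the shadowed one a narrow deny, the reviewer has found a boundary that is not actually enforced.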
Local vs. Centralized Access Management
When a standalone server system is deployed, the system will only support local user authentication. Authorized users can log on locally to the system console or over a network using methods that include Remote Desktop (RDP) or Secure Shell (SSH). Local access control is managed by the underlying operating system. Microsoft Windows, for example, supports local login system configurations wherein criteria are set and configured by a local administrator. Similarly, Linux-based systems may implement local user databases and authentication controls defined by host-based configurations. Local access control systems can be useful for smaller environments and user populations. However, local controls at a system level can be less efficient to maintain on an ongoing basis when passwords or keys must be manually configured and updated on a per-machine basis. As an organization’s systems and users grow, centralized mechanisms can provide greater efficiency and consistency across multiple types of devices, operating systems, and services.
Centralized access control is a method in which all components of an environment reference a central node or repository. Central authentication mechanisms may be used to support one or more tiers (system, network, application). User account information (including password hashes and user IDs) is located within one or more central nodes and not manually created on each system component within the environment. This simplifies the management of the environment, since password configurations and requirements such as length, complexity, expiration, or lockout are located in a single place and do not require manual changes to settings and configurations at a local node level. Likewise, password additions, deletions, and modifications are handled centrally. One of the common concerns with centralized management of passwords is that when the central node fails or is otherwise unreachable, users can no longer verify their identity and access system resources that could potentially be available through local authentication. As a result, centralized systems are typically built with redundant nodes so that a single node can fail without the authentication service failing. Also, some authentication systems may support local caching of previously used credentials and fallback to local authentication mechanisms (e.g., local administrator or local network device authentication).
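The trade-off described above (one place to enforce lockout, but an outage of the central node blocks logins unless the host has cached credentials) is easiest to see in a small model. The following is an added example and not code from the article or from any directory product: a toy central directory that stores salted password hashes and enforces a lockout threshold, and a managed host that caches the hash of the last successful central login so it can still verify that user when the directory is unreachable. Usernames, passwords, the threshold and the PBKDF2 parameters are constructed for illustration.

```python
"""Central authentication with lockout and cached-credential fallback (added example).

Toy model of the behaviour described in the text; not any vendor's code.
Usernames, passwords and parameters are constructed for illustration.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 50_000   # constructed value; production deployments use more


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 so the store never holds a raw password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class CentralDirectory:
    """The central node: holds the password store and enforces lockout."""

    def __init__(self, lockout_threshold=3):
        self.store = {}             # username -> (salt, hash)
        self.failures = {}          # username -> consecutive failed attempts
        self.lockout_threshold = lockout_threshold
        self.reachable = True       # set False to simulate an outage

    def set_password(self, username, password):
        salt = os.urandom(16)
        self.store[username] = (salt, hash_password(password, salt))
        self.failures[username] = 0

    def verify(self, username, password):
        """Return 'ok', 'locked' or 'denied'; raise ConnectionError when down."""
        if not self.reachable:
            raise ConnectionError("central directory unreachable")
        if username not in self.store:
            # Do the same amount of work for unknown users so response time
            # does not reveal whether an account exists.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if self.failures[username] >= self.lockout_threshold:
            return "locked"     # locked accounts are refused even with the right password
        salt, expected = self.store[username]
        if hmac.compare_digest(hash_password(password, salt), expected):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "denied"


class ManagedHost:
    """A system that prefers the central node and caches successful logins."""

    def __init__(self, directory):
        self.directory = directory
        self.cache = {}             # username -> (salt, hash) from last central success

    def login(self, username, password):
        """Return '<result>:central' or '<result>:cache' describing what decided."""
        try:
            result = self.directory.verify(username, password)
        except ConnectionError:
            return self._cached_login(username, password)
        if result == "ok":
            salt = os.urandom(16)   # fresh salt: the cache never copies the central hash
            self.cache[username] = (salt, hash_password(password, salt))
        return result + ":central"

    def _cached_login(self, username, password):
        entry = self.cache.get(username)
        if entry is None:
            return "denied:central-unavailable"
        salt, expected = entry
        if hmac.compare_digest(hash_password(password, salt), expected):
            return "ok:cache"
        return "denied:cache"


if __name__ == "__main__":
    directory = CentralDirectory()
    directory.set_password("alice", "correct horse battery")
    host = ManagedHost(directory)
    print(host.login("alice", "correct horse battery"))   # ok:central
    directory.reachable = False
    print(host.login("alice", "correct horse battery"))   # ok:cache
```

The model also exposes the caveat a practitioner should plan for: the cached path cannot see the central lockout counter or a password change made during the outage, which is why real deployments bound the cache lifetime and limit which accounts may be cached.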
For application authentication, tools such as PAM (Pluggable Authentication Modules) on Linux-based systems can simplify the authentication process for local or centralized user accounts: applications call the PAM library to complete the authentication verification checks. PAM can support multiple types of authentication and authentication factors. PAM relies on several components, including /etc/pam.d, which contains configuration files such as system-auth and password-auth for available modules. The files include configured settings for password length, complexity, and other criteria. The end goal of PAM is to define the system requirements for passwords and then enforce those requirements on anyone attempting to access the systems. PAM may also be configured to pass an authentication request to a central source or server in the case of a centralized access deployment. For more information on Linux PAM, please visit their website.
OpenLDAP (Lightweight Directory Access Protocol) is vendor-neutral central access management software in which user account information for systems is stored centrally within a directory database. From a usage standpoint, user authentication attempts are submitted to the LDAP server for verification against the LDAP database. If the credentials are verified, access is granted to the system resource. LDAP is capable of centrally managing specific password requirements such as complexity and character requirements. For more information on OpenLDAP, please visit their website.
Active Directory is a Microsoft product that, among other things, centralizes authentication and access control mechanisms for server and workstation systems connected to the domain. Additional Active Directory functions include central system configuration management via Group Policy Objects (GPOs). GPOs are applied to managed systems within the domain and may include settings such as log retention, password complexity, disabling services, and configurations that only support secure protocols. Active Directory deployments may include multiple domains within a forest hierarchy, supporting multiple versions of Windows at specific domain and forest “functional levels”. For environments that leverage cloud services, Azure Active Directory as a Service is available. Within Azure Active Directory as a Service, the centralized nodes and authentication services are hosted in a cloud environment, with services and management tools accessible to administrators through a web console. This level of abstraction for Active Directory services can be better suited to companies and application users that are geographically dispersed, or that prefer to rely on cloud services instead of local data center computing resources. For more information on Azure Active Directory as a Service, you can visit their website.
Some organizations leverage central directory authentication to integrate multiple types of systems and platforms (e.g., network devices, Linux-based systems, Microsoft Windows, and Mac OS X). The RADIUS (Remote Authentication Dial-In User Service) protocol can be used in client/server environments to support authentication services. RADIUS server solutions can use local databases, as well as directory-based integrations, for user authentication and authorization. In legacy environments, RADIUS has been used to negotiate access to dial-up services and network devices. Today, RADIUS is integrated by organizations via cloud-based services such as Microsoft Azure AD, JumpCloud, and Okta. RADIUS can be integrated with several types of systems (e.g., PAM, LDAP, and Active Directory) for central access management. Much like RADIUS, TACACS (Terminal Access Controller Access Control System) allows communication between various system components using a centralized node for verification of user access credentials. It was developed by Cisco Systems in the early 1990s and has been used for device administration and some types of network access. One key difference between TACACS+ and RADIUS is the ability of TACACS+ to separate authentication, authorization, and accounting into independent functions. TACACS+ is predominantly used for device administration (individual endpoint device support). For more information on the differences between TACACS+ and RADIUS, please refer to this website.
Access control is paramount to the security of your data, whether you are attempting to keep attackers out of your environment or applying data and system access restrictions based on the principle of least privilege. You want to have the right combination of people, processes, and technologies to maintain strong access control systems while addressing your business needs and security requirements. MegaplanIT has partnered with organizations and delivered services to strengthen an organization’s security controls. Our security and compliance consulting services evaluate your current processes and solutions, providing actionable guidance to remediate access control issues and continuously improve controls implementation and security processes. Our Managed Security Services provide peace of mind, as they monitor and triage security events. Our Security Testing Services can proactively conduct penetration testing of your applications, networks, and systems, identifying weaknesses and areas of unmitigated risk.