Access control is one of those topics that often means different things to different people. In its most basic form, it is simply the “restriction of access to a resource.” Unfortunately, as you drill down into what that actually means for your organization, things usually get muddy.

For some people, it is simply selectively granting user access to accounts based on the authenticated user identity; for others, based on user roles; yet for others, based on clearances. For some, it’s about locking down a network based on VLANs – so it’s not about users, but rather about machine-to-machine interactions.

And there are also many access control techniques that are concerned not with what is allowed (white-listing) but with what is not allowed (black-listing), such as web application security tools that filter out unwanted traffic.

If you add it all up across a typical IT organization, access control is practically everywhere, and it’s very different in many places.

Enter “access policy” – most access control approaches rely on a policy to be specified by security professionals. Especially for white-listing approaches, this policy is usually organization-specific.

Black-listing is often easier because unwanted access (e.g. malware) is often unwanted for every user of the access control technology. So, while black-listing forms a great security baseline by keeping some unwanted access out, real access control is usually only achieved with additional white-listing based on the particular security requirements the organization has.

This is where things get difficult. At one extreme, the access control approach is simple, well-known and manageable, such as:

  • Identity-based access control (IBAC) – the requester authenticates and then gets all-or-nothing access
  • Role-based access control (RBAC) – the requester authenticates and provides a role, and gets access based on the role
  • Multi-level security (MLS) – the requester has a clearance level and only gets into resources that have no higher classification level than the requester’s clearance, etc.
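The three "simple" models above reduce to a table lookup or a level comparison, which is exactly what makes them manageable. The following is an added example (not code from the original post) with constructed users, roles and classification levels; the MLS part implements the Bell-LaPadula "no read up" and "no write down" rules, which the post only alludes to.

```python
# Added example: minimal decision functions for the three simple access control
# models named in the post (IBAC, RBAC, MLS). All identities, roles, resources
# and level names are constructed sample data, not taken from the post.

# --- Identity-based (IBAC): an ACL lists exactly which identities may use a
# resource; the authenticated identity is either listed or not.
ACL = {
    "payroll-db": {"alice", "bob"},
    "hr-share": {"carol"},
}

def ibac_allowed(user: str, resource: str) -> bool:
    """All-or-nothing access keyed on the authenticated identity."""
    return user in ACL.get(resource, set())

# --- Role-based (RBAC): permissions attach to roles; the requester presents a
# role and the individual identity no longer matters for the decision.
ROLE_PERMISSIONS = {
    "nurse": {"patient-record:read"},
    "physician": {"patient-record:read", "patient-record:write"},
    "auditor": {"audit-log:read"},
}

def rbac_allowed(role: str, permission: str) -> bool:
    """Access follows from the role, so every nurse gets the same rights."""
    return permission in ROLE_PERMISSIONS.get(role, set())

# --- Multi-level security (MLS): subjects carry a clearance, resources a
# classification, and both are points on one ordered lattice.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

def mls_allowed(clearance: str, classification: str, action: str) -> bool:
    """Bell-LaPadula: read requires clearance >= classification (no read up);
    write requires clearance <= classification (no write down)."""
    subj, obj = LEVELS[clearance], LEVELS[classification]
    if action == "read":
        return subj >= obj
    if action == "write":
        return subj <= obj
    return False  # unknown actions are denied by default

if __name__ == "__main__":
    print(ibac_allowed("alice", "payroll-db"))               # True
    print(rbac_allowed("nurse", "patient-record:write"))     # False
    print(mls_allowed("secret", "top-secret", "read"))       # False: no read up
    print(mls_allowed("secret", "confidential", "write"))    # False: no write down
```

Note what none of these functions can see: which patient a record belongs to, who the nurse is working for today, or where either of them is. That missing context is the gap the rest of the post is about.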

The problem with those approaches is that they are almost always too simplistic to actually enforce the policy that matters to the organization. For example, HIPAA requires that a covered entity make reasonable efforts to limit itself to “the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

Such generic (let’s call them “high-level”) policies are human-intuitive, but really not readily implementable using traditional, simple access control approaches like IBAC, RBAC, MLS (or any black-listing).

Instead, they will need to be re-interpreted into something more “low-level” (and complex) that can actually be technically implemented, such as “nurses should only get access to patient records of patients who are registered with the treating physician the nurse is currently working for, and only if the nurse and the patient are in the same building.” Such access policies are often very complex, detailed, dynamic, and contextual.

Many advanced access control approaches have been devised over the last 10-15 years to support such complexities. These include: attribute-based access control (ABAC) – where (in simplistic terms) access is determined based on rules and attributes about requesters, resources and context; risk-adaptive access control, where access changes based on calculated risk; proximity-based access control, business process based access control, history-based access control, etc.
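To make the contrast concrete, here is an added example (not the post's own code, and not any particular product's policy language) that encodes the nurse policy from the previous section as attribute-based rules over subject, resource and action attributes. The attribute names, the rule structure and all sample records are constructed for illustration.

```python
# Added example: an attribute-based (ABAC) evaluator for the post's "low-level"
# nurse policy: a nurse may read a patient record only if the patient is
# registered with the physician the nurse currently works for, and only if the
# nurse and the patient are in the same building. All names are constructed.
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Subject:
    user_id: str
    role: str
    working_for: str   # physician the nurse is currently assigned to (dynamic)
    building: str      # where the subject's session is located (contextual)

@dataclass(frozen=True)
class Resource:
    patient_id: str
    treating_physician: str
    building: str      # ward in which the patient is registered

# A rule is a predicate over (subject, resource, action). Every rule in the
# policy must hold for a permit; anything else is denied by default.
Rule = Callable[[Subject, Resource, str], bool]

POLICY: list[tuple[str, Rule]] = [
    ("nurse-read-only",
     lambda s, r, a: s.role == "nurse" and a == "read"),
    ("patient-registered-with-nurses-physician",
     lambda s, r, a: r.treating_physician == s.working_for),
    ("same-building",
     lambda s, r, a: s.building == r.building),
]

def evaluate(subject: Subject, resource: Resource, action: str,
             policy=POLICY) -> tuple[str, list[str]]:
    """Return ("permit" | "deny", names of the rules that failed).

    Reporting the failed rules, not just the decision, is what makes a complex
    policy auditable: an operator can see *why* a request was denied."""
    failed = [name for name, rule in policy if not rule(subject, resource, action)]
    return ("permit" if not failed else "deny", failed)

def rbac_only(subject: Subject, action: str) -> bool:
    """The coarse role check the post calls too simplistic: it has no notion of
    which patient or which building, so every nurse may read every record."""
    return subject.role == "nurse" and action == "read"

if __name__ == "__main__":
    nurse = Subject("n-100", "nurse", working_for="dr-lee", building="A")
    own_patient = Resource("p-1", treating_physician="dr-lee", building="A")
    other_physician = Resource("p-2", treating_physician="dr-kim", building="A")
    other_building = Resource("p-3", treating_physician="dr-lee", building="B")
    for rec in (own_patient, other_physician, other_building):
        print(rec.patient_id, evaluate(nurse, rec, "read"), "rbac:", rbac_only(nurse, "read"))
```

Running the `__main__` block permits only `p-1`; `p-2` is denied on the physician rule and `p-3` on the building rule, while the role-only check permits all three. Note that `working_for` and `building` are the attributes that change from shift to shift, which is where the policy's dynamic and contextual nature, and the management burden the post describes, actually lives.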

Bridging that “semantic gap” between those human-intuitive “high-level” policies on the one hand, and the technically implementable “low-level” policies on the other, usually gets challenging. Correctly implementing such (and other) advanced access control policies requires a very good understanding of:

  • Today’s increasingly complex security policy requirements and how they impact technical access control implementation
  • The impact of more and more complex IT environments, such as cloud, Internet of Things, etc. on access policy
  • The available advanced access control approaches with their benefits and (complexity) challenges
  • Approaches and processes to manage advanced access policies despite the complexity and dynamicity (for example using this blog’s topic, model-driven security)
  • Understanding of which advanced access controls are most suitable for which use case (e.g. enterprise, big data, cloud, IoT)

In the pursuit of educating practitioners in the access control policy implementation space, I’ll be giving an introduction into what it takes to implement and manage advanced access controls at BSidesSF.

In this quite technical session attendees will learn why access control policy implementation in 2016 is more complex than you may think, why traditional access control mechanisms are often insufficient, which new approaches are available, and which of them are suitable for which IT/business environment.

(This blog post has also appeared on Tripwire’s “State of Security” blog)