Data is one of the most valuable assets for any business. To protect sensitive information, you need to not only restrict access to data assets that reside across multiple clouds and environments, but also verify the authenticity of the individuals trying to access that data.
Data access control is a fundamental security tool that enables you to restrict access based on a set of policies. By implementing robust policies for your data access, you’re helping keep personally identifiable information (PII), intellectual property, and other confidential information from getting into the wrong hands, whether internally or externally.
How does data access control work?
Data access control works by verifying the users’ identity to ensure they are who they claim they are, and ensuring the users have the right to access the data. The two main components of data access control are:
- Authentication: Verifies the user identity, which could be done through a multifactor authentication mechanism
- Authorization: Determines not only the level of access that each user has to the data based on specified policies but also the actions the user can take
For data access control to be effective, authentication and authorization need to be applied consistently across your entire environment, both on premises and in the cloud.
Data access control models
There are four main models for applying data access control:
Discretionary access control (DAC): The least restrictive data access control model, DAC relies on the owner or administrator of the resource to decide who has access permission. This model is decentralized, giving users the ability to share access with others, and making it difficult to oversee who is accessing your company’s sensitive information.
With the DAC model, the end user — the person who creates the file or folder, for example — has complete discretion for setting the permission privileges, as well as transferring permissions to other users. This model has some inherent security issues, such as vulnerabilities to Trojan horses and other malware attacks.
Mandatory access control (MAC): In this nondiscretionary model, the end user doesn’t have any control over the permission settings. A central authority, such as an administrator or owner, controls the access, setting, changing, and revoking permissions.
With a MAC model, access is based on data classification and the level of clearance or formal access approval that users have. This approach, which can be difficult to manage, is commonly used in military organizations.
Role-based access control (RBAC): Access in this model is granted based on a set of permissions, which depend on the level of access that user categories need for performing their day-to-day duties. With RBAC, different employees receive different access privileges based on criteria such as job function and responsibilities.
A widely used system, RBAC combines role assignments with authorizations and permissions. It’s designed around predetermined roles, defined by criteria such as cost center, business unit, individual responsibilities, and authority. When a person changes responsibilities, jobs, or functions, the administrator assigns that user a new role that’s predefined in the system.
Attribute-based access control (ABAC): A dynamic data access control model, ABAC grants access based on both attributes and environmental conditions, which include factors such as location and time. These attributes and conditions are assigned both to the users and the data or other resources.
ABAC provides more flexibility, compared to RBAC, because you can modify the attributes and their values without having to change the subject/object relationships. That means that when you make new decisions about access, you can dynamically change the access controls.
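The difference between the RBAC and ABAC models described above, as an added example that is not part of the original article: the same user with the same role gets different decisions once attributes and environmental conditions are evaluated. The role names, attribute names, sample records, and the choice to require both checks are assumptions made for illustration.

```python
from datetime import time

# Constructed sample data; role, attribute and resource names are hypothetical.
ROLE_PERMISSIONS = {
    "hr_analyst": {("employee_record", "read")},
    "hr_manager": {("employee_record", "read"), ("employee_record", "write")},
}

def rbac_allows(user, resource, action):
    """RBAC: the decision depends only on permissions attached to the user's roles."""
    return any((resource["type"], action) in ROLE_PERMISSIONS.get(role, set())
               for role in user["roles"])

def make_abac_policy(allowed_locations, start, end):
    """ABAC: each rule is a predicate over user, resource and environment attributes."""
    return [
        lambda u, r, e: u["department"] == r["owner_department"],
        lambda u, r, e: u["clearance"] >= r["classification"],
        lambda u, r, e: e["location"] in allowed_locations,
        lambda u, r, e: start <= e["time"] <= end,
    ]

def abac_allows(user, resource, env, policy):
    """Allow only if every rule holds; a missing attribute denies (fail closed)."""
    try:
        return all(rule(user, resource, env) for rule in policy)
    except KeyError:
        return False

def decide(user, resource, action, env, policy):
    """Assumed layering: the role must permit the action and the attributes must match."""
    return rbac_allows(user, resource, action) and abac_allows(user, resource, env, policy)

alice = {"roles": ["hr_analyst"], "department": "hr", "clearance": 2}
record = {"type": "employee_record", "owner_department": "hr", "classification": 2}
policy = make_abac_policy({"office", "vpn"}, time(8, 0), time(18, 0))

office_hours = {"location": "office", "time": time(10, 30)}
late_night = {"location": "office", "time": time(23, 15)}

if __name__ == "__main__":
    print(decide(alice, record, "read", office_hours, policy))   # role and attributes match
    print(decide(alice, record, "read", late_night, policy))     # same role, outside allowed hours
    print(decide(alice, record, "write", office_hours, policy))  # role lacks write permission
    reclassified = {**record, "classification": 3}               # attribute change only
    print(decide(alice, reclassified, "read", office_hours, policy))
```

Raising the record's classification changes the outcome without touching any role assignment, which is the flexibility the ABAC paragraph describes.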
Implementing data access controls
To simplify the management of data access control, many organizations implement a platform such as identity and access management (IAM). The benefits of using an IAM solution include:
- Centralized and unified control over data across your organization
- Automated tasks such as provisioning
- Streamlined compliance with regulations such as the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), and the California Consumer Privacy Act (CCPA)
Final thoughts
Data security is as complex as it is critical. As your environment grows more complicated and threats evolve, it’s especially important to consistently enforce your data access policies. Consider a solution that can streamline your data access control processes while boosting security with an additional layer that monitors for malicious or inappropriate access.
SailPoint is an identity leader that provides data visibility and control and helps businesses secure their access to critical data assets.