This section focuses on access control methods. To prepare for the exam, you should understand the core methods and the differences between them.
- Role-based access control (RBAC). RBAC is a common access control method. For example, one role might be a desktop technician. The role has rights to workstations, the anti-virus software and a software installation shared folder. If a new desktop technician starts at your company, you simply add them to the role group and they immediately have the same access as other desktop technicians. RBAC is a non-discretionary access control method because there is no discretion — each role has what it has. RBAC is considered an industry-standard good practice and is in widespread use throughout organizations.
- Rule-based access control. Rule-based access control implements access control based on predefined rules. For example, you might have a rule that permits read access to marketing data for anyone who is in the marketing department, or a rule that permits only managers to print to a high-security printer. Rule-based access control systems are often deployed to automate access management. Many rule-based systems can be used to implement access dynamically. For example, you might have a rule that allows anybody in the New York office to access a file server in New York. If a user tries to access the file server from another city, they will be denied access, but if they travel to the New York office, access will be allowed. Rule-based access control methods simplify access control in some scenarios. For example, imagine a set of rules based on department, title and location. If somebody transfers to a new role or a new office location, their access is updated automatically. In particular, their old access goes away automatically, addressing a major issue that plagues many organizations.
- Mandatory access control (MAC). MAC is a method to restrict access based on a person’s clearance and the data’s classification or label. For example, a person with a Top Secret clearance can read a document classified as Top Secret. The MAC method ensures confidentiality. MAC is not in widespread use but is considered to provide higher security than DAC because individual users cannot change access.
- Discretionary access control (DAC). When you configure a shared folder on a Windows or Linux server, you use DAC. You assign somebody specific rights to a volume, a folder or a file. Rights could include read-only, write, execute, list and more. You have granular control over the rights, including whether the rights are inherited by child objects (such as a folder inside another folder). DAC is flexible and easy to use, and it is in widespread use. However, anybody with rights to change permissions can alter the permissions, so it is difficult to reconcile all the various permissions throughout an organization. It can also be hard to determine all the assets that somebody has access to, because DAC is very decentralized.
- Attribute-based access control (ABAC). Many organizations use attributes to store data about users, such as their department, cost center, manager, location, employee number and date of hire. These attributes can be used to automate authorization and to make it more secure. For example, you might configure authorization to allow only users who have “Paris” as their office location to use the wireless network at your Paris office. Or you might strengthen security for your HR folder by checking not only that users are members of a specific group, but also that their department attribute is set to “HR”.
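As an added illustration that is not part of the original text, the following Python sketch encodes the decision logic of each model above using the section's own examples (desktop technician role, Top Secret document, New York file server, Paris wireless, HR folder). Resource names, group names, the `User` class and the ordering of classification labels are constructed assumptions, and the MAC check applies the standard "no read up" rule, which the text does not spell out.

```python
from dataclasses import dataclass, field

# Ordered sensitivity labels for MAC; a higher number means more sensitive (constructed).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)    # RBAC role memberships
    groups: set = field(default_factory=set)   # directory groups (combined with attributes in ABAC)
    clearance: str = "Unclassified"            # MAC clearance
    attrs: dict = field(default_factory=dict)  # ABAC attributes: department, location, ...

# RBAC: rights attach to roles, never to individuals (role and rights constructed from the text).
ROLE_RIGHTS = {"desktop_tech": {"workstations", "antivirus", "install_share"}}

def rbac_allows(user: User, resource: str) -> bool:
    return any(resource in ROLE_RIGHTS.get(role, set()) for role in user.roles)

# MAC: read is permitted only when the clearance dominates the object's label
# ("no read up"; assumed here, the page only gives the Top Secret example).
def mac_allows_read(user: User, label: str) -> bool:
    return LEVELS[user.clearance] >= LEVELS[label]

# Rule-based: a predefined rule evaluated against request context, so the same user
# is denied from another city and allowed once they connect from the New York office.
def rule_allows(resource: str, request_location: str) -> bool:
    rules = {"ny_fileserver": lambda loc: loc == "New York"}
    return rules.get(resource, lambda loc: False)(request_location)

# ABAC: decisions combine attributes. The HR folder needs the HR group AND
# department == "HR"; Paris wireless needs location == "Paris".
def abac_allows(user: User, resource: str) -> bool:
    if resource == "hr_folder":
        return "hr_staff" in user.groups and user.attrs.get("department") == "HR"
    if resource == "paris_wifi":
        return user.attrs.get("location") == "Paris"
    return False

# DAC: a per-object ACL that anyone holding "change_permissions" may edit, which is
# the decentralisation the text warns about.
def dac_allows(acl: dict, user: User, right: str) -> bool:
    return right in acl.get(user.name, set())

def dac_grant(acl: dict, actor: User, target: str, right: str) -> bool:
    if "change_permissions" not in acl.get(actor.name, set()):
        return False
    acl.setdefault(target, set()).add(right)
    return True
```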