Term Paper Undergraduate 1,339 words Human Written

Access Control Methods for Information Systems

Introduction
In the field of information security, access control refers to the selective restriction of access to a resource. It is a security technique used to regulate who or what can use or view a resource within a computing environment. There are two main types of access control, physical and logical. Physical access control limits physical access to buildings and IT assets, while logical access control limits connection to computer networks, data, and system files (Younis, Kifayat, & Merabti, 2014). Access control systems are charged with performing identification, authentication, authorization, approval, access, and accountability for entities by using login credentials. Three main types of access control will be discussed in this paper: mandatory access control, discretionary access control, and role-based access control.
Elements of Access Control
Mandatory access control (MAC) is a security strategy in which only the administrator has the ability to determine access control. This means resource owners are restricted in their ability to deny or grant access to their own resource objects within a file system (Younis et al., 2014). MAC criteria are strictly enforced by the operating system and cannot be altered by end users. Discretionary access control (DAC) is a security strategy in which the owner of the file or object determines the subjects or individuals who can access the object (Choi, Choi, & Kim, 2014). This strategy is called discretionary because access is granted at the discretion of the owner. Role-based access control (RBAC) is an access control strategy based on the roles of individual users within an enterprise. The roles are mostly defined according to authority, job competency, and responsibility within the enterprise.
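The following is an added illustration, not part of the original paper, that models the three strategies just described in a few lines of Python. The sensitivity levels, users, roles and permissions are constructed values; the MAC check shown is a simple "no read up" rule in which both labels are fixed by the administrator, the DAC object keeps an owner-controlled access list, and the RBAC check resolves permissions through roles.

```python
"""Minimal models of MAC, DAC and RBAC (constructed example, not from the paper)."""
from typing import Dict, Set

# Ordered sensitivity levels; in MAC the administrator assigns these labels (constructed values).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_can_read(clearance: str, classification: str) -> bool:
    """MAC: a subject may read an object only when its clearance is at least the
    object's classification ("no read up"). No owner-controlled rule is consulted,
    so neither the owner nor the requester can relax the check."""
    return LEVELS[clearance] >= LEVELS[classification]


class DacObject:
    """DAC: the object's owner keeps the access list and alone may change it."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write"}}

    def grant(self, actor: str, subject: str, permission: str) -> None:
        # Only the owner may extend the list; anyone else is refused.
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner")
        self.acl.setdefault(subject, set()).add(permission)

    def transfer_ownership(self, actor: str, new_owner: str) -> None:
        # DAC also lets the current owner hand ownership itself to another user.
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner")
        self.owner = new_owner
        self.acl.setdefault(new_owner, set()).update({"read", "write"})

    def can(self, subject: str, permission: str) -> bool:
        return permission in self.acl.get(subject, set())


# RBAC: permissions attach to roles and users receive roles (constructed values).
ROLE_PERMS: Dict[str, Set[str]] = {
    "clerk": {"invoice:read"},
    "manager": {"invoice:read", "invoice:approve"},
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"clerk"}, "bob": {"manager"}}


def rbac_can(user: str, permission: str) -> bool:
    """RBAC: a user holds a permission if any role assigned to them carries it."""
    return any(permission in ROLE_PERMS.get(r, set()) for r in USER_ROLES.get(user, set()))


def demo() -> dict:
    """Exercise each model once and return the outcomes for inspection."""
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")  # the owner shares at her own discretion
    try:
        doc.grant("bob", "mallory", "read")  # a non-owner cannot extend the ACL
        nonowner_grant_succeeded = True
    except PermissionError:
        nonowner_grant_succeeded = False
    return {
        "mac_secret_reads_internal": mac_can_read("secret", "internal"),
        "mac_internal_reads_secret": mac_can_read("internal", "secret"),
        "dac_bob_can_read": doc.can("bob", "read"),
        "dac_nonowner_grant_succeeded": nonowner_grant_succeeded,
        "rbac_alice_approve": rbac_can("alice", "invoice:approve"),
        "rbac_bob_approve": rbac_can("bob", "invoice:approve"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of contrast is where the decision lives: in `mac_can_read` only the two administrator-assigned labels matter, in `DacObject` the owner can widen access or give the object away, and in `rbac_can` the user never appears in a permission list at all, only in a role assignment.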
Positive and Negative Aspects of Each Access Control
The advantage of using MAC is that it provides tighter security, because only the system administrator is able to access and alter the specified controls. This ensures that only authorized individuals have access to resources, and that an authorized individual can only access the resources within their clearance level. Another advantage is that MAC policies reduce security errors, so there are few instances of an individual being able to access a file that they are not authorized to access. The disadvantage of MAC is that the policy is more complex to manage; only highly experienced systems administrators are able to work with MAC-enabled systems. Another disadvantage is that the model reduces system performance, because the system has to check every access against the access rules before granting access to an individual.
The advantage of DAC is that it is easy to implement. This means that one can set up a security policy quite easily without much knowledge or understanding of information security. When using DAC, it is possible for a user to transfer ownership of an object to another user (Choi et al., 2014). The disadvantage of DAC is its inherent vulnerability to malicious programs: a program executing on behalf of a user inherits that user's discretion over the objects they own, so a malicious program can pass on access to those objects.
RBAC has the advantage of reducing administrative work. When using RBAC one is able to add and switch roles quickly and have them implemented globally across platforms, operating systems, and applications (Fadhel, Bianculli, & Briand, 2015). There is also a reduced potential for errors when assigning user permissions. RBAC also has the advantage of maximizing operational efficiency, in that all the roles can be aligned with the organizational structure of the company. RBAC is, however, prone to role explosion. In most instances administrators will add roles to users but will not remove the old roles when the user's job changes.
Possible Methods to Mitigate the Negative Aspects of Each Access Control Type
The disadvantage of MAC requiring highly skilled systems administrators can be mitigated by implementing this access control only for highly sensitive files. This also confines the performance cost of the additional access checks to those files. It is for this reason that MAC is mainly used by highly sensitive institutions such as the military, where confidentiality is of utmost importance (Kerr & Alves-Foss, 2016).
DAC should only be used for personal sharing of files, where only a limited number of people are allowed to access the file or resource for a short time. In larger organizations, DAC would be highly susceptible to malicious programs that can infect the whole network. Since it is the user who determines who will have access, it is vital that the user understands the risks involved when deciding who may access the file. With proper knowledge, users can mitigate the risks of using DAC.
The best way to mitigate the negative aspects of RBAC is to have a lean role structure that bundles different organizational roles into a small number of groups. Administrators also need to remove roles from users who no longer hold the positions that justified them. The organizational roles should be structured so that certain roles can only access files within a limited time window or on particular days. This is only possible if the policy is well maintained and regularly checked to ensure that there are no overlapping roles.
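As an added example (not from the paper), the three RBAC mitigations above can be turned into routine checks: a stale-role audit that flags roles a user still holds although their current job function no longer entitles them to, an overlap check that finds roles with identical permission sets as candidates for merging into a leaner structure, and a permission check that honours a role's allowed daily window. All role, job and user data below are constructed values.

```python
"""Hygiene checks for an RBAC policy (constructed example, not from the paper)."""
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

# Role -> permissions it carries (constructed values).
ROLE_PERMS: Dict[str, Set[str]] = {
    "invoice_reader": {"invoice:read"},
    "invoice_approver": {"invoice:read", "invoice:approve"},
    "invoice_viewer": {"invoice:read"},  # identical to invoice_reader: an overlap
    "payroll_admin": {"payroll:read", "payroll:write"},
}

# Job function -> roles that function is entitled to (constructed values).
JOB_ROLES: Dict[str, Set[str]] = {
    "clerk": {"invoice_reader"},
    "manager": {"invoice_reader", "invoice_approver"},
    "hr": {"payroll_admin"},
}

# Roles usable only within a daily time window (constructed values).
ROLE_HOURS: Dict[str, Tuple[time, time]] = {"invoice_approver": (time(8, 0), time(18, 0))}


def stale_roles(user_roles: Dict[str, Set[str]], user_job: Dict[str, str]) -> Dict[str, Set[str]]:
    """Roles a user holds that their current job function does not entitle them to:
    the leftovers an administrator forgot to remove when the job changed."""
    findings: Dict[str, Set[str]] = {}
    for user, roles in user_roles.items():
        allowed = JOB_ROLES.get(user_job.get(user, ""), set())
        extra = roles - allowed
        if extra:
            findings[user] = extra
    return findings


def overlapping_roles(role_perms: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Pairs of roles with identical permission sets; candidates to merge."""
    names = sorted(role_perms)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if role_perms[a] == role_perms[b]]


def permitted_now(user: str, permission: str, user_roles: Dict[str, Set[str]], at: datetime) -> bool:
    """Permission check that also enforces a role's allowed daily window."""
    for role in user_roles.get(user, set()):
        if permission not in ROLE_PERMS.get(role, set()):
            continue
        window = ROLE_HOURS.get(role)
        if window is None or window[0] <= at.time() <= window[1]:
            return True
    return False


def run_audit() -> dict:
    """Run the three checks over a constructed user population."""
    user_roles = {
        "alice": {"invoice_reader", "invoice_approver"},  # moved from manager to clerk
        "bob": {"invoice_reader"},
        "carol": {"payroll_admin"},
    }
    user_job = {"alice": "clerk", "bob": "clerk", "carol": "hr"}
    return {
        "stale": stale_roles(user_roles, user_job),
        "overlaps": overlapping_roles(ROLE_PERMS),
        "alice_approve_noon": permitted_now("alice", "invoice:approve", user_roles, datetime(2024, 1, 15, 12, 0)),
        "alice_approve_night": permitted_now("alice", "invoice:approve", user_roles, datetime(2024, 1, 15, 23, 0)),
    }


if __name__ == "__main__":
    print(run_audit())
```

The stale-role check is driven by an authoritative job record rather than by the role list itself, which is what makes it catch the "added but never removed" case the paper describes; the overlap check gives the administrator a concrete list of roles to collapse when trimming the role structure.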
Deploying the Optimal Access Control Method
Where resources must be restricted on a need-to-know basis, with least privilege and separation of duties, the optimal access control method to deploy would be MAC. MAC has stringent rules and does not allow them to be bypassed even if a user attempts to give their credentials to someone else. MAC places priority on confidentiality, which is what the Chief Security Officer is mostly concerned with. Once the administrator has specified the access restrictions, the computer system is charged with checking and verifying whether the user should be granted access. MAC is also the optimal access control compared to the other two because it has more detailed auditing capabilities. The administrator is able to tell when a user is trying to gain access to a resource they are not authorized to access, which makes it easier to prevent risks from materializing.
Challenges to Deploying Each Type of Access Control Method
MAC might be the most secure access control currently available, but one of the challenges of implementing it is the need for careful planning and continuous monitoring to ensure that all resource objects and user classifications are kept up to date. This is a challenge in that the organization needs some individuals charged with creating the security policy and others actively monitoring how the policy is used. Therefore, only organizations with large security budgets are able to implement MAC.
The challenge of implementing DAC is that the organization has no control over file permissions, and a user can grant access to another user who should not be able to access the specified resource. At the organizational level it is hard to monitor who has access to which resource and who is denied access. Therefore, the possibility of confidential information being leaked is quite high.
RBAC is a neutral access control method that overcomes the challenges of DAC and MAC. However, since most organizations prefer to structure roles according to the organizational structure, some users might mistakenly be able to access files concerning themselves that they should not have been allowed to access in the first place.


References
Choi, C., Choi, J., & Kim, P. (2014). Ontology-based access control model for security policy reasoning in cloud computing. The Journal of Supercomputing, 67(3), 711-722.
Fadhel, A. B., Bianculli, D., & Briand, L. (2015). A comprehensive modeling framework for role-based access control policies. Journal of Systems and Software, 107, 110-126.
Kerr, L., & Alves-Foss, J. (2016). Combining mandatory and attribute-based access control. In 2016 49th Hawaii International Conference on System Sciences (HICSS).
Younis, Y. A., Kifayat, K., & Merabti, M. (2014). An access control model for cloud computing. Journal of Information Security and Applications, 19(1), 45-60.
"Access Control Methods For Information Systems" (2018, February 10). https://www.paperdue.com/essay/access-control-methods-information-systems-2166975