BLOG

What is Access Control? Components and Types

06/22/2021

Digital transformation changes the perimeter. When organizations had all their applications on-premises, the network firewall kept the right users inside the gate and malicious actors outside. However, the move to the cloud changed all that. In today’s hyper-connected ecosystem, understanding the components and types of access control can help you strengthen security.

What is access control?

Access control consists of data and physical access protections that strengthen cybersecurity by managing users’ authentication to systems. Managing access means setting and enforcing appropriate user authorization and authentication, along with role-based access control (RBAC) and attribute-based access control (ABAC) policies.

An organization supplies every identity – human or digital – with credentials, like a username and password. Then, those credentials are granted permissions to access resources, data, and applications whether on-premises or in the cloud.

What are the types of access control?

Although multiple types of access control exist, cloud migration has changed their relative importance. Since the National Institute of Standards and Technology (NIST) publishes widely used security frameworks, using the definitions in NIST Special Publication (SP) 800-53 offers good insight into the different types of access control.

Discretionary access controls (DAC)

According to NIST SP 800-53, DAC is an access control policy enforced over all subjects and objects that grants information access and allows the subject to:

  • Pass the information to other subjects or objects
  • Grant its privileges to other subjects
  • Change security attributes of subjects, objects, systems, or system components
  • Choose security attributes associated with newly-created or revised objects
  • Change rules governing access control

A good example of DAC would be giving someone Editor privileges for a folder in Google Drive. That person can share information, give the same privileges to others, change other users’ ability to edit/read information, and choose security attributes for any other assets in the folder.

Mandatory access controls (MAC)

NIST SP 800-53 defines MAC as an access control policy uniformly enforced across all subjects and objects, ultimately placing restrictions on DAC. MAC controls limit a subject’s access by preventing:

  • Passing the information to unauthorized subjects or objects
  • Giving its privileges to others
  • Changing security attributes on subjects, objects, systems, or system components
  • Changing access control rules

MAC limits users’ ability to share information. This is where traditional Google Drive controls often create problems, because they only allow file and folder owners to give Edit, Read, and Comment permissions. While Edit permissions essentially establish DAC, Read and Comment limit access but do not give a user the right to edit an asset directly.

Role-based access control (RBAC)

RBAC collects all the access permissions a user needs to complete their job function, both explicitly outlined and implicitly needed, and these may be inherited through a hierarchy. A single role may apply to one user or a group of users.

Under RBAC, you assign users access based on their job functions. Therefore, people in the marketing department have access to the networks, systems, and applications they need to do their jobs. This might include your customer relationship management (CRM) application, corporate blog, social media accounts, folders that marketing uses in a shared drive, and your collaboration tool. Additionally, not everyone on the marketing team will have the same access to resources. Your social media manager may be the only person with access to those accounts but does not have access to your corporate blog or CRM.

You also need to remember that different departments may need similar access to resources for different reasons. Your sales team might need access to your CRM and some of the same folders in a shared drive.

As the company’s application ecosystem grows, managing access becomes more challenging.
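The marketing and sales example above, worked as a small role hierarchy with permission inheritance. This is an added illustration, not SecurityScorecard's code; the role names, permission strings and user-to-role assignments are constructed.

```python
from collections import deque

# Constructed role graph: each role names the roles it inherits from and the
# permissions it adds. Permissions are "<resource>:<action>" strings.
ROLES = {
    "employee": {"parents": [], "grants": {"collab_tool:use"}},
    "marketing": {"parents": ["employee"],
                  "grants": {"marketing_folder:read", "marketing_folder:write"}},
    "content_marketer": {"parents": ["marketing"],
                         "grants": {"corporate_blog:publish", "crm:read"}},
    "social_media_manager": {"parents": ["marketing"],
                             "grants": {"social_accounts:post"}},
    # Sales needs the CRM and some marketing folders for its own reasons.
    "sales": {"parents": ["employee"],
              "grants": {"crm:read", "crm:write", "marketing_folder:read"}},
}

# Constructed user-to-role assignments; a role can serve one user or many.
ASSIGNMENTS = {
    "alice": {"content_marketer"},
    "bob": {"social_media_manager"},
    "carol": {"sales"},
}


def effective_permissions(role):
    """Permissions granted by a role plus everything inherited up the hierarchy."""
    perms, seen, queue = set(), set(), deque([role])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        perms |= ROLES[current]["grants"]
        queue.extend(ROLES[current]["parents"])
    return perms


def user_permissions(user):
    """Union of the effective permissions of every role assigned to the user."""
    perms = set()
    for role in ASSIGNMENTS.get(user, ()):
        perms |= effective_permissions(role)
    return perms


def is_allowed(user, resource, action):
    """Access check: the user holds the permission through at least one role."""
    return f"{resource}:{action}" in user_permissions(user)


if __name__ == "__main__":
    for user in ASSIGNMENTS:
        print(user, sorted(user_permissions(user)))
```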

Attribute-based access control (ABAC)

NIST SP 800-53 does not include ABAC in its definitions section. However, the Access Control family (AC) control “AC-3 Access Enforcement” subsection 13 explains that ABAC is a policy that restricts system access using a combination of:

  • Organizational attributes, like job function
  • Action attributes, like read, write, and delete
  • Environmental attributes, like time of day and geolocation
  • Resource attributes, like data type or application

ABAC enables organizations to set privileges and dynamically grant access, making it useful in dynamic cloud environments.
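An added example, not from the original post, of how an ABAC decision combines the four attribute categories listed above: each rule is a predicate over organizational, action, environmental and resource attributes, and a deny-overrides combining rule decides the outcome. The attribute names, policy rules and requests are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class Request:
    """One access request described by the four attribute categories."""
    subject: dict       # organizational attributes, e.g. job_function
    action: str         # action attribute: read, write, delete
    environment: dict   # environmental attributes, e.g. hour, country
    resource: dict      # resource attributes, e.g. data_type, application


@dataclass
class Rule:
    name: str
    effect: str                          # "permit" or "deny"
    condition: Callable[[Request], bool]


# Constructed policy. Deny rules are listed first for readability, but the
# combining logic in decide() makes deny win regardless of order.
POLICY = [
    Rule("no-delete-outside-business-hours", "deny",
         lambda r: r.action == "delete"
         and not 8 <= r.environment.get("hour", -1) < 18),
    Rule("sensitive-data-only-from-approved-countries", "deny",
         lambda r: r.resource.get("classification") == "sensitive"
         and r.environment.get("country") not in {"US", "CA"}),
    Rule("finance-reads-and-writes-financial-records", "permit",
         lambda r: r.subject.get("job_function") == "finance"
         and r.resource.get("data_type") == "financial_record"
         and r.action in {"read", "write"}),
    Rule("marketing-reads-crm", "permit",
         lambda r: r.subject.get("job_function") == "marketing"
         and r.resource.get("application") == "crm"
         and r.action == "read"),
]


def decide(request, policy=POLICY):
    """Deny-overrides evaluation: any matching deny rule wins, otherwise a
    matching permit rule is required, and no match at all means deny."""
    permit_rule = None
    for rule in policy:
        if rule.condition(request):
            if rule.effect == "deny":
                return "deny", rule.name
            permit_rule = permit_rule or rule.name
    if permit_rule:
        return "permit", permit_rule
    return "deny", "default-deny"


if __name__ == "__main__":
    req = Request({"job_function": "finance"}, "write",
                  {"hour": 10, "country": "US"},
                  {"data_type": "financial_record", "classification": "sensitive"})
    print(decide(req))
```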

Why is access control important?

Cloud migration changes how you need to protect information. With on-premises applications and data storage, using firewalls to prevent external connections made sense. However, the cloud changed all that.

Today, most employees use some public internet connection to access data and applications. Each access point is a new potential threat vector. Meanwhile, as organizations use more Internet of Things (IoT) devices from printers and “smart” security protections to sensors, those devices also need to connect to networks, applications, and data.

This is one of the reasons that cybercriminals increasingly engage in credential-based attacks. Every time you assign a human or digital identity a login ID and password, you increase the number of attack vectors.

When considering access control as part of strengthening your cybersecurity posture, you should consider the following risks:

  • Employee access
  • Contractor access
  • Network devices
  • IoT devices
  • Service accounts
  • Serverless functions
  • Robotic process automations (RPAs/bots)

Because each of these human and digital identities interacts with your networks, systems, and applications, you need to make sure that you have robust access controls for each of them.

Credential theft attacks are harder to detect and remediate. Since the malicious actors use real credentials, your systems, networks, and software believe that they are “safe” users. This is why establishing, enforcing, and maintaining strict access controls create a robust security posture.

How do organizations implement access control?

Beyond the different types of access controls, you need to put several levels of control into place.

Authorization

Authorization is the process of giving a user the set of permissions they need to access the resources that help them do their job.

Authentication

Authentication is the process of making sure that the person logging into a resource is who they say they are. Generally, organizations should focus on using multi-factor authentication (MFA), which includes using two or more of the following:

  • Something a person knows (password)
  • Something a person has (token, smartphone)
  • Something a person is (face ID, fingerprint, biometric)

Since many users have a difficult time setting and remembering complex passwords, they tend to use the same ones across personal and professional login IDs. Further, threat actors often use datasets of known weak passwords to engage in dictionary or brute force password attacks, where they use software to run the list of known weak passwords against the organization’s directory. MFA creates a second step that often alerts users to someone attempting to use their password or prevents the malicious actors from successfully exploiting weak passwords.

User access

User access has a lot of moving parts, especially in cloud-based ecosystems.

Principle of least privilege

User access should be limited according to the principle of least privilege, which means setting the most precise privileges possible so that the person can successfully do their job. However, in complex interconnected ecosystems, this is increasingly difficult.

For example, large application deployments like a CRM have many different modules. To limit access according to the principle of least privilege, you need to make sure that your marketing and sales teams can both access what they need without having access to modules that they don’t need.

Limiting excess access

The principle of least privilege is a control that looks to mitigate excess access risk. Excess access, especially for organizations that only use RBAC, becomes a cybersecurity risk for several reasons.

First, if users have too much access, they may be able to view or download nonpublic personal information (NPI). This is a privacy and potential security risk.

Second, excess access is often a way that malicious actors can leverage a standard user’s privileges to gain access to NPI, databases, or other cloud resources.

Third, as users move within an organization, they often take their historic access from one department to another, especially in organizations that use RBAC only.

Segregation of duties (SoD)

SoD controls are generally used to prevent fraud by making sure that no user access creates a conflict of interest that could be leveraged for fraud. A traditional example of SoD is preventing someone with access to your accounts payable from also having access to your accounts receivable applications.

Privileged access

Privileged access is the riskiest access and often the most difficult to manage. Generally associated with system administrators, privileged access is also referred to as “superuser” access because those who have it can access and change anything. They can create new user IDs and have access to root privileges.

A standard practice is for an organization to create both a standard and a privileged user account for roles that need privileged access, and to put time-bound restrictions on the privileged account. In other words, the privileged user or account is only allowed to use its privileged access for a specific amount of time, its activities are tracked, and the access is terminated automatically.
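The time-bound privileged access practice described above, as an added illustration that is not SecurityScorecard's code: a separate privileged account is elevated for a bounded window, every use is written to an audit trail, and the grant terminates itself once the window closes. The "-admin" naming convention, the one-hour maximum window and the audit-record layout are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class PrivilegedGrant:
    account: str        # the dedicated privileged account, e.g. "alice-admin"
    scope: str          # what the elevation covers
    ticket: str         # change or incident reference justifying it
    expires: datetime
    revoked: bool = False


class PrivilegedAccessManager:
    """Grants privileged access for a bounded window and records every use."""

    def __init__(self, max_window=timedelta(hours=1)):
        self.max_window = max_window
        self.grants = {}
        self.audit = []  # append-only (timestamp, event, details) records

    def _log(self, when, event, **details):
        self.audit.append((when, event, details))

    def elevate(self, account, scope, ticket, now, duration):
        # Only the separate privileged account is elevated (assumed "-admin"
        # suffix), never the daily-use one, and never beyond the policy maximum.
        if not account.endswith("-admin"):
            raise ValueError("elevate the dedicated privileged account")
        if duration > self.max_window:
            raise ValueError("requested window exceeds the policy maximum")
        grant = PrivilegedGrant(account, scope, ticket, now + duration)
        self.grants[account] = grant
        self._log(now, "elevated", account=account, scope=scope, ticket=ticket)
        return grant

    def is_active(self, account, now):
        grant = self.grants.get(account)
        if grant is None or grant.revoked:
            return False
        if now >= grant.expires:
            grant.revoked = True  # automatic termination once the window closes
            self._log(now, "expired", account=account, scope=grant.scope)
            return False
        return True

    def use(self, account, action, now):
        """Record a privileged action and refuse it outside an active window."""
        allowed = self.is_active(account, now)
        self._log(now, "action" if allowed else "refused",
                  account=account, action=action)
        return allowed


def demo():
    """One elevation lifecycle; returns the decisions and the audit events."""
    t0 = datetime(2021, 6, 22, 9, 0, tzinfo=timezone.utc)  # constructed time
    pam = PrivilegedAccessManager()
    pam.elevate("alice-admin", "prod-db", "CHG-0001", t0, timedelta(minutes=30))
    decisions = [
        pam.use("alice-admin", "restart db", t0 + timedelta(minutes=5)),
        pam.use("alice-admin", "create user", t0 + timedelta(minutes=31)),
        pam.is_active("alice-admin", t0 + timedelta(minutes=10)),
    ]
    return decisions, [event for _, event, _ in pam.audit]


if __name__ == "__main__":
    print(demo())
```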

Network access control (NAC)

NAC is an access management strategy that establishes and enforces policies by requiring authentication for both users and devices. With NAC, the organization ensures that users are authorized to access the network and that devices comply with security policies, like having up-to-date security patches and anti-virus software installed.

Data access management

Although at first data access management sounds like user access management, it goes beyond how users access information and also governs what they can do with it.

Data access management includes:

  • Classifying data by type
  • Limiting user access to sensitive data
  • Restricting what users can do with sensitive information, including preventing downloads and sharing

Application controls

Application controls focus on how applications interact with data and on preventing them from executing in ways that place information at risk. Although organizations often control this access using firewalls, modern applications frequently interact with databases directly or have service accounts that automatically connect to devices and storage locations.

When putting application controls in place, you should consider:

  • Completeness and validity checks
  • Identification
  • Authentication
  • Authorization
  • Input controls

Although originally intended to prevent malicious code from executing on devices, application controls can also incorporate limiting how standard and approved applications interact with one another.

SecurityScorecard: Continuous assurance through continuous monitoring

SecurityScorecard’s security ratings platform enables organizations to continuously monitor their environments and ecosystems for greater visibility into their security posture. Our platform provides an easy-to-read score using an A-F rating scale for at-a-glance visibility into your current security posture.
