The Effectiveness of Access Control Methods on Information Security
The current technological landscape consists of swiftly developing information and communications technologies. This has heightened concerns about the security of the information stored on such devices (Ghazal et al., 2019). As a result, previous studies have debated the most suitable approach for enhancing the security of these systems (Metoui, 2018; Ghazal et al., 2019). One such security measure is the use of access control methods and infrastructures as solutions for information systems and for multi-domain, shared, decentralised network infrastructures. Access control systems offer a suitable means of controlling the interaction between diverse systems or users within an organisation (Atlam et al., 2020). According to Ghazal et al. (2019), an effective information security approach determines which users can gain access to which information.
Access control measures help ensure that only authorised personnel can access an organisation's information systems, and thereby prevent cyber attacks that can have major adverse impacts on both businesses and individuals (Ghazal et al., 2019). They also prevent unauthorised access to both stored and transmitted information. In particular, given the dynamic organisational relationships found in multi-domain settings such as cloud computing, it is important that users' privileges and functions are explicitly defined. Users should be granted access privileges based on their roles and on the level of access required to perform their daily tasks (Ghazal et al., 2019). This highlights the significance of access control measures for effective information security. This paper examines the three major categories of access control security measures and assesses their effectiveness for information security.
2. The Features of Access Control Security Measures
2.1 Traditional Access Control Methods
Traditional access control methods use static, predefined rules to define access privileges. Because the rules are static, they produce the same decision regardless of the specific information system infrastructure or organisational setting. Such methods have proved effective in many organisational settings; they work by binding a fixed access control logic to the data or system that is to be protected (Atlam et al., 2020). Atlam et al. (2020) add that, in practice, a deployed access control method is often open to exploitation: an unforeseen condition may require a change in access privileges, or an organisation may have prepared its access rules inadequately. Thus, although traditional access control methods offer certain benefits, they also present challenges. One such challenge is that these methods cannot handle unforeseen events, because they are built on static and predetermined rules (Metoui, 2018).
As a result, such static methods are not considered suitable for dynamic and decentralised systems such as the Internet of Things and cloud computing applications, because decentralised systems require flexibility in the access privileges granted to system resources. According to Atlam et al. (2020), traditional access control methods are better suited to more centralised settings that do not require dynamic access decisions. Examples of traditional access control methods include Mandatory Access Control (MAC) and Discretionary Access Control (DAC). DAC was developed for multi-user information systems; it grants access based on the identity of the requesting user and on rules set at the discretion of the resource owner. Thus, a resource's owner can grant access to all users or only to a subset of them (Atlam et al., 2020). Under MAC, by contrast, each resource is classified into a sensitivity class and carries a label recording that sensitivity, each user carries a clearance label, and a system-wide policy, rather than the resource owner, determines which users may access which resources (Bugiel et al., 2013).
A more developed traditional access control method is role-based access control (RBAC). The notion of RBAC arose with the introduction of multi-user, multi-application computer systems in the 1970s (Sandhu et al., 1996). RBAC assigns privileges to roles rather than directly to users, which simplifies the management of privileges and authorisations. In recent years, the use of RBAC in information systems and networked computer systems has grown. According to Rhodes and Caelli (2016), this is because of users' interest in role-specific authorisation measures and a declining interest in the more conventional DAC and MAC methods.
An RBAC model has three major components: users, roles (each a named set of authorisations) and permissions (actions that may be performed on specific systems or objects) (Bijon et al., 2013). Access decisions therefore depend on users' roles, with each role carrying a collection of access permissions. An organisation may define many roles, such as customer, manager and IT specialist. A user can hold one or more roles, and their access privileges follow from those roles and the tasks they entail. This reduces the potential for unauthorised access to an organisation's information systems (Atlam et al., 2020). For instance, in a healthcare organisation, doctors may access patients' medical records by virtue of their role as medical practitioners, whereas receptionists or secretaries may only access certain administrative details about patients and not their medical records.
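The following is an added example (not code from the cited papers) that implements the three RBAC components just described for the clinic scenario: users are assigned to roles, roles are granted permissions, and a permission is an operation on an object type. The role names (doctor, receptionist), resource types and user names are assumptions of the example; unknown users and unknown roles get no access, so the engine denies by default.

```python
"""A minimal RBAC policy engine for the clinic scenario described above.

Added example (not code from the cited papers). It implements the core RBAC
relations: users are assigned to roles, roles are granted permissions, and a
permission is an (operation, object type) pair. The role, resource and user
names below are assumptions for a hypothetical clinic.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    """An operation on a type of object, e.g. ("read", "medical_record")."""
    operation: str
    resource: str


@dataclass
class RBACPolicy:
    # role -> permissions granted to that role
    role_permissions: dict[str, set[Permission]] = field(default_factory=dict)
    # user -> roles the user holds
    user_roles: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, role: str, operation: str, resource: str) -> None:
        """Give a role a permission (administrators edit roles, not individual users)."""
        self.role_permissions.setdefault(role, set()).add(Permission(operation, resource))

    def assign(self, user: str, role: str) -> None:
        """Put a user into a role; an unknown role is an error rather than a silent no-op."""
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        """Remove a role from a user; permissions held only via that role go with it."""
        self.user_roles.get(user, set()).discard(role)

    def permissions_of(self, user: str) -> set[Permission]:
        """Union of the permissions of every role the user holds (empty for unknown users)."""
        perms: set[Permission] = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def is_permitted(self, user: str, operation: str, resource: str) -> bool:
        """Deny by default: true only if some role of the user carries the permission."""
        return Permission(operation, resource) in self.permissions_of(user)


def build_clinic_policy() -> RBACPolicy:
    """Construct the hypothetical clinic policy (assumed roles, resources and users)."""
    policy = RBACPolicy()
    # Doctors: full access to medical records, read-only view of contact details.
    policy.grant("doctor", "read", "medical_record")
    policy.grant("doctor", "write", "medical_record")
    policy.grant("doctor", "read", "patient_contact")
    # Receptionists: administrative data only, never medical records.
    policy.grant("receptionist", "read", "patient_contact")
    policy.grant("receptionist", "write", "patient_contact")
    policy.grant("receptionist", "read", "appointment")
    policy.grant("receptionist", "write", "appointment")
    # Users are assumed; carol holds two roles and gets the union of both.
    policy.assign("alice", "doctor")
    policy.assign("bob", "receptionist")
    policy.assign("carol", "doctor")
    policy.assign("carol", "receptionist")
    return policy


if __name__ == "__main__":
    policy = build_clinic_policy()
    for user, op, res in [("alice", "read", "medical_record"),
                          ("bob", "read", "medical_record"),
                          ("bob", "write", "appointment"),
                          ("mallory", "read", "patient_contact")]:
        verdict = "ALLOW" if policy.is_permitted(user, op, res) else "DENY"
        print(f"{user:8} {op:5} {res:16} -> {verdict}")
```

The point of the separation is administrative: when a receptionist joins or leaves, only the user-to-role assignment changes, and the role-to-permission mapping (the part that actually protects the medical records) is never touched.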
2.2 Dynamic Access Control Methods
Dynamic access control methods do not rely on the access rules alone; instead, further context-dependent attributes gathered at the time of an access request are taken into account when deciding on access privileges (Wang and Jin, 2011). Rather than applying fixed rules, these methods use real-time, dynamic factors to determine a user's level of access. Examples of such factors include the situation in which the request is made, the requester's level of trust, previous access history, the potential risk of the access, and operational need (Atlam et al., 2020). Because the factors are evaluated for each request, these approaches can adjust to changing circumstances and conditions when determining access privileges.
This offers greater flexibility, since these methods adapt readily to diverse settings and conditions while still determining suitable access privileges. According to Atlam et al. (2020), dynamic access control methods are beneficial in numerous applications, including military systems and healthcare infrastructures, where careful handling of an unusual access request can save patients' lives.
2.3 Risk-Based Access Control Method
Elky (2006) defines 'risk' as the potential damage that could arise from a current process or a possible future event. In the context of information technology, a security risk is the damage that unforeseen events could cause to an organisation's processes or its information systems (Atlam et al., 2020). Security risks can also lead to major breaches of information confidentiality, integrity or availability, which in turn damage an organisation's reputation. Risk-based access control methods use the estimated security risk as the basis for deciding on every access request. A risk-based access control system dynamically assesses the security risk associated with each request and then compares the estimated risk value against a threshold to decide whether access to the information is allowed or denied (Atlam et al., 2020).
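The following added example (not code from the cited papers) serves both Section 2.2 and Section 2.3: it evaluates a single access request from the dynamic factors listed above (resource sensitivity, severity of the requested action, the requester's trust derived from past behaviour, and the context of the request) and compares the resulting risk score against thresholds. The factor weights, the context scoring, the thresholds and the middle "step-up authentication" band between allow and deny are assumptions of the example; the page describes only an allow/deny outcome. The sample requests are constructed and show the same doctor reading the same record under different conditions.

```python
"""Risk-based (dynamic) access decision for a single request.

Added example, not code from the cited papers. The risk factors (resource
sensitivity, action severity, requester trust from past behaviour, and the
request context) follow the categories discussed in Sections 2.2 and 2.3; the
weights, thresholds and the "step_up" band are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    action: str            # "read", "write", "delete", ...
    resource: str
    sensitivity: float     # 0.0 (public) .. 1.0 (most sensitive), from the resource label
    trust: float           # 0.0 (untrusted) .. 1.0 (fully trusted), from the user's access history
    hour: int              # local hour at which the request is made, 0..23
    known_device: bool     # was the request made from a previously enrolled device?


# Assumed severity per operation; an unknown action is treated as worst case (fail closed).
ACTION_SEVERITY = {"read": 0.3, "write": 0.6, "delete": 1.0}

# Assumed weights; they sum to 1.0 so the combined score stays in [0, 1].
WEIGHTS = {"sensitivity": 0.30, "severity": 0.20, "distrust": 0.25, "context": 0.25}

ALLOW_BELOW = 0.40   # score below this: allow
DENY_AT = 0.70       # score at or above this: deny; in between: allow only after step-up auth


def _check_range(name: str, value: float) -> None:
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be in [0, 1], got {value}")


def context_risk(req: AccessRequest) -> float:
    """Risk contributed by the circumstances of the request (assumed scoring)."""
    if not 0 <= req.hour <= 23:
        raise ValueError(f"hour must be in 0..23, got {req.hour}")
    risk = 0.0
    if not req.known_device:
        risk += 0.5            # request from an unenrolled device
    if req.hour < 7 or req.hour > 19:
        risk += 0.3            # outside normal working hours
    return min(risk, 1.0)


def risk_score(req: AccessRequest) -> float:
    """Weighted combination of the risk factors, in [0, 1]."""
    _check_range("sensitivity", req.sensitivity)
    _check_range("trust", req.trust)
    factors = {
        "sensitivity": req.sensitivity,
        "severity": ACTION_SEVERITY.get(req.action, 1.0),
        "distrust": 1.0 - req.trust,
        "context": context_risk(req),
    }
    return sum(WEIGHTS[name] * value for name, value in factors.items())


def decide(req: AccessRequest) -> str:
    """Map the risk score to a decision: 'allow', 'step_up' or 'deny'."""
    score = risk_score(req)
    if score < ALLOW_BELOW:
        return "allow"
    if score < DENY_AT:
        return "step_up"       # allow, but only after the user re-authenticates
    return "deny"


def sample_requests() -> dict[str, AccessRequest]:
    """Constructed requests: the same doctor and record under different conditions."""
    return {
        "doctor_daytime": AccessRequest("alice", "read", "medical_record", 0.9, 0.9, 10, True),
        "doctor_night_newdevice": AccessRequest("alice", "read", "medical_record", 0.9, 0.9, 2, False),
        "low_trust_delete": AccessRequest("eve", "delete", "medical_record", 0.9, 0.2, 2, False),
        "public_notice": AccessRequest("bob", "read", "notice_board", 0.1, 0.9, 10, True),
    }


if __name__ == "__main__":
    for label, req in sample_requests().items():
        print(f"{label:24} score={risk_score(req):.3f} -> {decide(req)}")
```

Under a static RBAC rule the doctor's two requests would receive the same answer; here the night-time request from an unenrolled device moves the score from 0.355 to 0.555 and so requires step-up authentication, while the low-trust delete scores 0.87 and is denied outright. The weights and thresholds are the part a deployment has to calibrate against its own risk appetite.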
Traditional access control methods such as MAC and DAC have been widely applied to secure information systems. Role-based methods are also considered effective, because they grant access according to users' specific roles and thereby reduce the exposure to unauthorised access to information. Nonetheless, given the dynamic landscape in which industries and organisations now operate, more dynamic access control methods are needed. These tailor each access decision to the specific situation and to the user's level of authorisation, although their effectiveness depends on how accurately risk is estimated and on the thresholds chosen. Overall, access control methods provide a significant level of security for information systems and should be a vital tool for the individuals and organisations that use such systems.
Atlam, H. F., Azad, M. A., Alassafi, M. O., Alshdadi, A. A. and Alenezi, A. (2020). Risk-Based Access Control Model: A Systematic Literature Review. Future Internet, 12 (103), pp. 1–23.
Bijon, K. Z., Krishnan, R. and Sandhu, R. (2013). A framework for risk-aware role-based access control. In: Proceedings of the IEEE Conference on Communications and Network Security, National Harbor, MD, 14–16 October, pp. 462–469.
Bugiel, S., Heuser, S. and Sadeghi, A. R. (2013). Flexible and fine-grained mandatory access control on Android for diverse security and privacy policies. In: Proceedings of the 22nd USENIX Security Symposium, Washington, DC, 14–16 August, pp. 131–146.
Elky, S. (2006). An Introduction to Information System Risk Management. Bethesda, MD: SANS Institute.
Ghazal, R., Malik, A. K., Qadeer, N., Raza, B., Shahid, A. R. and Alquhayz, H. (2019). Intelligent Role-Based Access Control Model and Framework using Semantic Business Roles in Multi-domain Environments. IEEE Access, pp. 1–19.
Metoui, N. (2018). Privacy-Aware Risk-Based Access Control Systems. Trento, Italy: University of Trento.
Rhodes, A. and Caelli, W. (2016). Role Based Access Control. [Online]. Available at: https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.85.3241&rep=rep1&type=pdf [Accessed 9 October 2021].
Samarati, P. and de Vimercati, S. C. (2000). Access control: Policies, models, and mechanisms. In: International School on Foundations of Security Analysis and Design, pp. 137–196.
Sandhu, R. S., Coyne, E. J., Feinstein, H. L. and Youman, C. E. (1996). Role-Based Access Control Models. IEEE Computer, 29 (2), pp. 38–47.
Wang, Q. and Jin, H. (2011). Quantified risk-adaptive access control for patient privacy protection in health information systems. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS '11), Hong Kong, China, 22–24 March, pp. 406–410.