NIST SP 800-53 control AC-24 (Access Control Decisions) requires organisations to establish procedures that ensure the defined access control decisions are applied to each access request before access is enforced. Its enhancements add that the information system should transmit access authorisation information to the systems that enforce those decisions using defined security safeguards (AC-24(1)) and, where feasible, should enforce decisions on attributes that do not include the identity of the user or process acting on behalf of a user (AC-24(2)).
How to implement Access Control Decisions
Businesses must first adopt an access control model that fits their business case and then apply restrictive controls that allow only what is needed (least privilege). Below are some common access control models:
- Role-based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
- Mandatory Access Control (MAC)
- Access Control List (ACL), the mechanism most DAC systems use to record permissions
- Discretionary Access Control (DAC)
When implementing access control decisions, use encrypted channels to carry access control data between the component that makes the decision and the component that enforces it. Encryption protects the data from being read in transit; the enforcing component must additionally be able to verify that a decision is genuine, unmodified and issued for the request at hand, which a transport protocol alone does not guarantee. Below are some protocols which support encrypted communications:
- HTTPS (Hypertext Transfer Protocol Secure)
- SSH (Secure Shell)
- FTPS (FTP over TLS)
- SFTP (SSH File Transfer Protocol, a separate protocol carried over SSH rather than FTP tunnelled through it)
How to verify Access Control Decisions are implemented
Below are some ways to check if this control is implemented securely.
- Inspect traffic with an intercepting proxy (for example Burp Suite or OWASP ZAP) to confirm that access authorisation data travels only over encrypted channels and carries no unnecessary attributes, in particular no user identity where the decision does not need it.
- Run security tests that try to misuse or abuse access control decision data: modify or forge a decision, replay a valid decision against a different resource or after it should have expired, and substitute another user's session or attributes (the horizontal and vertical privilege escalation checks described in the OWASP Broken Access Control material). Every test that succeeds is a gap in the implementation that may lead to a compromise.
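The two sections above, how decision data is produced, protected and checked before enforcement, and how to test it for abuse, in one added example (written for this edit; it is not code from the page or from NIST). A policy decision point (PDP) evaluates ABAC-style attributes only and refuses identity attributes, as AC-24(2) asks; it HMAC-signs each decision so the policy enforcement point (PEP) can verify that the decision arrived unmodified, is bound to the exact request and is still fresh (the safeguards AC-24(1) leaves to the organisation to define); and a set of abuse tests of the kind the verification steps describe exercises tampering, cross-resource reuse, replay after expiry and identity leakage. The policy, the attribute names, the shared key and the 60-second lifetime are all constructed for the illustration; the encrypted channel (for example HTTPS) between PDP and PEP is assumed and not shown.

```python
import hashlib
import hmac
import json
import time

# Constructed sample policy (not from the page). Each rule grants one action on
# one resource class when every required subject attribute matches. No rule
# names a user, so decisions never depend on identity (AC-24(2)).
POLICY = [
    {"action": "read", "resource_class": "payroll",
     "require": {"department": "finance", "clearance": "confidential"}},
    {"action": "write", "resource_class": "payroll",
     "require": {"department": "finance", "role": "payroll-admin"}},
    {"action": "read", "resource_class": "public", "require": {}},
]

# Hypothetical key shared by the PDP and the PEP; in production it comes from a
# KMS/HSM and is rotated. The encrypted channel between them is assumed.
SHARED_KEY = b"example-only-replace-with-kms-managed-key"
DECISION_TTL = 60  # seconds a signed decision stays valid (illustrative)
IDENTITY_ATTRIBUTES = {"user_id", "username", "email"}


def decide(request, now=None):
    """PDP: evaluate the request's attributes against POLICY and return a
    decision bound to the exact action and resource it was made for."""
    attrs = request["subject_attributes"]
    leaked = IDENTITY_ATTRIBUTES & set(attrs)
    if leaked:
        # AC-24(2): refuse inputs that would make the decision identity-based.
        raise ValueError(f"identity attributes rejected: {sorted(leaked)}")
    permit = any(
        rule["action"] == request["action"]
        and rule["resource_class"] == request["resource_class"]
        and all(attrs.get(k) == v for k, v in rule["require"].items())
        for rule in POLICY
    )
    return {
        "decision": "permit" if permit else "deny",
        "action": request["action"],
        "resource_class": request["resource_class"],
        "resource_id": request["resource_id"],
        "issued": int(time.time() if now is None else now),
    }


def sign(decision):
    """AC-24(1): integrity-protect the decision before it leaves the PDP.
    Canonical JSON so that PDP and PEP MAC identical bytes."""
    body = json.dumps(decision, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


def enforce(request, decision, tag, now=None):
    """PEP: verify the decision before acting on it. Returns True only for a
    genuine, fresh 'permit' that was issued for this very request."""
    if not hmac.compare_digest(sign(decision), tag):
        return False  # forged or modified in transit
    now = time.time() if now is None else now
    if now - decision["issued"] > DECISION_TTL:
        return False  # stale decision being replayed
    if any(decision[k] != request[k] for k in ("action", "resource_class", "resource_id")):
        return False  # decision was made for a different request
    return decision["decision"] == "permit"


def authorize(request, now=None):
    """Full path: every request gets its own decision before enforcement (AC-24)."""
    decision = decide(request, now)
    return enforce(request, decision, sign(decision), now)


def abuse_checks():
    """Security tests of the kind the verification section calls for. Each
    entry is True when the abuse attempt was correctly rejected."""
    req = {"action": "read", "resource_class": "payroll", "resource_id": "payroll/2024",
           "subject_attributes": {"department": "finance", "clearance": "confidential"}}
    decision = decide(req, now=1000)
    tag = sign(decision)
    results = {}
    # 1. Flip a deny to permit in transit without re-signing.
    denied = decide({**req, "subject_attributes": {"department": "engineering"}}, now=1000)
    forged = {**denied, "decision": "permit"}
    results["tamper_rejected"] = not enforce(req, forged, sign(denied), now=1000)
    # 2. Reuse a valid permit against a different resource.
    other = {**req, "resource_id": "payroll/2025"}
    results["cross_resource_rejected"] = not enforce(other, decision, tag, now=1000)
    # 3. Replay the permit after its lifetime has passed.
    results["expired_rejected"] = not enforce(req, decision, tag, now=1000 + DECISION_TTL + 1)
    # 4. Identity attributes must not enter the decision at all.
    try:
        decide({**req, "subject_attributes": {**req["subject_attributes"], "user_id": "u42"}})
        results["identity_excluded"] = False
    except ValueError:
        results["identity_excluded"] = True
    # 5. Sanity: the legitimate request is still permitted.
    results["legit_permitted"] = enforce(req, decision, tag, now=1000)
    return results


if __name__ == "__main__":
    print(abuse_checks())
```

Run it directly to see the abuse results; every value should be True. The HMAC covers only integrity and origin of the decision, which is why the lead-in assumes an encrypted channel on top of it, and binding the decision to action, resource and an issue time is what stops a captured permit from being reused elsewhere or later.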
Why implement Access Control Decisions
Protecting access authorisation data in transit minimises the risk of the data being read, altered, spoofed or replayed between the point where a decision is made and the point where it is enforced. Leaving the user's identity out of the decision data, where the policy allows it, also limits what an eavesdropper or a compromised enforcement point learns about who is requesting access.
References and resources
Additional resources on this topic:
- https://dinolai.com - Authorization Models
- Imperva - Role-Based Access Control (RBAC)
- Stack Exchange - MAC vs DAC vs RBAC
- Identity Automation - RBAC vs ABAC Access Control Models - IAM Explained
Resources for Security assessors:
- packetlabs.net - Broken Access Control: Hidden Exposure for Sensitive Data
- OWASP - A5-Broken Access Control
- OWASP - Broken Access Control
- OWASP - Access Control
- OWASP - Access Control Cheat Sheet