According to Forrester Research, identity management enhances an organization's security by reducing users with excessive or toxic privileges by up to 60 percent.
FREMONT, CA: Identity management refers to the various security measures designed to keep unauthorized users out of a computer system or network. These controls can be implemented in several ways, and their effectiveness depends on the organization's data regulations.
7 Types of Access Controls:
Mandatory Access Control: This is a system-enforced access control based on the clearance of a subject and the labels on an object. It is frequently used with multiple-level security designations such as Top Secret, Confidential, and Secret.
Discretionary Access Control: This type of access control limits access to objects based on the identities of subjects and groups. The controls are discretionary because a subject with a special access permission can pass that permission on to another subject.
Access Control via Rules: In this model, access rules are defined in advance (for example, in an ACL) and then evaluated to determine access permissions. Access by rule defines the precise and detailed circumstances under which a subject may or may not access an object, as well as the actions that subject may take once access is granted. While the rule-based model is a simple way to manage access control permissions, it becomes highly complex and inefficient when more granular access control is required. In summary, rule-based controls apply rules uniformly to all users, whereas role-based controls lose their utility in more granular applications.
Physical Access Control: Physical access controls limit access to an organization's physical space. This type of access control restricts entry to specific rooms, buildings, and physical information technology assets. One advantage of implementing these controls is that it becomes possible to track who enters and exits restricted areas. Physical access control can take the form of badge card readers or fob-controlled doors that require a user to present a valid physical credential to enter a room or facility. These readers grant access only to employees who hold the appropriate credentials.
Role-Based Access Control: This type of control restricts access based on a user's role. Custom roles are typically created so that the principle of least privilege is maintained and access is revoked when it is no longer required.
Attribute-Based Access Control: This is a type of access control in which attributes govern access. These may include attributes of the user, attributes of the resource or object, and attributes of the environment.
Policy-Based Access Control: This is a strategy for managing access according to policies that specify the access each person must have.
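To make the differences between the models concrete, here is an added example (not from the article) of a small deny-by-default decision engine that evaluates one request under MAC (clearance versus label), DAC (an owner-managed ACL in which a holder may pass a permission on), RBAC (permissions attached to roles) and ABAC (a predicate over subject, object and environment attributes). All subjects, objects, roles, labels and attributes are constructed for illustration.

```python
from dataclasses import dataclass, field

# MAC: system-enforced comparison of a subject's clearance with an object's label.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
# RBAC: permissions attach to roles, never directly to users (constructed roles).
ROLE_PERMS = {"analyst": {"read"}, "editor": {"read", "write"}}

@dataclass
class Subject:
    name: str
    clearance: str
    roles: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)

@dataclass
class Obj:
    name: str
    label: str
    owner: str
    acl: dict = field(default_factory=dict)   # DAC: subject name -> set of actions
    attrs: dict = field(default_factory=dict)

def mac_allows(s, o):
    return LEVELS[s.clearance] >= LEVELS[o.label]  # no "read up" past the clearance

def dac_grant(granter, o, grantee, action):
    """Only the owner, or a subject already holding the action, may pass it on."""
    if granter.name != o.owner and action not in o.acl.get(granter.name, set()):
        raise PermissionError(f"{granter.name} cannot delegate {action} on {o.name}")
    o.acl.setdefault(grantee.name, set()).add(action)

def dac_allows(s, o, action):
    return s.name == o.owner or action in o.acl.get(s.name, set())

def rbac_allows(s, action):
    return any(action in ROLE_PERMS.get(r, set()) for r in s.roles)

def abac_allows(s, o, env):
    """Constructed policy: same department and a request from the corporate network."""
    return s.attrs.get("dept") == o.attrs.get("dept") and env.get("network") == "corporate"

def access_decision(s, o, action, env):
    """Deny by default: the request passes only if every model permits it."""
    checks = {
        "mac": mac_allows(s, o),
        "dac": dac_allows(s, o, action),
        "rbac": rbac_allows(s, action),
        "abac": abac_allows(s, o, env),
    }
    return all(checks.values()), checks
```

The returned `checks` dictionary shows which model denied a request, which is the information an access review or audit log needs when a user ends up with more privilege than intended.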
NIST 800 series publications are a good source for identifying and setting security controls for each control type.
While NIST 800-53 provides guidance on developing secure and resilient federal information systems, NIST 800-171 covers protecting the confidentiality of controlled unclassified information (CUI). The 14 control families of NIST 800-171 each contain specific security controls that help preserve the confidentiality, integrity, and availability of a system.