Identity and access management (IAM) refers to the combined approaches of identity management and access management.

• Identity management is used to verify and authenticate a user’s identity via usernames, passwords, biometrics, etc.
• Access Management is the allocation of permissions for this verified user based on their role.

Mandatory access control

Mandatory access control (MAC) limits access to resources based on the sensitivity of the information. In this model, the owner of the resource does not decide on access. Instead, permissions are granted based on the user's authorization matching the same security level as the resource.

This means that users are given permission only to those files that match their ‘level’ - this could denote role seniority, such as admins and managers, or be based on department-specific requirements.

MAC offers high-level security and has centralized control, which means that making changes is simple, but that level of access is only available to an administrator.

Discretionary access control

Discretionary access control (DAC) gives the initial owner of the target resource the ability to change access control permissions.

The policy is set based on the common system of grouping resources and then assigning permissions based on user identity and authority. The discretionary element comes from the original owner of the resource having the ability to decide who should be permitted access, and their level of permission (view only, edit, etc.).

While this system is simple to implement, the fact that any file owner can give permission to another means it is not particularly secure. As there is no centralization, it is difficult to monitor data across the organization, which increases the risk of data breaches.

As a result, this system should only be used by companies with a small number (up to 50) of employees, so that it can be closely managed.

Role-based access control

Role-based access control (RBAC) allows permissions based on the user's role and the principle of least privilege (PoLP), which ensures that only the minimum amount of access is provided for a user to complete their job role.

This approach to identity-based access control is established by senior figures in the company, rather than the resource owners, and is decided based on an individual’s role.

Because RBAC follows PoLP principles, it reduces the attack surface, keeping the number of accounts that would be able to access sensitive data to a minimum.

Permissions can be quickly adjusted for new staff, contractors, and existing employees who change roles.

Concerns with RBAC include the challenge of managing a rapidly expanding network. RBAC can be fairly rigid and as the requirements of user roles change, so too will permissions. Over time, or with rapid expansion, this could see temporary fixes and ad-hoc roles added for convenience and to avoid an impact on productivity.

However, this will not only make RBAC harder to manage in the long term, but could also create issues with compliance by inadvertently opening gaps in your security.

Physical access control

Physical access control systems (PACS) grant location access only to those with the correct physical identification. This would typically be some form of ID card, making it easy to identify every person who enters a building.

This is particularly useful to protect against theft and trespassing by limiting access to physical devices.

To establish PACS, the following components are required:

• Access points: Barriers, electronic locks, and security gates
• Physical credentials: Key and card entry systems, biometrics, PIN codes
• Readers: To collect and send data for authentication
• PACS control panel: Checks with the access control server to authenticate the user and provide access

Traditional systems are considered secure by virtue of being hardwired and offline. They feature a control box connected to the credential reader, minimizing complications in use. 

Modern systems send data to cloud services for verification. The setup and use of this type of system are both affordable and simple to use. It is also scalable and easier to upgrade. However, it can only be as secure as the network it is connected to, and might be more vulnerable to attack.

Rule-based access control

Rule-based control is a method that uses predetermined rules to grant access. This ensures a focus on the context of the user’s permissions. For example, access could be linked to IP address, location, time restrictions, or based on a limited number of times a resource can be accessed.

Additional benefits include the ability to regulate network use by ensuring that tools requiring complex processing or backing up are only permitted at certain times of the day – minimizing the impact on resources during peak business hours.

However, configuring a rule-based system is time-consuming and will still require monitoring to ensure that no loopholes are inadvertently created. Increasing the number of rules that are implemented can result in performance issues if they contradict each other or become obsolete.

Attribute-based access control

The attribute-based access control (ABAC) method looks at attributes such as subject, resource, environment, and action, to determine permissions.

While this approach can be complex to establish due to the highly personalized access controls, it offers more flexible and robust security than popular role-based access controls

If implemented using best practices, this approach provides a granular level of control, with variables allowing for the user’s identity, actions, and access permissions to be applied dynamically, rather than being entirely predefined as it would be through RBAC.

Policy-based access control

Policy-based access control determines access permissions dynamically, based on pre-set policies. For example, access to records containing the personal details of staff members could be set to only be available to managers in the same department and the HR team. Other variables could include time and location. This makes it more flexible than RBAC, which is based on static, predefined roles. Having this level of flexibility means that policies can be as broad or granular as required. They are also simple to amend, add, and remove.

Further contextual controls can also be introduced to restrict access to users outside of a particular location, or at different times.

The challenges come as the organization grows. With such a range of variables, adding more and more new roles over time will make it increasingly difficult to track and manage, potentially leading to gaps in security or issues with productivity.