6 Things to Know about Cloud Access Control

Access control is a broad technique to determine who has access or not to a system, application, or otherwise bounded area. For example, if you were to drive onto a military base, an MP would check your ID. This is done to verify that you are authorized to be on the premises. This is a form of access control.

Another closely related example is whenever a password is typed into a computer. This, too, is a form of access control. When it comes to IT systems, access control determines who is authorized to access resources, write to resources, or consume resources. It is clear that, in a general sense, access control is the bedrock to any system that deems itself secure.

So, if you’re studying for virtually any cloud or security certification, it is critical to understand all the possible access control techniques. With that being said, let's look at the six different forms of access control to enter a cloud system, starting with Role Based Administration.

What is Role-Based Administration?

Role-based administration is when particular roles are assigned to users, and those roles determine which resources they can access. Role-based administration adheres to the principle of least-privileged access by restricting privileges to only assigned roles. In other words, those with no roles have no access. Let's take a look at a couple of examples of role-based administration.

A software developer has recently been hired, so the company gives him the software developer role. This gives him access to GitHub, BitBucket, and allows him to download the IntelliJ IDE. However he is not allowed to access the production environment, CRM software, or anything else not specifically designated in that role.

Let's say the same company hired a new lawyer. She has access to a network attached storage (NAS) location with all relevant records and any other software required for lawyering. However, she has zero access to anything the software developer does, and vice versa. Let's take a look at the next access control technique: mandatory access controls.

What are Mandatory Access Controls?

Mandatory access controls (MAC) do not focus so much on roles, but access is determined by the user's level of authorization. This form of access control is controlled from the operating system level and is assigned by a single security administrator. Oftentimes, MAC is equated with military classification levels. Let's take a look at an example in that vein.

Let's say 100 software developers were writing a top secret application. In fact, it is so top secret, they themselves do not know the objective in totality. This is generally referred to as SCI, or sensitive compartmentalized information.

This means that some of the developers are able to read, write, and execute programs in a given directory because they have top secret clearance. Those with secret clearance, however, can only execute the programs for the purpose of completing some other related task. Remember, neither team knows exactly what the other one is doing, but they are working toward the same goal.

They all have access to the same system, but resource access is determined by their level of clearance, not a particular role. Discretionary access controls work differently, so it's definitely worth discussing as well.

What are Discretionary Access Controls?

Discretionary access control (DAC) is the other side of the coin. DAC is still controlled at the operating system level, but the access control is determined by the user currently logged in. Out of all the access control techniques, Discretionary access control is probably the one most people are familiar with. Let's take a look at a common example.

Say you created a spreadsheet that kept track of your team's budget. The only users who have access to edit it are you and four co-workers. To ensure the five of you are the only ones that have access, click the Excel spreadsheet and go to File —> Info —>  Protect Workbook —> Restrict Permission by People —> Restrict Access. (This will vary by Windows version.) This is DAC because it is at the discretion of the creator who can read or edit a document.

The next form of access control we'll talk about is non-discretionary access controls. You may be thinking, "Isn't that just the opposition of discretionary access controls, which is mandatory access controls? Didn't we already talk about that?" You would be 100% correct, but it's a little broader.

What are Non-Discretionary Access Controls?

Non-discretionary access control (NDAC) is a broader term for any access control that is not doled out by the user currently logged in. The first one we discussed was mandatory access controls, which is based on clearance. Think of MAC as a subset of non-discretionary access controls. Another subset of non-discretionary access controls would be rule-based access controls (RBAC). Let's look at a couple of examples of rule-based access control.

Let's say you have a child who uses the internet on a daily basis. You are happy they find fulfillment online, but don't want them surfing the web all night and never going to sleep. This is a great time to set up rule based access control. The parent can have the WiFi resource blocked from 11:00 PM to 7:00 AM, thereby ensuring their child gets at least a little sleep. As you can see, this is not based on level, but based on a rule.

Another example would be a store only allowing their wifi to be accessed within a given radius of the router. This will prevent folks from loitering outside the store and stealing their WiFi. The next form of access control works differently than the previous three because it is not operating system based. Let's take a look at multi-factor authentication.

What is Multi-factor Authentication?

Multi-factor authentication (MFA) is a mechanism when at least two forms of identification are required to access a resource. MFA was invented back in 1986, but its usage became mainstream with the advent of smartphones. Multi-factor authentication requires at least two of the following three pieces of evidence to determine whether an entity is authorized to access the resource. The three pieces of evidence are what the person is, what the person knows, and what the person possesses. Let's delve into an example of each of these and some common examples of MFA.

What is a Person?

This may sound strange, but it’s a critical element to consider when implementing MFA. When we refer to what a person is, it is referring to some immutable characteristic inherent to that individual. For instance, some Apple MacBook models are built with a fingerprint scanner. That fingerprint will never change. Therefore authentication is leveraging what a person is. Another example would be facial recognition. In order to unlock your phone, it may scan your face to verify your identity because your face never changes.

Examples: Biometrics, Facial Recognition, Fingerprint Scanner

What Does a Person Know?

The most apparent example of this type of authentication is a password. A password is a set of characters memorized to gain access to a particular resource. Another example would be security questions. What's your favorite band? What was the name of your dog when you were eight years old? These are the sort of things that only the individual who is authorized access would know.

This form of access can be vulnerable, because oftentimes folks will choose very simple passwords or simple security questions. That is why it is highly, highly recommended a user creates unique passwords for each account — preferably with a password generator — and relies on some sort of central repository to store the passwords.

Examples: Token, Password

What Does a Person Possess?

What a person possesses is referring to some object or string of information that the authorized user possesses. The most basic example would be the key to your house. When your house is locked, you require the key to access the resource. (i.e, your house.) From an IT standpoint, it is often a randomly generated key.

Apps such as Authy are used in conjunction with a password to create MFA. For example, you log onto a banking app. After entering a password it sends a push notification to an authorized phone number. The user possesses that notification and the string of characters therein, and can use it to access the bank account. The following are commons examples of possession:

• App to generate a unique key.

• Physical RSA key that generates a unique key every N number of seconds.

• Pushing notification codes to an authorized phone.

• Emailing a code to an authorized email.

To wrap up MFA, at least two of these three forms of authorization are required to access the system. The final form of Access Control is Single Sign-On. Single-Sign On. or SSO, is so ubiquitous in work environments you may not even know you are using it.

Examples: Authenticator App, Phone Number Authorization, Email Confirmations, Dongles

What is Single Sign-on?

SSO is a technique in which authorized access to one resource grants implicit access to multiple different resources. Of course the key here is that the other resources require the exact same level of access. At the beginning of the process, a user enters their username and password on a particular website. Then, once they're authenticated, an SSO token is sent to the server validating the request. This token is then carried throughout the browser session, giving the user access to other resources.

Let's say an HR employee logs onto the company HR portal. He uses his username, password, and a generated passcode to log in. After that, a token is stored on a browser signifying his authority to access other resources. That means if he clicks on a link to ADP, Microsoft Dynamics, or a resume database, there is no need to constantly enter the same password.

Another form of SSO, and one specific to Microsoft, is Active Directory Directory Services (ADDS)  ADDS is a directory with authorized employees stored on it. Whenever an employee logs onto their machine, she is authenticated against the directory service. This allows her access to any share drive or system integrated with ADDS.

More broadly speaking SSO can be referred to as Federated Identity Management. It is generally used in conjunction with OAUTH 2.0, SAML, and OpenID Connect.

Final Thoughts

We covered a lot in this article, from the definition of access control to Single Sign-On. Remember that at the end of the day, all of these techniques were created to accomplish that same task: only authorized users have access to the system's resources. Even more important to remember, these are covered on virtually every certification that has anything to do with the cloud and security.

You more than likely already use multiple forms of these access controls a day. Try to conscientiously brand each form used to make them easier to memorize. Oftentimes for cloud technology, access control will fall under Identity Access and Management. So when studying, look in that section as well. After covering the six forms of access control, you are now better prepared to tackle multiple exams and shoring up security holes in your own corporate systems.