Original post written by Steve Jarvis, Principal Engineer at Auth0.
Examining the importance of access controls, models for authorization, and how to implement these core components of security.
What are Access Controls?
Access controls are the mechanisms that manage access to resources. To determine whether someone (or something, like another computer) has access to a resource, an access control system really needs to know two things: 1) who they are, and 2) what they’re allowed to do. These two verifications are generally separate considerations, namely authentication and authorization.
Access controls in the digital world are similar to those in the physical world. For example, before you board an airplane, someone at the airport verifies your identity by examining your passport (authentication) and boarding pass, which demonstrates your permission to be on the plane (authorization).
How Modern Access Control Works
Physical security is important, but for the rest of this article, we’ll focus on digital security.
Authentication
Before a system can make any decisions on access, it must verify a user’s identity. This verification often relies on an identity provider (IdP) that handles the process of authentication. Upon successful authentication, the IdP ultimately issues an assertion of the user’s identity.
For heightened security, there may be additional factors evaluated by the IdP during authentication, like geographic location, device characteristics, whether the request originates from a trusted network, or a second factor presented by the user.
With the help of a dedicated IdP, the application doesn’t need to worry about any of the authentication details, including enforcement of multi-factor authentication (MFA). The application lets the IdP do all the work and simply verifies the final assertion (typically a SAML assertion or a JWT) to know the identity has been verified.
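As an added illustration of that last step (this is example code, not Auth0's or Okta's), the following shows what "verify the final assertion" means for a JWT: check the algorithm, the signature, the issuer, the audience, and the expiry, and reject on any failure. To stay self-contained it uses an HS256 shared secret and a stand-in `mint_assertion` that plays the IdP; the issuer, audience and secret are constructed values. A real application would normally verify an RS256/ES256 signature against the IdP's published public keys using a maintained JWT library rather than hand-rolling this.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; a real deployment takes the issuer,
# audience and key material from configuration and the IdP's published keys.
SECRET = b"example-shared-secret"
ISSUER = "https://idp.example.test/"
AUDIENCE = "orders-api"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_assertion(claims: dict, secret: bytes = SECRET) -> str:
    """Stand-in for the IdP: sign the claims with HS256 and return a compact JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_assertion(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Application side: return the claims only if every check passes, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the application expects; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if now >= float(claims.get("exp", 0)):
        raise ValueError("expired")
    return claims


def assertion_status(token: str, now=None) -> str:
    """Convenience wrapper: 'ok' when the assertion verifies, otherwise the reason."""
    try:
        verify_assertion(token, now=now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    issued = mint_assertion({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-42",
                             "exp": int(time.time()) + 300})
    print(assertion_status(issued))
```

The order of checks matters: the signature is verified before any claim is trusted, and the issuer and audience checks stop a token minted for a different application from being accepted here.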
Authorization
Once a user’s identity is established, the access control system evaluates what that user can or cannot do. This can be modeled with different types of access controls, but best practices today include role-based access control (RBAC), attribute-based access control (ABAC), and relationship-based access control (ReBAC). One thing all mature models have in common is a way to enforce least privilege, the set of permissions that allows the user to do what they need to do, but nothing more.
RBAC
RBAC assigns users to roles and roles to resource permissions. The system starts out simple and easy to establish, but as a system grows in scale and complexity, maintaining the right role assignments and permissions becomes more challenging.
This is because, as resources and levels of privilege are added to the model, an organization is faced with difficult tradeoffs between an explosion in the number of roles and assignments on one hand and too few, coarse, overly permissive roles on the other.
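To make the tradeoff concrete, here is a small RBAC evaluator added for this article (it is not Auth0's or Okta's code, and the roles, users and permissions are constructed). Besides the basic deny-by-default check, it includes two audit helpers: `excess_permissions` reports what a user holds beyond what their job needs, and `fit_roles` shows the dilemma the paragraph describes, when no existing role fits a need exactly and the choice is between granting a broader role or adding yet another one.

```python
# Constructed sample RBAC policy: roles carry (action, resource type) permissions
# and users are assigned roles. All names are made up for this example.
ROLE_PERMISSIONS = {
    "viewer": {("read", "document")},
    "editor": {("read", "document"), ("write", "document"), ("delete", "document")},
    "billing-admin": {("read", "invoice"), ("write", "invoice")},
}
USER_ROLES = {
    "alice": {"viewer"},
    "bob": {"editor", "billing-admin"},
}


def permissions_for(user):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, action, resource_type):
    """Deny by default: only an explicit (action, type) permission grants access."""
    return (action, resource_type) in permissions_for(user)


def excess_permissions(user, needed):
    """Permissions the user holds beyond the set their job actually needs."""
    return permissions_for(user) - set(needed)


def fit_roles(needed):
    """Roles grantable without exceeding `needed` (subset check), plus whatever
    part of `needed` those roles leave uncovered. A non-empty second value is
    the tradeoff in the text: grant a broader role, or create a new one."""
    needed = set(needed)
    fitting = {role for role, perms in ROLE_PERMISSIONS.items() if perms <= needed}
    covered = set().union(*(ROLE_PERMISSIONS[r] for r in fitting)) if fitting else set()
    return fitting, needed - covered


if __name__ == "__main__":
    need = {("read", "document"), ("write", "document")}
    print("bob holds beyond need:", sorted(excess_permissions("bob", need)))
    print("roles that fit, and what they miss:", fit_roles(need))
```

Running the audit for a user who only needs to read and write documents shows `viewer` as the only role that fits and `("write", "document")` left uncovered: the catalogue offers no least-privilege answer without either over-granting `editor` or minting a new role.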
ABAC
ABAC can be thought of as the next step beyond RBAC, once an organization has outgrown role-based access. In ABAC, all users and resources in the system are assigned attributes, and a set of rules defines the authorization policies between those attributes.
Defining attributes and the rules evaluating them requires a greater initial investment, but once established it can grow efficiently. Incorporating additional resources or new sets of permissions involves simply adding new attributes and rules, without the direct couplings that exist from user to role and role to resource, as in RBAC. That’s not to imply this growth is without challenges of its own, though, as correlating users, resources, and their attributes often requires data from multiple sources, and there still is overhead to manage the attributes.
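The following ABAC evaluator is an added example (not Auth0's or Okta's code) with constructed users, resources and rules. It shows the shape the paragraph describes: subjects and resources carry attributes, rules are predicates over those attributes plus the requested action and environment, and a new resource needs only attributes, not a new role or assignment. It also shows the overhead mentioned at the end: an attribute that is missing or stale (here, a clearance level) silently changes the decision.

```python
# Constructed attribute stores; every name here is made up for this example.
USER_ATTRS = {
    "alice": {"department": "finance", "clearance": 2},
    "bob": {"department": "engineering", "clearance": 3},
    "carol": {"department": "finance", "clearance": 1},
    "dan": {"department": "engineering", "clearance": 2},
}
RESOURCE_ATTRS = {
    "q3-forecast": {"department": "finance", "sensitivity": 2, "owner": "alice"},
    "deploy-runbook": {"department": "engineering", "sensitivity": 1, "owner": "bob"},
}

# Each rule is (name, predicate). A predicate sees the subject's attributes,
# the resource's attributes, the requested action, and environment attributes
# such as the network the request arrived from. Any matching rule permits.
RULES = [
    ("read-within-department",
     lambda s, r, a, env: a == "read"
     and s["department"] == r["department"]
     and s["clearance"] >= r["sensitivity"]),
    ("owner-may-modify",
     lambda s, r, a, env: a in ("write", "delete") and r["owner"] == s["id"]),
    ("write-within-department-from-corp-network",
     lambda s, r, a, env: a == "write"
     and s["department"] == r["department"]
     and s["clearance"] >= r["sensitivity"]
     and env.get("network") == "corp"),
]


def decide(user, action, resource, env=None):
    """Return (allowed, rule_name). Deny by default: an unknown subject or
    resource, or no matching rule, yields (False, None)."""
    if user not in USER_ATTRS or resource not in RESOURCE_ATTRS:
        return False, None
    subject = dict(USER_ATTRS[user], id=user)   # the id is itself an attribute
    res = RESOURCE_ATTRS[resource]
    env = env or {}
    for name, predicate in RULES:
        if predicate(subject, res, action, env):
            return True, name
    return False, None


if __name__ == "__main__":
    print(decide("alice", "read", "q3-forecast"))
    print(decide("dan", "write", "deploy-runbook", {"network": "public"}))
```

Note that `carol` is in finance but is denied the forecast purely because her clearance attribute is below the document's sensitivity; whoever maintains that attribute is effectively maintaining the policy, which is the management overhead the text points out.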
ReBAC
ReBAC is authorization based on the relationships between a user, a resource, and that resource’s relationship to other resources. You can think of ReBAC as a superset of both RBAC and ABAC (as long as the attributes can be expressed as relationships), as you can also implement both in ReBAC.
ReBAC is an extremely powerful model, offering great granularity of control, but that granularity often comes at the cost of maintaining many objects and rules, as well as needing to do frequent authorization checks, which can result in a frustratingly slow user experience. Okta’s Fine Grained Authorization (FGA) addresses these challenges by making authorization changes fully programmable and scaling seamlessly to ensure low-latency, even at tens of thousands of authorizations per second across millions of resources.
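As an added example of ReBAC (this is illustrative code, not Okta FGA's implementation or API), the evaluator below stores relationships as tuples of (object, relation, subject) and a small model that says how relations are derived, in the style of Zanzibar-derived systems. Subjects may be usersets like `group:auditors#member`, a document inherits `viewer` from its parent folder, and `owner` implies `editor` implies `viewer`. The data also encodes the claim from the previous paragraph that RBAC fits inside ReBAC: a role is just an object with `assignee` relationships. All objects, users and relations are constructed.

```python
# Relationship tuples (object, relation, subject). A subject is a user id or a
# userset written "object#relation". All data here is constructed for the example.
TUPLES = {
    ("folder:finance", "owner", "user:alice"),
    ("folder:finance", "viewer", "group:auditors#member"),
    ("group:auditors", "member", "user:carol"),
    ("doc:q3-forecast", "parent", "folder:finance"),
    ("doc:q3-forecast", "editor", "user:bob"),
    # RBAC expressed as relationships: a role is an object with assignees.
    ("role:billing-admin", "assignee", "user:bob"),
    ("invoice:1001", "viewer", "role:billing-admin#assignee"),
}

# Authorization model: per object type, how each relation is derived.
#   implied_by  - relations on the same object that also grant this one
#   from_parent - (link relation, relation to check on the linked object)
# Types absent from the model honour direct tuples only.
MODEL = {
    "folder": {
        "owner": {},
        "editor": {"implied_by": ["owner"]},
        "viewer": {"implied_by": ["editor"]},
    },
    "doc": {
        "parent": {},
        "editor": {"from_parent": ("parent", "editor")},
        "viewer": {"implied_by": ["editor"], "from_parent": ("parent", "viewer")},
    },
}


def check(obj, relation, user, tuples=TUPLES, _in_progress=None):
    """Does `user` hold `relation` on `obj`? Deny by default; cycles are cut off."""
    in_progress = set() if _in_progress is None else _in_progress
    key = (obj, relation, user)
    if key in in_progress:          # already being evaluated higher up the stack
        return False
    in_progress.add(key)
    try:
        spec = MODEL.get(obj.split(":", 1)[0], {}).get(relation, {})
        for o, r, subject in tuples:
            if (o, r) != (obj, relation):
                continue
            if subject == user:
                return True                           # direct grant
            if "#" in subject:                        # userset: expand its members
                s_obj, s_rel = subject.split("#", 1)
                if check(s_obj, s_rel, user, tuples, in_progress):
                    return True
        for implied in spec.get("implied_by", []):   # e.g. owner -> editor -> viewer
            if check(obj, implied, user, tuples, in_progress):
                return True
        if "from_parent" in spec:                     # inherit through the link
            link, parent_rel = spec["from_parent"]
            for o, r, parent in tuples:
                if (o, r) == (obj, link) and check(parent, parent_rel, user, tuples, in_progress):
                    return True
        return False
    finally:
        in_progress.discard(key)


def list_permitted(user, objects, relation, tuples=TUPLES):
    """The subset of `objects` on which the user holds `relation`."""
    return sorted(o for o in objects if check(o, relation, user, tuples))


if __name__ == "__main__":
    for u in ("user:alice", "user:bob", "user:carol"):
        print(u, list_permitted(u, ["doc:q3-forecast", "folder:finance", "invoice:1001"], "viewer"))
```

The recursive walk is also where the cost the paragraph mentions comes from: a single `viewer` check on the document may touch the folder, its usersets and their members, so a production system caches or precomputes these paths rather than walking them on every request.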
Why Implement Access Controls?
Access controls are how we ensure that only the right people have the expected access to protected resources. They answer the question of who is allowed to perform which actions on which resources, so that you can be confident your customer data, sensitive systems, and intellectual property are secure. Malicious actors are an ever-lurking threat in today’s world, constantly watching for opportunities to gain access to other systems. Strong access controls not only minimize the possibility that an untrusted, ill-intentioned user gains access, they also limit the damage if such an event does happen. Additionally, access controls provide guardrails that help your employees and customers work confidently, demonstrate adherence to critical compliance frameworks, and let you respond efficiently in an audit.
Limit the Likelihood and Impact of Malicious Actors
In some of the worst cases, an untrusted user could gain access to the system. How do access controls help if a malicious user finds a foothold? Whether via a software vulnerability or a session takeover of a trusted user, the malicious user ends up operating behind some other identity in the system, with all the rights and privileges that identity has been granted. The more tightly the authorization controls map to a minimal set of permissions, the greater the chance that the malicious user’s impact is also minimal.
Limit the Scope of Innocent Mistakes
It’s not all about blocking malicious use, though. We’ve probably all experienced a moment of panic when we’ve accidentally deleted a document, hit “send” on an email before we meant to, or had a cat jump on the keyboard while we were writing a DM to our boss. Without a mature access model focused on enforcing the least amount of privilege required, there’s the unnecessary risk that such an innocent mistake has an outsized impact.
Compliance and Audit
Many compliance frameworks include provisions about how to maintain access to resources. It’s important to demonstrate that access to resources is well-controlled, documented, and adheres to principles of least privilege.
Since our world is always changing, it’s also common to need regular updates to a system’s users and resources. A well-designed model can pay dividends in efficiency and accuracy in the long term, as additions, deletions, and changes need to be continually applied.
Implement Access Controls Now
A modern access control model is paramount for a modern business’ security, efficiency, and trustworthiness. The factors to consider in authentication and the ideal authorization model will vary for different organizations, but the need to implement a system that can grow and evolve is universal.
Okta can help establish mature access controls for your customers and workforce. If you’re building an access control solution for your workforce or business partners, learn more at Workforce Identity. If you’re building access controls for your customers, learn more at Customer Identity.
FAQ
Can Okta provide industry-leading ReBAC?
A: Check out Okta Fine Grained Authorization
Can Okta Workforce do both RBAC and ABAC?
A: Yes, it can.
Can these access models be maintained as infrastructure as code?
A: Workforce Identity Cloud and Customer Identity Cloud offer Terraform providers:
- https://auth0.com/docs/deploy-monitor/auth0-terraform-provider
- https://developer.okta.com/docs/guides/terraform-landing-page/main
What about the other authorization models, like Hierarchical, Discretionary Access Control, and Mandatory Access Control?
A: These models may work well in some contexts (for example, Mandatory Access Control is very popular in government environments). But for most use cases, they end up not meeting the principle of least privilege (with either too much or too little access permitted), being too complex to maintain, or being supplemental to one of the above primary models.
If you want to learn more about Access Control, just continue reading the post on the Auth0 Blog.