Access control and identity management
Access Control and Identity Management (ACIM) represents a fundamental security framework that governs how digital identities are established, authenticated, and authorized to access organizational resources. This comprehensive approach ensures that legitimate users gain appropriate access while preventing unauthorized individuals from compromising sensitive systems and data.
IAM: Identity and Access Management
It is a system or process that helps an organization control who can access what in a network or system. It makes sure the right person gets access to the right resources. There are four steps in a digital identity lifecycle – creation, verification, maintenance and deactivation.
Identity Attributes:
Static Attributes: unchanging characteristics such as employee ID or department affiliation.
Dynamic Attributes: frequently changing elements such as role assignments or clearance levels.
Contextual Attributes: situational factors including location, time of access and device type.
AUTHENTICATION MECHANISMS
Single Factor:
Password based
PIN system
Security tokens
Biometric systems
Multi Factor:
Two-factor authentication
Three-factor authentication
Adaptive authentication
Risk-based authentication
Single Sign-On (SSO)
It is an authentication method in which the user needs to enter their credentials only once. After that, they don’t have to enter their credentials again to access the other applications or networks covered by that sign-on (moving "horizontally" between them).
HOW DO TOKENS WORK?
The first step is to log in to the application or the network. The next step is token creation. There are two types of token creation – by network (blockchain) and by application (authentication) [here we are concerned with authentication tokens].
Once the token is created, it is saved within the umbrella application. This means that whenever we try to enter another application inside that umbrella, we won’t have to enter our credentials again for authentication. Instead, the application will read our token and verify it automatically behind the scenes.
AUTHENTICATION METHODS:
Password based: It is a common method of verifying a user’s identity using a username and password. It is a simple and cost-efficient process but vulnerable to brute force and phishing. During registration, a user creates a unique username and password. To log in, the user enters their credentials. The system hashes the entered password and compares the result to the stored, hashed version of the password (the plaintext password itself is never stored). If the credentials match, access is granted; otherwise, it is denied.
MFA: A cybersecurity method that requires users to provide two or more verification factors to log in, significantly increasing security beyond a simple password. It works by combining “something you know” (password), “something you have” (security token) and “something you are” (fingerprint). Its common factors are knowledge, possession and inherence. It can be of multiple types, such as 2-factor, 3-factor, etc.
Biometric based: A cybersecurity method that verifies a user's identity using unique biological traits like fingerprints, facial features, or voice patterns, rather than passwords. It works by comparing a live scan against a stored template in a database, and its security advantage comes from using "something you are" for verification, making it difficult to steal or forget compared to traditional passwords. However, it's often recommended to use biometric authentication in combination with other security measures, as biometric data can't be easily changed if compromised.
Token based: A cybersecurity method that verifies a user's identity by issuing a temporary, unique token after they first log in with credentials, such as a password. This token acts as a digital pass, allowing the user to access resources for a set period without re-entering their login information for each request. This enhances security by minimizing the exposure of the user's original credentials and is often used for APIs, web applications, and in multi-factor authentication (MFA).
{While writing answers, token-based authentication and SSO go hand in hand and can be used as examples of each other.}
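The login-then-token flow described above, as an added example that is not from the original notes: the password is checked against a salted hash at the first login, then a signed, time-limited token is issued, and every other application under the umbrella verifies that token without ever seeing the password. The secret, user names and token lifetime are constructed for the example.

```python
import base64, hashlib, hmac, json, os, time

# Constructed demo secret shared by the umbrella (SSO) application and the
# applications under it; a real deployment loads it from a secret store.
SSO_SECRET = b"constructed-demo-secret"
TOKEN_TTL = 3600        # token lifetime in seconds, the "set period"
PBKDF2_ROUNDS = 600_000
USERS = {}              # username -> (salt, password hash); stands in for the user store


def register(username, password):
    """Registration: store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    USERS[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))


def verify_password(username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def login(username, password, now=None):
    """Steps 1 and 2: check credentials once, then create a signed token."""
    if not verify_password(username, password):
        return None
    now = time.time() if now is None else now
    claims = {"sub": username, "exp": int(now) + TOKEN_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SSO_SECRET, body.encode(), "sha256").hexdigest()
    return body + "." + sig


def verify_token(token, now=None):
    """What each application under the umbrella does instead of asking for credentials."""
    body, _, sig = token.partition(".")
    expected = hmac.new(SSO_SECRET, body.encode(), "sha256").hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return None                      # forged or tampered token
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None                      # expired: the user must log in again
    return claims["sub"]                 # verified identity, no password needed
```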
AUTHORIZATION / ACCESS CONTROL MODELS
1. DAC (Discretionary Access Control)
It works on the principle that every file, application or network has an owner, and only that owner has the power to decide which individual user gets which permissions.
Advantages:
With DAC, users can be given permission for individual objects. Object owners can divide users into groups, creating fine-grained control over access settings. This is not possible with mandatory access control systems.
Discretionary controls let information flow freely through networks, which results in speed and efficiency.
Challenges:
DAC is recognized as less secure than mandatory access control. Discretionary access can allow attackers to implant malware on target access points.
Decentralization can lead to confusion and poor administrative visibility. Security teams need to know who is accessing sensitive resources.
2. MAC (Mandatory Access Control)
Here, the SYSTEM acts as the parental control over the users of your network or application. It has authority even above the Administrator. MAC is a system-enforced model where access is determined by a central authority based on a user’s security clearance and an object’s classification label, rather than by the resource owner. Users cannot alter these, so the model is secure, as access is granted on a need-to-know basis.
Advantages:
Users cannot override policies to share credentials or grant access, preventing unauthorized sharing of sensitive information.
Every access attempt, granted or denied, is logged, creating a comprehensive audit trail for analysis and accountability.
Challenges:
Implementing and managing MAC is a complex and time-consuming process that requires significant expertise.
The rigid, non-discretionary nature of MAC makes it inflexible. It does not allow for user-based adjustments to access rights, which can hinder productivity.
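An added illustration (not from the notes) of the DAC and MAC rules described above: a per-object ACL that only the owner may edit, beside a system-enforced clearance-versus-label check that nobody can override per request and that logs every decision, granted or denied. The levels, names and categories are constructed.

```python
# DAC keeps a per-object ACL that only the owner may edit; MAC compares the
# subject's clearance with the object's label and records every decision.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}  # constructed
AUDIT = []   # MAC audit trail: (subject, object, decision)


class DacObject:
    """A file under discretionary control: the owner decides who gets what."""

    def __init__(self, name, owner):
        self.name, self.owner = name, owner
        self.acl = {owner: {"read", "write"}}   # owner starts with full rights

    def grant(self, actor, user, permission):
        """Only the owner may change the ACL; anyone else is refused."""
        if actor != self.owner:
            return False
        self.acl.setdefault(user, set()).add(permission)
        return True

    def allowed(self, user, permission):
        return permission in self.acl.get(user, set())


def mac_check(subject, obj):
    """System-enforced read check: clearance must dominate the label and the
    subject's need-to-know set must cover the object's categories. Neither
    the owner nor an administrator can change the outcome per request."""
    ok = (LEVELS[subject["clearance"]] >= LEVELS[obj["label"]]
          and obj["categories"] <= subject["need_to_know"])
    AUDIT.append((subject["name"], obj["name"], "granted" if ok else "denied"))
    return ok
```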
3. RBAC (Role-Based Access Control)
A cybersecurity model that restricts system access based on a user's predefined job role, rather than assigning permissions individually. In this system, a user is assigned one or more roles, and each role has a specific set of permissions to access resources like data, applications or systems. This method simplifies access management and improves security by ensuring users only have the privileges necessary for their duties. In other words, it follows the PoLP, or Principle of Least Privilege.
Advantages:
Restricts users to only the resources necessary for their job function, limiting the impact of a breach and mitigating insider threats.
New hires are automatically granted the correct access for their role, and access is promptly revoked when an employee leaves.
Challenges:
In large organizations, the number of roles can become unmanageable as the need for customization grows.
Over time, users can accumulate excessive permissions (privilege creep), which requires regular audits to correct.
4. ABAC (Attribute-Based Access Control)
A model that grants access to resources based on the attributes of the user, the resource and the environment, rather than just the user's role. This approach provides more detailed and dynamic security by evaluating factors like a user's department, the time of day, the device they are using, or the sensitivity of the resource. ABAC allows for more complex and flexible policies, enabling organizations to create fine-grained access controls that are context-aware.
Advantages:
By using a wider range of criteria, it reduces the risk of unauthorized access and helps mitigate privilege creep, as access is granted on a "need-to-know" basis.
Simplifies onboarding and reduces administrative burden by making it easier to manage access for a growing user base: operational efficiency, in simple words.
Challenges:
Designing and managing a large number of attributes and policies can become complex, leading to potential misconfigurations.
The system's effectiveness relies on having accurate and up-to-date attribute data, which requires robust and constant synchronization across all systems.
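An added example, not from the notes, contrasting RBAC and ABAC as described above: the role decides whether the action is permitted at all, and named attribute rules over user, resource and environment (department, device, time of day, sensitivity) decide whether the current context allows it, denying unless every rule holds. The roles, attributes and rules are constructed.

```python
# RBAC hangs permissions off roles; ABAC adds rules over user, resource and
# environment attributes and denies unless every rule holds.
ROLE_PERMISSIONS = {                       # constructed role -> (resource type, action)
    "analyst": {("report", "read")},
    "finance_manager": {("report", "read"), ("report", "approve")},
}

# Rules are named so a denial can say which attribute blocked it (useful in audit logs).
POLICY = {
    "same_department": lambda u, r, e: u["department"] == r["owner_department"],
    "managed_device_for_high": lambda u, r, e: r["sensitivity"] != "high" or e["device_managed"],
    "business_hours": lambda u, r, e: 8 <= e["hour"] < 20,
}


def rbac_allowed(user, action, resource_type):
    """True if any of the user's roles carries (resource_type, action)."""
    return any((resource_type, action) in ROLE_PERMISSIONS.get(role, set())
               for role in user["roles"])


def abac_failures(user, resource, env):
    """Names of the rules that fail; an empty list means the context allows access."""
    return [name for name, rule in POLICY.items() if not rule(user, resource, env)]


def access_allowed(user, action, resource, env):
    """Combined decision: the role must grant the action and the context must pass."""
    return rbac_allowed(user, action, resource["type"]) and not abac_failures(user, resource, env)
```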