Authorization plays an important role in Identity and Access Management (IAM). IAM is a security framework of business policies and processes designed to ensure that authorized users have the access they need to perform their jobs, and no more. Choosing the correct authorization model for your organization is important to protect sensitive resources from unauthorized access. The five primary authorization models are role-based access control, attribute-based access control, relationship-based access control, discretionary access control and mandatory access control.
Continue reading to learn more about the five different types of authorization models, how to pick the right authorization model for your organization and how to implement it.
What Is Authorization?
Authorization is the process after authentication that determines the level of access a user has to system resources such as data, applications and networks. To gain access to an organization’s network, users must prove their identity through a process known as authentication. After a user or machine has been authenticated, an administrator or system will determine what permissions the authorized user has to certain resources within the organization. Authorization limits access to an organization’s resources based on the settings established by the organization. Organizations will determine a user’s access level according to the resource sensitivity and the user’s needs.
5 Types of Authorization Models
Authorization models help enhance an organization’s productivity and prevent data breaches. However, the authorization models organizations leverage vary depending on how complex and secure the organization needs them to be. Here are the five different types of authorization models.
Role-based access control
Role-Based Access Control (RBAC) defines roles and privileges to restrict system access to only authorized users. With RBAC, organizations need to determine the permissions that apply to sensitive data: who should be accessing it, how much access the user needs and how long they need access for. Then, organizations need to define what role each member has and what permissions they need based on that role. The roles are determined by the user’s authority, responsibility and job competency.
RBAC authorizes users’ limited access to specific data and systems based on their roles within the organization. Users should only be granted access to specific data and systems they need to do their jobs. They should not be able to access any resources outside of their job area. RBAC also limits what users can do with the resources they can access.
Attribute-based access control
Attribute-Based Access Control (ABAC) is a more granular authorization model than RBAC. ABAC grants users access to an organization’s specific data and systems based on particular attributes associated with the request. It goes beyond the user’s role within the organization and evaluates other factors to authorize access. The attributes that ABAC evaluates include the characteristics of the user, the device, the environment and the resource the user is trying to access.
Relationship-based access control
Relationship-Based Access Control (ReBAC) is an authorization model that grants access to an organization’s specific resources based on the relationship between the user and the resource. For example, the creator of a resource may have full access and control over it. However, a colleague of the creator from the same team might only be able to view the resource, but not edit it. A colleague of the creator who is not on the same team may not be permitted to access the resource at all.
Mandatory access control
Mandatory Access Control (MAC) restricts access based on the level of sensitivity of the resources. MAC assigns security labels and categories to resources to control which users or systems have access to each one. It limits access as much as possible to only those who truly need it, such as administrators.
Users cleared for a security label are limited in what they can do with the resources carrying that label. They cannot edit the resources or share access to them. Only the organization’s administrators can make changes to privileges. Anyone below the required clearance level cannot access the resources. MAC is primarily used by organizations such as government agencies that handle highly confidential information.
Discretionary access control
Discretionary Access Control (DAC) is the opposite of MAC in that it assigns privileges based on the user and the access group rather than on a centrally assigned label. Instead of the organization determining access based on the sensitivity of the data, the owner of the resource and those who have been granted access to it grant access to other users as needed. Users with higher privileges can determine how other users can use the resources.
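To make the differences between the five models concrete, the following Python example implements a small policy decision function for each of RBAC, ABAC, ReBAC, MAC and DAC over the same constructed users and resources. It is an added illustration, not code from Keeper or from any product described on this page; all users (alice, bob, carol), resources, roles, attributes and labels are made-up sample data.

```python
"""Toy policy decision points for the five authorization models (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    user: str
    action: str                                   # "read" | "write" | "share"
    resource: str
    context: dict = field(default_factory=dict)   # environment attributes (ABAC), e.g. device state


# ---- RBAC: permissions attach to roles, users hold roles --------------------------------
RESOURCE_TYPE = {"repo/app": "source", "finance/q3": "ledger"}
ROLE_PERMS = {
    "engineer": {("read", "source"), ("write", "source")},
    "auditor": {("read", "source"), ("read", "ledger")},
}
USER_ROLES = {"alice": {"engineer"}, "bob": {"auditor"}}


def rbac_allows(req: Request) -> bool:
    """Allow if any role the user holds grants (action, resource type)."""
    rtype = RESOURCE_TYPE.get(req.resource)
    return any((req.action, rtype) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(req.user, set()))


# ---- ABAC: a policy evaluated over user, resource and environment attributes -----------
USER_ATTRS = {"alice": {"dept": "eng", "clearance": 2}, "bob": {"dept": "finance", "clearance": 2}}
RESOURCE_ATTRS = {"repo/app": {"dept": "eng", "min_clearance": 1},
                  "finance/q3": {"dept": "finance", "min_clearance": 2}}


def abac_allows(req: Request) -> bool:
    """Same department and sufficient clearance; writes also need a managed device."""
    u, r = USER_ATTRS.get(req.user), RESOURCE_ATTRS.get(req.resource)
    if u is None or r is None:
        return False
    base = u["dept"] == r["dept"] and u["clearance"] >= r["min_clearance"]
    if req.action == "write":
        return base and bool(req.context.get("device_managed", False))
    return base and req.action == "read"


# ---- ReBAC: access derives from the user's relationship to the resource ----------------
OWNER = {"repo/app": "alice"}
TEAM = {"alice": "platform", "carol": "platform", "bob": "finance"}


def rebac_allows(req: Request) -> bool:
    """Owner: full control; owner's teammates: view only; everyone else: nothing."""
    owner = OWNER.get(req.resource)
    if owner == req.user:
        return True
    if owner is not None and TEAM.get(owner) == TEAM.get(req.user):
        return req.action == "read"
    return False


# ---- MAC: labels assigned centrally; subjects can read at or below clearance, never edit/share
LEVELS = {"public": 0, "internal": 1, "secret": 2}
USER_CLEARANCE = {"alice": "internal", "bob": "secret"}
RESOURCE_LABEL = {"repo/app": "internal", "finance/q3": "secret"}


def mac_allows(req: Request) -> bool:
    """No read-up; non-administrators may only read, and can never re-share."""
    clearance = LEVELS.get(USER_CLEARANCE.get(req.user, ""), -1)
    label = LEVELS.get(RESOURCE_LABEL.get(req.resource, ""), float("inf"))
    return req.action == "read" and clearance >= label


# ---- DAC: an owner-maintained ACL where holders of "share" may delegate -----------------
ACL = {"finance/q3": {"bob": {"read", "write", "share"}}}


def dac_allows(req: Request) -> bool:
    return req.action in ACL.get(req.resource, {}).get(req.user, set())


def dac_grant(granter: str, resource: str, grantee: str, actions: set) -> bool:
    """A granter may delegate only actions they hold themselves, and only if they hold 'share'."""
    held = ACL.get(resource, {}).get(granter, set())
    if "share" not in held or not set(actions) <= held:
        return False
    ACL.setdefault(resource, {}).setdefault(grantee, set()).update(actions)
    return True


if __name__ == "__main__":
    for fn in (rbac_allows, abac_allows, rebac_allows, mac_allows, dac_allows):
        print(fn.__name__, fn(Request("alice", "read", "repo/app")))
```

Note how the same request ("alice reads repo/app") is decided by different evidence in each model: a role in RBAC, matching attributes in ABAC, ownership in ReBAC, a clearance-versus-label comparison in MAC, and an ACL entry in DAC. The DAC `dac_grant` helper shows the delegation property that distinguishes DAC from MAC: a resource holder can pass on rights, but only rights they themselves hold.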
How To Pick The Right Authorization Model
Each authorization model is different and will fit the different needs of each organization. Organizations need to find the authorization model that is right for them. Here are the factors to consider when picking an authorization model for your organization.
Security requirement
Organizations need to consider the security requirements of their sensitive data. They need to assess the sensitivity of their data and the level of security required. Some authorization models such as MAC have stricter levels of access than others and might be a better fit when dealing with highly confidential data. Other authorization models like DAC have more lenient levels of access and would be a better fit for less sensitive data.
User experience
Organizations need to consider the user experience for employees. Authorization models that are too complex for employees to use can be confusing and counterproductive. They can even cause security issues, as employees try to bypass authorization controls to make their work easier. Organizations need to pick an authorization model that is easy for users to understand but also provides the required level of security.
Complexity
Organizations need to consider the complexity of the authorization model they want to implement. Organizations should look into the level of security and user experience they require to determine how complex their authorization model should be. If an organization can handle a more complex and dynamic authorization model, it should pick an authorization model that can handle intricate scenarios such as ABAC or ReBAC. Organizations that need a more straightforward authorization model should pick RBAC.
Scalability
Organizations should consider the scalability of their authorization model. They need to think about how much their organization will grow and if the authorization model they pick can handle their level of growth. An authorization model needs to fit the size of the current organization and be able to scale to a potentially larger organization in the future. ABAC is often highly scalable and dynamic to adapt to growing organizations.
Use Keeper® To Implement an Authorization Model
The best way to implement an authorization model is with a Privileged Access Management (PAM) solution. PAM refers to securing and managing accounts with access to an organization’s highly sensitive systems and data. With a PAM solution, organizations have full visibility into who is accessing their network, applications, servers and devices. They have total control over who can access their resources, how much access each user has and the password security of privileged accounts. A PAM solution helps organizations determine privileges based on their authorization model.
KeeperPAM™ is a privileged access management solution that combines Keeper Enterprise Password Manager (EPM), Keeper Secrets Manager® (KSM) and Keeper Connection Manager® (KCM). It allows organizations to achieve full visibility, security and control across every privileged user on every device in the organization, ensuring the right levels of authorization are in place.
Request a demo of KeeperPAM to see how it can protect your organization’s sensitive data.