Access control is a set of techniques, strategies and policies that allow people access to a company's computer, network and data resources. Rule-based access control, or RBAC (sometimes also called RuBAC), allows or restricts access based on rules, ensuring that the people who can get into a company's computing infrastructure have access to exactly the resources they need, no more and no less.
If that sounds a touch vague, it's because the concept is broad. This guide will shed light on the concept of RBAC and explain when businesses might employ this method of cybersecurity.
What is RBAC?
An important step in understanding RBAC, or any form of access control, is to distinguish it from another important step in company cybersecurity: authentication. Authentication is the determination of who is allowed into computing infrastructure at all.
Editor's note: Looking for the right access control system for your business? Fill out the below questionnaire to have our vendor partners contact you about your needs.
The simplest version of authentication is the user ID and password. More complex mechanisms involve sophisticated encryption and decryption systems. However, authentication is not enough for a company's security. Not everyone can or should have access to all resources, like the company's human resources, accounting, marketing, strategic planning, inventory control or purchasing data.
Access control picks up where authentication leaves off. It allows your employees to use the software, data, and equipment they need for their jobs and keeps them from prying in areas that might be inappropriate, a breach of your company's compliance with government regulations, or even a complete disaster.
For example, the inner workings of databases are generally off limits to most personnel because it would be too easy for someone to alter or damage vital information. All of the best access control companies offer some sort of rule-based setup, but it's important to ensure coverage of all your entrances or mantraps.
How does RBAC work?
Under RBAC, an IT department sets high-level rules based on the specifics of what, how, where and when someone tries to gain access. Each resource has an associated access control list, or ACL. Every time someone tries to use a given resource, the operating system checks the ACL, determining whether the attempt follows all the rules for access to the resource.
The "rule" part of RBAC refers to the restrictions on when, how and where access will be granted. Here are some examples:
- Everyone using a network has an IP address, which is how the network identifies locations. A rule might be that only someone with an IP address within a specific geographical range – perhaps the region where the accounting team works – can use the corporate accounting system. It could be even more finely controlled, like that people at certain addresses can use accounts payable while another set can only access accounts receivable.
- The allowances and restrictions can be tied to ports, which are like specific doors into the network. Only requests at the right ports would be considered potentially valid. For example, one port might be tied to a facility that accepts uploads of documents from external locations. In that case, a request to upload into some other part of the network might be disallowed.
- Certain types of access might be allowed only at certain times, such as within standard business hours. Outside of those time slots, no one would be able to access those computing resources. Time restrictions help prevent criminals from infiltrating systems during off hours, when there are fewer security experts available and on guard.
- Someone who needs access to sensitive records might receive additional credentials that would apply in any of their access attempts. Alternatively, they might have a limit on how many times they can use a certain resource in a week, or even a timeout so that permission is only temporary.
- As much as RBAC can allow access, a company can also use it to prevent access, whether within the business's infrastructure or to outside resources. The company might not want any employees to have access to video-streaming applications during work hours, for instance, or perhaps block all email (unlikely, but a user can dream).
The overall thing to remember is that RBAC governs context of access. While the focus is on employees of a company, the same concepts can apply to a company providing controlled access of some resources to customers or business partners.
Rule-based access control vs. role-based access control
Remember how RBAC can also stand for "role-based access control"?
In role-based access control, rather than focusing on the context of access, security is built around a person's job or role in an organization. Everyone needs certain resources to do their job, and the resources require permissions.
Each permission is like a key that can unlock a resource. In this analogy, role-based access control gives every user a ring of keys based on the business and their job. People with extensive access to one set of resources might find themselves blocked when they try to access ones they don't need. Your HR manager could access personnel records, for instance, and create security cards for the building that are unique to each employee.
Taking it from there, rule-based access control ensures that people have access in the right context of use – from a certain computer, during certain hours, on the day of the week when they must perform a specific task, or within any other parameters you need to set.
Rule- and role-based access control complement one another because they use different methods to serve the same purpose. Access based on roles is one sensible approach to security, making sure that only the right people can use specific resources, while rule-based access ensures that those employees use those resources the way the company has decided is best.
Benefits of rule-based access control
There are multiple benefits of rule-based access control for a business:
- By standardizing and controlling the context of resource access, you can better regulate legal compliance issues.
- RBAC improves security by enforcing necessary limitations on resource usage. That can make it more difficult for outside criminal actors to attack your business's computing infrastructure.
- Proper design of an RBAC system not only improves security but also regulates network use. You could limit the use of resource-intensive processes and software to days and times of lighter demand. For example, you may set complex management reports or marketing analytics to run only in the middle of the night, when processing power is available.
- RBAC can implement necessary restrictions automatically, without involving IT and support personnel. You can automate changes and set additional permissions for a limited time in unusual circumstances, rather than requiring your IT staff to manually track the usage and remember to revoke privileges later.
- You can be as detailed as you want in how you control access, rather than providing overly broad access for too many people.
- Only administrators can change the rules, reducing potential slip-ups.
Drawbacks of rule-based access control
Like all things, RBAC has some limitations.
- Configuring detailed rules at multiple levels is time-consuming and requires some upfront work from your IT staff. You'll also need some form of ongoing monitoring to ensure that rules work as intended and don't become obsolete.
- Your employees may find the access control system unwieldy and obstructive to their work. The moment it's necessary to work outside of the usual patterns, you or another administrator will have to modify a rule or provide a workaround.
- A need for regular changes can become a burden for your IT staff when they must reprogram a specific rule for an unusual circumstance and then switch it back.
- By nature of its reliance on rules, RBAC doesn't consider specific relationships between resources, people, operations, and other aspects of operations or infrastructure. Without additional control mechanisms, the necessary structure of rules can become extremely complex.
Depending on your company's needs, a rule-based access control system can provide important additional security. But it may not be enough on its own. Your company will also need the expertise to set up and maintain the rules, adapting or changing them as needed.