Exploring Access Control Models: Building a Secure Future

Managing and controlling access to resources is a fundamental part of any architecture, and the level of security should correspond to the importance of the services and information within each company. The most common approach is to maintain an access control matrix that makes it easy to identify who has access to specific resources according to roles, rules, attributes, etc.

Implementing effective access models not only protects sensitive information, but also ensures that the right users have access to the right resources at the right time. Among the methodologies highlighted are RBAC, DAC, ABAC, PDAC, MAC, CAS and constraints such as Time of Day Restriction. Let’s elaborate on each of these concepts, their importance, and how they drive safer, more efficient environments.

1. Reduced Security Risks

Implementing these models ensures that only authorized users access specific data or systems, reducing the chance of:

  • Insider attacks: such as disgruntled employees accessing sensitive information.
  • External breaches: by limiting the possibilities of privilege escalation in the event of an attack.

2. Regulatory Compliance

Privacy and security regulations, such as GDPR, HIPAA and PCI-DSS, demand clear and effective controls over who has access to what. Models such as RBAC or ABAC help comply with these regulations by providing traceable and auditable mechanisms.

3. Adapting to Digital Transformation

In dynamic environments, such as hybrid clouds, the proliferation of IoT devices, and microservices-based architectures, models such as CAS and ABAC enable granular, context-aware control, which is essential to ensure security without compromising productivity.

4. Improved Productivity

By assigning each user only the permissions they need to perform their work:

  • Unnecessary access overload is avoided.
  • Errors and accidental or malicious activities are minimized.

5. Modern Threat Response

Threats like ransomware or advanced phishing are best dealt with when there are robust controls in place. For example:

  • MAC protects classified data, ensuring that even administrators don’t have access if they don’t meet classification levels.
  • CAS can detect and respond to suspicious behavior patterns.

6. Scalability and Efficient Management

Models like RBAC allow permissions to be managed in large organizations with multiple departments and hierarchies, making access management more manageable as the business grows.

7. Off-the-Clock Threat Mitigation

With controls such as Time of Day Restriction, systems are less exposed to unauthorized access outside of working hours, when response teams are usually less available.

In short, these models are not only critical to protecting digital assets, but also enable organizations to remain resilient in the face of modern threats and regulations. Implementing them correctly is a strategic investment that benefits both safety and operational efficiency.

Use of Matrices

Models such as RBAC, MAC and, to a lesser extent, DAC are usually managed through an access control matrix. Below is a brief description of the purpose of each model and how it relates to access control matrices:

RBAC (Role-Based Access Control)

  • Theory: Assign permissions to roles instead of individual users. This allows permissions to be managed at the group level, which is efficient in environments with multiple users and roles.
  • Use of Matrices: A matrix is used that relates roles to specific permissions on resources, for example:

| Role | Resource | Permission |
| --- | --- | --- |
| Administrator | Servers | Read/Write |
| Regular User | Shared documents | Read Only |

  • Pros: Scalable and easy to manage in large organizations.
  • Example of use: In business systems with clear hierarchies, such as banks or educational institutions.

MAC (Mandatory Access Control)

  • Theory: It is based on a centralized policy that defines permissions according to classification levels and security labels (confidential, secret, etc.). Users have no control over who has access.
  • Use of Matrices: The matrix links classification levels with permissions, ensuring that data is accessible only to users with equal or higher security levels. Example:

| Security Level | Resource | Permission |
| --- | --- | --- |
| Confidential | Database X | Read/Write |
| Public | Documents Y | Read |

  • Advantages: It offers the highest security in critical environments such as governments or defense.
  • Example of use: On military bases where access to information is strictly restricted.

DAC (Discretionary Access Control)

  • Theory: The owner of a resource has control over who can access and what operations they can perform.
  • Use of Matrices: A basic matrix can be used that associates users with owner-defined permissions. For example:

| Owner | Authorized user | Resource | Permission |
| --- | --- | --- | --- |
| Juan Pérez | Maria Lopez | File A | Read |

  • Advantages: Flexible for small or collaborative environments.
  • Example of use: In small offices or personal systems where control is more decentralized.
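
The three matrices above, written as data with one decision function per model. This is an added example, not code from the original article; the level ordering, the lower-case action names, the resource name "Documents Y" and all function names are assumptions.

```javascript
// Added example. Level ordering, action names and "Documents Y" are assumptions.
const LEVELS = ["Public", "Confidential", "Secret"]; // lowest to highest

// Look up own keys only: names arrive from requests, and "__proto__" or
// "constructor" must not resolve to something inherited.
const own = (obj, key) =>
  obj && Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;

const rbacMatrix = { // role -> resource -> actions
  Administrator: { Servers: ["read", "write"] },
  "Regular User": { "Shared documents": ["read"] },
};
const macLabels = { // resource -> label and the actions the policy permits
  "Database X": { level: "Confidential", actions: ["read", "write"] },
  "Documents Y": { level: "Public", actions: ["read"] },
};
const dacEntries = { // resource -> owner and owner-issued grants
  "File A": { owner: "Juan Pérez", grants: { "Maria Lopez": ["read"] } },
};

function rbacAllows(roles, resource, action) {
  return roles.some((r) => (own(own(rbacMatrix, r), resource) ?? []).includes(action));
}

function macAllows(clearance, resource, action) {
  const label = own(macLabels, resource);
  const have = LEVELS.indexOf(clearance);
  if (!label || have < 0) return false; // unknown resource or level: deny
  return have >= LEVELS.indexOf(label.level) && label.actions.includes(action);
}

function dacAllows(user, resource, action) {
  const entry = own(dacEntries, resource);
  if (!entry) return false;
  return user === entry.owner || (own(entry.grants, user) ?? []).includes(action);
}

// Only the owner can extend the DAC row; nobody can edit the MAC labels here.
function dacGrant(actor, resource, grantee, action) {
  const entry = own(dacEntries, resource);
  if (!entry || actor !== entry.owner) return false;
  const current = own(entry.grants, grantee) ?? [];
  if (!current.includes(action)) entry.grants[grantee] = [...current, action];
  return true;
}
```

Every function denies by default when the role, resource or level is unknown, which is the behaviour an access matrix should have for cells that were never filled in.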

The Power of Ranking! Getting to Know Access Control Models

  1. RBAC (Role-Based Access Control): This model grants permissions based on predefined roles. For example, an “Administrator” will have access to critical resources while a “Regular User” will be restricted to basic operations.

Example in Azure AD:

Create a custom role for a specific team:

az role definition create --role-definition '{
  "Name": "EquipoApoyo",
  "Description": "Permissions limited to the support team",
  "Actions": ["Microsoft.Support/*"],
  "AssignableScopes": ["/subscriptions/{subscription-id}"]
}'

Example in GCP:

In GCP, RBAC is implemented through IAM (Identity and Access Management), with predefined or custom roles.

Example: Create a custom role in GCP for a specific team.

gcloud iam roles create teamSupport --project=[PROJECT_ID] \
  --title="Support Team" \
  --description="Limited permissions to the support team" \
  --permissions="compute.instances.get,compute.instances.list" \
  --stage="GA"

Assign the role to a user:

gcloud projects add-iam-policy-binding [PROJECT_ID] \
  --member="user:usuario@example.com" \
  --role="projects/[PROJECT_ID]/roles/teamSupport"

  2. DAC (Discretionary Access Control): In this model, the owner of a resource decides who can access and what operations they can perform. It is popular in personal systems where owners manage their own files.

Example in Azure AD:

Grant read permissions to a specific user for a resource:

az role assignment create --assignee user@example.com --role Reader --scope /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}

Example in GCP:

In GCP, while there is no DAC in its most traditional sense, you can grant granular permissions at the resource level using IAM.

Example: Assign read permissions to a specific user for a virtual machine.

gcloud compute instances add-iam-policy-binding [INSTANCE_NAME] \
  --zone=[ZONE] \
  --member="user:usuario@example.com" \
  --role="roles/compute.viewer"

  3. ABAC (Attribute-Based Access Control): More advanced, this model uses attributes such as geographic position, device used, and user role to determine access.

Example in Azure AD:

Create an attribute-based condition to access only from approved locations:

az ad conditionalaccess policy create --display-name "PolicyUbicacion" --conditions '{
  "locations": {
    "includeLocations": ["SecureIDUlocation"]
  }
}'

Example in GCP:

GCP supports ABAC to a limited extent through condition-based IAM policies, such as IP or tag restrictions.

Example: Create a conditional policy based on tags.


gcloud projects set-iam-policy [PROJECT_ID] policy.json

Contents of policy.json (a policy with a conditional binding must declare version 3):

{
  "version": 3,
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": ["user:usuario@example.com"],
      "condition": {
        "title": "SafeLabel",
        "description": "Access allowed only with secure tag",
        "expression": "resource.matchTag('123456789012/environment', 'secure')"
      }
    }
  ]
}
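
Because `set-iam-policy` replaces the project's entire policy with the file it is given, it is worth checking the file before applying it. The following is an added example, not part of the original article; the function name, the finding texts and the sample policies are assumptions, and the sample input is constructed in the shape of the policy.json above.

```javascript
// Added example: checks to run on a policy file before
// `gcloud projects set-iam-policy`. Names and finding texts are assumptions.
function lintIamPolicy(policy) {
  const findings = [];
  const bindings = Array.isArray(policy.bindings) ? policy.bindings : [];
  const conditional = bindings.filter((b) => b.condition);
  const unconditional = bindings.filter((b) => !b.condition);

  // IAM requires version 3 for policies that carry conditional bindings.
  if (conditional.length > 0 && policy.version !== 3) {
    findings.push('conditional binding requires "version": 3');
  }
  // The etag guards against overwriting a change made since the policy was read.
  if (!policy.etag) {
    findings.push("no etag: concurrent changes would be overwritten");
  }
  for (const b of conditional) {
    const expr = b.condition.expression;
    if (typeof expr !== "string" || expr.trim() === "") {
      findings.push(`${b.role}: condition has no expression`);
    }
    // The same role granted without a condition makes the condition moot.
    for (const member of b.members ?? []) {
      const shadowed = unconditional.some(
        (u) => u.role === b.role && (u.members ?? []).includes(member));
      if (shadowed) findings.push(`${b.role}: ${member} also holds it unconditionally`);
    }
  }
  return findings;
}

// Constructed sample in the shape of the page's policy.json, with the
// version and etag left out so that both findings appear.
const samplePolicy = {
  bindings: [{
    role: "roles/storage.objectViewer",
    members: ["user:usuario@example.com"],
    condition: {
      title: "SafeLabel",
      expression: "resource.matchTag('123456789012/environment', 'secure')",
    },
  }],
};
```

Reading the current policy with `gcloud projects get-iam-policy`, editing that output and writing it back keeps the existing bindings and the etag in place.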

  4. PDAC (Policy-Driven Access Control): Focused on predefined policies, this model allows for centralized, rules-based management.

Example in Azure AD:

Create a policy that limits access to a specific group:

az ad conditionalaccess policy create --display-name "PolicyGrupo" --conditions '{
  "users": {
    "includeGroups": ["IDGorcoloSpecific"]
  }
}'

Example in GCP:

In GCP, you can deploy PDAC using organizational policies that apply global rules to all resources.

Example: Restrict the use of SSH keys on all VMs.

gcloud resource-manager org-policies enable-enforce \
  compute.requireOsLogin --project=[PROJECT_ID]

  5. MAC (Mandatory Access Control): Ideal for military and government environments, in this model permissions are determined by security classification.

Example in Azure AD:

Configure roles with classification labels for sensitive data:

az role assignment create --assignee user@example.com --role "ConfidentialAccess" --scope /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}

Example in GCP:

Although GCP doesn’t offer MAC natively, you can emulate it by combining tags and organizational policies.

Example: Configure policies based on data security levels.

gcloud resource-manager tags bindings create \
  --tag-value="123456789012/confidential" \
  --parent="//cloudresourcemanager.googleapis.com/projects/[PROJECT_ID]"

  6. CAS (Context-Aware Security): A modern evolution that adapts controls based on context, such as user behavior or unusual access patterns.

Example in Azure AD:

Implement behavior-based risk detection:

az ad conditionalaccess policy create --display-name "PolicyRiesgo" --conditions '{
  "signInRiskLevels": ["high"]
}'

Example in GCP:

CAS is deployed on GCP using Context-Aware Access, part of BeyondCorp.

Example: Set up access based on the user's location.

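gcloud access-context-manager levels create securelocation \
  --title="Safe Location" \
  --basic-level-spec=conditions.yaml \
  --policy=[POLICY_ID]

The --basic-level-spec flag takes the path to a YAML file. Contents of conditions.yaml (the file name is chosen here):

- ipSubnetworks:
  - 192.168.0.0/24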

  7. Time of Day Restriction: A tool that limits access according to time slots, minimizing risks outside of working hours.

Example in Azure AD:

Restrict access to business hours (8:00 a.m. - 6:00 p.m.):

az ad conditionalaccess policy create --display-name "PolicyHora" --conditions '{
  "signInHours": {
    "startTime": "08:00",
    "endTime": "18:00"
  }
}'

Example in GCP:

While there’s no direct functionality for restricting by schedule, you can integrate external tools or use Cloud Functions with conditional policies.

Example: Create a feature that enables/disables permissions based on the schedule.

gcloud functions deploy restrictAccess \
  --runtime=nodejs14 \
  --trigger-http \
  --allow-unauthenticated

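Contents of index.js:

exports.restrictAccess = (req, res) => {
  // getHours() uses the runtime's local time zone, which may differ from the office's.
  const currentHour = new Date().getHours();
  // Business hours are 08:00 to 18:00, so hour 18 is already outside the window.
  if (currentHour >= 8 && currentHour < 18) {
    res.status(200).send("Access enabled");
  } else {
    res.status(403).send("After-hours access");
  }
};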
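
A schedule check depends on two details the function above leaves implicit: which time zone the hours refer to, and whether the closing time itself is inside the window. The following is an added example, not part of the original article, that makes both explicit and also handles a window that wraps past midnight; the zone `America/Bogota`, the `POLICY` object and all function names are assumptions.

```javascript
// Added example: time-of-day check with an explicit time zone.
// POLICY values and all function names are assumptions for illustration.
const POLICY = { start: "08:00", end: "18:00", timeZone: "America/Bogota" };

// Minutes since local midnight in the given IANA zone, independent of the
// zone the server process happens to run in.
function localMinutes(date, timeZone) {
  const parts = new Intl.DateTimeFormat("en-US", {
    timeZone, hour: "2-digit", minute: "2-digit", hourCycle: "h23",
  }).formatToParts(date);
  const get = (type) => Number(parts.find((p) => p.type === type).value);
  return (get("hour") % 24) * 60 + get("minute");
}

function toMinutes(hhmm) {
  const m = /^([01]\d|2[0-3]):([0-5]\d)$/.exec(hhmm);
  if (!m) throw new RangeError(`bad time "${hhmm}"`); // fail closed on bad config
  return Number(m[1]) * 60 + Number(m[2]);
}

// Half-open window [start, end): at 18:00 sharp access is already closed.
// start > end means the window wraps past midnight (for example a night shift).
function isWithinWindow(date, { start, end, timeZone }) {
  const now = localMinutes(date, timeZone);
  const s = toMinutes(start);
  const e = toMinutes(end);
  return s <= e ? now >= s && now < e : now >= s || now < e;
}

// Decision in the shape the HTTP handler needs; `now` is injectable for tests.
function decide(now = new Date(), policy = POLICY) {
  return isWithinWindow(now, policy)
    ? { status: 200, body: "Access enabled" }
    : { status: 403, body: "After-hours access" };
}
```

The same instant can fall inside the window in one zone and outside it in another, so the zone belongs in the policy rather than in the server's environment.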

Why Are These Models Crucial? Protecting What Matters Most

The importance of access management and control lies in its ability to:

  • Prevent security breaches: Limiting access to sensitive data reduces the risk of internal and external attacks.
  • Ensure regulatory compliance: Many regulations such as GDPR, HIPAA, and PCI-DSS require strict access controls.
  • Optimize productivity: Users only interact with the resources needed for their roles, eliminating distractions and potential errors.
  • Adapt to modern environments: Models such as ABAC and CAS enable dynamic integration with cloud-based systems and IoT devices.

Where and When to Implement Them: Find Your Perfect Timing

  • Enterprise environments: RBAC is common in organizations where roles and hierarchies are well-defined.
  • Personal systems: DAC is ideal for networks and systems where owners manage permissions directly.
  • Critical systems: MAC is the choice for infrastructures with high security requirements such as defense and banking.
  • Modern applications: ABAC and CAS fit seamlessly into microservices-based architectures and hybrid clouds.
  • Time restrictions: Companies that want to minimise risks outside working hours.

Use Cases: Real-World Success Stories

  • Banking: Using MAC to protect financial data and ensure that only authorized users access sensitive accounts.
  • E-commerce: ABAC applied to personalize access according to the customer’s location and device, improving the experience.
  • Education: Implementation of RBAC in universities so that students, professors and administrators have segmented access.
  • Manufacturing: Time of Day Restriction to prevent unauthorized access outside of work shifts.
  • Governance: Use of CAS to detect suspicious access and adapt to threats in real time.

Access management and control are indispensable tools for any cybersecurity strategy. While each model has its advantages and limitations, choosing the right one for your organization or personal environment can make the difference between vulnerability and resilience. By understanding and applying these approaches, you’ll be one step closer to building a safer and more efficient digital ecosystem.

Thanks for reading me!!!
