Authorization is a critical aspect of any security orchestration, automation and response framework, and this article looks at the various ways organizations can incorporate secure authorization best practices into their cybersecurity strategy.
A Security orchestration, automation and response (SOAR) platform is designed to help security operations (SecOps) teams automatically execute repetitive tasks, such as responding to phishing alerts, SIEM or EDR alert triage and is typically used within the context of the Security Operations Center (SOC).
Related Content: SOAR Orchestration: All You Need to Know
Types of Authorization
There are a number of ways network administrators can set up authorization and authentication for various parts of the network.
Role-based access control
First is role-based access control or authorization (RBAC). In RBAC, users are granted access to resources and actions based on their assigned roles, which are defined by a set of permissions or privileges. This approach simplifies the process of granting and revoking access rights, as it allows administrators to manage access based on roles rather than individual users.
An example could be a network administrator having access to network configuration settings, while a regular user may only have access to basic file sharing and printing functions. This helps with the segmentation of data, and allows for more targeted analysis if a breach occurs. The system can identity what level of access the user originally had, and how it became compromised.
Attribute-based access control
Attribute based access control (ABAC) is more focused on how network users are identified or tagged within the system. In ABAC, a policy is defined based on attributes such as user identity, role, location, device, time of day, and other factors, and this policy is used to evaluate access requests. ABAC provides a more fine-grained access control mechanism than traditional RBAC because it allows for a more complex set of attributes to be used to determine access.
For example, in an ABAC system, a user may only be granted access to a resource if they are accessing it from a particular location, using a specific device, and within a certain time period. Another example of ABAC would be allowing only users who are type=employees and have department=HR to access the HR/Payroll system and only during business hours within the same timezone as the company.
Discretionary access control (DAC)
Discretionary access control (DAC) s a type of access control where the owner or creator of a resource has full control over who is granted access to it. In DAC, the owner of a resource decides who can access it and what level of access they are granted, without interference or oversight from a central authority.
This approach is different from RBAC and ABAC, which use predefined policies to determine access, as DAC allows users to make access control decisions based on their own discretion. For example, in a DAC system, a user who creates a file can decide which other users or groups are allowed to access it and what level of access they are granted (read, write, or delete).
Mandatory access control
Mandatory access control (MAC) estricts access to resources based on security labels or levels assigned to users and resources. MAC is often used in high-security environments, such as government or military systems, where strict control over access to sensitive information is required.
In a MAC system, access decisions are made based on the sensitivity of the data and the clearance level of the user. The clearance level is determined by an administrator and is based on the user's job function, level of security clearance, and other factors. Each resource or file is also assigned a security label based on its sensitivity.
Related Content: What is Multi-Factor Authentication (MFA)?
Authorization in Practice
So, how is authorization implemented in different systems and technologies? There are a variety of ways that the different levels of authorization can interact within a cybersecurity strategy.
In web applications, access control can be implemented through authentication and session management. Once a user is authenticated, they can be authorized to access certain pages or features based on their role, permissions, or attributes. For example, an e-commerce website may allow a registered user to access their account information, while a guest user can only browse the products.
Operating systems tend to use the whole suite of authorization controls, to manage user access to files and system resources. Administrators can assign permissions to users and groups based on their roles or clearance level. Databases do the same. For example, in Oracle databases, access control can be implemented using roles, privileges, and profiles, which can be assigned to users or groups.
When it comes to implementing your authorization, it makes sense to speak with a manage cybersecurity services provider to help you determine that right level of security for each segment of your network. You want to be sure that information is flowing without making yourself vulnerable to a cybersecurity breach. Authorization and orchestration can work together to help your organization maximize your cybersecurity team’s bandwidth to target the most vulnerable points of authorization and authentication.
