Logical access controls govern access to computer systems. They stand in contrast to physical access controls, which pertain to physical locations, files, and devices. Because logical access controls structure who can access all computer systems, it’s one of the principal security concerns of many IT departments.
Nearly everyone interacts with logical access controls every day, whether or not they’re aware of it. Logical access controls are built into all kinds of devices, from computers to smartphones to routers, as well as in web services such as Facebook and Google Drive. Below, we’ll dig into how logical access controls work.
Subjects, Objects, and Access Control Lists
Logical access control systems govern access in terms of subjects and objects. A subject is a person or application attempting to act on an object, which can be a file, database, or device. An object can even be another application – in cases where an application accesses another application, the subject is the one taking action on the object.
When a subject requests access, a logical access control system checks them against an access control list (ACL), which details what permissions a given user has. Common permissions include the following:
- Read access, which allows a user to view a file
- Write access, which allows a user to modify a file
- Execute access, which allows a user to run a program
- Administrative access, which grants a user broad powers to modify, delete, or create files.
An access control list might dictate that Emily has administrative privileges, Marcos has Read and Write priviliges, and Bob has Read privileges, for instance. If a user is not listed, the system will not grant them any access to the object.
But before a system grants access, it first must identify and authenticate them.
Identification, Authentication, and Authorization
Whether physical or logical, access control systems allow or deny access based on a three-step process.
In the first step, identification, a subject identifies themselves. Under most logical access control systems, this entails entering a username or email address. This step is pretty straightforward.
In the next step, authentication, the subject provides some form of proof they are who they say they are, such as a password. Authentication factors can take three forms:
- Something you know, such as a password or PIN
- Something you have, such as a key or keycard
- Something you are, which includes biometrics such as fingerprints.’
When it comes to logical access controls, “something you know” factors such as passwords are by far the most common.
But other factors have become more popular in recent years. To strengthen security, more and more organizations now require multi-factor authentication, in which a user inputs more than one proof of their identity. You might enter a password (something you know) and then enter a one-time code sent to your phone (something you have). It’s easy enough for a password to get compromised in a data breach or phishing attack. It’s considerably harder for a hacker to steal both your password and a physical device.
Biometrics have also become increasingly common, and many devices now include fingerprint scanners or facial recognition software to make it more convenient to gain access.
Once a subject has been identified and authenticated, the third and final step follows: authorization. Now that the system knows who you are, it grants certain rights based on your identity by comparing against the object’s access control list, as detailed above.
For more information, see our guide to authentication and authorization.
Access Control Models
Many systems and organizations rely on an established access control model to govern access. Discretionary access control (DAC) is the most common model. Under DAC, every object has an owner who can assign permissions at their discretion. If Bob creates a file, under a typical DAC model he would become its owner. He could then allow Emily to read and write the file, or grant her broader administrative privileges.
Many organizations use role-based access control (RBAC) to make it easier to manage large groups. Under role-based access control, each user is given a role, such as “Sales”, and then permissions are granted on a role-by-role basis.
Some high-security organizations, such as the Department of Defense, use mandatory access control (MAC). Under this strict system, each subject and object has a security label, such as the “top secret,” “secret,” and “confidential” labels you may have seen in spy movies.
To access a given file or object, a user would need a security label matching or exceeding that object’s security label. Mandatory access control offers tighter security than other access control models, but generally demands more bureaucracy as well.
Many systems use a combination of access control models. Windows operates on a foundation of discretionary access control, while offering organizations the option to implement role-based access controls by assigning permissions based on user groups.
In 2008, Microsoft even added a layer of mandatory access control to shore up a major vulnerability in Windows. Before 2008, it was unfortunately common for users to install malware to the computer. When a user ran a program, the program would inherit the user’s access – which, most of the time, included high level administrative privileges.
To protect against this vulnerability, Microsoft added a layer of mandatory access control. Now, every user has an integrity level – set to medium by default, which allows a user to modify files, but not tamper with the core of the operating system itself.
When you run an application in Windows, it inherits your medium integrity level. You can always bypass it by running an application as an administrator, granting it high-level authority over your computer. Because these administrative privileges can enable a program to make serious changes to your operating system, you should take great care when you run any application as an administrator.
Discretionary, role-based, and mandatory access controls are three of the most common access control models. There are several others, which you can read about in our complete guide to access control models.