What is an access control list?

An Access Control List (ACL) is a list of rules that determine which users or systems are allowed access to specific network resources, in addition to what actions they can perform while using those resources.

This is a core principle under the Identity and Access Management (IAM) framework of policies, ensuring that authorized users can only access resources they have permission for.

How do access control lists work?

Access control lists verify a user’s credentials by evaluating their permissions and other factors, depending on the type of access control list an organization has implemented. After this evaluation and verification, the ACL will either grant or deny access to the requested resource.

Types of access control lists

Access control lists can be classified into two main categories:

Standard ACL

A standard access control list is the most common type of ACL. It filters traffic solely based on the source IP address. Standard ACLs do not consider other factors of the user’s packet.

Extended ACL

An extended access control list is a more precise method that allows filtering based on numerous criteria such as the port numbers, protocol types, source and destination IP addresses of the user.

Types of access controls

There are several types of access controls tailored to fit an organization’s needs. Here are the four most common types of access controls.

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) is a widely used method of managing resource access. It manages a user's authorizations and restrictions within a system based on their role inside the organization. Certain privileges and permissions are set up and associated with the user’s role. This security model follows the Principle of Least Privilege (PoLP), ensuring that users are granted network access to only systems that are necessary for their job functions. For example, an operations analyst will have a distinct resource than a sales executive, due to their differing tasks.

Discretionary Access Control (DAC)

Discretionary Access Control (DAC) is a method where resource owners are responsible for either granting or denying access to specific users. It is based on the owner's discretion to ultimately make a decision. This model offers greater flexibility as it allows owners to adjust permissions quickly and easily, but can pose threats if the resource owner makes a bad judgment or is inconsistent in their decisions.

Mandatory Access Control (MAC)

Mandatory Access Control (MAC) is a method where resource access is based on system policies, which are typically set up by a central authority or an administrator. This can be visualized as a tier system where different groups of users are granted varying levels of access based on their clearance level. Mandatory access control is widely used in government and military systems where strict regulations are essential for security reasons.

Attribute-Based Access Control (ABAC)

Attribute-Based Access Control (ABAC) is a method of access control involving the inspection of attributes associated with the users. Rather than just focusing on their role, this security model looks at other characteristics such as the subject, environment, job title, location and time of access. Attribute-based access control defines certain policies based on attributes and follows them thoroughly.

The components of an access control list

There are several components of an access control list, each of which represents a crucial piece of information that can play a factor in determining the user's permissions.

Sequence number: A sequence number is the code used to identify the ACL entry.
ACL name: The ACL name is also used to identify the ACL entry but it uses a name rather than a sequence of numbers. In some cases, a mix of letters and numbers is used.
Network protocol: Admins can either grant or deny entry based on the user's network protocols such as Internet Protocol (IP), Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
Source: The source defines the IP address of the requested origin.

Advantages of using an access control list

One advantage of using an access control list is that it provides granular control, enabling organizations to set and establish permissions tailored for specific groups. This gives organizations flexibility and concise management of resources while protecting the confidentiality of systems.

Additionally, access control lists mitigate the risks of security breaches, unauthorized access and most other malicious activities. Not only can ACLs block unauthorized traffic from entering, but they also block spoofing and Denial-of-Service (DoS) attacks. Since ACLs are designed to filter the IP addresses of the source, they will explicitly allow trusted sources to enter while blocking out untrusted sources. ACLs also mitigate DoS attacks by filtering out malicious traffic and limiting the amount of incoming data packets, preventing an overwhelming volume of traffic.

How to implement access control lists

To implement an access control list, it’s important to first identify the pain points and figure out which areas need improvement within an organization. After this evaluation, organizations must choose a good IAM solution that best matches the organization’s security and compliance needs while addressing potential risks.

Once an organization has chosen an IAM solution, it can set up the appropriate permissions to ensure users have the right level of access to their needed resources while still maintaining security standards.