Access Control Methodologies

Access control systems work by using two basic methods of operation: centralized and decentralized access control. Most organizations actually end up using both methods in different situations, as both offer specific benefits to the overall access control system. This section examines each method and how it works.

Centralized

A centralized access control system is based on the concept of all access control queries being directed to a central point of authentication. The central authentication system performs the authentication and forwards the authorization data back to the requesting system. This type of system allows for a single point of administration for the entire access control system. This decreases the administrative effort, but also raises costs as each computer system using the centralized access control system must be able to communicate with the central administration point at all times.

Implementing a centralized access control system is more difficult than implementing a decentralized system, but the benefits are typically worth the extra effort. Some examples of a centralized access control system are Kerberos, RADIUS, and TACACS, which were discussed earlier in this chapter. Using a centralized access control system is usually a requirement for handling the access control needs of large enterprise systems due to the decreased administrative effort required for ongoing maintenance tasks. Making a change within the centralized system allows for that change to be reflected on all computer systems using the access control system almost immediately.

Decentralized

It is not always possible or desirable to have a single reference point for all access control requests. When an access control system is configured so that multiple authentication systems are each responsible for the access control requests of a small group of computer systems, it is considered a decentralized access control system. In other words, access control is not concentrated in a single computer system or group of systems. Examples include a Windows workgroup, where every member of the workgroup handles its own access control, and a database system that handles its own authentication. These systems do not rely on any other system to perform access control for them.

When working with decentralized access control systems, the individual computer systems performing access control will typically keep a local database of accounts, passwords, and permissions. All access control decisions are made based on this data. This offers the advantage of providing for access control system functionality in cases where connectivity to a centralized access control system may be impossible or intermittent.

It takes a great deal more administrative effort to work with and maintain a decentralized access control system than a centralized one. If users need to authenticate against multiple computer systems in a decentralized access control system, each user must have an account on each of those computer systems. This can easily become an administrative nightmare when performing password resets or troubleshooting access control problems.
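The two methodologies above, modelled as an added example that is not from the study guide: a central authority that every host queries, versus hosts that each keep their own local account store. `reset_password` makes the administrative cost visible (one database touched versus one per host) and the `online` flag models the connectivity dependency the text describes; all class and function names here are constructed for the illustration.

```python
import hashlib, hmac, secrets

def _digest(password, salt):
    # Salted PBKDF2; a low iteration count keeps this toy model quick.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

class AccountStore:
    """One account database: the central server's, or one host's local copy."""
    def __init__(self):
        self._creds = {}                       # user -> (salt, digest)
    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, _digest(password, salt))
    def verify(self, user, password):
        rec = self._creds.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, _digest(password, salt))

class CentralAuthority:
    """Single point of authentication (the role Kerberos or RADIUS plays)."""
    def __init__(self):
        self.store = AccountStore()
        self.online = True                     # False simulates a lost link
    def authenticate(self, user, password):
        if not self.online:
            raise ConnectionError("central authentication point unreachable")
        return self.store.verify(user, password)

class Host:
    def __init__(self, authority=None):
        # Defers to the central authority if given one, else decides locally.
        self.authority, self.local = authority, AccountStore()
    def login(self, user, password):
        # True/False is a decision; None means no decision could be reached.
        if self.authority is None:
            return self.local.verify(user, password)
        try:
            return self.authority.authenticate(user, password)
        except ConnectionError:
            return None

def reset_password(hosts, user, new_password):
    """Reset a user's password everywhere; return how many databases were touched."""
    touched = set()
    for h in hosts:
        store = h.authority.store if h.authority is not None else h.local
        if id(store) not in touched:
            store.set_password(user, new_password)
            touched.add(id(store))
    return len(touched)
```

With three hosts, the centralized reset touches one database and the decentralized reset touches three; once the authority goes offline, the centralized hosts can no longer reach any decision while the decentralized hosts keep working.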

Test Day Tip 

To keep these methodologies straight, just remember that a centralized access control methodology uses a single point of reference and a decentralized methodology uses a distributed group of access control resources.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
