Introduced as part of Windows Server 2012, Dynamic Access Control (DAC) enables administrators to regulate network access based on a number of dynamic variables. For instance, dynamic access control can grant a user access to network resources while on a private internet connection, but restrict their access if they’re on a public wi-fi network. This makes dynamic access control well-suited to meeting the demands of modern access management. Financial service providers can use dynamic access control to enhance their data governance in a way that doesn’t interfere with the user experience.
What is Dynamic Access Control? Ties to Authorization
What is Dynamic Access Control?
Let’s take a closer look at dynamic access control and what makes it different from more traditional methods of access control.
Dynamic access control, also known as dynamic access management, enables network administrators to exert more granular control over user privileges. Typically, access control only looks at who is and is not allowed to use network resources. This is determined by a set of static user credentials, such as a password or biometrics. But these credentials can be intercepted, stolen, or spoofed by malicious actors. Once that happens, they gain the same network access as the authorized user and are free to wreak havoc until caught.
Dynamic access control provides an extra layer of security by enabling flexible data governance. A user’s credentials no longer function as a skeleton key to the entire network and its resources. The degree of access becomes conditional, based on a set of variables that the administrator defines and controls in real-time. These variables can include user location, time of access, and even the user’s device type. Not only does this dynamic authorization increase security, but it also makes compliance much easier. Network administrators can adjust data governance parameters to meet the demands of local regulations, instead of applying a blanket policy.
Dynamic Access Control's Role in Financial Services
Dynamic access control is particularly applicable to companies in the financial services industry. Apart from making it easier to protect the sensitive financial data that is passed around on their network, financial services can use dynamic access control to meet various data protection regulations and requirements. This is particularly important for multinational finance institutions that are subject to differing regulations from various governments.
Use Cases in Financial Services
Administrators working in the financial service sector can use dynamic access control to more fully prevent and respond to malicious activity. Many hackers take advantage of public or compromised network devices to facilitate account takeover (ATO) fraud. However, dynamic access control can restrict the privileges of users while they are working in unsecured locations. That means that, even if an authorized security token were to be intercepted from a user on a public network, it would not grant the malicious actor full access to sensitive data. Furthermore, administrators who are alerted to fraud attempts from a specific account can adjust that account’s authorization in real-time.
Benefits for Financial Institutions
Dynamic access control enhances the ability of banks and other financial institutions to achieve precision access management. It takes the context of user actions and data attributes into consideration, offering much more granular access control. This has the knock-on effect of increasing customer trust for institutions who implement dynamic access control.
Challenges and Considerations
Dynamic access control, while useful, is not without potential drawbacks. Administrators must carefully consider how security requirements can negatively affect their ability to meet employee and customer needs. Access control that adds considerable friction to the customer experience, for example, can negatively impact overall customer satisfaction and trust.
Integrating dynamic access control with a financial institution’s existing systems and processes can also present a challenge, especially if those systems and processes are already behind current best practices. Dynamic access control was rolled out with the 2012 Windows Server update and may not be available if using older operating systems.
Benefits of Dynamic Access Control
As we’ve seen, the key advantages of dynamic access control include:
Meeting complex access control requirements and regulations
Enforcing access control based on real-time context
Improving risk management by addressing insider threats
Now let’s take a look at dynamic access control in action. Multiple case studies have been done on the successful implementation of dynamic access control by financial services and institutions.
Fraud Detection and Response
A financial institution was faced with a common problem: detecting and responding to anomalous user behaviors that could indicate fraud attempts. Dynamic access control enabled them to do this in real-time by implementing control policies that would restrict access once these anomalous behaviors were detected. This context-awareness allowed the institution to reduce financial losses by stopping fraud before it happens.
Regulation Compliance
A European bank was struggling to meet regulations that required them to prevent a “conflict of interest” for employees who could potentially service friends and family members. Using dynamic access control, the bank was able to implement access policies based on relationships that flagged the “conflict of interest” concern. Not only did this allow the bank to prevent customer data from being shared with employees who knew the customers personally, it also provided evidence of compliance that the bank could use during audits.
International Payment Transactions
This online transaction service was able to reduce operational costs by implementing dynamic access control in their payment applications. Payments could be quickly authorized and completed once they met the company’s set of predetermined authorization conditions. Centralization also made it easier for them to prepare for compliance audits.
How Does Dynamic Access Control Work?
Dynamic access control implements a three-pronged approach to data governance: claims, classification, and policy. These components come together to provide contextual access control that can be adjusted and updated in real-time.
Claims
Claims are Active Directory attributes that define levels of user access. They can be further broken down into user claims, device claims, and resource attributes. User claims are directly associated with a specific user and can be any piece of unique information, such as an employee’s department, user behavior, or general security clearance. Device claims are tied to the device being used for access, and can indicate device health, location, time of access, and network utilization. Finally, resource attributes are tied directly to network resources and can be used globally for authorization decisions.
Classification
Dynamic access control allows network administrators to classify data with custom taxonomy tags. These tags enable computers to draw connections between data that otherwise wouldn’t be apparent and are crucial for dynamic access control’s context awareness.
Central Access Policy
This is where claims and classification come together. Administrators can define authorization policies based on dynamic combinations of user/device claims, resource attributes, and classification tags. For instance, access to data tagged as personally identifiable information can be restricted to HR employees (user claim) working in-office (device claim). This policy can then be implemented company-wide so long as the claims and classifications exist on all servers.
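The following added example (not code from this article or from Windows Server) models how the three pieces combine, using the PII, HR, and in-office case above. The claim names, values, and the `evaluate` function are assumptions made for illustration; the model requires every rule that targets a resource to permit the request and treats a missing claim as a denial.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Claims = Dict[str, str]

@dataclass(frozen=True)
class Request:
    user: Claims      # user claims, e.g. department
    device: Claims    # device claims, e.g. location
    resource: Claims  # resource attributes and classification tags

@dataclass(frozen=True)
class AccessRule:
    name: str
    applies_to: Callable[[Claims], bool]  # which resources the rule targets
    permits: Callable[[Request], bool]    # condition on user and device claims

# Constructed rule mirroring the example above: PII only for HR staff in-office.
PII_RULE = AccessRule(
    name="pii-hr-in-office",
    applies_to=lambda res: res.get("classification") == "PII",
    permits=lambda r: (r.user.get("department") == "HR"
                       and r.device.get("location") == "office"),
)

def evaluate(policy: List[AccessRule], req: Request) -> Tuple[str, str]:
    """Return (decision, reason); every rule targeting the resource must permit."""
    applicable = [rule for rule in policy if rule.applies_to(req.resource)]
    if not applicable:
        # No classification match: defer to the resource's ordinary permissions.
        return ("not_applicable", "no rule targets this resource")
    for rule in applicable:
        # .get() yields None for an absent claim, so missing claims fail closed.
        if not rule.permits(req):
            return ("deny", f"blocked by {rule.name}")
    return ("permit", "all applicable rules permit")

def demo() -> Dict[str, str]:
    """Run constructed requests against the policy and return the decisions."""
    pii = {"classification": "PII"}
    hr = {"department": "HR"}
    cases = {
        "hr_in_office": Request(hr, {"location": "office"}, pii),
        "hr_public_wifi": Request(hr, {"location": "public"}, pii),
        "hr_no_device_claims": Request(hr, {}, pii),
        "finance_in_office": Request({"department": "Finance"}, {"location": "office"}, pii),
        "hr_public_doc": Request(hr, {"location": "public"}, {"classification": "Public"}),
    }
    return {name: evaluate([PII_RULE], req)[0] for name, req in cases.items()}

if __name__ == "__main__":
    print(demo())
```

The `hr_public_wifi` and `hr_no_device_claims` cases show the same user claims producing a denial once the device context changes or is absent, which is the property the policy relies on when credentials are reused from an untrusted network.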
Identity and Access Management (IAM) Integration
Dynamic access control can be used to supplement and enhance an organization’s IAM systems. These are centralized hubs used to manage data access across an entire organization. By integrating dynamic access control data, the IAM system can implement dynamic variables and context awareness across all network APIs.
Dynamic Access Control vs. Traditional Access Control
Dynamic access control is not the only approach to access control out there. How does it compare to some traditional methods, such as Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC)?
The main difference is that RBAC and ABAC are static control models. RBAC assigns degrees of access to specific user roles and grants that access to anyone with that role. ABAC expands this approach, basing access on the attributes of a user, the resource they’re trying to access, the action the user wants to take with that resource, and the environment (device, encryption, communication protocol) in which the access is taking place. Unlike dynamic access control, these models cannot respond dynamically to variables such as anomalous user behavior or taxonomy classifications.
How Does DAC Differ from PAM and IAM?
Finally, let’s take a look at dynamic access control and how it compares to two forms of access control: Privileged Access Management (PAM) and Identity and Access Management (IAM).
Privileged Access Management
PAM takes a narrower approach to access management by focusing on types of users. It differentiates standard user accounts from “privileged” ones, such as domain administrators, local administrators, and IT system administrators (also known as “super users”). PAM regulates data access based on the privileges given to each type of account. The main flaw with PAM is the exploitation of privileged accounts. Anyone with access to a nonstandard user account can use it to carry out cyber attacks.
Identity and Access Management
IAM, conversely, has a broader scope. These systems monitor, record, and manage all user identities, from employees to customers. Access management is regulated using a combination of tools, such as multi-factor authentication (MFA), single sign-on (SSO) solutions, and centralized directories of users and devices. The complexity of IAM systems, while effective, can also be a bottleneck for organizations wanting to implement broad access control.
Which One is Best For You?
Knowing which access management system best fits your organization’s needs is key to an effective security policy. Dynamic access control can complement both PAM and IAM systems by providing dynamic policies and enabling administrators to react in real-time to anomalous user behavior and fraud attempts. For instance, a malicious actor with control of a privileged user account might be able to circumvent PAM systems. With dynamic access control, however, the system can react to anomalous behavior and cut off access, even if it’s coming from a privileged user.
Conclusion
Dynamic access control takes a dynamic approach to data access control. The ability to implement multiple flexible policies makes it particularly valuable for financial services, both in terms of preventing fraud and complying with multiple regulations and requirements. Learn more about dynamic access control solutions with Ping Identity to see how we can help you meet the demands of a rapidly evolving digital landscape.