
Evaluating access control systems: From DAC to PBAC

In today’s rapidly evolving cyber-physical landscape, securing access to sensitive information and resources is vital to the health of just about any organization, and effective access control mechanisms are a crucial part of that. Discretionary Access Control (DAC) is an access control model in which permissions are defined and enforced at the discretion of individual users. But what is it, and how does it differ from Policy-Based Access Control (PBAC)? Don’t worry, you’ll know more in minutes.

Understanding Discretionary Access Control (DAC)

In the context of physical security, DAC plays a vital role in safeguarding cyber-physical systems. By implementing DAC, organizations can regulate access to critical infrastructure, ensuring that only authorized personnel can interact with these systems. For instance, in an industrial facility, DAC can be applied to control access to sensitive machinery or operational control systems, preventing unauthorized individuals from tampering with or disrupting crucial processes.

The principle of least privilege is a fundamental concept in DAC that promotes the idea of granting users only the minimum level of access necessary to perform their tasks. By adhering to this principle, organizations can minimize the potential damage caused by accidental or intentional misuse of privileges. In a cyber-physical environment, this ensures that individuals can access only the specific components they need for their job, reducing the attack surface and preventing unauthorized alterations.

Enhancing access control with Policy-Based Access Control (PBAC)

While DAC provides a flexible framework for access control, it may not always suffice for complex security requirements. This is where PBAC comes into play. PBAC is an access control model that uses policies to define access rights based on various attributes and conditions. By leveraging PBAC, organizations can implement more sophisticated access control mechanisms that align with their specific security needs.

In a PBAC system, security policies define the conditions under which access is granted or denied. These policies take into account attributes such as user roles, time of access, location and the sensitivity of the resource being accessed. PBAC can complement DAC by enabling organizations to enforce granular access control policies that align with their specific security requirements.

In a cyber-physical environment, PBAC helps establish comprehensive security policies by considering not only the users and their permissions but also the contextual factors that may impact access decisions. For example, in a high-security facility, a PBAC policy might dictate that access to certain areas is restricted to specific individuals during certain times, even if they possess the necessary DAC permissions. PBAC adds an extra layer of security and ensures that access control decisions align with the organization’s overall security objectives.

PBAC also facilitates dynamic access control, allowing organizations to adapt access permissions in real-time based on changing conditions or evolving threats. This capability is particularly crucial in cyber-physical systems, where the physical environment and associated risks can fluctuate rapidly. By combining DAC with PBAC, organizations can establish a robust and adaptive access control system that addresses the complex security challenges presented by cyber-physical environments.
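The layered decision described above, as an added example (not Alert Enterprise code): a DAC ACL check followed by a PBAC policy evaluated at request time on role, location, time of day and a live threat condition. All user, door and site names, the sensitivity tiers and the `threat` field are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Constructed sample data; every user, door and site name is hypothetical.
# DAC layer: each resource owner keeps an ACL of the users they chose to admit.
ACLS = {"control-room": {"alice", "bob"}, "lobby": {"alice", "bob", "carol"}}
SENSITIVITY = {"control-room": "high", "lobby": "low"}

@dataclass(frozen=True)
class Policy:
    """PBAC rule for one sensitivity tier: who, when and where."""
    roles: frozenset
    start: time   # same-day window only; no wrap past midnight
    end: time
    sites: frozenset

POLICIES = {
    "high": Policy(frozenset({"operator"}), time(6), time(18),
                   frozenset({"plant-a"})),
    "low": Policy(frozenset({"operator", "visitor"}), time(0), time(23, 59),
                  frozenset({"plant-a", "hq"})),
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    site: str
    at: time
    threat: str = "normal"  # live condition supplied by the caller per request

def decide(req):
    """Return (allowed, reason). Both layers must agree; unknowns are denied."""
    if req.user not in ACLS.get(req.resource, set()):
        return False, "dac: user not on the resource ACL"
    tier = SENSITIVITY.get(req.resource)
    policy = POLICIES.get(tier)
    if policy is None:
        return False, "pbac: no policy for resource"
    if req.role not in policy.roles:
        return False, "pbac: role not permitted"
    if req.site not in policy.sites:
        return False, "pbac: location not permitted"
    if not policy.start <= req.at <= policy.end:
        return False, "pbac: outside permitted hours"
    if tier == "high" and req.threat != "normal":
        return False, "pbac: high-sensitivity access suspended"
    return True, "allow"
```

Because `decide` reads the context on every call, a change in the caller-supplied `threat` value changes the outcome without anyone editing an ACL.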

Putting it all together

Implementing robust access control mechanisms is a must for maintaining the security of cyber-physical systems. Discretionary Access Control (DAC) gives individuals control over their own resources, allowing them to determine access permissions through Access Control Lists (ACLs). In physical security, DAC plays a critical role in granting authorized personnel access to sensitive infrastructure while preventing unauthorized access. Integrating Policy-Based Access Control (PBAC) further strengthens access control by enabling organizations to define security policies based on contextual factors. By leveraging DAC and PBAC together, organizations can establish a comprehensive access control system that balances individual discretion, centralized administration and dynamic security policies, protecting cyber-physical systems and minimizing vulnerabilities.

Contact Alert Enterprise and we’ll show you how to control access according to individual schedules and specifications with the first-ever Policy-Based Access Control cloud service.
