Should I Be Using Coarse- Or Fine-Grained Access Control?
Every business, from sole traders to the largest organisations, has to deal with data.
Internet users generate about 2.5 quintillion bytes of data every day: customer data, sales data, financial data, website statistics, and dozens of other types of business data likely sit bundled together on your servers. With all this information to manage, how can you make sure that each resource is only being accessed by the people who are supposed to be viewing it?
That’s where Identity and Access Management (IAM) comes in. Organisations can grant different levels of access to each individual within or connected to the company, depending on their role or other features about them. Considering that almost half of all UK-based IT professionals worry that their entire corporate networks are prone to unauthorised access, IAM should be a staple of every IT security toolkit.
When implementing access control in this way, the big question a business needs to ask is: “How stringent should our access management be?” Will considering a single factor, like job role or location, be sufficient for granting access? Or should multiple attributes be considered, including personal, contextual and risk factors, in order to decide whether to grant access and what level of access to grant?
This is a question of implementing coarse-grained access control vs fine-grained access control. Here we’ll walk through the differences between the two, and discuss if one is preferable to the other in every instance - or whether a blend of the two is needed.
Coarse-grained vs fine-grained access control
Both coarse-grained and fine-grained access control are aimed at the same goal: to grant different individuals different levels of access to company resources, based on a set of rules defined by the business.
What’s the difference between them, then? The clue is in the name: fine-grained access control allows for a lot more detail when it comes to setting those access policies than the coarse-grained alternative. Let’s explore them both in more detail:
Coarse-grained access control
When an IAM solution offers coarse-grained access control, it means that user access can be determined by a single property. In theory, this could be any factor, such as:
- Job role
- Geographic location
- IP address
- Risk level
- And more…
In practice, when businesses deploy coarse-grained access control the most common factor used is role.
Each role in a company is defined and assigned specific permissions. These permissions allow individuals to either read, edit or share information from different data sets, or in some cases deal with finances to varying levels.
Each user is assigned one or more roles: the job roles a user has determines what resources they can access and the limit to which they can access that information.
With coarse-grained access control like this, an organisation can set rules such as “a user can view file ‘X’ if they have role ‘Y’ assigned to them” and “a user can edit file ‘X’ if they have role ‘Z’.” For instance, junior members of the finance department can view all the relevant financial information to them across the company network but they are not permitted to edit that information - but senior members are given that edit permission.
Fine-grained access control
In contrast to its coarse-grained equivalent, fine-grained access control gives organisations the ability to manage access based on more than one attribute. Consider all the factors above: instead of granting or denying access based on just one of these, companies can set multiple conditions that a user has to meet in order to gain access.
For instance, with fine-grained control you can set the access policy “a user can access file ‘X’ if they have role ‘Y’, they are currently in country ‘Z’, the time is between 8.30am and 6pm, and the login attempt is deemed ‘low risk’.”
With greater control over who can look at and edit confidential information, and in what circumstances they can do so, the level of security naturally increases. Sign in attempts at unusual times or from suspicious IP addresses can be blocked in a way that can’t be achieved with coarse-grained access control. Fine-grained policies can even be used to determine how much information is visible to users in different contexts: for instance, some data could be restricted if the user is currently logged in via mobile device.
Examples of fine-grained access control are:
Attribute-based access control - which determines access by evaluating attributes such as the user’s job role, the resource’s file type and data sensitivity, the broader environmental context of the access request and what action the user wants to take (‘read’, ‘write’, ‘edit’, ‘copy’ etc.)
Policy-based access control - which uses flexible policies to determine whether or not a user can access data, and the extent to which they can do so.
Coarse- or fine-grained control: which should I use?
When deciding whether to embrace a coarse-grained or fine-grained access control solution, it’s important to consider your business structure and needs first.
Fewer factors lead to quicker start-up
Coarse-grained access control is easier and quicker to set up: great for a small business looking for a quick and easy answer to their IAM needs. Issues arise as businesses expand and more roles (in the case of role-based access control) are added to handle the increasing requirements for granularity, leading to “role explosions”.
What’s more, imagine somebody needs temporary access to a resource that isn’t covered by their assigned roles or that someone from a partner organisation needs to be able to view some of your assets (a common situation particularly in B2B environments). These cases can’t be covered by simply creating new ‘roles’ to suit without weakening your security posture as known and unknown actors gain more and more permissions.
More granularity = more control
On the other hand, fine-grained access control is much better equipped to deal with any situation that might crop up. Administrators can set policies that incorporate several variables, meaning they have a lot more control over company assets and access is more easily managed at scale - even when dealing with third-party users.
The downside is that the initial set-up - defining the variables you want to consider and creating rules that cater to every circumstance - requires significant time investment that not every business can spare. Plus, a degree of expertise and care is required when implementing fine-grained policies. Incorrect implementation can cause more confusion and cost you more time further down the road.
Different granularity for different situations
Both coarse- and fine-grained access control have strengths and weaknesses. In a nutshell, coarse-grained access control benefits:
- Smaller companies
- Workgroups with simple structures
- Cases where the number of roles you need to define is relatively few
Fine-grained access control suits larger, more complex structures. Organisations that might:
- Be geographically diverse, with employees based around the world
- Be time-defined, with resources that should only be accessed within certain hours of the day
- Have access needs that change depending on the files and resources in question
- Be a combination of the above
Combine fine- and coarse-grained access control with Okta
In most cases, however, there is no clear-cut answer to which level of granularity suits your organisation best. Plenty of businesses use a hybrid approach, granting high-level access with coarse-grained policies (e.g. when onboarding new employees, giving them access to all entry- and company-level resources). Or they introduce finer controls down the line (e.g. granting access to specific documents to the specific individuals who need them).
With Okta’s Advanced Server Access, you can manage access dynamically and with varying levels of granularity. Create coarse-grained and fine-grained access policies to build a secure authorisation environment throughout your corporate network.
Discover how Okta can help identify, protect and enable your employees, contractors, and partners by clicking here.