What is an Access Control List?
An access control list (ACL) is designed to do exactly what it says, control access to some resource. ACLs can be applied to various systems within an organization’s environment, including the network, specific computers, or even applications and files stored on these computers.
How Do Access Control Lists Work?
The goal of an ACL is to define who can and can’t access a particular resource. In general, these lists are defined as either an allowlist or a blocklist.
An allowlist specifies the users, applications, etc. that are permitted to access a particular resource. This type of access control list makes sense in an environment where the organization knows who all of the authorized users would be. An exclusive party is a perfect example of where an allowlist could be used. The host of the party knows exactly who they want to allow inside, and the security staff is responsible for permitting those people to enter and turning everyone else away.
The other option for an ACL is a blocklist. This type of ACL specifies what is not allowed in a particular environment. One common example of a blocklist is the list of known malware variants used by an antivirus. Any program that matches the signatures stored in the AV’s library of known malware is automatically removed from the computer.
Allowlist or Blocklist?
In general, the “right” choice of ACL depends on the application and the creator’s knowledge of the environment. For cases where the organization knows who all authorized users are or highly-secure areas where a breach is very damaging, then an allowlist makes sense. For situations where usability is more important than security or the list of authorized users is less clear, a blocklist may be a better choice. In some situations, an organization may even use both.
Common Applications of ACLs
ACLs are ubiquitous in modern computing. Some common use cases for ACLs include:
- File Permissions: Files and directories on computers commonly have ACLs specifying the users or group members that have read, write, and execute permissions.
- Firewall Rules: Firewalls and other network security solutions commonly implement ACLs. These can block traffic based on known-bad IP addresses, types of traffic, geographic locations, and various other factors.
- Database Security: Databases can use ACLs to define which users have access to database tables and their rights regarding them. For example, only certain high-level administrators may have the right to drop (delete) database tables).
- Content Filtering: Content filters may define which websites, types of content, etc. are permitted on the network and which are not.
- Virtual Private Networks (VPNs): A VPN may use an ACL to determine the types of traffic that can pass through the VPN. This is especially true if the VPN is running in split-tunnel mode where only traffic to the corporate network is supposed to pass through the VPN.
These are only some examples of applications of ACLs for network security. Any situation where an organization needs to define who can and can’t do something is a potential use case for an ACL.
Access control lists specify who should be allowed to access a resource and who should not. Generally, they’re implemented either as allowlists (specifying permitted users) or blocklists (specifying those users who should not be allowed access). Both approaches have their pros and cons, and the right choice depends on the situation and an organization’s ability to define these groups.