
Fine-grained access control

What is Fine-Grained Access Control?

Fine-grained access control is the practice of limiting which principals can access which specific data, and what they may do with it. It uses finer and more adaptable authorization criteria than generic data access control, also known as coarse-grained access control. Fine-grained access control is most commonly employed in cloud computing, where a large number of resources are kept in the same place and each item has its own set of access policies. Those policies can depend on a variety of attributes, such as the role of the person or process requesting access and the intended use of the resource: one person or process may be permitted to edit and alter an item, while another is only permitted to view it.

Why is Fine-Grained Access Control Important?

The capacity to store vast volumes of data together is a significant competitive advantage of cloud computing. However, that data may vary in nature, source, and required security level, and data security compliance rules and regulations pertaining to customer data or financial information apply to some of it but not to the rest.

Coarse-grained access control can work when data types are stored separately and access can simply be assigned by storage location (e.g., Process A can access folder X, Process B can access folder Y), as in many on-premises setups. Fine-grained access control is critical when data is stored together in the cloud, because it allows data with different access needs to 'live' in the same storage area without causing security or compliance difficulties.

How does AccuKnox provide fine-grained access control?

AccuKnox provides fine-grained access control for workloads at runtime, allowing SecOps to control which resources, files, network endpoints, and processes a workload can use. With AccuKnox, SecOps can create runtime policies that enforce an "always verify, never trust" zero-trust model. AccuKnox allows SecOps to restrict the following types of behavior in cloud workloads:

  • File access - File access by a process can be allowed or denied for specific paths or directories.

  • Process execution - Execution or forking of a process can be allowed or denied for specific binaries, or for every binary under a directory.

  • Network connection - Any network-based communication from a workload can be allowed or denied. TCP, UDP, and even ICMP traffic can each be permitted or blocked.

  • Capabilities - A container receives a set of Linux capabilities from the host kernel, and those capabilities can enable additional kinds of malicious behavior (for example, CAP_NET_RAW lets a process craft raw packets and sniff traffic). With AccuKnox, the capabilities a workload is allowed to use can be allowed or denied.
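The following policy is an added example written for this page, not a policy shipped by AccuKnox. It assumes that AccuKnox runtime policies are expressed in the KubeArmorPolicy format of the open-source KubeArmor project (the page itself does not name the format), and that the target pods carry the hypothetical label `app: web`. It exercises all four behavior types listed above in a single policy: it blocks reads of `/etc/shadow`, allows only read-only access to mounted secrets, forbids interactive shells, drops ICMP and raw-socket traffic, and denies the `net_raw` and `sys_admin` capabilities.

```yaml
# Added example (editor's, not AccuKnox's). Assumes the KubeArmorPolicy CRD
# and a workload labelled app: web in the default namespace (hypothetical).
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: web-runtime-hardening          # hypothetical policy name
  namespace: default
spec:
  severity: 7
  tags: ["runtime", "zero-trust"]
  message: "Disallowed runtime behaviour in web workload"
  # The policy applies only to pods matching this selector.
  selector:
    matchLabels:
      app: web
  # File access: block the shadow file entirely; for mounted secrets,
  # readOnly: true combined with action Block means reads are allowed
  # and only writes are denied.
  file:
    matchPaths:
    - path: /etc/shadow
    matchDirectories:
    - dir: /run/secrets/
      recursive: true
      readOnly: true
  # Process execution: no interactive shells in a web workload.
  process:
    matchPaths:
    - path: /bin/sh
    - path: /bin/bash
    - path: /bin/dash
  # Network: deny ICMP and raw sockets; TCP/UDP stay allowed because
  # they are not listed here.
  network:
    matchProtocols:
    - protocol: icmp
    - protocol: raw
  # Capabilities: deny the ones most useful to an attacker who has
  # landed inside the container.
  capabilities:
    matchCapabilities:
    - capability: net_raw
    - capability: sys_admin
  # Block enforces the rules; Audit would only log matching events.
  action: Block
```

Apply it with `kubectl apply -f` against a cluster where the enforcement agent is running. A practical caveat: roll the policy out first with `action: Audit` so the agent reports what would have been blocked, review those events, and only then switch to `Block`; otherwise a legitimate startup script that happens to run `/bin/sh` will be killed on the first deploy.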
