What is access control?
Access control is a security technique that regulates who or what can view or use resources in a computing environment. It is a fundamental concept in security that minimizes risk to the business or organization.
There are two main types of access control: physical and logical. Physical access control limits access to buildings, campuses, rooms and physical IT assets. Logical access control limits connections to computer networks, system files and data.
To secure a facility, organizations use electronic access control systems that rely on keys, access card readers, personal identification number (PIN) pads, auditing and reports to track employee access to restricted business locations and proprietary areas, such as data centers. Some of these systems incorporate access control panels to restrict entry to rooms and buildings, as well as alarms and lockdown capabilities to prevent unauthorized access or operations.
Logical access control systems perform authentication and authorization of users and entities. They evaluate required login credentials that can include passwords, PINs, biometric scans, security tokens or other authentication factors. Multifactor authentication (MFA), which requires two or more authentication factors, is often an important part of a layered access control system.
Access control is part of identity and access management (IAM). It is required in most security frameworks, including NIST Cybersecurity Framework and PCI DSS.
Why is access control important?
The goal of access control is to minimize the security risk of unauthorized access to physical and logical systems. Access control is a fundamental component of security compliance programs that protect confidential information, such as customer data. Most organizations have infrastructure and procedures that limit access to networks, computer systems, applications, files and sensitive data, such as personally identifiable information (PII) and intellectual property. It is important to protect against both unauthorized exfiltration and modification of sensitive data.
Access control systems are complex and can be challenging to manage in dynamic IT environments that involve on-premises systems and cloud services. After high-profile breaches, technology vendors have shifted away from single sign-on systems to unified access management, which offers access controls for on-premises and cloud environments.
How access control works
Access controls identify an individual or entity, verify the person or application is who or what it claims to be, and authorize the access level and set of actions associated with the identity. Directory services and protocols, including Lightweight Directory Access Protocol and Security Assertion Markup Language, provide access controls to authenticate and authorize users and entities and let them connect to computer resources, such as distributed applications and web servers.
Organizations use different access control models depending on their compliance requirements and the security levels of IT they are trying to protect.
Types of access control
The main models of access control are the following:
- Mandatory access control. The MAC security model regulates access rights through a central authority based on multiple levels of security. It is often used in government and military environments. Classifications are assigned to system resources and the operating system or security kernel. MAC grants or denies access to resource objects based on the information security clearance of the user or device. For example, Security-Enhanced Linux is an implementation of MAC on a Linux filesystem.
- Discretionary access control. DAC is an access control method in which owners or administrators of the protected object set the policies defining who or what is authorized to access the resource. Many of these systems let administrators limit the propagation of access rights. A common criticism of DAC systems is a lack of centralized control.
- Role-based access control. RBAC is a widely used access control system that restricts access to computer resources based on individuals or groups with defined business functions -- executive level and engineer level 1, for example -- rather than the identities of individual users. The role-based security model relies on a complex structure of role assignments, role authorizations and role permissions developed using role engineering to regulate employee access to systems. RBAC systems can be used to enforce MAC and DAC frameworks.
- Rule-based access control. This is a security model in which the system administrator defines the rules governing access to resource objects. These rules are often based on conditions, such as time of day or location. It is not uncommon to use some form of both rule-based access control and RBAC to enforce access policies and procedures.
- Attribute-based access control. This is a methodology that manages access rights by evaluating a set of rules, policies and relationships using the attributes of users, systems and environmental conditions.
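The following added example (not from the original article) shows RBAC and rule-based access control enforced together, as the list above describes: a role supplies the permission, and time-of-day and location rules can only narrow it. The role names, resources, rule values and the decide function are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Constructed policy data: roles map to (resource, action) permissions.
ROLE_PERMISSIONS = {
    "engineer_l1": {("repo", "read"), ("repo", "write")},
    "executive": {("finance_report", "read")},
}
# Constructed rule-based conditions attached to individual permissions.
RULES = {
    ("repo", "write"): {"hours": (time(8, 0), time(18, 0)),
                        "locations": {"office", "vpn"}},
}

@dataclass(frozen=True)
class Request:
    roles: frozenset   # roles assigned to the authenticated user
    resource: str
    action: str
    at: time           # local time of the request
    location: str

def decide(req):
    """Return (allowed, reason); anything not explicitly granted is denied."""
    perm = (req.resource, req.action)
    # RBAC step: the permission must come from a role, never from the user name.
    if not any(perm in ROLE_PERMISSIONS.get(r, set()) for r in req.roles):
        return False, "no role grants this permission"
    rule = RULES.get(perm)
    if rule is None:
        return True, "granted by role"
    # Rule-based step: conditions can only narrow what the role allows.
    start, end = rule["hours"]
    if not (start <= req.at < end):
        return False, "outside permitted hours"
    if req.location not in rule["locations"]:
        return False, "location not permitted"
    return True, "granted by role and rule"

if __name__ == "__main__":
    eng = frozenset({"engineer_l1"})
    for r in (Request(eng, "repo", "write", time(9, 30), "office"),
              Request(eng, "repo", "write", time(22, 0), "office"),
              Request(eng, "finance_report", "read", time(9, 30), "office")):
        print(r.resource, r.action, r.at, decide(r))
```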
Implementing access control
Access control is integrated into an organization's IT environment. It can involve identity management and access management systems. These systems provide access control software, a user database and management tools for access control policies, auditing and enforcement.
When a user is added to an access management system, system administrators often use an automated provisioning system to set up permissions based on access control frameworks, job responsibilities and workflows.
The principle of least privilege is the best practice when assigning rights in an access control system. The entity is only given access to the resources it requires to perform its immediate job functions.
Challenges of access control
Many of the challenges of access control stem from the highly distributed nature of modern IT. It is difficult to keep track of constantly evolving assets because they are spread out both physically and logically. Specific examples of challenges include the following:
- Dynamically managing distributed IT environments.
- Password fatigue.
- Compliance visibility through consistent reporting.
- Centralizing user directories and avoiding application-specific silos.
- Data governance and visibility through consistent reporting.
Many traditional access control strategies -- which worked well in static environments where a company's computing assets were held on premises -- are ineffective in today's dispersed IT environments. Modern IT environments consist of multiple cloud-based and hybrid implementations, which spread assets over physical locations and a variety of unique devices and require dynamic access control strategies. Users might be on premises, remote or even external to the organization, such as an outside partner.
One area of confusion is that organizations might struggle to understand the difference between authentication and authorization. Authentication is the process of verifying that individuals are who they say they are by using things like passphrases, biometric identification and MFA. The distributed nature of assets gives organizations many ways to authenticate an individual.
Authorization is the act of giving individuals the correct data access based on their authenticated identity. An access control list (ACL) is used to assign the correct authorization to each identity.
One example of where authorization often falls short is if an individual leaves a job but still has access to company assets. This creates security holes because the asset the individual used for work -- a smartphone with company software on it, for example -- is still connected to the company's internal infrastructure but is no longer monitored because the individual has left the company. Left unchecked, this can cause major security problems for an organization. If an ex-employee's device were to be hacked, for example, an attacker could gain access to sensitive company data, change passwords or sell an employee's credentials or company data.
One solution to this problem is strict monitoring and reporting on who has access to protected resources. If a change occurs, the company can be notified immediately and permissions updated to reflect the change. Automation of permission removal is another important safeguard.
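As an added example (not part of the original article), the monitoring described above can be a scheduled reconciliation of the HR roster against the access grants exported from each system, with the findings fed to automated revocation. The roster, grant records and field names below are constructed sample data.

```python
from datetime import date

# Constructed HR roster keyed by normalized user name.
HR = {
    "alice": {"status": "active", "end": None},
    "bob": {"status": "terminated", "end": date(2024, 3, 1)},
    "carol": {"status": "active", "end": date(2024, 6, 30)},  # contract expired
}
# Constructed grants as exported from VPN, device management and a CRM.
GRANTS = [
    {"principal": "alice", "resource": "vpn"},
    {"principal": "Bob ", "resource": "vpn"},          # same person, messy casing
    {"principal": "bob", "resource": "mdm:phone-1"},   # work phone still enrolled
    {"principal": "carol", "resource": "crm"},
    {"principal": "dave", "resource": "crm"},          # account with no HR record
]

def stale_grants(hr, grants, today):
    """Return sorted (user, resource, reason) for grants that should be revoked."""
    findings = []
    for grant in grants:
        # Normalize so "Bob " and "bob" are reconciled as one identity.
        user = grant["principal"].strip().lower()
        record = hr.get(user)
        if record is None:
            reason = "no HR record"
        elif record["status"] != "active":
            reason = "terminated in HR"
        elif record["end"] is not None and record["end"] < today:
            reason = "end date passed"
        else:
            continue  # active employee, grant stays
        findings.append((user, grant["resource"], reason))
    return sorted(findings)

if __name__ == "__main__":
    for user, resource, reason in stale_grants(HR, GRANTS, date(2024, 7, 15)):
        print(f"REVOKE {resource} from {user}: {reason}")
```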
Zero trust is a modern approach to access control. In a zero-trust architecture, each resource must authenticate all access requests. No access is granted solely on a device's location in relation to a trust perimeter.
Cloud services also present unique access control challenges, as they often exist outside a trust boundary and might be used in a public-facing web application. If they are not properly secured, they might accidentally allow public read access to secret information. For example, improper Amazon S3 bucket configuration can quickly lead to organizational data being hacked.
Another often overlooked challenge of access control is user experience. If an access management technology is difficult to use, employees might use it incorrectly or circumvent it entirely, creating security holes and compliance gaps. If a reporting or monitoring application is difficult to use, the reporting might be compromised due to an employee mistake, resulting in a security gap because an important permissions change or security vulnerability went unreported.
Access control software
Many types of access control software and technology exist, and multiple components are often used together as part of a larger IAM strategy. Software tools might be deployed on premises, in the cloud or both. They might focus primarily on a company's internal access management or outwardly on access management for customers. Types of access management software tools include the following:
- Reporting and monitoring applications.
- Password management tools.
- Provisioning tools.
- Identity repositories.
- Security policy enforcement tools.
Microsoft Active Directory is one example of software that includes most of the tools listed above in a single offering. Other IAM vendors with popular products include IBM, Idaptive and Okta.
Authentication and identity management differ, but both are intrinsic to an IAM framework.