Article

Types of access control systems

Access Management
Time to read: 6 minutes

When we refer to access control systems, we’re talking about providing access to restricted areas of the enterprise. But familiarity and correctly utilising access control systems to protect proprietary information are two completely different levels of understanding. For example, who gets access to what? What are the rules? How is access tracked?

The user must first be identified and authenticated before being granted access to private information—which means the basics of an access control system include criteria and records for every time someone “enters” the system.

Depending on the type of organisation, the enterprise should consider a couple of broad ideas—what level of ownership it will have over the system, and how to decide which employees get access to what. There are many models, each with different benefits.

The most common types of access control systems

Mandatory access control (MAC)

The mandatory access control system provides the most restrictive protections, where the power to permit access falls entirely on system administrators. That means users cannot change permissions that deny or allow them entry into different areas, creating formidable security around sensitive information.

It even restricts the resource owner’s ability to grant access to anything listed in the system. Once an employee enters the system, they're tagged with a unique connection of variable “tags”—like a digital security profile—that speaks to what level of access they have. So depending on what tags a user has, they will have limited access to resources based on the sensitivity of the information contained in it. This system is so shrewd, in fact, that it’s commonly used by government entities because of its commitment to confidentiality.

Discretionary access control (DAC)

A discretionary access control system, on the other hand, puts a little more control back into leadership's hands. They determine who can access which resources, even if the system administrator created a hierarchy of files with certain permissions. All it takes is the right credentials to gain access.

The only disadvantage, of course, is giving the end-user control of security levels requires oversight. And since the system requires a more active role in managing permissions, it’s easy to let actions fall through the cracks. Where the MAC approach is rigid and low-effort, a DAC system is flexible and high-effort.

Role-based access control (RBAC)

Role-based access control attributes permissions to a user based on their business responsibilities. As the most common access control system, it determines access based on the user's role in the company—ensuring lower-level employees aren’t gaining access to high-level information.

Access rights in this method are designed around a collection of variables that map back to the business—such as resources, needs, environment, job, location, and more. Many executives like this approach because it’s simple to group employees based on the kind of resources to which they need access. For example, someone in human resources does not need access to private marketing materials, and marketing employees don’t need access to employee salaries. RBAC provides a flexible model that increases visibility while maintaining protection against breaches and data leaks.

More detailed, hands-on access control

While there are some established practices in access control, technology has given us the opportunity for more customised approaches. Depending on how “hands-on” the enterprise wants to be, there are many ways to think about it.

Rule-based access control

As you might have guessed, this system grants permissions based on structured rules and policies. Largely context-based, when a user attempts to access a resource, the operating system checks the rules decided on in the “access control list” for that specific resource. Creating the rules, policies, and context adds some effort to the rollout. Additionally, this system will often be blended with the role-based approach we discussed earlier.

Attribute-based access control

Drilling down a level deeper, this type of system provides different dynamic and risk-intelligent control based on attributes given to a specific user. Think of these attributes as components of a user profile; together they define the user's access. Once policies are set, they can use these attributes to read whether or not a user should have control. These attributes can also be obtained and imported from a separate database—like Salesforce, for example.

"Smarter,” more intuitive control systems

Some control systems transcend technology all together. These are the systems that operate on a deeper, more intuitive level.

Identity-based access control

The most simple, yet the most complex—identity-based control dictates whether a user is permitted access to a resource based on their individual visual or biometric identity. The user will then be denied or permitted access based on whether or not their identity can be matched with a name appearing on the access control list. One of the main benefits of this approach is providing more granular access to individuals in the system, as opposed to grouping employees manually. This is a very detailed, technology-driven approach that gives an abundance of control to the business owner.

History-based access control

Another “smart” solution is a history-based access control system. Based on past security actions, the system determines whether or not the user gains access to the resource they’re requesting. The system will then scrape that user’s history of activities—time between requests, content requested, which doors have been recently opened, etc. For example, if a user has a long history of working exclusively with secured accounting materials, a request to access next year’s marketing roadmap might be flagged in the system.

The future: AI-driven Identity Management

As access control moves into the future, the responsibility of managing the systems will continue to shift away from people and towards technology. Artificial Intelligence (AI) not only allows us to evaluate access permissions for users in real-time, but it’s also able to forecast the entire lifecycle of an employee. These solutions not only protect us from the “now,” they’re able to identify risks and compliance issues before they become serious. The enterprise no longer has to tightly monitor the complicated web of policies and access control lists, because AI simplifies visibility at a high level.

Wrapping Up

While access control has evolved from protecting physical documents in real buildings to cloud-based systems, the idea of protecting the enterprise's resources is never going out of style. The smarter we get with technology, the more options we’re going to have. Understanding the variables that matter—things like organisation size, resource needs, employee locations—will help inform your decision.

Want to learn more about how we use technology and AI to recommend the right access model for you? Read more here.

KuppingerCole Leadership Compass for Access Governance - Report

KuppingerCole Leadership Compass for Access Governance - Report

See why SailPoint’s IAG capabilities received a “Strong Positive” rating, indicating our ability to provide a comprehensive and well-rounded IAG solution.

Download the report
KuppingerCole Executive View on SailPoint Atlas

KuppingerCole Executive View on SailPoint Atlas

Read an overview of SailPoint Atlas, identity security that combines modern technologies such as AI and machine learning, in this KuppingerCole report.

Download the white paper
SailPoint corporate brochure

State of identity, Report from the frontline

Practical and actionable advice for identity specialists and busy business executives wanting to understand more about the issue and the opportunities.

Download the white paper