What is access control?
Access control is a fundamental security concept used to regulate who can view or use resources in a computing environment. It ensures that only authorized individuals or systems have access to data or systems, thereby safeguarding sensitive information and maintaining the confidentiality, integrity, and availability of critical resources within an organization.
At its core, access control involves the identification, authentication, and authorization of users, guaranteeing that access permissions align with organizational policies and user roles. In its simplest form, access control can be seen as a combination of passwords and user permissions; however, modern access control systems incorporate advanced technologies such as biometric verification, multi-factor authentication, and dynamic policy-based frameworks. These systems are essential for managing security in diverse environments, ranging from large enterprises to small businesses, and are crucial in adhering to regulatory compliance standards while protecting against data breaches and unauthorized access attempts.
What are access control systems?
Access control is a type of security system that restricts access to spaces or systems to users who have been granted permission and given tools to gain access, such as keys or keycards for physical spaces and login credentials for digital assets. This article will focus on user access controls, which provide access to restricted areas of the enterprise (e.g., systems and applications).
User access controls operate on the principles of identity verification and permissions management to enforce security policies. When an individual or a system requests access to a resource, the user access controls verify the requestor's identity and authenticate it.
With these digital access controls, the user must first be identified and authenticated before being granted access to private information—which means the basics of an access control system include criteria and records for every time someone "enters" the system. Depending on the type of organization, the enterprise should consider a couple of broad ideas—what level of ownership it will have over the system, and how to decide which employees get access to what. There are many models, each with different benefits.
What are the three main types of access control systems?
There are a number of types of access control systems, but the three main ones are:
- Mandatory access control systems (MAC)
- Discretionary access control systems (DAC)
- Role-based access control systems (RBAC)
Mandatory access control (MAC)
The mandatory access control system provides the most restrictive security protections, where the power to permit access falls entirely on system administrators. That means users cannot change permissions that deny or allow them entry into different areas, creating formidable security around sensitive information. It even restricts the resource owner's ability to grant access to anything listed in the system.
Once an employee enters the system, they're tagged with a set of security "tags"—like a digital security profile—that defines their level of access. Depending on which tags a user holds, their access to a resource is limited according to the sensitivity of the information it contains. This model is so strict, in fact, that it's commonly used by government entities because of its commitment to confidentiality.
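An added example, not part of the original article, of how a MAC decision can be computed from administrator-assigned labels: a user may read a resource only if their sensitivity level is at least as high as the resource's and they hold every compartment tag placed on it. The level names, tags and sample labels are constructed for illustration.

```python
from dataclasses import dataclass, field

# Ordered sensitivity levels (constructed); a higher index is more sensitive.
LEVELS = ["public", "internal", "confidential", "secret"]


@dataclass(frozen=True)
class Label:
    """Security label: a sensitivity level plus a set of compartment tags.
    Labels are assigned by the administrator; neither the user nor the
    resource owner can alter them, which is what makes the control mandatory."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)


def dominates(subject: Label, obj: Label) -> bool:
    """True when the subject's level is at least the object's level and the
    subject holds every compartment tag that appears on the object."""
    return (LEVELS.index(subject.level) >= LEVELS.index(obj.level)
            and obj.compartments <= subject.compartments)


def mac_can_read(user_label: Label, resource_label: Label) -> bool:
    """Read access is granted only if the user's label dominates the resource's."""
    return dominates(user_label, resource_label)


# Constructed sample labels for a finance analyst and three resources.
ANALYST = Label("confidential", frozenset({"finance"}))
BUDGET = Label("internal", frozenset({"finance"}))
PAYROLL = Label("confidential", frozenset({"finance", "hr"}))
BOARD_MINUTES = Label("secret", frozenset())

if __name__ == "__main__":
    print(mac_can_read(ANALYST, BUDGET))         # True: level and tags both covered
    print(mac_can_read(ANALYST, PAYROLL))        # False: analyst lacks the "hr" tag
    print(mac_can_read(ANALYST, BOARD_MINUTES))  # False: level too low
```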
Discretionary access control (DAC)
A discretionary access control system, on the other hand, puts a little more control back into security leadership's hands. They determine who can access which resources, even if the system administrator created a hierarchy of files with certain permissions. All it takes is the right credentials to gain access.
The only disadvantage, of course, is giving the end-user control of security levels requires oversight. And since the system requires a more active role in managing permissions, it's easy to let actions fall through the cracks. Where the MAC approach is rigid and low-effort, a DAC system is flexible and high-effort.
Role-based access control (RBAC)
Role-based access control attributes permissions to a user based on their business responsibilities. As the most common access control system, it determines access based on the user's role in the company—helping ensure lower-level employees aren't gaining access to high-level information.
Access rights in this method are designed around a collection of variables that map back to the business—such as resources, needs, environment, job, location, and more. Many executives like this approach because it's simple to group employees based on the kind of resources to which they need access.
For example, someone in human resources does not need access to private marketing materials, and marketing employees don't need access to employee salaries. RBAC provides a flexible model that increases visibility while maintaining protection against security breaches and data leaks.
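An added example (not code from the original article) of the RBAC model just described: permissions hang off roles, users are assigned roles, roles can inherit from other roles, and anything not explicitly granted is denied. The role names, permissions and user assignments are constructed sample data.

```python
# Role -> set of (resource, action) permissions (constructed sample data).
# Anything not listed here is denied by default.
ROLE_PERMISSIONS = {
    "hr": {("employee_salaries", "read"), ("employee_salaries", "write"),
           ("employee_records", "read")},
    "marketing": {("marketing_materials", "read"),
                  ("marketing_materials", "write")},
    "marketing_lead": {("marketing_materials", "share")},
}

# Role inheritance: a marketing lead also holds everything "marketing" holds.
ROLE_PARENTS = {"marketing_lead": {"marketing"}}

# User -> directly assigned roles (constructed sample data).
USER_ROLES = {
    "alice": {"hr"},
    "bob": {"marketing"},
    "carol": {"marketing_lead"},
}


def effective_roles(user):
    """Expand a user's assigned roles through the inheritance graph."""
    roles, stack = set(), list(USER_ROLES.get(user, ()))
    while stack:
        role = stack.pop()
        if role not in roles:
            roles.add(role)
            stack.extend(ROLE_PARENTS.get(role, ()))
    return roles


def rbac_allowed(user, resource, action):
    """Grant only if some effective role carries the permission; deny otherwise."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, ())
               for role in effective_roles(user))


if __name__ == "__main__":
    print(rbac_allowed("alice", "employee_salaries", "read"))    # True
    print(rbac_allowed("bob", "employee_salaries", "read"))      # False
    print(rbac_allowed("alice", "marketing_materials", "read"))  # False
    print(rbac_allowed("carol", "marketing_materials", "read"))  # True (inherited)
```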
What are the four main access control models?
There are four main access control models, which fall into two general groups. The more detailed, hands-on models offer an opportunity for more customized approaches; how far to take this depends on how "hands-on" the enterprise wants to be. The two most common types of access controls are rule-based access controls and attribute-based access controls.
"Smarter," more intuitive access control systems go beyond fixed rules and attributes and make decisions at a deeper level, based on who the user is or how they have behaved. Examples of this type of access control are identity-based access controls and history-based access controls.
Rule-based access control
As you might have guessed, this system grants permissions based on structured rules and policies. Largely context-based, when a user attempts to access a resource, the operating system checks the rules decided on in the "access control list" for that specific resource. Creating the rules, policies, and context adds some effort to the rollout. Additionally, this system will often be blended with the role-based approach we discussed earlier.
Attribute-based access control
Drilling down a level deeper, this type of system provides different dynamic and risk-intelligent control based on attributes given to a specific user. Think of these attributes as components of a user profile; together they define the user's access.
Once policies are set, they use these attributes to determine whether or not a user should be granted access. The attributes can also be obtained and imported from a separate database—Salesforce, for example.
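An added example, not from the original article, of an attribute-based decision: user attributes imported from an external system of record, resource attributes, and the request context are evaluated against a list of policy rules, and a missing attribute fails closed. The attribute names, values and rules are constructed for illustration; the imported record stands in for data pulled from a directory or CRM.

```python
from datetime import datetime, timezone

# User attributes imported from an external system of record (constructed).
IMPORTED_USER_ATTRIBUTES = {
    "dana": {"department": "finance", "clearance": 2, "employment": "active"},
    "eve":  {"department": "finance", "clearance": 2, "employment": "terminated"},
}

# Resource attributes (constructed).
RESOURCE_ATTRIBUTES = {
    "q3_ledger": {"owner_department": "finance", "min_clearance": 2,
                  "allowed_offices": {"Berlin", "Zurich"}},
}

# Policy: (description, predicate over user attrs, resource attrs, context).
# Every rule must hold. Defaults are chosen so a missing attribute fails the rule.
POLICY = [
    ("user must be an active employee",
     lambda u, r, c: u.get("employment") == "active"),
    ("user's department must own the resource",
     lambda u, r, c: u.get("department") is not None
                     and u.get("department") == r.get("owner_department")),
    ("clearance must meet the resource minimum",
     lambda u, r, c: u.get("clearance", 0) >= r.get("min_clearance", float("inf"))),
    ("request must originate from an approved office",
     lambda u, r, c: c.get("office") in r.get("allowed_offices", set())),
    ("access only during business hours, 07:00-18:59 UTC",
     lambda u, r, c: 7 <= c["time"].hour < 19),
]


def make_context(office, hour):
    """Build a constructed request context for a given office and UTC hour."""
    return {"office": office, "time": datetime(2024, 6, 3, hour, tzinfo=timezone.utc)}


def abac_decide(user, resource, context):
    """Evaluate every policy rule; return (allowed, descriptions of failed rules)."""
    u = IMPORTED_USER_ATTRIBUTES.get(user, {})
    r = RESOURCE_ATTRIBUTES.get(resource, {})
    failed = [name for name, rule in POLICY if not rule(u, r, context)]
    return (not failed, failed)


if __name__ == "__main__":
    print(abac_decide("dana", "q3_ledger", make_context("Berlin", 10)))  # (True, [])
    print(abac_decide("eve", "q3_ledger", make_context("Berlin", 10)))   # terminated -> denied
```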
Identity-based access control
The simplest, yet the most complex—identity-based control dictates whether a user is permitted access to a resource based on their individual visual or biometric identity. The user is then denied or permitted access based on whether or not their identity can be matched with a name appearing on the access control list.
One of the main benefits of this approach is providing more granular access to individuals in the system, as opposed to grouping employees manually. This is a very detailed, technology-driven approach that gives an abundance of control to the business owner.
History-based access control
Another "smart" solution is a history-based access control system. Based on past security actions, the system determines whether or not the user gains access to the resource they're requesting.
The system then reviews that user's history of activities—time between requests, content requested, which doors have been recently opened, etc. For example, if a user has a long history of working exclusively with secured accounting materials, a request to access next year's marketing roadmap might be flagged in the system.
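An added example (not from the original article) of the accounting-versus-marketing scenario above as detection logic: each user's past requests are summarised per resource category, and a request for a category that is absent or nearly absent from the user's history is routed for review instead of being granted automatically. The log entries, category names and thresholds are constructed.

```python
from collections import Counter

# Constructed history of previously granted requests: (user, resource_category).
HISTORY = [
    ("frank", "accounting"), ("frank", "accounting"), ("frank", "accounting"),
    ("frank", "accounting"), ("frank", "accounting"), ("frank", "hr"),
    ("grace", "marketing"), ("grace", "accounting"), ("grace", "marketing"),
]


def category_profile(user, history=HISTORY):
    """Fraction of the user's past requests that fell into each category."""
    counts = Counter(cat for u, cat in history if u == user)
    total = sum(counts.values())
    return {cat: n / total for cat, n in counts.items()} if total else {}


def history_check(user, category, min_history=5, floor=0.10, history=HISTORY):
    """Return (decision, reason). A request for a category the user has never or
    almost never touched is flagged for review rather than silently granted, and a
    user with too few prior requests is flagged because there is no baseline yet."""
    prior = sum(1 for u, _ in history if u == user)
    if prior < min_history:
        return ("review", f"only {prior} prior requests; no baseline for {user}")
    share = category_profile(user, history).get(category, 0.0)
    if share < floor:
        return ("review", f"{category} is {share:.0%} of {user}'s history")
    return ("allow", f"{category} is {share:.0%} of {user}'s history")


if __name__ == "__main__":
    print(history_check("frank", "accounting"))  # allow: 83% of history
    print(history_check("frank", "marketing"))   # review: never seen before
    print(history_check("grace", "marketing"))   # review: too little history
```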
Key components of access control systems
Access control systems are based on three core components—identification, authentication, and authorization. Each step must be successfully executed before users are granted access to resources.
Administrators issue a unique identity to each user when they are onboarded to systems or applications. In the case of the user access controls discussed here, these are used for identification as well as to track users' activities.
Authentication vs. authorization
Before users can gain access to systems or applications, they must be authenticated. Authentication is a security process for proving that the identity presented by a user is legitimate. The main types of authentication factors are:
- Something you know—The most common example of this is username/password credentials.
- Something you have—This is often a mobile device where verification codes are sent. It can also be a hardware token or app that generates one-time passwords.
- Something you are—This is biometrics, such as fingerprints, iris scans, or facial recognition.
Once users have been validated, they are granted access to resources based on their authorization. Authorization establishes what an authenticated user can do once they are granted access to a system or application.
For instance, a user with broad authorization could be allowed full access to resources and have the ability not just to create but also to edit, share, or delete existing files and other resources. Administrators also set this up in a number of ways, as explained in the sections above (e.g., role-based access controls and attribute-based access control).
Best practices for implementing access control systems
Apply the principle of least privilege (PoLP)
All access should be granted on the basis of least privilege. This means giving users the minimum access privileges needed to do their jobs. It also requires that privileges be revoked when access is no longer needed.
Automate user provisioning
Automating user provisioning and deprovisioning improves access controls by removing the risks that come with manual processes, such as lags between when a user leaves an organization and when their access privileges are revoked. It also helps enforce access policies consistently.
Conduct regular access audits
Processes should be put in place to ensure that audits of access control systems are conducted on a regular basis. This helps enforce the principle of least privilege by identifying users who are overprivileged and identifying user accounts that are inactive.
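An added example, not from the original article, of the two audit findings named above computed from constructed data: accounts with no activity inside an inactivity window, and granted permissions that were never exercised inside a longer window (candidates for revocation under least privilege). Entitlements, log entries, the reference date and both windows are constructed.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 30)  # constructed reference date for the audit run

# Constructed entitlement records: account -> permissions it currently holds.
ENTITLEMENTS = {
    "hank": {"payroll:read", "payroll:write", "crm:read"},
    "irene": {"crm:read"},
    "svc_backup": {"storage:write"},
}

# Constructed activity log: (account, permission exercised, timestamp).
ACTIVITY = [
    ("hank", "crm:read", datetime(2024, 6, 28)),
    ("hank", "payroll:read", datetime(2024, 6, 1)),
    ("irene", "crm:read", datetime(2024, 1, 15)),
]


def audit_access(entitlements=ENTITLEMENTS, activity=ACTIVITY, now=NOW,
                 inactive_days=90, unused_days=180):
    """Return (inactive_accounts, unused_grants).
    inactive_accounts: accounts with no activity in the last inactive_days.
    unused_grants: (account, permission) pairs held but not exercised in unused_days."""
    last_seen, last_used = {}, {}
    for account, perm, ts in activity:
        last_seen[account] = max(last_seen.get(account, ts), ts)
        last_used[(account, perm)] = max(last_used.get((account, perm), ts), ts)
    # Accounts with no log entries at all fall back to datetime.min and are flagged.
    inactive = sorted(
        acct for acct in entitlements
        if now - last_seen.get(acct, datetime.min) > timedelta(days=inactive_days))
    unused = sorted(
        (acct, perm) for acct, perms in entitlements.items() for perm in perms
        if now - last_used.get((acct, perm), datetime.min) > timedelta(days=unused_days))
    return inactive, unused


if __name__ == "__main__":
    inactive, unused = audit_access()
    print("inactive accounts:", inactive)       # ['irene', 'svc_backup']
    print("unused grants:", unused)             # [('hank', 'payroll:write'), ('svc_backup', 'storage:write')]
```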
Ensure integration with existing applications
Choose an access control system that supports integration with the applications and systems used across the organization, including other security systems. This not only facilitates management but also avoids cumbersome processes that hinder users' productivity or, worse, drive them to find workarounds to circumvent tedious access control systems.
Implement a zero trust network architecture (ZTNA)
Use a zero trust architecture to manage devices, networks, applications, services, workloads, and data. Then enforce the core principles of zero trust, including:
- Continuously monitor and validate users with ongoing verification of users' identities and privileges after initial access has been granted.
- Set access policies according to the principle of least privilege, regularly assessing and updating privileges as users' requirements change.
- Use microsegmentation to subdivide networks, reducing the attack surface by limiting access to small areas and resources.
- Require multi-factor authentication to bolster user access controls.
- Validate all endpoint devices, extending access controls to physical systems in addition to human users.
Prohibit the use of shared accounts
It is strongly recommended that users never be permitted to share accounts for access systems or applications. This creates security risks by making it difficult to track account activity and hold users accountable for their actions or trace root causes in the event of a security incident related to a shared account.
Use separation of duties
With separation of duties, tasks and responsibilities are divided among multiple users so that no one person has enough privileges to misuse resources. A classic example of this is disallowing the person who writes checks to sign them as well. Separation of duties is applied to the broad user base, with exceptions made for privileged users, such as administrators.
Require strong passwords
Users should be required to use strong passwords. The Cybersecurity and Infrastructure Security Agency's (CISA) guidance on strong passwords is to:
- Make them long—at least 16 characters
- Make them random with a string of mixed-case letters, numbers, and symbols, such as cXmnZK65rf*&DaaD, or use a string of unrelated words to create a passphrase, such as LibraryBeachBananaFlower
- Make them unique
- Use different passwords for each account
Use multi-factor authentication (MFA)
Require users to provide more than one verification factor to gain access, such as user credentials and a biometric factor or one-time password created from a token or authentication code-generating app.
Maintain access privilege logs
Use access privilege logs to track which users have access to what resources and track changes to users' access.
Train employees on access control protocols
Add access controls to cybersecurity training and awareness programs to ensure that users understand what systems are in place, why they are being used, and the risks of failing to follow usage policies.
Access control and regulatory compliance
The use of access control systems is mandated in a number of regulatory statutes. For example:
- The Federal Information Security Management Act (FISMA) requires federal agencies to implement access controls to protect government information and information systems.
- The General Data Protection Regulation (GDPR) requires organizations that handle EU citizens' personal data to use access controls to ensure that only authorized personnel can access sensitive information.
- The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to implement access controls to protect customers' personal financial information.
- The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to implement access controls to protect protected health information (PHI).
- The Payment Card Industry Data Security Standard (PCI DSS) requires organizations that handle credit card information to implement strong access control measures to protect cardholder data.
- The Sarbanes-Oxley Act (SOX) requires access controls to prevent unauthorized access to financial data to ensure the accuracy and integrity of financial reporting.
The future: AI-driven identity management
As access control moves into the future, many predict that the responsibility of managing the systems will continue to shift away from people and towards technology. Artificial intelligence (AI) not only allows us to evaluate access permissions for users in real time, but it's also able to forecast the entire lifecycle of an employee. These solutions not only protect us from the "now"; they're also able to identify risks and compliance issues before they become serious. The enterprise no longer has to tightly monitor the complicated web of policies and access control lists, because AI simplifies visibility at a high level.
Wrapping up
While access control has evolved from protecting physical documents in real buildings to cloud-based systems, the idea of protecting the enterprise's resources is never going out of style. The smarter we get with technology, the more options we're going to have. Understanding the variables that matter—things like organization size, resource needs, employee locations—will help inform the decision.