What is Access Control?

Why is access control important?

The goal of access control is to minimize the security risk of unauthorized access to physical and logical systems. Access control is a fundamental component of security compliance programs that ensures security technology and access control policies are in place to protect confidential information, such as customer data. Most organizations have infrastructure and procedures that limit access to networks, computer systems, applications, files and sensitive data, such as personally identifiable information and intellectual property.

Access control systems are complex and can be challenging to manage in dynamic IT environments that involve on-premises systems and cloud services. After high-profile breaches, technology vendors have shifted away from single sign-on systems to unified access management, which offers access controls for on-premises and cloud environments.

How access control works

Access controls identify an individual or entity, verify the person or application is who or what it claims to be, and authorizes the access level and set of actions associated with the username or IP address. Directory services and protocols, including Lightweight Directory Access Protocol and Security Assertion Markup Language, provide access controls for authenticating and authorizing users and entities and enabling them to connect to computer resources, such as distributed applications and web servers.

Organizations use different access control models depending on their compliance requirements and the security levels of IT they are trying to protect.

Types of access control

The main models of access control are the following:

• Mandatory access control (MAC). This is a security model in which access rights are regulated by a central authority based on multiple levels of security. Often used in government and military environments, classifications are assigned to system resources and the operating system or security kernel. MAC grants or denies access to resource objects based on the information security clearance of the user or device. For example, Security-Enhanced Linux is an implementation of MAC on Linux.
• Discretionary access control (DAC). This is an access control method in which owners or administrators of the protected system, data or resource set the policies defining who or what is authorized to access the resource. Many of these systems enable administrators to limit the propagation of access rights. A common criticism of DAC systems is a lack of centralized control.
• Role-based access control (RBAC). This is a widely used access control mechanism that restricts access to computer resources based on individuals or groups with defined business functions -- e.g., executive level, engineer level 1, etc. -- rather than the identities of individual users. The role-based security model relies on a complex structure of role assignments, role authorizations and role permissions developed using role engineering to regulate employee access to systems. RBAC systems can be used to enforce MAC and DAC frameworks.
• Rule-based access control. This is a security model in which the system administrator defines the rules that govern access to resource objects. These rules are often based on conditions, such as time of day or location. It is not uncommon to use some form of both rule-based access control and RBAC to enforce access policies and procedures.
• Attribute-based access control. This is a methodology that manages access rights by evaluating a set of rules, policies and relationships using the attributes of users, systems and environmental conditions.

Implementing access control

Access control is integrated into an organization's IT environment. It can involve identity management and access management systems. These systems provide access control software, a user database and management tools for access control policies, auditing and enforcement.

When a user is added to an access management system, system administrators use an automated provisioning system to set up permissions based on access control frameworks, job responsibilities and workflows.

The best practice of least privilege restricts access to only resources that employees require to perform their immediate job functions.

Challenges of access control

Many of the challenges of access control stem from the highly distributed nature of modern IT. It is difficult to keep track of constantly evolving assets because they are spread out both physically and logically. Specific examples of challenges include the following:

• dynamically managing distributed IT environments;
• password fatigue;
• compliance visibility through consistent reporting;
• centralizing user directories and avoiding application-specific silos; and
• data governance and visibility through consistent reporting.

Many traditional access control strategies -- which worked well in static environments where a company's computing assets were help on premises -- are ineffective in today's dispersed IT environments. Modern IT environments consist of multiple cloud-based and hybrid implementations, which spreads assets out over physical locations and over a variety of unique devices, and require dynamic access control strategies.

Organizations often struggle to understand the difference between authentication and authorization. Authentication is the process of verifying individuals are who they say they are using biometric identification and MFA. The distributed nature of assets gives organizations many avenues for authenticating an individual.

Authorization is the act of giving individuals the correct data access based on their authenticated identity. One example of where authorization often falls short is if an individual leaves a job but still has access to that company's assets. This creates security holes because the asset the individual used for work -- a smartphone with company software on it, for example -- is still connected to the company's internal infrastructure but is no longer monitored because the individual is no longer with the company. Left unchecked, this can cause major security problems for an organization. If the ex-employee's device were to be hacked, for example, the attacker could gain access to sensitive company data, change passwords or sell the employee's credentials or the company's data.

One solution to this problem is strict monitoring and reporting on who has access to protected resources so, when a change occurs, it can be immediately identified and access control lists and permissions can be updated to reflect the change.

Another often overlooked challenge of access control is user experience. If an access management technology is difficult to use, employees may use it incorrectly or circumvent it entirely, creating security holes and compliance gaps. If a reporting or monitoring application is difficult to use, the reporting may be compromised due to an employee mistake, which would result in a security gap because an important permissions change or security vulnerability went unreported.

Access control software

Many types of access control software and technology exist, and multiple components are often used together as part of a larger identity and access management (IAM) strategy. Software tools may be deployed on premises, in the cloud or both. They may focus primarily on a company's internal access management or outwardly on access management for customers. Types of access management software tools include the following:

• reporting and monitoring applications
• password management tools
• provisioning tools
• identity repositories
• security policy enforcement tools

Microsoft Active Directory is one example of software that includes most of the tools listed above in a single offering. Other IAM vendors with popular products include IBM, Idaptive and Okta.

When we refer to access control systems, we’re talking about providing access to restricted areas of the enterprise. But familiarity and correctly utilizing access control systems to protect proprietary information are two completely different levels of understanding. For example, who gets access to what? What are the rules? How is access tracked?

The user must first be identified and authenticated before being granted access to private information—which means the basics of an access control system include criteria and records for every time someone “enters” the system.

Depending on the type of organization, the enterprise should consider a couple of broad ideas—what level of ownership it will have over the system, and how to decide which employees get access to what. There are many models, each with different benefits.

The most common types of access control systems

Mandatory access control (MAC)

The mandatory access control system provides the most restrictive protections, where the power to permit access falls entirely on system administrators. That means users cannot change permissions that deny or allow them entry into different areas, creating formidable security around sensitive information.

It even restricts the resource owner’s ability to grant access to anything listed in the system. Once an employee enters the system, they’re tagged with a unique connection of variable “tags”—like a digital security profile—that speaks to what level of access they have. So depending on what tags a user has, they will have limited access to resources based on the sensitivity of the information contained in it. This system is so shrewd, in fact, that it’s commonly used by government entities because of its commitment to confidentiality.

Discretionary access control (DAC)

A discretionary access control system, on the other hand, puts a little more control back into leadership’s hands. They determine who can access which resources, even if the system administrator created a hierarchy of files with certain permissions. All it takes is the right credentials to gain access.

The only disadvantage, of course, is giving the end-user control of security levels requires oversight. And since the system requires a more active role in managing permissions, it’s easy to let actions fall through the cracks. Where the MAC approach is rigid and low-effort, a DAC system is flexible and high-effort.

Role-based access control (RBAC)

Role-based access control attributes permissions to a user based on their business responsibilities. As the most common access control system, it determines access based on the user’s role in the company—ensuring lower-level employees aren’t gaining access to high-level information.

Access rights in this method are designed around a collection of variables that map back to the business—such as resources, needs, environment, job, location, and more. Many executives like this approach because it’s simple to group employees based on the kind of resources to which they need access. For example, someone in human resources does not need access to private marketing materials, and marketing employees don’t need access to employee salaries. RBAC provides a flexible model that increases visibility while maintaining protection against breaches and data leaks.

More detailed, hands-on access control

While there are some established practices in access control, technology has given us the opportunity for more customized approaches. Depending on how “hands-on” the enterprise wants to be, there are many ways to think about it.

Rule-based access control

As you might have guessed, this system grants permissions based on structured rules and policies. Largely context-based, when a user attempts to access a resource, the operating system checks the rules decided on in the “access control list” for that specific resource. Creating the rules, policies, and context adds some effort to the rollout. Additionally, this system will often be blended with the role-based approach we discussed earlier.

Attribute-based access control

Drilling down a level deeper, this type of system provides different dynamic and risk-intelligent control based on attributes given to a specific user. Think of these attributes as components of a user profile; together they define the user’s access. Once policies are set, they can use these attributes to read whether or not a user should have control. These attributes can also be obtained and imported from a separate database—like Salesforce, for example.

“Smarter,” more intuitive control systems

Some control systems transcend technology all together. These are the systems that operate on a deeper, more intuitive level.

Identity-based access control

The most simple, yet the most complex—identity-based control dictates whether a user is permitted access to a resource based on their individual visual or biometric identity. The user will then be denied or permitted access based on whether or not their identity can be matched with a name appearing on the access control list. One of the main benefits of this approach is providing more granular access to individuals in the system, as opposed to grouping employees manually. This is a very detailed, technology-driven approach that gives an abundance of control to the business owner.

History-based access control

Another “smart” solution is a history-based access control system. Based on past security actions, the system determines whether or not the user gains access to the resource they’re requesting. The system will then scrape that user’s history of activities—time between requests, content requested, which doors have been recently opened, etc. For example, if a user has a long history of working exclusively with secured accounting materials, a request to access next year’s marketing roadmap might be flagged in the system.

The future: AI-driven Identity Management

As access control moves into the future, the responsibility of managing the systems will continue to shift away from people and towards technology. Artificial Intelligence (AI) not only allows us to evaluate access permissions for users in real-time, but it’s also able to forecast the entire lifecycle of an employee. These solutions not only protect us from the “now,” they’re able to identify risks and compliance issues before they become serious. The enterprise no longer has to tightly monitor the complicated web of policies and access control lists, because AI simplifies visibility at a high level.

Wrapping Up

While access control has evolved from protecting physical documents in real buildings to cloud-based systems, the idea of protecting the enterprise’s resources is never going out of style. The smarter we get with technology, the more options we’re going to have. Understanding the variables that matter—things like organization size, resource needs, employee locations—will help inform your decision.

Want to learn more about how we use technology and AI to recommend the right access model for you? Read more here.