What is Access Control?
Access control is a security practice regulating who can view, use, and update digital resources in an enterprise’s ecosystem—it aims to minimize risk by restricting access to assets.
You can think of access control as the security checkpoint at an airport. You won’t be able to get through if you don’t have a valid ticket and identification. That’s because sensitive areas of the airport require having a ticket.
You may even have to show your ticket and ID several times just to get to the plane, while airport personnel and employees will have different levels of access based on their identification.
Generally speaking, there are two types of access control: physical and logical.
- Physical access control is concerned with restricting access to physical assets like office buildings and data centers.
- Logical access control focuses on the digital side of an organization’s assets — restricting access to files, data, networks, and systems.
You may see articles discussing one or both categories, but we’ll focus on logical access control for the rest of the glossary.
Types of Access Control Systems
Access control is an overarching practice, and there are several models for implementing this type of security measure. It’s also important to understand that many of these systems aren’t mutually exclusive and can work together.
Let’s start by discussing some of the most popular models to help you better navigate popular terms and understand which one makes sense for your organization.
Discretionary Access Control (DAC)
DAC lets admins define the specific policies for users or non-human identities to access systems or data. For example, an admin managing cloud storage is in charge of dictating which identities are allowed to access the infrastructure.
Airports might use this model by allowing management or shop owners to have discretion over who is allowed to enter their designated area. The head of security might decide it’s okay for janitorial staff to enter the security area, but employees of shops are not allowed. Access is managed by the person in charge of the given area rather than an overarching authority.
DAC lacks a centralized authority by design since admins are usually in different departments. This shortcoming is one of the reasons why some organizations opt for another access control method, especially if the organization needs to adhere to strict regulatory and data protection standards like GDPR, HIPAA, CCPA, SOC 2, and more.
Role-Based Access Control (RBAC)
RBAC is arguably one of the most popular models due to its versatility. It allows users to do certain things (permissions) based on their role, and serves as the foundation for both Mandatory Access Control (MAC) and DAC.
At our airport, we can think of RBAC as the ticketing and employee badge systems. Valid tickets are generated for users, while employees receive badges with valid ID numbers. Once given a ticket or badge, the person inherits the roles associated with them — such as being able to board a plane or allow employees to enter areas off-limits to travel.
You can read more about RBAC from our in-depth glossary focusing on the common model.
Mandatory Access Control (MAC)
MAC regulates access rights through a central authority. Both public and private organizations with a large amount of sensitive data, like hospitals and banks, often choose MAC over other models. MAC allows granting or denying access to a given resource based on the user’s security clearance level.
In the digital sense, we can assign specific assets and resources hierarchical classifications. We might label logging into a CRM as “Internal,” but then label viewing private data about customers “Restricted.” For example, a user may have limited access to an internal system where access to more sensitive user information remains restricted.
Users are only allowed to see assets specific to the clearance level assigned to their account, putting the focus on properly labeling digital assets. MAC builds upon RBAC and is often preferred by organizations frequently handling highly sensitive information.
Attribute Based Access Control (ABAC)
Attribute Based Access Control (ABAC) manages access rights by creating rules and relationships based on attributes. Typically, organizations implement ABAC at the group level, affecting all individual users assigned to the same group.
We can break ABAC down into several attributes, which include subject, resource, action, and environment. When a user tries to access a digital asset, the system checks against predefined access criteria. If the user does not meet dictated attributes, the system won’t granted them access. These access criteria can include the user’s location, time of day, or any other attribute that may restrict or determine access.
Organizations might prefer ABAC when they need more flexibility compared to other methods. Still, the trade-off is that implementation and management will typically take more time as there are more attributes to define and map.
Access Control Creates the Foundation of Strong Security
What method of access control is the right choice for your organization? Take the time to thoroughly evaluate the different options in relation to the rest of your infrastructure.
The right answer will be different based on your unique needs, including other systems, compliance requirements, and available personnel. Evaluate these options before choosing the right access control method to employ.
Ready to discover how we can help? Reach out to us today to schedule a demo to see what we can do for you.