Access Controls
Just like physical keys determine who has legitimate access to physical spaces, access control policies protect digital spaces. Access controls determine who can access data, apps, systems and digital resources – and in what circumstances they can do so.
How does access control work?
Access control relies largely on techniques like authentication and authorization. These techniques allow organizations to define policies, verify that users are who they say they are, then grant them the appropriate level of access based on context like devices, locations, roles, and more.
To accomplish this, most organizations use identity and access management (IAM) solutions to implement their access control policies. These systems identify users by verifying login credentials – usernames and passwords, PINs, biometric scans, security tokens – and also through multifactor authentication (MFA), which requires more than one of these methods to verify a user’s identity.
What types of access control are there?
There are four primary types of access control; most organizations adopt one of them:
- Attribute-based access control – Access is based on a set of attributes or environmental parameters, like time of day or location, which are assigned to resources and users.
- Discretionary access control – Policies for who is allowed access are determined by the owner or administrator of the system, data, or resources in question.
- Role-based access control – Based on a combination of role assignments, authorizations, and permissions, access is enabled according to defined business functions – a user’s role within the organization – rather than an individual’s identity.
- Mandatory access control – Common in government and military environments, access is granted based on information clearance levels, generally regulated by a central authority.
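To make the four models concrete, here is an added example (not code from the original page) that implements each one as a small deny-by-default policy check in Python; the users, roles, clearance labels and the sample resource are constructed for the demo.

```python
from dataclasses import dataclass, field
from datetime import time

# Constructed sample policy data (assumptions for the demo, not from the page).
CLEARANCE = {"unclassified": 0, "confidential": 1, "secret": 2}
ROLE_PERMS = {"analyst": {"read"}, "admin": {"read", "write"}}

@dataclass
class Resource:
    name: str
    owner: str                                 # DAC: the owner sets the ACL
    label: str                                 # MAC: classification label
    acl: dict = field(default_factory=dict)    # DAC: user -> allowed operations
    rules: dict = field(default_factory=dict)  # ABAC: environmental constraints

@dataclass
class User:
    name: str
    roles: set
    clearance: str
    attrs: dict                                # ABAC: location, current time, ...

def dac_allows(user, res, op):
    """Discretionary: the owner decides; others need an ACL entry."""
    return user.name == res.owner or op in res.acl.get(user.name, set())

def rbac_allows(user, res, op):
    """Role-based: permission follows the role, not the individual identity."""
    return any(op in ROLE_PERMS.get(r, set()) for r in user.roles)

def mac_allows(user, res, op):
    """Mandatory: subject clearance must dominate the object's label."""
    return CLEARANCE[user.clearance] >= CLEARANCE[res.label]

def abac_allows(user, res, op):
    """Attribute-based: time-of-day window and location rules must all hold."""
    start, end = res.rules.get("hours", (time.min, time.max))
    if not start <= user.attrs.get("now", time.min) <= end:
        return False
    allowed = res.rules.get("locations")
    return allowed is None or user.attrs.get("location") in allowed

MODELS = {"dac": dac_allows, "rbac": rbac_allows, "mac": mac_allows, "abac": abac_allows}

def check(model, user, res, op):
    """Deny by default: an unknown model or a failed rule yields False."""
    fn = MODELS.get(model)
    return bool(fn and fn(user, res, op))

# Constructed sample data used for the demo below.
REPORT = Resource("q3-report", owner="alice", label="confidential", acl={"bob": {"read"}},
                  rules={"locations": {"office"}, "hours": (time(9), time(17))})
ALICE = User("alice", {"admin"}, "secret", {"location": "office", "now": time(10, 30)})
BOB = User("bob", {"analyst"}, "unclassified", {"location": "home", "now": time(22)})
```

Running `check(m, BOB, REPORT, "read")` for each model shows why the choice of model matters: DAC and RBAC grant bob read access, while MAC (insufficient clearance) and ABAC (wrong place and time) deny it.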
How is access control managed?
Access control is managed through a combination of five core principles:
- Authentication – The initial process of establishing user identity, like when a user first signs into their online banking account.
- Authorization – Adds a secondary layer of security to authentication, specifying exact access rights and privileges to resources.
- Access – Once authentication and authorization succeed, the user’s identity has been verified and they are granted access to the resources.
- Manage – Access control admins constantly add and remove user authentications and authorizations in dynamic and complex cloud and on-prem IT environments.
- Audit – Allows security teams to enforce the principle of least privilege, gathering data from user activity and analyzing it to discover possible access violations.