What is access control?
Access control is a security term used to refer to a set of policies for restricting access to information, tools, and physical locations. Typically access control falls under the domain of physical access control or information access control. This article will focus on the latter.
What is physical access control?
Although this article focuses on information access control, gaining an understanding of physical access control is a good starting point. Physical access control is a set of policies to control who is granted access to a physical location.
Some real-world examples of physical access control include:
- Bar-room bouncers
- Subway turnstiles
- Airport customs agents
- Hotel room keycard scanners
In all of these examples, a person or device is following a set of policies to decide who gets access to a restricted physical location. For example, a hotel keycard scanner only grants access to authorized guests who have a hotel key.
What is information access control?
Information access control restricts access to data as well as software used to manipulate that data. Information access control is very commonly used in computer and network security. Some examples include:
- A user signing into their laptop using a password
- A user unlocking their smartphone with a thumbprint scan
- A Gmail user logging into their email account
- A remote employee accessing their employer’s internal network using a VPN
In all of these cases, software is used to authenticate and grant authorization to users wishing to access digital information. Both authentication and authorization are integral components of information access control.
What’s the difference between authentication and authorization?
In a nutshell, authentication is the security practice of confirming that someone is who they claim to be, while authorization is concerned with the level of access each user is granted.
For example, think of a traveller checking into a hotel. When they register at the front desk, they are asked to provide a passport to prove that they are indeed the person whose name is on the reservation. This is an example of authentication.
Once the hotel employee has authenticated the guest, the guest receives a keycard with limited privileges. This is an example of authorization. The guest’s keycard will grant them access to their room, the guest elevator, and the pool. This keycard won’t open other guests’ rooms or call the service elevator, because the guest is not authorized to access those locations.
An employee on the hotel housekeeping staff will have a keycard with a higher level of authorization; they can access all the guest rooms, the service elevator, the laundry room, and the employee lounge. They still can’t access certain sensitive areas, like the security center or the cash vault. Meanwhile, the hotel’s head of security has a keycard that can access any part of the hotel; they are authorized to have unrestricted access.
Computer and networking systems have very similar authentication and authorization controls. When a user signs into their email or online banking account, they use a login and password combination that only they are supposed to know. The software uses this information to authenticate the user. Some applications have much stricter authentication requirements than others; while a password is enough for some, others may require two-factor authentication or even a biometric confirmation, such as a thumbprint or face ID scan.
Once authenticated, a user can only see the information they are authorized to access. In the case of an online banking account, the user can only see information related to their personal banking account. A fund manager at the bank can log in to the same application and see data on the bank’s financial holdings, and they may also have access to a tool for buying and selling securities on the bank’s behalf. Since the bank handles very sensitive personal information, it’s entirely possible that no one has unrestricted access to the data. Even the bank’s president or head of security may need to go through a security protocol to access the full data of individual customers.
Another example of authentication happens during TLS encryption. When a web browser connects to an HTTPS website, this triggers a TLS handshake, which authenticates the web server using public key cryptography. The web server has to prove its identity before the browser downloads any content to display to the user.
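The banking example above, written out as two separate steps. This is an added example, not code from the original article; the user names, roles, permission names and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: roles, permissions and users are illustrative only.
ROLE_PERMISSIONS = {
    "customer": {"view_own_account"},
    "fund_manager": {"view_own_account", "view_bank_holdings", "trade_securities"},
}
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256
DUMMY_SALT = os.urandom(16)  # used so unknown users cost the same as known ones


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(name: str, password: str, role: str) -> dict:
    salt = os.urandom(16)  # per-user salt, stored beside the hash
    return {"name": name, "salt": salt, "pw_hash": hash_password(password, salt), "role": role}


USERS = {u["name"]: u for u in (
    make_user("alice", "correct horse battery", "customer"),
    make_user("bob", "staple-tr0ub4dor", "fund_manager"),
)}


def authenticate(name: str, password: str):
    """Authentication: confirm the caller is who they claim to be."""
    user = USERS.get(name)
    candidate = hash_password(password, user["salt"] if user else DUMMY_SALT)
    if user is None:
        return None
    # Constant-time comparison avoids leaking how many bytes matched.
    return user if hmac.compare_digest(candidate, user["pw_hash"]) else None


def authorize(user, action: str, account_owner=None) -> bool:
    """Authorization: decide what an already-authenticated user may do."""
    if user is None or action not in ROLE_PERMISSIONS.get(user["role"], set()):
        return False  # default deny: unknown roles and actions get nothing
    if action == "view_own_account":
        return account_owner == user["name"]  # only the account's own owner
    return True
```

Note that even the fund manager role cannot open another customer's account: no role in this table has unrestricted access.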
What are some methods for implementing access control?
A very popular tool for information access control is a Virtual Private Network (VPN). A VPN is a service that allows remote users to access the Internet as though they were connected to a private network. Corporate networks will often use VPNs to manage access control to their internal network across a geographic distance. For example, if a company has an office in San Francisco and another office in New York, as well as remote employees scattered across the globe, they can use a VPN so that all of their employees can securely log into their internal network, regardless of their physical location. Connecting to the VPN will also help protect the employees against on-path attacks if they are connected to a public WiFi network.
VPNs come with some drawbacks though. Firstly, VPNs impact performance. When connected to a VPN, every data packet a user sends or receives has to take a detour, as each request and response must pass through the VPN server before reaching its destination. This often increases latency. Secondly, VPNs generally provide an all-or-nothing approach to network security. VPNs are great at providing authentication, but not great at providing granular authorization controls. This means if an organization wants to grant different levels of access to different employees, they have to use multiple VPNs. This creates a lot of complexity, and still doesn’t satisfy the requirements of zero trust security.
What is zero trust security?
Zero trust security is an IT security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter. Zero trust networks also utilize microsegmentation. Microsegmentation is the practice of breaking up security perimeters into small zones to maintain separate access for separate parts of the network.
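The difference between the all-or-nothing VPN model and a zero trust decision with microsegmentation, as an added example that is not part of the original article. The address range, segment names, group names and the two boolean checks are assumptions standing in for a real identity provider and device posture service.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values: range, segments and groups are assumptions.
VPN_RANGE = ipaddress.ip_network("10.8.0.0/16")

# Microsegmentation: each small zone lists the groups allowed into it.
SEGMENT_POLICY = {
    "wiki": {"engineering", "finance", "support"},
    "payroll-db": {"finance"},
    "build-servers": {"engineering"},
}


@dataclass
class Request:
    source_ip: str
    user: str
    group: str
    identity_verified: bool  # e.g. a valid, unexpired login for this request
    device_trusted: bool     # e.g. device is enrolled and passes posture checks
    segment: str


def perimeter_allows(req: Request) -> bool:
    """VPN-style model: anything arriving from inside the perimeter is trusted."""
    return ipaddress.ip_address(req.source_ip) in VPN_RANGE


def zero_trust_allows(req: Request) -> bool:
    """Zero trust model: verify user and device on every request, per segment.

    The source address is deliberately ignored: being inside the
    perimeter earns no access on its own.
    """
    if not (req.identity_verified and req.device_trusted):
        return False
    allowed_groups = SEGMENT_POLICY.get(req.segment, set())  # unknown segment: deny
    return req.group in allowed_groups
```

A support employee on the VPN passes `perimeter_allows` for `payroll-db` but fails `zero_trust_allows`, while a finance employee on a verified device is allowed from any address.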
Today many organizations are turning away from VPNs in favor of zero trust security solutions like Cloudflare Access. A zero trust security solution can be used to manage access control both for in-office and remote employees, while avoiding the major drawbacks of using a VPN.