Access control is a set of rules designed to determine who is granted access to a restricted location or restricted information.
Access control is a security term used to refer to a set of policies for restricting access to information, tools, and physical locations.
Although this article focuses on information access control, physical access control is a useful comparison for understanding the overall concept.
Physical access control is a set of policies to control who is granted access to a physical location. Real-world examples of physical access control include the following:
In all of these examples, a person or device is following a set of policies to decide who gets access to a restricted physical location. For example, a hotel keycard scanner only grants access to authorized guests who have a hotel key.
Information access control restricts access to data and the software used to manipulate that data. Examples include the following:
In all of these cases, software is used to authenticate and grant authorization to users who need to access digital information. Authentication and authorization are integral components of information access control.
Authentication is the security practice of confirming that someone is who they claim to be, while authorization is the process of determining which level of access each user is granted.
For example, think of a traveller checking into a hotel. When they register at the front desk, they are asked to provide a passport to verify that they are the person whose name is on the reservation. This is an example of authentication.
Once the hotel employee has authenticated the guest, the guest receives a keycard with limited privileges. This is an example of authorization. The guest’s keycard grants them access to their room, the guest elevator, and the pool — but not other guests’ rooms or the service elevator. Hotel employees, on the other hand, are authorized to access more areas of the hotel than guests are.
Computer and networking systems have similar authentication and authorization controls. When a user signs into their email or online banking account, they use a login and password combination that only they are supposed to know. The software uses this information to authenticate the user. Some applications have much stricter authentication requirements than others: while a password is enough for some, others may require two-factor authentication or a biometric confirmation, such as a fingerprint or face scan.
Once authenticated, a user can only see the information they are authorized to access. In the case of an online banking account, the user can only see information related to their personal banking account. Meanwhile, a fund manager at the bank can log in to the same application and see data on the bank’s overall financial holdings. Since the bank handles very sensitive personal information, it’s entirely possible that no one has unrestricted access to the data. Even the bank’s president or head of security may need to go through a security protocol to access the full data of individual customers.
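The banking flow above is worth seeing as two separate checks, because the common mistake is to perform only the first one. The following is an added example, not code from the original page: a small Python service that first authenticates a caller (salted password hash, constant-time comparison) and then, as a distinct step, decides whether that authenticated user may view the requested account. The users, passwords, account IDs and the `fund_manager` role are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed example users (not real accounts): each password is stored as a
# salted PBKDF2 hash, so the store never holds the password itself.
ITERATIONS = 100_000
DUMMY_SALT = b"\x00" * 16


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(password: str, accounts, roles) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "accounts": frozenset(accounts), "roles": frozenset(roles)}


USERS = {
    "alice":   make_user("correct horse battery staple", accounts={"ACC-1001"}, roles={"customer"}),
    "bob":     make_user("hunter2",                      accounts={"ACC-2002"}, roles={"customer"}),
    "mallory": make_user("fund-mgr-pass",                accounts=set(),        roles={"fund_manager"}),
}


def authenticate(username: str, password: str):
    """Step 1, authentication: is the caller who they claim to be?
    Returns the user record on success, None on failure."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown username costs as much time as a wrong password.
        hash_password(password, DUMMY_SALT)
        return None
    candidate = hash_password(password, user["salt"])
    # Constant-time comparison: never compare secrets with ==.
    if not hmac.compare_digest(candidate, user["hash"]):
        return None
    return user


def authorize_account_view(user: dict, account_id: str) -> bool:
    """Step 2, authorization: may this already-authenticated user see this account?
    A fund manager sees every account; a customer sees only their own."""
    if "fund_manager" in user["roles"]:
        return True
    return account_id in user["accounts"]


def view_account(username: str, password: str, account_id: str) -> str:
    """The two checks run in order; passing the first does not imply the second."""
    user = authenticate(username, password)
    if user is None:
        return "authentication failed"
    if not authorize_account_view(user, account_id):
        return "forbidden"  # authenticated, but not authorized for this object
    return f"balance for {account_id}"


if __name__ == "__main__":
    print(view_account("alice", "correct horse battery staple", "ACC-1001"))  # balance for ACC-1001
    print(view_account("bob", "hunter2", "ACC-1001"))                        # forbidden
    print(view_account("bob", "wrong", "ACC-2002"))                          # authentication failed
```

Note that `authenticate` returns the same result, and takes roughly the same time, whether the username or the password is wrong, so a caller cannot use the login step to discover which usernames exist. The `forbidden` branch is the authorization decision: Bob is a perfectly valid user, just not for Alice's account.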
After the authentication process has been completed, user authorization can be determined in one of several ways:
Mandatory access control (MAC): Mandatory access control establishes strict security policies for individual users and the resources, systems, or data they are allowed to access. These policies are controlled by an administrator; individual users are not given the authority to set, alter, or revoke permissions in a way that contradicts existing policies.
Under this system, both the subject (a user or process) and the object (data, system, or other resource) carry security labels assigned by the administrator, and a subject can interact with an object only when its label satisfies the policy for that object; in practice, the subject's clearance must be at least as high as the object's classification. Returning to the previous example, the bank's president would need the correct clearance to access customer data files, and the system administrator would need to label those files so that the policy permits the president to view and alter them. While that process may seem redundant, it ensures that no user, however senior, can extend their own access or pass data along beyond what the policy allows.
Role-based access control (RBAC): Role-based access control establishes permissions based on groups (defined sets of users, such as bank employees) and roles (defined sets of actions, like those that a bank teller or a branch manager might perform). Individuals can perform any action that is assigned to their role, and may be assigned multiple roles as necessary. As with MAC, users are not permitted to change the level of access that has been assigned to their role.
For instance, any bank employee assigned to the role of bank teller might be given the authorization to process account transactions and open new customer accounts. A branch manager, on the other hand, might hold several roles, authorizing them to process account transactions, open customer accounts, assign the role of bank teller to a new employee, and so on.
Discretionary access control (DAC): Once a user is given permission to access an object (usually by a system administrator or through an existing access control list), they can grant access to other users on an as-needed basis. This flexibility carries risk, however: because users decide who else gets access and can pass permissions on, data can end up shared well beyond what the administrator intended, with no central oversight of the chain of grants.
When evaluating which method of user authorization is most appropriate, an organization's security needs must be taken into account. Typically, organizations that require a high level of data confidentiality (such as government agencies and banks) opt for more stringent forms of access control like MAC, while those that favor flexibility and user- or role-based permissions tend toward RBAC and DAC.
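The three models differ mainly in who is allowed to make an access decision and what the decision is based on. The Python below is an added example, not code from the original page: one minimal decision function per model, using the bank roles from the text. The level names, compartment name `customer_pii`, role permissions and user names are constructed for the example. The MAC check uses label dominance (level plus compartments), which is the usual way "matching security attributes" is implemented; the DAC part deliberately lets any holder of a permission pass it on, to show the re-sharing chain the text warns about.

```python
from dataclasses import dataclass, field

# ---------- Mandatory access control (MAC) ----------
# Labels are assigned by an administrator; subjects cannot change them.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # e.g. {"customer_pii"}; hypothetical names

    def dominates(self, other: "Label") -> bool:
        # A clearance dominates a classification when its level is at least as high
        # AND it covers every compartment the object is tagged with.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_can_read(clearance: Label, classification: Label) -> bool:
    """Read is allowed only if the subject's clearance dominates the object's label."""
    return clearance.dominates(classification)


# ---------- Role-based access control (RBAC) ----------
ROLE_PERMISSIONS = {
    "teller":         {"process_transaction", "open_account"},
    "branch_manager": {"assign_role:teller", "approve_loan"},
}
USER_ROLES = {"tina": {"teller"}, "mark": {"teller", "branch_manager"}}


def rbac_can(user: str, permission: str) -> bool:
    """A user may do anything any of their roles permits; role membership is set by an admin."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# ---------- Discretionary access control (DAC) ----------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions


def dac_can(obj: DacObject, user: str, permission: str) -> bool:
    return user == obj.owner or permission in obj.acl.get(user, set())


def dac_grant(obj: DacObject, granter: str, grantee: str, permission: str) -> None:
    """Whoever holds a permission may pass it on; no administrator is consulted."""
    if not dac_can(obj, granter, permission):
        raise PermissionError(f"{granter} does not hold {permission} and cannot grant it")
    obj.acl.setdefault(grantee, set()).add(permission)


def dac_resharing_chain() -> dict:
    """alice owns a report and shares read access with bob; bob then re-shares
    with carol on his own. The owner and the admin never hear about carol."""
    report = DacObject(owner="alice")
    dac_grant(report, "alice", "bob", "read")
    dac_grant(report, "bob", "carol", "read")
    return {"carol_read": dac_can(report, "carol", "read"),
            "carol_write": dac_can(report, "carol", "write")}


if __name__ == "__main__":
    pii = Label("confidential", frozenset({"customer_pii"}))
    print(mac_can_read(Label("secret", frozenset({"customer_pii"})), pii))  # True
    print(mac_can_read(Label("secret"), pii))                              # False: missing compartment
    print(rbac_can("tina", "assign_role:teller"), rbac_can("mark", "assign_role:teller"))  # False True
    print(dac_resharing_chain())  # {'carol_read': True, 'carol_write': False}
```

The second MAC call is the "president" case from the text: a high clearance level alone is not enough if the files are tagged with a compartment the subject has not been given. In the DAC chain, nothing stops Bob from extending access, which is exactly the property that makes DAC convenient and hard to audit.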
A popular tool for information access control is a virtual private network (VPN). A VPN lets remote users reach a private network as though they were directly connected to it, by tunneling their traffic over the public Internet. Corporate networks often use VPNs to manage access to their internal network across a geographic distance.
For example, if a company has an office in San Francisco and another office in New York, as well as remote employees scattered across the globe, they can use a VPN so that all of their employees can securely log into their internal network, regardless of their physical location. Connecting to the VPN will also help protect the employees against on-path attacks if they are connected to a public WiFi network.
VPNs also have drawbacks. One is performance: when connected to a VPN, every packet a user sends or receives has to travel to the VPN server before continuing to its destination, and this extra hop adds latency.
VPNs generally provide an all-or-nothing approach to network security. They are good at authentication, but poor at granular authorization: once a user is on the VPN, they can typically reach the whole network. If an organization wants to grant different levels of access to different employees, it has to run multiple VPNs or layer additional controls on top. This creates a lot of complexity, and still doesn't satisfy the requirements of zero trust security.
Zero trust security is an IT security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter. Zero trust networks also utilize microsegmentation. Microsegmentation is the practice of breaking up security perimeters into small zones to maintain separate access for separate parts of the network.
Today many organizations are replacing VPNs with zero trust security solutions like Cloudflare Access. A zero trust security solution can be used to manage access control both for in-office and remote employees, while avoiding the major drawbacks of using a VPN.