Access control is a security technique that allows businesses to restrict access to information, tools, and physical locations. It improves the efficiency of processes and of site and building management. Access control falls under two categories: physical or logical.
For physical access control, mechanical keys are replaced with cards or badges. Why replace keys? They are easily lost and difficult to replace, they leave no audit trail, and they are hard to manage. Switching to an electronic system allows for increased control and security: it lets you decide who has access to what, which doors they may open, and under which conditions they are allowed in. These parameters can be updated quickly and easily at the touch of a button.
Logical or information access control sets limits on computer network connections, system files, and data. It restricts access to data, and to software that could be used to compromise it. All access control systems share five key components: authentication, authorization, access, management, and auditing.
What are the primary types of access control?
Mandatory access control (MAC): Mandatory access control establishes strict security policies for individual users and the resources, systems, or data they are allowed to access. These policies are controlled by an administrator; individual users are not given the authority to set, alter, or revoke permissions in a way that contradicts existing policies.
Role-based access control (RBAC): Role-based access control establishes permissions based on groups (defined sets of users, such as bank employees) and roles (defined sets of actions, like those that a bank teller or a branch manager might perform). Individuals can perform any action that is assigned to their role and may be assigned multiple roles as necessary. Like MAC, users are not permitted to change the level of access control that has been assigned to their role.
Discretionary access control (DAC): Once a user is given permission to access an object (usually by a system administrator or through an existing access control list), they can grant access to other users on an as-needed basis. This may introduce security vulnerabilities, however, as users are able to determine security settings and share permissions without strict oversight from the system administrator.
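To make the difference between the three models concrete, here is an added example (not from the original article) with a minimal authorization check for each. The users, roles, clearance levels and the "ledger" resource are constructed sample values. Note that only the DAC class has a grant() method: under MAC and RBAC a user has no way to extend access, whereas under DAC access can be re-shared with no administrator in the loop.

```python
from dataclasses import dataclass, field
# Constructed sample values for illustration; not from any real deployment.
LEVEL = {"public": 0, "confidential": 1, "secret": 2}

@dataclass
class Resource:
    name: str
    owner: str
    label: str = "public"                    # sensitivity label consulted by MAC
    acl: set = field(default_factory=set)    # DAC: users the owner has granted access

class MAC:
    """Clearances are set by the administrator; there is deliberately no grant()."""
    def __init__(self, clearances: dict):
        self.clearances = clearances
    def allowed(self, user: str, res: Resource) -> bool:
        return LEVEL[self.clearances.get(user, "public")] >= LEVEL[res.label]

class RBAC:
    """Permissions attach to roles; a user holds roles but cannot edit them."""
    def __init__(self, role_perms: dict, user_roles: dict):
        self.role_perms, self.user_roles = role_perms, user_roles
    def allowed(self, user: str, action: str) -> bool:
        return any(action in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))

class DAC:
    """Whoever already has access may extend it to others at their discretion."""
    def allowed(self, user: str, res: Resource) -> bool:
        return user == res.owner or user in res.acl
    def grant(self, grantor: str, grantee: str, res: Resource) -> None:
        if not self.allowed(grantor, res):
            raise PermissionError(f"{grantor} has no access to {res.name} to share")
        res.acl.add(grantee)

def demo() -> dict:
    ledger = Resource("ledger", owner="alice", label="secret")
    mac = MAC({"alice": "secret", "bob": "confidential"})
    rbac = RBAC({"teller": {"deposit"}, "manager": {"deposit", "approve_loan"}},
                {"alice": {"manager"}, "bob": {"teller"}})
    dac = DAC()
    dac.grant("alice", "bob", ledger)    # the owner shares at her discretion...
    dac.grant("bob", "carol", ledger)    # ...and bob passes it on, with no admin in the loop
    return {
        "mac_bob": mac.allowed("bob", ledger),                        # False: clearance too low
        "rbac_bob_approve": rbac.allowed("bob", "approve_loan"),      # False: teller role lacks it
        "rbac_alice_approve": rbac.allowed("alice", "approve_loan"),  # True
        "dac_carol": dac.allowed("carol", ledger),                    # True: reached via re-sharing
    }
```

The audit component from the text is what makes the DAC chain alice -> bob -> carol visible after the fact; without logging each grant(), the administrator has no record of how carol obtained access.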
When evaluating which method of user authorization is most appropriate for an organization, its security needs must be considered. Typically, organizations that require a high level of data confidentiality (government organizations, banks, etc.) will opt for more stringent forms of access control, like MAC, while those that favor more flexibility and user- or role-based permissions will tend toward RBAC and DAC systems.