Access control structures how subjects interact with objects in a given system. It determines who can interact with what, as well as how they can interact. Access controls are a crucial security control: the fewer people who can access something, the less risk that it will be damaged or stolen.
In access control, a subject can be a person, an application, or a network – what matters is that it’s the subject doing the acting. An object can include information, devices, physical resources, applications, and networks.
A subject in one context might be an object in another. If a user runs an application, that application is an object; if that application then modifies a file, that application is then a subject. What matters is who acts on what: the subject interacts with the object. Access controls structure those interactions, providing the rules that govern who can do what.
These access controls can be simple or complex, loose or strict. It all depends on the size of the organization, trust within the organization, and the sensitivity of assets. The access controls on your personal computer are simple enough you don’t even have to think about them very much. But within a business, access controls are essential to protect sensitive assets.
The core access control process involves four steps: identification, authentication, authorization, and accounting. Let’s talk about each of those in turn.
Identification
In the identification step, a user states their identity. That can mean typing in a username or email address, swiping a card, showing an ID badge, or simply stating one’s name. Every subject needs a unique label so that the system can identify them without confusion.
Identification is pretty simple. Authentication is where it gets interesting.
Authentication
During authentication, the system verifies the user is who they say they are. It does so via one or more authentication factors. These factors fall into three broad categories:
- Something you know authentication factors, such as passwords and PINs, involve a secret bit of information. Something you know factors are essential to most logical access controls.
- Something you have authentication factors, such as keys or ID badges, involve something tangible you carry with you. Something you have factors abound when it comes to physical security – especially the lock and key, which is probably the most pervasive access control method.
- Something you are authentication factors, also known as biometrics, include fingerprint scanners, facial recognition, and any other authentication that relies on your body itself.
No authentication factor is immune from errors and issues. In fact, stolen credentials are involved in one out of every four data breaches. For this reason, many systems require multi-factor authentication. By asking users to use more than one factor, authentication becomes considerably more secure.
A system that asks users not only for a password (something you know), but requires them to enter a one-time code sent by text message to their smartphone (something you have), is much more secure than an authentication system that asks for a password alone.
Likewise, when it comes to physical access control, a keycard (something you have) plus a fingerprint scan (something you are) will be much more secure than a system that relies on a keycard alone.
The above factors aren’t all-inclusive. Many access control systems use additional factors, such as location and device information. These are typically used as secondary factors. If a user logs on from a trusted device, for instance, they still have to enter their password, but a one-time code sent via SMS might be required only when they log on from a device they have never used before.
Authorization
Once a user has been authenticated, the system proceeds to authorization, in which it determines what level of access they have with regard to what resources. Essentially, authorization determines what subjects can and can’t do with a given object. Many systems, especially in logical access controls, rely on access control lists which list subjects and their permissions.
From there, it often comes down to whichever access control model is in use. In discretionary access control, for instance, any object’s owner (usually the person who created it) can assign access permissions at their discretion. Mandatory access control, however, is much stricter about how access is assigned. We’ll talk more about access control models and lists in a moment – for now, let’s focus on accounting.
For more information, check out our complete guide to authentication and authorization.
Accounting
The final element of the access control process is accounting, through which the system records who did what. A computer, for instance, might log who does what to a given file or database.
While accounting can be very precise under logical access control systems, it is often far less detailed when it comes to physical places and resources. But some systems do keep more precise records of physical resources. Libraries and archives, for instance, generally keep track of who checked out a resource at what time.
Authentication, authorization, and accounting are sometimes referred to as the AAA framework. Under many AAA protocols, accounting isn’t strictly necessary, and it is possible to implement access controls without tracking users within a system.
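The four steps above, together with the multi-factor and trusted-device behaviour described under Authentication, as one runnable Python module. This is an added example, not code from the original article: identify() resolves a claimed label, authenticate() checks a password and, on an unrecognised device, also a TOTP code, authorize() consults a per-object permission table, and account() records every decision. The user directory, the password, the TOTP key (the RFC 6238 test key), the device names and the object are all constructed for illustration.

```python
"""Added example: identification, authentication, authorization and accounting
in one module.  All users, secrets, devices and objects are constructed."""
import hashlib
import hmac
import json
import time

SALT = b"constructed-demo-salt"  # real systems use a random per-user salt


def hash_password(password: str, rounds: int = 100_000) -> bytes:
    """Slow, salted hash so a stolen table cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, rounds)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(key, int(now // step), digits)


# Constructed user directory keyed by each subject's unique identifier.
USERS = {
    "alice": {
        "password_hash": hash_password("correct horse battery staple"),
        "totp_key": b"12345678901234567890",  # RFC 6238 test key, constructed
        "trusted_devices": {"laptop-01"},
    },
}
DUMMY_HASH = hash_password("placeholder")  # keeps unknown-user timing similar

# Constructed permission table: object -> subject -> allowed actions.
PERMISSIONS = {"payroll.xlsx": {"alice": {"read"}}}

AUDIT_LOG = []  # one dict per decision (accounting)


def account(event: str, **details) -> None:
    """Accounting: append one structured record per decision."""
    AUDIT_LOG.append({"ts": time.time(), "event": event, **details})


def identify(username: str):
    """Identification: the claimed label is looked up; nothing is verified yet."""
    return USERS.get(username)


def authenticate(username, password, device_id, otp=None, now=None) -> bool:
    """Authentication: password (something you know) always; TOTP
    (something you have) only when the device is not already trusted."""
    user = identify(username)
    expected = user["password_hash"] if user else DUMMY_HASH
    password_ok = hmac.compare_digest(hash_password(password), expected)
    if not user or not password_ok:
        account("auth_failed", user=username, device=device_id, reason="password")
        return False
    if device_id not in user["trusted_devices"]:
        now = time.time() if now is None else now
        if otp is None or not hmac.compare_digest(str(otp), totp(user["totp_key"], now)):
            account("auth_failed", user=username, device=device_id, reason="otp")
            return False
    account("auth_ok", user=username, device=device_id)
    return True


def authorize(username: str, obj: str, action: str) -> bool:
    """Authorization: may this authenticated subject perform action on obj?"""
    allowed = action in PERMISSIONS.get(obj, {}).get(username, set())
    account("authz", user=username, object=obj, action=action, allowed=allowed)
    return allowed


def access(username, password, device_id, obj, action, otp=None, now=None) -> bool:
    """The full sequence: identify -> authenticate -> authorize, with accounting."""
    if not authenticate(username, password, device_id, otp, now):
        return False
    return authorize(username, obj, action)


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "laptop-01", "payroll.xlsx", "read"))
    print(json.dumps(AUDIT_LOG, indent=1))
```

Two design points are worth noting. The unknown-user path still computes a hash so that a failed login takes roughly the same time whether or not the username exists, and every comparison goes through hmac.compare_digest rather than ==. Real TOTP verifiers usually also accept the adjacent 30-second steps to tolerate clock drift; this example checks the current step only.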
Access Control Policies
Access control often starts with a concrete access control policy: a high-level document that outlines how access control works at an organization. On its own, the policy does not do anything. Only through specific tools, rules, and procedures is the policy implemented.
An access control policy usually contains sections on the scope of the policy, the purpose of the policy, who is responsible for the policy, and how the policy is enforced. The policy document will often include or link to specific policies, such as a password policy or a remote access policy. It all comes down to the needs of the organization.
The Principle of Least Privilege
The principle of least privilege holds that users should only have access to the resources they need to do their jobs – and nothing more. By limiting who can access what, the principle of least privilege significantly reduces the risk that resources might be damaged, stolen, or made public. This principle is the north star for many access control policies.
However, the principle of least privilege does not make sense in every context. By making it harder to access information and resources, you make it harder for employees to do their jobs and increase the need for IT resources. And by restricting the flow of information, you limit collaboration. Some of the most vital breakthroughs happen when people work across teams – but if marketing doesn’t know what sales is doing, it will be much harder for those teams to work together.
Of course, even a transparent organization should take care to protect sensitive information and assets, such as customer information and the company bank account.
The principle of least privilege often comes up in conjunction with the need-to-know principle, which holds that employees should only have access to the information they need to do their jobs. The two principles are very similar – the most significant difference is that the need-to-know principle applies more strictly to information.
Logical vs Physical Access Control
One of the key distinctions among access controls is between logical access controls, which govern access to computer systems, and physical access controls, which govern access to physical places and resources. Though the fundamentals are largely the same for both, there are some key differences.
When it comes to authentication, logical access controls tend to rely on something you know factors, such as passwords. Physical access controls, on the other hand, tend to lean on something you have factors, such as keycards, as well as on biometrics, such as fingerprint scans.
When it comes to authorization, logical access controls are often more technical in their implementation. On a computer system, access is set by fixed rules and enforced by the computer itself. Whether you knowingly interact with it or not, nearly every operating system has some form of built-in access control.
Access Control Lists
Access control lists are fundamental to authorization, especially when it comes to logical access controls. An access control list lists users alongside their permissions, as pertains to a particular object. On Windows, for instance, every file or folder has its own access control list, visible in the Security tab of the object’s Properties dialog.
In the top panel of that tab, you’ll see the list of users and groups. Below it you can see the permissions for the selected user, which detail whether that user can read files, modify a folder’s contents, execute a program, or more. You can find more detail about what each of these means in our complete guide to access control lists.
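The evaluation a Windows-style access control list performs, as an added example rather than the article's own code or Microsoft's implementation. Each entry names a trustee (a user or a group), says whether it allows or denies, and carries a bitmask of rights; an explicit deny overrides any allow for the same right, which is what Windows canonical ACE ordering guarantees. The owner check in set_permission() is the discretionary part: only the object's owner or an administrator may change the list. The users, groups, rights names and entries are constructed.

```python
"""Added example: effective rights from a Windows-style ACL.  Groups, users and
entries are constructed; the deny-overrides-allow rule matches Windows."""
from dataclasses import dataclass, field

READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE
RIGHT_NAMES = {READ: "Read", WRITE: "Write", EXECUTE: "Read & execute", DELETE: "Delete"}

# Constructed group membership; the top panel lists groups as well as users.
GROUPS = {"Finance": {"alice", "bob"}, "Administrators": {"carol"}}


@dataclass(frozen=True)
class Ace:
    trustee: str   # user or group the entry applies to
    allow: bool    # True = allow entry, False = deny entry
    rights: int    # bitmask of READ / WRITE / EXECUTE / DELETE


@dataclass
class Acl:
    owner: str
    entries: list = field(default_factory=list)


def principals(user: str) -> set:
    """The user plus every group they belong to; an ACE matches any of these."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def effective_rights(acl: Acl, user: str) -> int:
    """Union of matching allow entries, minus anything a matching deny names."""
    who = principals(user)
    allowed = denied = 0
    for ace in acl.entries:
        if ace.trustee not in who:
            continue
        if ace.allow:
            allowed |= ace.rights
        else:
            denied |= ace.rights
    return allowed & ~denied


def is_allowed(acl: Acl, user: str, wanted: int) -> bool:
    """True only if every requested right is effectively granted."""
    return (effective_rights(acl, user) & wanted) == wanted


def describe(acl: Acl, user: str) -> list:
    """Names of the rights a user holds, as the permissions panel would show."""
    rights = effective_rights(acl, user)
    return [name for bit, name in RIGHT_NAMES.items() if rights & bit]


def set_permission(acl: Acl, actor: str, ace: Ace) -> None:
    """Discretionary rule: only the owner or an administrator may edit the list."""
    if actor != acl.owner and actor not in GROUPS["Administrators"]:
        raise PermissionError(f"{actor} may not change permissions on this object")
    acl.entries.append(ace)


def demo_acl() -> Acl:
    """Constructed ACL for one file owned by alice."""
    acl = Acl(owner="alice")
    acl.entries.extend([
        Ace("Finance", True, READ | WRITE),
        Ace("bob", False, WRITE),                  # bob may read but not write
        Ace("Administrators", True, FULL_CONTROL),
    ])
    return acl


if __name__ == "__main__":
    acl = demo_acl()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, describe(acl, user))
```

Because rights are accumulated from every entry that matches either the user or one of their groups, a user in two groups gets the union of both groups' allows, and a single deny entry on the user removes a right no matter how many group entries grant it.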
Access Control Models
Logical access control systems usually operate on one of multiple distinct access control models, which structure how access is allocated within the system. Here are a few common access control models:
Discretionary Access Control (DAC)
Under discretionary access control, each object has an owner who can set access for other users at their discretion. It is the most widely used access control model, and is built into most consumer operating systems, including Windows.
Discretionary access control is the most flexible access control model. It allows ordinary users to set access at will. However, it can become unwieldy at larger organizations, in which any of a thousand or more people could be an object owner.
Mandatory Access Control (MAC)
Under mandatory access control, administrators set security labels for both users and objects. Each object has a security classification, and each user has a security clearance. To access an object, a user must have a clearance matching or exceeding the object’s classification.
Mandatory access control is the strictest access control model, making it the model of choice for matters of national security. But it can also be unwieldy, and requires quite a bit of bureaucracy to function. For that reason, it doesn’t make sense for most business purposes.
Role-Based Access Control
Under role-based access control, users are assigned to groups or roles, and access is distributed based on groups. An employee in the accounting department would be assigned to the accounting role, for instance, and would then inherit any permissions belonging to that group.
By sorting users into groups, role-based access control streamlines access. Though it isn’t always necessary at small organizations, it can come in very handy the larger an organization gets.
Rule-Based Access Control
Under rule-based access control, access to a system is subject to rules set by a system administrator. It is commonly used by routers and firewalls to protect network traffic. Because a network might receive thousands of requests an hour, it does not make sense to approve access individually. Instead, a rule-based access control system determines access based on criteria such as IP addresses, subnet IDs, and user attributes.
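The three models just described, side by side, as an added example that is not part of the original article. mac_can_read() applies the rule stated above for mandatory access control, a clearance must match or exceed the classification, to an ordered list of labels (this is the "no read up" rule; labels are set by administrators, so there is deliberately no function for a user to change them); rbac_permissions() derives a user's permissions from the roles they hold; and rule_allowed() walks a firewall-style rule table top to bottom, first match wins, default deny. The levels, clearances, roles, users, networks and rules are constructed.

```python
"""Added example: mandatory, role-based and rule-based access control checks.
Labels, roles, users and rules below are constructed for illustration."""
import ipaddress

# Mandatory access control: labels are assigned by administrators only.
LEVELS = ["unclassified", "confidential", "secret", "top secret"]  # low -> high
CLEARANCE = {"alice": "secret", "bob": "confidential"}
CLASSIFICATION = {"budget.doc": "confidential", "ops-plan.doc": "top secret"}


def dominates(clearance: str, classification: str) -> bool:
    """True when the clearance is at or above the classification."""
    return LEVELS.index(clearance) >= LEVELS.index(classification)


def mac_can_read(user: str, obj: str) -> bool:
    """No read up: a subject reads only objects at or below its clearance."""
    if user not in CLEARANCE or obj not in CLASSIFICATION:
        return False  # an unlabeled subject or object gets nothing
    return dominates(CLEARANCE[user], CLASSIFICATION[obj])


# Role-based access control: permissions attach to roles, people to roles.
ROLE_PERMISSIONS = {
    "accounting": {"ledger:read", "ledger:post"},
    "auditor": {"ledger:read"},
    "hr": {"personnel:read"},
}
USER_ROLES = {"carol": {"accounting"}, "dave": {"auditor", "hr"}}


def rbac_permissions(user: str) -> set:
    """Union of the permissions of every role the user holds."""
    roles = USER_ROLES.get(user, set())
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def rbac_allowed(user: str, permission: str) -> bool:
    return permission in rbac_permissions(user)


# Rule-based access control: a first-match rule table, as on a firewall.
RULES = [  # (action, source network, destination port or None for any port)
    ("deny", "203.0.113.0/24", None),   # blocked range, any port
    ("allow", "192.0.2.0/24", 443),     # partner range may reach HTTPS
    ("allow", "198.51.100.0/24", 22),   # admin jump hosts may reach SSH
]
COMPILED_RULES = [(a, ipaddress.ip_network(n), p) for a, n, p in RULES]


def rule_allowed(src_ip: str, dst_port: int) -> bool:
    """Walk the table top to bottom; the first matching rule decides."""
    src = ipaddress.ip_address(src_ip)
    for action, network, port in COMPILED_RULES:
        if src in network and (port is None or port == dst_port):
            return action == "allow"
    return False  # nothing matched: default deny


if __name__ == "__main__":
    print(mac_can_read("alice", "budget.doc"), mac_can_read("alice", "ops-plan.doc"))
    print(sorted(rbac_permissions("dave")))
    print(rule_allowed("192.0.2.10", 443), rule_allowed("192.0.2.10", 22))
```

Note the contrast with the ACL model: in the mandatory check nothing about the object's owner matters, in the role-based check a user's rights change only when their role assignments change, and in the rule-based check the subject is not a person at all but a source address, which is why rule order and the default action deserve the same review as the rules themselves.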
These are only some of the most common models. You can find more in our complete guide to access control models.
Access Control in Practice
Whether you know it or not, you interact with access controls every day. You probably don’t think about access controls when you drive your car, for instance. But before you drive, you register both yourself and your vehicle with your state government.
And each time you drive, you unlock and start the car with your key, and carry both your own driver’s license and the vehicle’s registration everywhere you take it. If necessary, you can then prove that you’re legally authorized to drive and that you own the vehicle in question.
Many businesses instate access controls to guard who can enter their premises. You might need a parking sticker to park in the lot, and then an identification badge to swipe yourself in. Certain areas within a building, such as server rooms, might even be limited to a select group of employees. The fewer people who can directly access the servers, the less risk someone will steal sensitive data or take the servers offline.
Most computers have one or more access control models built in. Windows runs on a foundation of discretionary access control. But it also includes features that allow organizations to implement role-based access control, as well as a layer of mandatory access control to protect the computer’s most sensitive areas.
Before 2006, Windows was highly vulnerable to malware attacks. Under purely discretionary access control, applications inherited the full permissions of the user that ran them – and could then take over the computer itself.
To shore up this vulnerability, Windows added the User Account Control system, a layer of mandatory access control. Under this system, users and applications operate under a medium integrity label by default. This prevents applications from making changes to the operating system itself or to security features.
Users can always override this control by running an application as administrator. But by limiting applications’ default level of access, Windows significantly curtailed malware attacks.
This hybrid approach is worth keeping in mind. The same might make sense in many organizations: using a tough access control system to guard the most sensitive assets, while otherwise allowing information to flow freely among employees via a less strict access control model.