A customer calls asking for details about how they are registered in your company’s database, so they can make sure their information is updated. You get a phone call from a business partner who needs to contact your colleague and asks you to check her calendar to see when she is free. While in essence quite different, both these scenarios are requests to access personal data.
But what if the person requesting access to personal data is not who he or she claims to be? In general, there are two things you need to consider when asked to give out somebody’s personal information: the identity of the person asking for the data, and whether they have the right to access that data. The technical term for this is “access control”. Examples of access control in security systems include password-coded doors, fob-controlled gates, badges, biometric systems, motion detectors, and so forth.
A key component of information security, access control allows for streamlined control of movement around facilities or networks. In other words, it restricts the areas people can and cannot enter – be it a room or a computer. Back in the day, the simplest form of access control system would have been a standard lock and key. Today, it’s more likely to be an “access card” granting you entry to a secured area. Here, we take a closer look at how best to manage, monitor and track who has access to your door.
Security deep dive
When controlling access to an organization’s private information, you have to address both physical and logical access. Physical access refers to buildings, devices and documents while logical access refers to computer or system access. The technologies for dealing with each of them are quite different. Physical access control uses keys and badges to grant entry to a secured space, whereas logical access control employs advanced password programs and biometric security features.
Rather than handling user and access rights within each application, identity and access management solutions have introduced a centralized and more robust way of managing identities and regulating each user’s level of access to a given system. As endpoints proliferate across an organization, driven by bring-your-own-device policies and an expansion in the use of Internet-of-Things (IoT) devices, more control is needed. The solution is network access control (NAC), which provides a way to embed access control and endpoint security policies within an organization’s network infrastructure. This means that when a user tries to connect to a network, the NAC system holds the connection while it performs a risk assessment.
Why is access control used?
With large amounts of sensitive data stored electronically, the need to protect our informational assets has never been greater. Cyber threats evolve daily, requiring ever stricter safety measures, and keys and simple passwords no longer do the job. What you now need is a robust access control system that can help secure physical and confidential data, reduce admin costs, and keep your customers and staff safe.
Access control also helps organizations meet regulatory compliance requirements, such as the PCI DSS (Payment Card Industry Data Security Standard) and the HIPAA (Health Insurance Portability and Accountability Act). On another level, the ISO/IEC 27001 standard on information security also requires management to audit, and then mitigate, all of their organization’s vulnerabilities and cyber risks.
How does access control work?
Protecting identities is the core function of identity management, which provides several access control areas to make it clear what kind of access is being granted and to whom it is granted. This is only a superficial definition of access control, so let’s take a deeper look into how it all works. Identity management (IdM) draws a distinction between access control to resources within a domain and access control to the IdM configuration itself.
To make access control rules simple to implement, identity management divides access control definitions into three basic categories:
- Self-service rules, which define what operations a user can perform on their own personal entry
- Delegation rules, which allow a specific user group to perform write/edit operations on specific attributes for users in another user group
- Role-based rules, which create special access control groups that have much broader authority over all types of entities
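The three rule categories above can be read as an ordered set of checks ending in a default deny. The following Python sketch is an added example, not code from any identity management product; the users, groups, roles and attribute names are all hypothetical.

```python
# Added example: hypothetical names throughout; not any IdM product's API.
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    uid: str
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()

# Self-service rule: attributes a user may edit on their own entry.
SELF_SERVICE_ATTRS = {"phone", "display_name"}

# Delegation rules: (managing group, managed group) -> writable attributes.
DELEGATIONS = {
    ("helpdesk", "employees"): {"phone", "office"},
}

# Role-based rules: role -> attributes writable on any user entry.
ROLE_PERMISSIONS = {
    "user-admin": {"phone", "office", "display_name", "groups", "password"},
}

def can_write(actor: User, target: User, attr: str) -> tuple[bool, str]:
    """Return (decision, matching rule). Anything not matched is denied."""
    if actor.uid == target.uid and attr in SELF_SERVICE_ATTRS:
        return True, "self-service"
    for (manager_group, managed_group), attrs in DELEGATIONS.items():
        if (manager_group in actor.groups
                and managed_group in target.groups
                and attr in attrs):
            return True, "delegation"
    for role in actor.roles:
        if attr in ROLE_PERMISSIONS.get(role, set()):
            return True, "role-based"
    return False, "default-deny"

# Constructed sample directory entries.
alice = User("alice", groups=frozenset({"employees"}))
bob = User("bob", groups=frozenset({"helpdesk", "employees"}))
carol = User("carol", roles=frozenset({"user-admin"}))
```

Note that `alice` can change her own phone number but not her own group membership, which is the self-escalation path a self-service rule has to exclude.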
Different types of access control
All these rules are integrated into a variety of access control systems, which determine how access permissions are assigned and controlled within an organization. These include:
- Discretionary access control (DAC): With DAC models, the data owner decides to grant access rights based on rules that they specify. DAC is the least restrictive, and therefore the least recommended, type of access control for commercial and business security.
- Mandatory access control (MAC): MAC was developed using a non-discretionary model in which one person (e.g. the Chief Security Officer) has sole discretion over access permissions and security clearance. MAC subjects and objects are assigned clearances and labels, respectively, such as “confidential”, “secret” and “top secret”. This type of access control is best suited to organizations that require high security and confidentiality.
- Role-based access control (RBAC): Under this model, access is granted based on the person’s job function and the resources required to do their job. Key security principles, such as “least privilege” and “separation of privilege”, are employed to give users the minimum level of access required to perform their role. RBAC is a user-friendly access control system, which allows admins to group users and adjust permissions from a central database.
- Attribute-based access control (ABAC): In contrast to RBAC’s role-based method, ABAC is a complex strategy that grants or denies access to users based on a set of attributes assigned by the owner or administrator. While more complicated than RBAC, it gives admins the flexibility to make decisions according to context and evolving levels of risk.
- Rule-based access control (RuBAC): RuBAC involves defining the rules that govern access to a resource; these are often based on conditions such as “only users in the finance department can access financial data”.
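To see how the models differ in practice, the added Python example below (not part of the original article) evaluates one request under RBAC, MAC and ABAC. The roles, attributes and policies are constructed for illustration, the ABAC policy reuses the finance-department rule quoted above, and the MAC check models reads only.

```python
# Added example; all roles, attributes and policies are constructed.
from dataclasses import dataclass

# Ordering of the labels the article mentions (lowest to highest).
LEVELS = {"confidential": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class Request:
    role: str              # RBAC input
    department: str        # ABAC subject attribute
    clearance: str         # MAC subject clearance
    managed_device: bool   # ABAC context attribute
    action: str
    resource_type: str
    resource_label: str    # MAC object label

# RBAC: permissions hang off the role; nothing else is consulted.
ROLE_PERMS = {
    "finance-analyst": {("read", "financial-data")},
    "finance-manager": {("read", "financial-data"),
                        ("write", "financial-data")},
}

def rbac(req: Request) -> bool:
    return (req.action, req.resource_type) in ROLE_PERMS.get(req.role, set())

def mac(req: Request) -> bool:
    # Reads need a clearance at or above the object's label.
    # Unknown labels and non-read actions are denied in this sketch.
    subj, obj = LEVELS.get(req.clearance), LEVELS.get(req.resource_label)
    return (req.action == "read" and subj is not None
            and obj is not None and subj >= obj)

def abac(req: Request) -> bool:
    # The finance-department rule plus one context attribute (device posture).
    return (req.resource_type == "financial-data"
            and req.department == "finance"
            and req.managed_device
            and (req.action == "read" or req.role == "finance-manager"))

def decide(req: Request) -> dict:
    """Evaluate one request under each model so the differences are visible."""
    return {"RBAC": rbac(req), "MAC": mac(req), "ABAC": abac(req)}

# Constructed request: an analyst reading a "secret" ledger from a managed laptop.
BASE = Request("finance-analyst", "finance", "confidential", True,
               "read", "financial-data", "secret")
```

For `BASE`, RBAC and ABAC allow the read while MAC denies it; switching `managed_device` to `False` flips only the ABAC decision, which is the context sensitivity that RBAC alone does not provide.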
Choosing the right software
So how do you know which access control system is best suited to your space? Network access control is a rapidly growing market segment which offers numerous types of access control software solutions. Some connect you directly to a control panel, and some don’t; some use a server, and some don’t. The one you choose will depend on the size of your organization, the number of devices you operate and the protection levels required.
Let’s break it down for the sake of simplicity. At a glance, there are three different types of access control software on the market today – server-based, embedded, and hosted – each with their own features and applications.
- Server-based access control: Typically found in large organizations, these are on-premise access control systems that rely on local servers to host and run software. Access control systems on a local network are only available on site, and don’t offer the flexibility of remote access. Here, the server is on a closed network that can only be accessed by other devices within that network. While this is very secure, it can be inconvenient as it requires a full IT team to purchase and renew software licences and maintain the servers.
- Web-based access control: Also known as embedded access control, browser-based solutions include a web application. For the application to operate, there is no requirement for Internet access; it connects to the LAN (local area network) and can be accessed from any device within the LAN. However, it’s still best to have a reliable Internet connection as this type of access control system allows programming and maintenance from any Internet browser, avoiding costly software installations onsite.
- Cloud-based access control: Unlike the other two types of access control, cloud-based software is hosted by remote data centres (usually managed by a third party) and accessed via software and mobile apps. Under this approach, you can control your entire campus, including multiple buildings, from one admin panel. Because the system syncs in the cloud, an Internet connection is needed to review the admin panel and make updates or changes. Cloud-based access control systems increase the security and scalability of your operation, while also reducing overhead costs and operating fees.
ISO/IEC 27001 Information security management systems
ISO/IEC 29146 Security techniques — A framework for access management
Access control: future perspectives
The way we live and work is shifting rapidly, forcing organizations to make drastic changes in order to meet their information security and compliance requirements. Until recently, security convergence has mostly focused on merging virtual and physical access control systems; today, however, remote and hybrid work models are driving new security demands. With fewer people physically at office buildings, and more flexibility in how they access workplace assets, the future of access control is likely to be fashioned by the continued development of new technologies.
As time unfolds, we may see the use of more sophisticated biometric identifiers or technologies such as IoT and AI-based systems. Most important, however, will be enabling access control systems to connect to a whole network of devices, giving IT teams a more comprehensive and coordinated approach to security. When it comes to access control, we’re in for an exciting future – one that’s all at once intelligent, adaptive and reliable.