When we refer to access control systems, we’re talking about providing access to restricted areas of the enterprise. But familiarity and correctly utilizing access control systems to protect proprietary information are two completely different levels of understanding. For example, who gets access to what? What are the rules? How is access tracked?
The user must first be identified and authenticated before being granted access to private information—which means the basics of an access control system include criteria and records for every time someone “enters” the system.
Depending on the type of organization, the enterprise should consider a couple of broad ideas—what level of ownership it will have over the system and how to decide which employees get access to what. There are many models, each with different benefits.
The most common types of access control systems
Mandatory access control (MAC)
The mandatory access control system provides the most restrictive protections, where the power to permit access falls entirely on system administrators. That means users cannot change permissions that deny or allow them entry into different areas, creating formidable security around sensitive information.
It even restricts the resource owner’s ability to grant access to anything listed in the system. Once an employee enters the system, they’re tagged with a unique connection of variable “tags”—like a digital security profile—that speaks to their access level. So depending on what tags a user has, they will have limited access to resources based on the sensitivity of the information contained in them. This system is so shrewd, in fact, that government entities commonly use it because of its commitment to confidentiality.
Discretionary access control (DAC)
On the other hand, a discretionary access control system puts a bit of control back into leadership’s hands. They determine who can access which resources, even if the system administrator created a hierarchy of files with specific permissions. All it takes is the proper credentials to gain access.
The only disadvantage, of course, is giving the end-user control of security levels requires oversight. And since the system requires a more active role in managing permissions, it’s easy to let actions fall through the cracks. Where the MAC approach is rigid and low-effort, a DAC system is flexible and high-effort.
Role-based access control (RBAC)
Role-based access control attributes permissions to a user based on their business responsibilities. As the most common access control system, it determines access based on the user’s role in the company—ensuring lower-level employees aren’t gaining access to high-level information.
Access rights in this method are designed around a collection of variables that map back to the business—such as resources, needs, environment, job, location, and more. Many executives like this approach because it’s simple to group employees based on the kind of resources to which they need access. For example, someone in human resources does not need access to private marketing materials, and marketing employees don’t need access to employee salaries. RBAC provides a flexible model that increases visibility while protecting against breaches and data leaks.
More detailed, hands-on access control
While there are some established practices in access control, technology has given us the opportunity for more customized approaches. Depending on how “hands-on” the enterprise wants to be, there are many ways to think about it.
Rule-based access control
As you might have guessed, this system grants permissions based on structured rules and policies. Largely context-based, when a user attempts to access a resource, the operating system checks the rules decided on in the “access control list” for that specific resource. Creating the rules, policies, and context adds some effort to the rollout. Additionally, this system will often be blended with the role-based approach we discussed earlier.
Attribute-based access control
Drilling down a level deeper, this type of system provides different dynamic and risk-intelligent control based on attributes given to a specific user. These attributes are components of a user profile; together, they define the user’s access. Once policies are set, they can use these attributes to read whether or not a user should have control. These attributes can also be obtained and imported from a separate database, like Salesforce.
“Smarter,” more intuitive control systems
Some control systems transcend technology altogether. These are the systems that operate on a deeper, more intuitive level.
Identity-based access control
The most simple yet complex—identity-based control dictates whether a user can access a resource based on their visual or biometric identity. The user will then be denied or permitted access based on whether or not their identity can be matched with a name appearing on the access control list. One of the main benefits of this approach is providing more granular access to individuals in the system instead of manually grouping employees. This is a very detailed, technology-driven approach that gives an abundance of control to the business owner.
History-based access control
Another “smart” solution is a history-based access control system. Based on past security actions, the system determines whether or not the user gains access to the requested resource. The system will then scrape that user’s history of activities—the time between requests, content requested, which doors have been recently opened, etc. For example, if a user has a long history of working exclusively with secured accounting materials, a request to access next year’s marketing roadmap might be flagged in the system.
The future: AI-driven Identity Management
As access control moves into the future, the responsibility of managing the systems will continue to shift away from people and toward technology. Artificial Intelligence (AI) not only allows us to evaluate access permissions for users in real-time, but it’s also able to forecast the entire lifecycle of an employee. These solutions not only protect us from the “now,” they can identify risks and compliance issues before they become serious. The enterprise no longer has to tightly monitor the complicated web of policies and access control lists because AI simplifies visibility at a high level.
Wrapping Up
While access control has evolved from protecting physical documents in actual buildings to cloud-based systems, the idea of protecting the enterprise’s resources is never going out of style. The wiser we get with technology, the more options we will have. Understanding the variables that matter—things like organization size, resource needs, and employee locations—will help inform your decision.