Access control is a security technique that controls who in a computing system can access or use information, or what. It is a fundamental security principle that minimizes the risk to the company or organization.
What are Access Control components?
Access control at a high level is about restricting access to a resource. Whether physical or logical, every access control system has five main components:
- Authentication: The act of proving a claim, such as a person’s identity or a computer user’s. These include reviewing self-identification documents, verification a website’s authenticity with a digital certificate, or verifying login credentials against stored details.
- Authorization: The role of defining resource access rights or privileges, e.g., human resource personnel, is generally authorized to access employee records. This policy is typically formalized as guidelines for access controls in a computer system.
- Access: Once authenticated and authorized, the resource can be accessed by the person or computer.
- Manage: Managing an access control program requires the implementation and removal of a user or system authentication and authorization.
- Audit: Frequently used to uphold the principle of least privilege as part of the access control. Over time, users can end up getting access that they no longer need, e.g., when changing roles. Regular audits minimize this risk.
How does control of the access work?
Once you know what is access control, then you must also know about its working. Access control may be categorized into two types for enhancing physical security or cyber-security:
- Physical Access Control: It limits access to campuses, buildings, rooms, and physical IT properties, e.g., Proximity card for unlocking a door.
- Logical Access Control: Logical access control restricts computer network links, device files, and data connections, e.g., a username and password.
For example, a company can use an electronic control system that relies on user credentials, access card readers, intercom, audit, and reporting to track which employees have access to and have accessed a restricted data center.
Access control minimizes the risk of authorized access to physical and computer systems, forming a foundation of information security, data security, and network security.