Long gone are the days of the traditional lock and key system being the gold standard of access control. Modern businesses have evolved and require higher levels of access control. In this week’s blog, we’ll be defining what access control systems are and the different variations available.
The Evolution of Access Control
Modern access control utilises electronic credentials or biometric recognition to grant or deny access to a facility. This gives an administrator the immediate ability to add or remove entry privileges for any individual with the click of a computer mouse. Credential types may be simple keyfobs, credit-card-style access devices, mobile phone recognition, fingerprints, PINs and a host of emerging technologies. We’ll be discussing the various forms of access control available and the type of environment each is suitable for.
Defining Access Control
There are different variations of access control. Generally, access control defines a security technique that regulates authorised individuals' entry into and out of a building – also known as physical access control. Access control also defines a security technique that regulates who or what can view or use resources within a computing environment, which is known as logical access control.
The Purpose of Access Control
Access control systems provide security by giving flexible control over authorised personnel. They are among the most commonly used systems in electronic door control, typically using a card or magnetic stripe that is swiped through a reader on the door. These access control systems are used as a security measure.
Types of Access Control Organisations Use
Organisations use different access control models depending on their compliance requirements and the security levels of the information technology they are trying to protect. Generally, however, most organisations will require high levels of security and use different variations of access control systems, which include the following:
1. Mandatory Access Control (MAC)
Mandatory Access Control (MAC) is a security strategy where only the administrator manages the access controls. The administrator defines the usage and access policy, which cannot be modified or changed by users. This access control will also indicate who has access to what programs and files. MAC is most often used in systems where priority is placed on confidentiality.
2. Discretionary Access Control (DAC)
Discretionary Access Control (DAC) holds the business owner responsible for deciding which personnel are allowed in a specific location, physically or digitally. DAC is the least restrictive compared to the other systems. It essentially allows individuals to have complete control over any object they own as well as the programs associated with those objects.
3. Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) grants access based on a user’s role and implements key security principles, such as ‘least privilege’ and ‘separation of privilege’. This means personnel attempting to access information can only view data that has been deemed necessary for their role.
4. Rule-Based Access Control
Rule-Based Access Control is a security model in which the system administrator defines the rules that govern access to resource objects. Often these rules are based on conditions, such as the time of day or location. It is not uncommon to use some form of both rule-based access control and role-based access control to enforce access policies and procedures.
5. Attribute-Based Access Control (ABAC)
Attribute-Based Access Control (ABAC) uses attributes as building blocks in a structured language, which defines access control rules and describes access requests. Attributes are sets of labels or properties, used to describe all the entities that must be considered for authorisation purposes. Each attribute consists of a key-value pair such as ‘Role=Manager’. This can be more clearly understood when using the attribute-based access control diagram, as shown on the right.
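The sketch below shows how the rule-based conditions (time of day, location) and key-value attributes such as ‘Role=Manager’ described above can combine into a single deny-by-default decision. It is an added example, not part of the original post; the attribute names, policy entries and function names are constructed for illustration.

```python
from datetime import time

ALL_DAY = (time(0, 0), time(23, 59, 59))

# Constructed policy. Each rule names the key=value attributes it requires,
# plus rule-based conditions: an allowed time window and allowed locations.
POLICY = [
    {"effect": "permit",
     "subject": {"role": "Manager"},
     "resource": {"classification": "confidential"},
     "hours": (time(8, 0), time(18, 0)),
     "locations": {"head-office"}},
    {"effect": "permit",
     "subject": {"role": "Staff"},
     "resource": {"classification": "internal"},
     "hours": ALL_DAY,
     "locations": {"head-office", "branch"}},
    {"effect": "deny",                      # suspended accounts never get in
     "subject": {"status": "suspended"},
     "resource": {},
     "hours": ALL_DAY,
     "locations": None},                    # None means any location
]

def _matches(required, actual):
    """Every required key=value pair must be present in the actual attributes."""
    return all(actual.get(key) == value for key, value in required.items())

def rule_applies(rule, subject, resource, env):
    """env must carry 'time' (datetime.time) and may carry 'location'."""
    start, end = rule["hours"]
    in_hours = start <= env["time"] <= end
    in_place = rule["locations"] is None or env.get("location") in rule["locations"]
    return (_matches(rule["subject"], subject)
            and _matches(rule["resource"], resource)
            and in_hours and in_place)

def decide(subject, resource, env):
    """Deny by default; an applicable deny rule overrides any permit."""
    effects = {r["effect"] for r in POLICY if rule_applies(r, subject, resource, env)}
    if "deny" in effects:
        return "deny"
    return "permit" if "permit" in effects else "deny"
```

A request that matches no rule at all is denied, which is the behaviour to check first when adapting a policy like this: a missing attribute should never widen access.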
Why Use An Access Control System?
The goal of access control is to minimise the risk of unauthorised access to physical and logical systems. Access control is a fundamental component of security compliance programs that ensure security technology and access control policies are in place to protect confidential information.
Over the years, access control systems have become more and more sophisticated. Where once upon a time ‘access control’ may have simply been a physical brass key, now it usually refers to a computer-based, electronic card access control system.