Access Control

By Melissa Rudy
Updated: May 21, 2012

Access control—a term referring to the measures taken to determine who can interact with a given resource—is actually part of our everyday lives. One of the simplest forms of access control is the lock on your car door, which prevents entry by anyone who doesn't have a key. Real-world access control is used for coin-operated restroom stalls, childproof medicine bottles, and ATM cards protected by PIN codes.

But in the realm of information technology, access control is an essential part of security. Of course, it’s a bit more complicated than your car door locks, because IT security has to guard against the cyber version of car thieves armed with crowbars and lock picks as substitutes for keys.

Security access control incorporates three primary areas of concern:

  • Authentication determines who is granted access to a given resource or system.
  • Authorization determines what the authenticated user can do.
  • Accountability records the actions taken by the user.

Identity and authentication: The gatekeepers of access control

The process of identity and authentication (I&A) makes sure that the subject entity—either a person or another electronic system—is really who they say they are. The most common and recognizable form of I&A is the user name and password system assigned to just about every electronic device and website that deals with personalized data.

There are several different ways to implement I&A on a system or resource. The authenticator, which is the mechanism used to verify identification, usually involves at least one of these factors:

  • Private information. This category includes login IDs or screen names, passwords, personal identification numbers (PINs), and security questions, and assumes that the information is known only to the owner of the account.
  • Physical object. Some IT security systems involve the use of smart cards, security tokens, or physical keys to grant access to a user.
  • Biometrics. A highly specialized form of authentication reserved for ultra-technical systems and spy movies, biometrics involves the use of voice, fingerprint, retina, or iris characteristics recognition for access control.
  • Location-based. Company firewalls and some global positioning systems use physical proximity as a factor for authentication.

Authorization: What you can—and can't—access

Once you've been identified and authenticated, the next step in access control is authorization. This refers to the actions you're able to perform in the system. Most electronic systems have different levels of user-dependent authorization, which are commonly called permissions.

The three typical sets of permissions are:

  • Read: With read permission, an authorized user can view the contents of a file and its directory. An example of a read permission is a PDF file viewed in the free Acrobat reader—you can see the file, but you can't change it.
  • Write: This permission allows authorized users to change the contents of a file or directory by adding, creating, deleting, or renaming. Blog and website design programs use write permission to allow the account owners to add and delete posts, change layouts, and apply templates.
  • Execute: Applicable to program files, the execute permission enables an authorized user to cause a program to run. The most basic examples of execute permission are downloaded programs, either free or paid.
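The read/write/execute permissions above are evaluated the way a POSIX file system evaluates its owner, group and "other" permission triples. The following is an added example, not code from the original article: it models a resource with a POSIX-style mode, a subject with a user name and group memberships, and an `is_authorized` check. The class names, the `parse_symbolic` helper and the sample users are assumptions made for illustration. One caveat it demonstrates is that the three triples are not merged: the owner is judged by the owner bits alone, so an owner whose own bits are empty is denied even if the group bits would allow the action.

```python
from dataclasses import dataclass

# Permission bits, matching the POSIX octal convention (r=4, w=2, x=1).
READ, WRITE, EXECUTE = 4, 2, 1
ACTIONS = {"read": READ, "write": WRITE, "execute": EXECUTE}


@dataclass(frozen=True)
class Resource:
    name: str
    owner: str
    group: str
    mode: int  # e.g. 0o640 == owner rw-, group r--, other ---


@dataclass(frozen=True)
class Subject:
    username: str
    groups: frozenset


def parse_symbolic(text: str) -> int:
    """Convert a 9-character 'rwxr-x---' string into an octal mode such as 0o750."""
    if len(text) != 9:
        raise ValueError("expected a 9-character symbolic mode")
    mode = 0
    for index, ch in enumerate(text):
        expected = "rwx"[index % 3]
        if ch == expected:
            mode |= 1 << (8 - index)
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} at position {index}")
    return mode


def effective_bits(subject: Subject, resource: Resource) -> int:
    """Select the single permission triple that applies to this subject.

    POSIX semantics: owner bits if the subject owns the resource, otherwise group
    bits if the subject is in the resource's group, otherwise the 'other' bits.
    The triples are never combined, which is the edge case the article's
    read/write/execute description glosses over.
    """
    if subject.username == resource.owner:
        return (resource.mode >> 6) & 0o7
    if resource.group in subject.groups:
        return (resource.mode >> 3) & 0o7
    return resource.mode & 0o7


def is_authorized(subject: Subject, resource: Resource, action: str) -> bool:
    """Authorization decision: does the applicable triple contain the requested bit?"""
    wanted = ACTIONS[action]  # raises KeyError for an unknown action, which is deliberate
    return bool(effective_bits(subject, resource) & wanted)


# Constructed sample data (hypothetical users and files, not from the article).
REPORT = Resource("quarterly.pdf", owner="alice", group="staff", mode=parse_symbolic("rw-r-----"))
TOOL = Resource("backup.sh", owner="root", group="ops", mode=parse_symbolic("rwxr-x---"))
ODD = Resource("handoff.txt", owner="alice", group="staff", mode=parse_symbolic("---rw----"))

ALICE = Subject("alice", frozenset({"staff"}))
BOB = Subject("bob", frozenset({"staff", "ops"}))
CAROL = Subject("carol", frozenset())


def demo() -> dict:
    """Return a table of decisions so the behaviour can be inspected or asserted on."""
    return {
        "alice reads report": is_authorized(ALICE, REPORT, "read"),
        "alice writes report": is_authorized(ALICE, REPORT, "write"),
        "alice executes report": is_authorized(ALICE, REPORT, "execute"),
        "bob reads report": is_authorized(BOB, REPORT, "read"),
        "bob writes report": is_authorized(BOB, REPORT, "write"),
        "carol reads report": is_authorized(CAROL, REPORT, "read"),
        "bob executes tool": is_authorized(BOB, TOOL, "execute"),
        "carol executes tool": is_authorized(CAROL, TOOL, "execute"),
        # Owner with empty owner bits is denied even though group bits allow it.
        "alice reads odd file": is_authorized(ALICE, ODD, "read"),
        "bob reads odd file": is_authorized(BOB, ODD, "read"),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:24s} -> {'allow' if allowed else 'deny'}")
```

Running the module prints one allow/deny line per decision; the last two lines show the non-merging rule in action.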

Accountability: Keeping track of your activity

This facet of security access control is the primary difference between electronic IT control and the simpler physical forms like locks and childproof caps. Accountability, also referred to as audit, employs components like audit trails and logs to record the actions users take while they're logged onto a system.

Audit trails and logs allow IT systems to detect and take action against security violations. These records also let system administrators recreate incidents that have led to security breaches, so they can trace the user, retract permissions, and take any other necessary actions.

Casual users can see accountability in action with systems that either time out or automatically disable accounts after a certain number of failed log-in attempts. These automated fail-safes are known as clipping levels, and they help to prevent unauthorized access.

Additional access control methods

While authentication, authorization, and accountability represent the primary building blocks of access control systems, extra measures are often employed. These include:

  • Encryption and hidden paths
  • Digital signatures
  • Social barriers
  • Automated system monitoring
  • Human monitoring

For IT security, access control is serious business—which is fortunate for all of us who would rather not have people regularly breaking into our email, Facebook profile, and online bank accounts. We get to keep the keys, while IT companies protect us from the electronic versions of crowbars and lock picks.
