Access control is a fundamental component of data security that dictates who has access to company information. Access control policies make sure users are who they claim to be and that they have appropriate access to company data. Access control is also used to limit physical access to campuses, buildings, rooms, and data centres.
Access control identifies users by verifying various login credentials. These can include usernames and passwords, PINs, biometric scans, and security tokens. Many systems also require several authentication methods to verify a user’s identity.
Once a user is verified, access control then allows access and actions associated with that user’s credentials and IP address.
There are four main types of access control. Organizations choose the method that makes the most sense based on their unique security and compliance requirements.
Discretionary access control (DAC)
With discretionary access control, access is gained only if the owner or administrator of the system has granted permission.
Mandatory access control (MAC)
With mandatory access control, the system grants access only when the user meets certain clearance and information requirements.
Role-based access control (RBAC)
Role-based access control is based on the roles of individuals within the organization. It grants access only to information needed to fulfill a specific role and denies access to information not necessary to the individual.
Attribute-based access control (ABAC)
Attribute-based access control, rather than looking at the role, looks at the user and the reason they need the information, and grants access accordingly.
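The four models above can give different answers to the same request. The following added example (not part of the original article) evaluates one request under each model; the users, the payroll resource, the classification labels, and the policy fields are all constructed for illustration.

```python
from dataclasses import dataclass, field

LEVELS = {"public": 0, "confidential": 1, "secret": 2}  # constructed labels

@dataclass
class User:
    name: str
    role: str
    clearance: str                                # MAC clearance level
    categories: set = field(default_factory=set)  # MAC information categories
    attrs: dict = field(default_factory=dict)     # ABAC attributes

@dataclass
class Resource:
    owner: str
    label: str                                  # MAC classification
    category: str                               # MAC information category
    acl: set = field(default_factory=set)       # DAC: users the owner granted
    roles: set = field(default_factory=set)     # RBAC: roles that need it
    policy: dict = field(default_factory=dict)  # ABAC: required attributes

def dac(user, res):
    # Discretionary: the owner, or anyone the owner has granted permission.
    return user.name == res.owner or user.name in res.acl

def mac(user, res):
    # Mandatory: the system compares clearance and category; owners cannot override.
    return (LEVELS[user.clearance] >= LEVELS[res.label]
            and res.category in user.categories)

def rbac(user, res):
    # Role-based: access follows the role, not the individual.
    return user.role in res.roles

def abac(user, res, purpose):
    # Attribute-based: user attributes plus the stated reason for access.
    return (user.attrs.get("department") == res.policy.get("department")
            and purpose in res.policy.get("purposes", set()))

def decide(user, res, purpose):
    return {"DAC": dac(user, res), "MAC": mac(user, res),
            "RBAC": rbac(user, res), "ABAC": abac(user, res, purpose)}

# Constructed sample data.
payroll = Resource(owner="alice", label="confidential", category="finance",
                   acl={"bob"}, roles={"hr"},
                   policy={"department": "finance", "purposes": {"audit"}})
bob = User("bob", "engineer", "public", attrs={"department": "engineering"})
carol = User("carol", "hr", "secret", {"finance"}, {"department": "finance"})

if __name__ == "__main__":
    for u, why in [(bob, "audit"), (carol, "audit"), (carol, "curiosity")]:
        print(u.name, why, decide(u, payroll, why))
```

Bob is admitted only under DAC, because the owner put him on the list, while Carol is admitted under MAC, RBAC, and ABAC but loses ABAC access as soon as her stated reason is not one the policy accepts.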
Access control keeps confidential information from falling into the wrong hands, and prevents data leakage from both internal and external sources. It’s particularly important for organizations where resources, apps, and data live both on premises and in the cloud. Access control can provide more robust access security beyond single sign-on (SSO).