What is Access Control?
Access control is a collection of cybersecurity techniques that regulate who can enter, view, use, or modify secured systems, data, and/or resources within a computing environment.
The goal of access control is to prevent digital adversaries from gaining unauthorized access to secure IT systems, and to ensure that those systems can only be accessed by authorized individuals with legitimate credentials and a valid business purpose.
Why is Access Control Important?
- Maintaining Critical Systems and Data – Enterprises increasingly depend on physical IT assets and digital infrastructure for daily operational tasks. Access control systems help ensure that these systems remain operational and available by preventing unauthorized individuals from accessing the resources and making detrimental changes.
- Preventing Network Intrusion and Data Theft – Digital adversaries may attempt to gain unauthorized access to secure IT systems and networks for nefarious purposes, such as data theft, ransom demands, and other forms of cyberattacks. Access control helps block these intrusions.
- Compliance with Data Access Regulations – Organizations subject to data security and privacy regulations can use access control systems to enable access for authorized users, block access for unauthorized users, and establish an auditable record of who accessed or changed data.
Physical vs. Logical Access Control – What’s the Difference?
Enterprises implement both physical and logical access controls to prevent unauthorized access to their secured IT systems.
Physical access control includes a range of security measures that restrict access to data centers, buildings, offices, and other locations where physical IT assets are stored and operated. These security measures can include things like keycard entry systems, locks, alarm systems, and human security personnel.
Logical access control systems automate the regulation of access to digital IT systems by managing user permissions/authorization, identifying users and authenticating access attempts, granting users approval to access secured IT systems, and logging user activity.
How Does Access Control Work?
- Authorization – Authorization is the first step in the access control process. Authorization specifies which users or subjects are permitted to access a secured physical space or IT system, and what permissions those users have once they are granted access. Users who are authorized to access a secured area or system may be provided with access credentials, such as a keycard or a username/password.
- Identification and Authentication – When an individual requests access to a secured location or IT system, access control systems automate the process of identifying the person requesting access and authenticating their credentials to verify that they are legitimately authorized to access the resource. As part of the authentication process, the individual may be required to provide access credentials along with other forms of authentication (token-based, biometric, etc.).
- Access Approval/Denial – Access control systems approve or deny access to secured locations or systems based on successful identification of the user and authentication of their access credentials.
- Accountability/Auditing – Access control systems often incorporate an accountability/audit mechanism that creates a record of what a subject/user did while accessing a secure system or location. In physical access control, that accountability mechanism could be a closed-circuit security camera system that tracks the user’s behavior and movements while inside the secure location. In logical access control, that mechanism could be an audit log that creates a record of which resources the user views or modifies while accessing the system.
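The four steps above, as an added example that is not part of the original article: a minimal logical access control flow in Python. The users, permissions and passwords are constructed sample data, and the permission table and audit log are assumed in-memory stand-ins for an identity provider and a log store.

```python
"""Added example (not from the original article): a minimal logical access
control flow covering the four steps described above. Users, permissions
and credentials below are constructed sample data, not a real deployment."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Step 1 (Authorization): which subjects may touch which resources, and how.
PERMISSIONS = {
    "alice": {"payroll.db": {"read", "write"}},
    "bob": {"payroll.db": {"read"}},
}

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps a stored credential from being recovered if the table leaks.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}

# Constructed credential store: in practice this lives in the identity provider.
CREDENTIALS = {"alice": enroll("correct horse"), "bob": enroll("battery staple")}

AUDIT_LOG: list[dict] = []

def authenticate(user: str, password: str) -> bool:
    # Step 2 (Identification and Authentication): verify the presented secret.
    rec = CREDENTIALS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])

def request_access(user: str, password: str, resource: str, action: str) -> bool:
    """Step 3 (Approval/Denial), with Step 4 (Accountability) recorded every time."""
    authenticated = authenticate(user, password)
    allowed = authenticated and action in PERMISSIONS.get(user, {}).get(resource, set())
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "resource": resource, "action": action,
        "authenticated": authenticated, "decision": "ALLOW" if allowed else "DENY",
    })
    return allowed
```

Every request, approved or denied, leaves an audit record, so the log answers "who tried what, and was it allowed" rather than only listing successes.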
4 Types of Access Control You Should Know
IT organizations depend on logical access control systems to regulate access to many different types of secured digital systems, including email accounts, internal networks or intranets, public cloud deployments, and public-facing digital assets like web domains and hosting accounts.
Four of the most common models for logical access controls are:
- Mandatory Access Control – Mandatory Access Control (MAC) is a security model where access to secured systems is regulated by a central authority and based on multiple levels of security clearance. Information resources are assigned a security classification level and may only be accessed by individuals with an equal or greater level of security clearance.
- Discretionary Access Control – Discretionary Access Control (DAC) is a security model where access to secured systems is regulated by the owners or administrators of the system, rather than by a centralized authority. While MAC allows any person with security clearance to access an IT asset, DAC limits the propagation of access rights by allowing the administrators of a secured system to determine who will be authorized for access.
- Role-Based Access Control – Role-Based Access Control (RBAC) is a system that regulates access to secure networks and systems based on the job role of the user within the organization.
- Attribute-Based Access Control – Attribute-Based Access Control (ABAC) is a security model where access rights are granted by following security policies that evaluate user attributes (identity, etc.), resource attributes, and environmental conditions.
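The four models above side by side, as an added example that is not part of the original article: each model reduced to the decision it makes. The clearance levels, owners, roles and the ABAC policy (same department, business hours, corporate network) are constructed sample data.

```python
"""Added example (not from the original article): the four access control
models above as small decision functions over constructed sample data."""
from dataclasses import dataclass, field

# --- MAC: a central authority assigns levels; a subject may access objects at or below its clearance.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

def mac_allows(subject_clearance: str, object_label: str) -> bool:
    return LEVELS[subject_clearance] >= LEVELS[object_label]

# --- DAC: the object's owner maintains its own access list; nobody else may change it.
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of actions

    def grant(self, granter: str, user: str, action: str) -> None:
        if granter != self.owner:
            raise PermissionError("only the owner may change this ACL")
        self.acl.setdefault(user, set()).add(action)

    def allows(self, user: str, action: str) -> bool:
        return user == self.owner or action in self.acl.get(user, set())

# --- RBAC: permissions hang off job roles, and users hold roles.
ROLE_PERMS = {"hr_analyst": {"payroll:read"}, "hr_manager": {"payroll:read", "payroll:write"}}
USER_ROLES = {"alice": {"hr_manager"}, "bob": {"hr_analyst"}}

def rbac_allows(user: str, permission: str) -> bool:
    return any(permission in ROLE_PERMS.get(r, set()) for r in USER_ROLES.get(user, set()))

# --- ABAC: a policy evaluates subject, resource and environment attributes together.
def abac_allows(subject: dict, resource: dict, env: dict) -> bool:
    # Constructed policy: same department, during business hours, from the corporate network.
    return (
        subject["department"] == resource["department"]
        and 8 <= env["hour"] < 18
        and env["network"] == "corporate"
    )
```

Note how only ABAC can deny the same user the same resource at 10:00 and allow it at 22:00, which is the practical reason environmental conditions are part of that model.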
How Do Digital Adversaries Penetrate Access Control Systems?
- Brute Force Attacks – Digital adversaries may attempt to bypass access control systems by guessing the login credentials of a legitimate user. If a guess is successful, the adversary gains access to the system with all of the privileges of a real user. Security teams can prevent brute force attacks by using lock-out policies and implementing multi-factor authentication for user logins.
- Social Engineering Attack – Digital adversaries use social engineering techniques like phishing, spear phishing, baiting, impersonation, and pretexting to manipulate legitimate users into disclosing their access credentials. Once the credentials have been disclosed, the adversary can use them to access the system and cause damage.
- Spyware and Ransomware – Digital adversaries can use malicious software programs (malware) to spy on their targets, steal access credentials, and gain access to secure systems. There are also ransomware tools that try to take over secured systems and lock out the legitimate network administrators while the attacker demands a ransom.
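The lock-out policy mentioned under Brute Force Attacks, as an added example that is not part of the original article: failed logins per account are counted within a sliding window and the account is locked once the threshold is reached. The log line format and the sample log are constructed for the example.

```python
"""Added example (not from the original article): a lock-out policy of the
kind described above, evaluated over constructed authentication log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample log: five failures for bob in under a minute, a later correct
# login for bob while the lock is in force, then alice logging in normally.
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth user=bob src=203.0.113.5 result=FAIL
2024-05-01T10:00:09 auth user=bob src=203.0.113.5 result=FAIL
2024-05-01T10:00:20 auth user=bob src=203.0.113.5 result=FAIL
2024-05-01T10:00:31 auth user=bob src=203.0.113.5 result=FAIL
2024-05-01T10:00:44 auth user=bob src=203.0.113.5 result=FAIL
2024-05-01T10:01:02 auth user=bob src=203.0.113.5 result=OK
2024-05-01T10:05:00 auth user=alice src=198.51.100.7 result=OK
"""

def evaluate_lockouts(log_text: str, max_failures: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Return one 'LOCKED' event per account crossing the threshold and one
    'BLOCKED_ATTEMPT' for any attempt (even a correct password) while locked."""
    recent: dict[str, deque] = defaultdict(deque)   # user -> timestamps of recent failures
    locked_until: dict[str, datetime] = {}
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # ignore lines that are not auth records
        ts, user = datetime.fromisoformat(m["ts"]), m["user"]
        if user in locked_until and ts < locked_until[user]:
            events.append({"time": ts, "user": user, "event": "BLOCKED_ATTEMPT", "src": m["src"]})
            continue
        if m["result"] == "OK":
            recent[user].clear()   # a successful login resets the failure counter
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()   # drop failures older than the window
        if len(q) >= max_failures:
            locked_until[user] = ts + window
            q.clear()
            events.append({"time": ts, "user": user, "event": "LOCKED", "src": m["src"]})
    return events
```

The sixth line for bob is a correct password that still produces BLOCKED_ATTEMPT: the point of a lock-out is that a guess which eventually lands is refused anyway, and the event is what a security team alerts on.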
Protect Your Organization’s Security Posture with ZeroFox
ZeroFox provides enterprises with digital risk protection, threat intelligence, and adversary disruption capabilities to proactively detect and derail attempts by digital adversaries to penetrate access control systems and gain unauthorized access to secured enterprise IT systems.
The ZeroFox platform uses AI-driven analysis to monitor public-facing enterprise assets like email inboxes and social media accounts for phishing, malware, and other types of cyberattacks deployed by digital adversaries against enterprise targets.
Ready to learn more?
Download our InfoSec Guide: Addressing the Rise in Phishing and Financial Fraud to learn more about how digital adversaries leverage phishing attacks to defeat access control systems and how you can better protect your business.