Access control

What is access control?

Access control refers to methods and technologies used to secure and manage digital access to applications, data, and other IT resources.

Today, access control is crucial for maintaining the security of IT environments. With IT systems commonly accessible online, accessible from various devices, and in direct communication with each other. Each access attempt must begin by identifying who is attempting to gain access and what permissions they have. This is often managed through a Zero Trust approach, where each session starts with verification. The first step is verifying the user or the system, known as authentication. If successful, this is followed by authorisation, which checks what access rights the individual has.

It’s important to note that access control is not only essential for digital systems. Physical access control is equally important to prevent unauthorised access to facilities. Similar to digital access control, physical security is also complex. or instance, an intern may only be granted access to common areas, whereas IT staff might also require access to server rooms. There are substantial similarities between physical and digital access control, and ideally, there should be increasing integration between these systems. For instance, a finance department employee should have access to financial systems and also automatically receive a badge that grants entry to the finance department.

Access control security

How does user access security work? The most common method involves logging in with a username and password. However, this approach has its drawbacks. Passwords can be vulnerable for various reasons, and repeatedly entering these credentials can be cumbersome. Fortunately, we are becoming increasingly capable of addressing these disadvantages:

• SSO: Single sign-on is a technical solution that allows someone to access multiple applications and data with just one set of login credentials. This makes logging in with a username and password much simpler, as you don’t need to repeatedly log in.

• • MFA: With Multi-Factor Authentication, besides logging in with a password, an additional verification check is performed. For example, you might have to enter an extra code sent to your smartphone. This method authenticates using something you know (your password) and something you possess (your smartphone), making it much more secure.

In the examples mentioned, we’re still discussing the use of passwords. Even with MFA via your smartphone, you often need to input a code. As an alternative, an increasing number of organisations and services are supporting physical security devices like the YubiKey. This USB device (which may also include NFC access) allows you to log in directly without needing a username and password. Some devices are even equipped with a fingerprint reader for added security.

Different types of access control methods

There are various access control methods available, ranging from very strict to more flexible options:

• Mandatory Access Control (MAC) is a method where access to applications and data is centrally determined based on strict criteria to determine who gets access to which applications and data. Classifications such as confidential, secret, and top-secret are often used. Only users with the appropriate clearance have access. This is used, for example, in military environments.
• On the opposite end of the spectrum is Discretionary Access Control (DAC). In this method, the owner of a document determines the access and editing rights themselves. This can be found, for example, in SharePoint, where a user can specify who gets access to a specific file. Owners can also set whether others can only view the document or also edit it.

These methods are effective, yet they tend to be either too rigid (MAC) or too lenient (DAC) for managing all access rights within organisations. For instance, using an Access Control List (ACL), you can manage each user’s access rights individually (known as ‘access control entries’), but this often becomes unmanageable. Therefore Identity & Access Management systems frequently employ Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). These systems allow for efficient management of employee access rights without becoming overwhelming. We will explore this in more detail later in the article.

Note: MAC is also an abbreviation for Media Access Control. The so-called MAC address is a unique identification number that makes each device within a network—such as computers and printers—individually accessible. It is possible to block or enable applications or data per MAC address, known as MAC filtering.

Examples of specific access management models:

RBAC and ABAC are widely used in organisations, but there are also many other access control methods, each with its own characteristics, such as:

• PBAC (Policy-Based Access Control), which uses a set of policies to determine who gets access to applications and data under what conditions.
• HBAC (History-Based Access Control) is a method where access is also determined by previous actions. For example, a user may carry out certain financial transactions because they have conducted similar transactions before.
• ReBAC (Relationship-Based Access Control) considers the relationships between users. This is used, for example, in social media applications where you can view data from friends, or friends of friends.
• RAdAC (Risk-Adaptive Access Control) takes current threat risks into account when granting access. For instance, at a heightened risk level, additional restrictions may apply or more frequent use of MFA might be required.
• TAC (Temporal Access Control) considers the time when someone attempts to gain access. For instance, during office hours, people may gain standard access, but outside office hours, access may not be granted or only granted following additional MFA verification.
• CBAC (Context-Based Access Control) is an approach where various contextual factors can be used for access security. This could be the location of the individual working, the type of network (WiFi or mobile data), or the device being used.
• In GBAC (Graph-Based Access Control), access rights are determined not only by an individual’s role but also by information about joint projects people are working on or hierarchical relationships between employees.
• Following on from this, there is OrBAC (Organisation-Based Access Control), where the issuance of access rights in complex organisations is derived from someone’s organisational role, such as director, department manager, team manager, etc.
• Finally, in CapBAC (Capability-Based Access Control), users and systems are assigned ‘capabilities’ that allow them to perform actions. This is used, for example, in smart building and IoT (Internet of Things) networks where devices exchange data and issue commands to each other.

You might notice significant overlap among the various access control terminologies and descriptions. For example, Temporal Access Control (TAC), which considers the timing of access, can be viewed as a subset of Context-Based Access Control (CBAC), which utilises a broader range of contextual factors. These access methods and definitions are flexible, with combinations or hybrids often employed in practice.

Examples of access control tools

In the previous section, we discussed various access control methods for organising access to systems and data, ranging from access rights based on an individual’s role in the company to access rights in social media apps based on users’ relationships. These mechanisms often use various technical access control tools ‘under the hood’.

One example is security labels. These are data tags with information about the required classification level (confidential, secret, etc.) that are added to data and applications. This allows Mandatory Access Control (MAC) to be implemented technically. In Internet of Things environments, capability tokens are often used to manage the rights of devices remotely. To implement Policy-Based Access Control, tools such as Policy Decision Points (PDP) and Policy Enforcement Points (PEP) are frequently used. And to manage access between web services, the so-called Access Control Allow Origin parameter within the HTTP protocol is often used.

In the context of access security, it’s also common to mention encryption technology, but strictly speaking, these are two different matters. However, encryption plays a vital role in the storage of passwords (for instance, when using a password manager) and the transmission of login information across networks. Security protocols often mandate that both Access Control and Encryption are always implemented.

The role of IAM in your access control

How does IAM support access control in your organisation? Today, many organisations use the Identity Provider solution that is an integral part of platforms like Microsoft 365 (AD or Entra ID). The Identity Provider handles the primary authentication of users and then provides access to relevant applications and data via Single Sign-On (SSO).

Yet, that’s not the whole story. In an organisation with potentially hundreds or even thousands of users, it’s challenging to flawlessly and automatically provide and manage all those accounts and access rights. Each employee has different responsibilities and therefore needs access to different applications and data. Employees often change roles, too. To manage this seamlessly, you need a modern Identity and Access Management solution like HelloID. The success of such an IAM solution depends on the access control methods that the platform supports.

For instance, a very basic IAM solution might include an access control matrix or , where you simply register the rights of individual users. However, for larger and more complex organisations, this is not sufficient, and you need to use an IAM solution that supports RBAC (Role-Based Access Control) or ABAC (Attribute-Based Access Control):

• • In Role-Based Access Control (RBAC), you organise your access rights based on the roles or functions an employee fulfills within the organisation. For example, a salesperson receives different access rights compared to a finance employee. If someone’s role changes, their rights are immediately adjusted.
  • Attribute-Based Access Control (ABAC) is similar to RBAC but is even more powerful because it uses more characteristics (attributes) of the users, applications, and data. Access rights in ABAC are not determined solely by a person’s role but could also be influenced by specific skills they possess, the department they work in, or their work location.

HelloID employs ABAC principles and, by working with so-called business rules, we can set access rights even more flexibly. For instance, rights issuance can be time-dependent; you could set up an account and access rights for a new employee to be automatically created in the system but only activated on their first day. Alternatively, a person might initially receive a basic set of rights, which are fully activated only after they agree to the user terms. HelloID uses a combination of the various access control methods described above, tailored to the needs of modern, professional, and agile organisations.