Access control—a term referring to the measures taken to determine who can interact with a given resource—is actually part of our everyday lives. One of the simplest forms of access control is the lock on your car door, which prevents entry by anyone who doesn't have a key. Real-world access control is used for coin-operated restroom stalls, childproof medicine bottles, and ATM cards protected by PIN codes.
But in the realm of information technology, access control is an essential part of security. Of course, it’s a bit more complicated than your car door locks, because IT security has to guard against the cyber version of car thieves armed with crowbars and lock picks as substitutes for keys.
Security access control incorporates three primary areas of concern:
- Authentication determines who is granted access to a given resource or system.
- Authorization determines what the authenticated user can do.
- Accountability records the actions taken by the user.
Identity and authentication: The gatekeepers of access control
The process of identity and authentication (I&A) makes sure that the subject entity—either a person or another electronic system—is really who they say they are. The most common and recognizable form of I&A is the user name and password system assigned to just about every electronic device and website that deals with personalized data.
There are several different ways to implement I&A on a system or resource. The authenticator, which is the mechanism used to verify identification, usually involves at least one of these factors:
- Private information. This category includes login IDs or screen names, passwords, personal identification numbers (PINs), and security questions, and assumes that the information is known only to the owner of the account.
- Physical object. Some IT security systems involve the use of smart cards, security tokens, or physical keys to grant access to a user.
- Biometrics. A highly specialized form of authentication reserved for ultra-technical systems and spy movies, biometrics involves the use of voice, fingerprint, retina, or iris characteristics recognition for access control.
- Location-based. Company firewalls and some global positioning systems use physical proximity as a factor for authentication.
Authorization: What you can—and can't—access
Once you've been identified and authenticated, the next step in access control is authorization. This refers to the actions you're able to perform in the system. Most electronic systems have different levels of user-dependent authorization, which are commonly called permissions.
The three typical sets of permissions are:
- Read: With read permission, an authorized user can view the contents of a file and its directory. An example of a read permission is a PDF file viewed in the free Acrobat reader—you can see the file, but you can't change it.
- Write: This permission allows authorized users to change the contents of a file or directory by adding, creating, deleting, or renaming. Blog and website design programs use write permission to allow the account owners to add and delete posts, change layouts, and apply templates.
- Execute: Applicable to program files, the execute permission enables an authorized user cause a program to run. The most basic examples of execute permission are downloaded programs, either free or paid.
Accountability: Keeping track of your activity
This facet of security access control is the primary difference between electronic IT control and the simpler physical forms like locks and childproof caps. Accountability, also referred to as audit, employs components like audit trails and logs to record the actions users take while they're logged onto a system.
Audit trails and logs allow IT systems to detect and take action against security violations. These records also let system administrators recreate incidents that have led to security breaches, so they can trace the user, retract permissions, and take any other necessary actions.
Casual users can see accountability in action with systems that either time out or automatically disable accounts after a certain number of failed log-in attempts. These automated fail-safes are known as clipping levels, and they help to prevent unauthorized access.
Additional access control methods
While authentication, authorization, and accountability represent the primary building blocks of access control systems, extra measures are often employed. These include:
- Encryption and hidden paths
- Digital signatures
- Social barriers
- Automated system monitoring
- Human monitoring
For IT security, access control is serious business—which is fortunate for all of us who would rather not have people regularly breaking into our email, Facebook profile, and online bank accounts. We get to keep the keys, while IT companies protect us from the electronic versions of crowbars and lock picks.