Access Controls
Definition
Access controls are security mechanisms that regulate who or what can view, use, or modify resources within an information system. They enforce authorization policies based on identity, role, or attributes, ensuring that only authorized users can access specific data and systems at the level appropriate to their job function. Access control failures are among the most common audit findings across every compliance framework.
Access Control Models
Role-Based Access Control (RBAC)
Access is granted based on the user's role within the organization. Users are assigned to roles, and roles have defined permissions. RBAC is the most common model for enterprise compliance.
Attribute-Based Access Control (ABAC)
Access decisions are based on attributes of the user, resource, action, and environment. ABAC is more granular than RBAC but more complex to implement and manage.
Discretionary Access Control (DAC)
Resource owners determine who can access their resources. DAC is common in file systems but provides less centralized control for compliance purposes.
Mandatory Access Control (MAC)
Access is determined by security labels and clearance levels set by a central authority. MAC is common in government and military environments.
Key Access Control Principles
Least privilege -- users receive only the minimum permissions needed for their job function
Need to know -- access to information is restricted to those who require it for their work
Separation of duties -- critical functions are divided among multiple people to prevent fraud or error
Multi-factor authentication -- access requires two or more verification factors
Regular access reviews -- periodic verification that access permissions remain appropriate
Timely deprovisioning -- access is revoked immediately upon role change or termination
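
As an added example (not part of the original page), the script below runs a periodic access review over RBAC assignments and flags accounts that violate the principles listed above. The role names, permission strings, record fields and sample accounts are constructed assumptions.

```python
from datetime import date

# Constructed sample data for illustration; role and permission names are hypothetical.
ROLE_PERMS = {
    "ap_clerk": {"invoice:create"},
    "ap_approver": {"invoice:approve"},
    "dba": {"db:admin", "db:read"},
}
# Permission pairs that one person must not hold together (separation of duties).
SOD_CONFLICTS = [("invoice:create", "invoice:approve")]

# "used" = permissions observed in use during the review period (assumed to come from logs).
USERS = [
    {"id": "alice", "roles": ["ap_clerk"], "mfa": True, "active": True,
     "terminated": None, "used": {"invoice:create"}},
    {"id": "bob", "roles": ["ap_clerk", "ap_approver"], "mfa": True, "active": True,
     "terminated": None, "used": {"invoice:create", "invoice:approve"}},
    {"id": "carol", "roles": ["dba"], "mfa": False, "active": True,
     "terminated": date(2024, 5, 1), "used": {"db:read"}},
]

def effective_permissions(user, role_perms=ROLE_PERMS):
    """RBAC: a user's permissions are the union of the permissions of their roles."""
    perms = set()
    for role in user["roles"]:
        perms |= role_perms.get(role, set())
    return perms

def review_user(user, today, role_perms=ROLE_PERMS, conflicts=SOD_CONFLICTS):
    """Return a sorted list of findings for one account."""
    granted = effective_permissions(user, role_perms)
    findings = []
    for a, b in conflicts:
        if a in granted and b in granted:
            findings.append(f"separation-of-duties: holds {a} and {b}")
    for perm in sorted(granted - user["used"]):
        findings.append(f"least-privilege: {perm} granted but unused")
    if user["active"] and not user["mfa"]:
        findings.append("mfa: not enrolled")
    if user["active"] and user["terminated"] and user["terminated"] <= today:
        findings.append("deprovisioning: account active after termination")
    return sorted(findings)

def access_review(users, today):
    """Map user id -> findings, omitting accounts with none."""
    report = {u["id"]: review_user(u, today) for u in users}
    return {uid: f for uid, f in report.items() if f}

if __name__ == "__main__":
    for uid, findings in access_review(USERS, date(2024, 6, 1)).items():
        print(uid, findings)
```
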