What Is Access Control in Security?

Access control is a crucial component of information technology (IT) and cybersecurity. It is a mechanism
that regulates who or what can view, use, or access a particular resource in a computing environment.
The primary goal is to minimize security risks by ensuring only authorized users, systems, or services
have access to the resources they need.

Access control is not just about allowing or denying access. It involves identifying an individual or system,
authenticating their identity, authorizing them to access the resource, and auditing their access patterns.
This process minimizes the risk of unauthorized access, protecting sensitive information and systems.

Modern IT infrastructure and work patterns are creating new access control challenges. Trends like the
use of cloud computing, the growing use of mobile devices in the workplace, and the transition to
remove work, mean that the number of access points to an organization is growing exponentially. New
technologies like identity and access management (IAM) and approaches like zero trust are helping
manage this complexity and prevent unauthorized access.

How Does Access Control Work? 5 Key Components

Here is the general process involved in securing access and managing access control within an
organization.

1. Authentication

Authentication is the first step in access control. It involves verifying the identity of the user or system
requesting access. This is usually done by matching the provided credentials with the stored information.
Authentication methods include password-based, biometric-based, and certificate-based authentication.

2. Authorization

Authorization follows successful authentication. It involves granting or denying access based on the
user’s or system’s privileges. The privileges are predefined and dictate what resources the user or system
can access and to what extent. Authorization helps in maintaining the principle of least privilege,
ensuring users and systems have only the access they need.

3. Access

Access refers to the actual use or interaction with a resource. This could involve viewing, modifying, or
deleting data, or using a service. The extent of access is dictated by the authorization process. Access is
monitored and controlled to prevent unauthorized activities.

4. Manage

Management of access control involves maintaining and updating the access control system. This
includes defining and updating access policies, managing user credentials, onboarding and offboarding
users, and maintaining the access control hardware and software. Effective management ensures the
access control system remains robust and up-to-date.

5. Audit
Auditing is an essential component of access control. It involves monitoring and recording access
patterns and activities. Auditing helps in identifying any unusual or suspicious activities and aids in
forensic investigations. Regular audits can reveal security vulnerabilities and help improve the access
control system.

Types of Security Access Controls

There are several technical approaches to managing access control. Here are the main ones:

Role-Based Access Control (RBAC)

Role-Based Access Control, or RBAC, is an access control framework that assigns system access rights and
permissions to users based on their roles within an organization. For instance, a financial analyst in a
company might have access to sensitive financial data but would not have the same access to the
company’s HR records. RBAC is widely adopted due to its simplicity and ease of administration.

Attribute-Based Access Control (ABAC)

Attribute-Based Access Control, abbreviated as ABAC, is a security framework that uses a set of policies
to grant or deny access to resources. These policies are based on attributes, which can include user
attributes (like role or location), resource attributes (like the type of information), and environment
conditions (like time or network location). ABAC is dynamic and flexible, making it suitable for complex
environments where access decisions need to consider a multitude of factors.

Discretionary Access Control (DAC)

Discretionary Access Control (DAC) is a method that grants access rights based on rules specified by
users. In DAC, the owner of the information or resource decides who can access specific resources. This
model provides flexibility and individual control, but it also comes with risks as users might inadvertently
grant access to those who should not have it.

Mandatory Access Control (MAC)

Mandatory Access Control, or MAC, is an approach where access is granted or denied based on the
information’s classification and the user’s security clearance level. It is widely used in organizations
handling highly classified and sensitive data, like military institutions or government agencies. MAC is
rigid and highly secure, but it can be complex to implement and manage.

Policy-Based Access Control (PBAC)

Policy-Based Access Control, or PBAC, is an access control model that determines access based on a set
of policies that define allowable actions within a system. PBAC policies are often complex, involving a
combination of rules, roles, attributes, and environmental factors. This model allows for fine-grained
access control, enabling administrators to manage access based on the specific needs of the organization
and the context of the access request. While PBAC is fairly similar to ABAC, it is easier to implement and
requires less IT and development resources.

What Is an Access Control Matrix?

An access control matrix (ACM) is a model to help visualize what permissions subjects have for certain
resources within a system. It structures who can do what within a system by mapping subjects against
resources. A subject typically designates a user, a role, or a device.

Each matrix cell specifies the levels of access permitted for particular subjects over particular objects.

Here is a simple example of an ACM:

Subject/Object File A File B Application X Database Y

Read, Write,
Admin Read, Write Execute, Configure Full Access
Delete

Manager Read, Write Read Execute Read

Employee Read No Access Execute No Access

Guest No Access No Access No Access No Access

How can an Access Control Matrix be integrated with cloud-based systemsAccess Control Matrices
(ACMs) can be integrated with cloud-based systems to securely manage access to shared
resources4. Cloud providers use ACMs to enforce strict access control policies for their tenants, ensuring
compliance with security standards and preventing unauthorized cross-tenant access4.Key aspects of
ACM integration with cloud-based systems:

 Centralized Management: ACMs offer a centralized view of all permissions, simplifying the
management and auditing of security policies in cloud environments4.

 Data Isolation: ACMs ensure that data belonging to one company in a shared cloud environment
is completely isolated and inaccessible to other companies using the same infrastructure4.

 User Enrollment and Credential Management: Cloud-based access control systems begin with
user enrollment, where administrators create profiles for each person needing access and assign
credentials, which may include key cards, mobile credentials, or biometric data1.

 Real-Time Monitoring and Alerts: Cloud-based access control allows real-time monitoring of
access activity, providing live data on who is entering or exiting the building, and at what
times1. The system can send alerts via email or SMS for unauthorized access or other security
problems1.

 Integration with Other Systems: Cloud-based access control systems can integrate with other
systems such as video surveillance and alarm systems3.

 Cloud Controls Matrix (CCM): The CSA Cloud Controls Matrix (CCM) is a cybersecurity control
framework for cloud computing, composed of control objectives structured in domains covering
 key aspects of cloud technology2. It can be used to assess cloud implementations and provides
guidance on which security controls should be implemented within the cloud supply chain2.

 Remote Management: Cloud-based access control systems can be managed remotely, allowing
administrators to change access settings, check logs, and manage users from any location1.

What is a security policy?

A security policy (also called an information security policy or IT security policy) is a
document that spells out the rules, expectations, and overall approach that an
organization uses to maintain the confidentiality, integrity, and availability of its data.
Security policies exist at many different levels, from high-level constructs that describe
an enterprise’s general security goals and principles to documents addressing specific
issues, such as remote access or Wi-Fi use.

A security policy is frequently used in conjunction with other types of documentation

such as standard operating procedures. These documents work together to help the
company achieve its security goals. The policy defines the overall strategy and security
stance, with the other documents helping build structure around that practice. You can
think of a security policy as answering the “what” and “why,” while procedures,
standards, and guidelines answer the “how.”

Four reasons a security policy is important

1. Guides the implementation of technical controls

A security policy doesn’t provide specific low-level technical guidance, but it does spell out the intentions
and expectations of senior management in regard to security. It’s then up to the security or IT teams to
translate these intentions into specific technical actions.

For example, a policy might state that only authorized users should be granted access to proprietary
company information. The specific authentication systems and access control rules used to implement
this policy can change over time, but the general intent remains the same. Without a place to start from,
the security or IT teams can only guess senior management’s desires. This can lead to inconsistent
application of security controls across different groups and business entities.

2. Sets clear expectations

Without a security policy, each employee or user will be left to his or her own judgment in deciding
what’s appropriate and what’s not. This can lead to disaster when different employees apply different
standards.

Is it appropriate to use a company device for personal use? Can a manager share passwords with their
direct reports for the sake of convenience? What about installing unapproved software? Without clear
policies, different employees might answer these questions in different ways. A security policy should
also clearly spell out how compliance is monitored and enforced.

3. Helps meet regulatory and compliance requirements

Documented security policies are a requirement of legislation like HIPAA and Sarbanes-Oxley, as well as
regulations and standards like PCI-DSS, ISO 27001, and SOC2. Even when not explicitly required, a
security policy is often a practical necessity in crafting a strategy to meet increasingly stringent security
and data privacy requirements.

4. Improves organizational efficiency and helps meet business objectives

A good security policy can enhance an organization’s efficiency. Its policies get everyone on the same
page, avoid duplication of effort, and provide consistency in monitoring and enforcing compliance.
Security policies should also provide clear guidance for when policy exceptions are granted, and by
whom.

To achieve these benefits, in addition to being implemented and followed, the policy will also need to be
aligned with the business goals and culture of the organization.

Three types of security policies

Security policies can vary in scope, applicability, and complexity, according to the needs of different
organizations. While there’s no universal model for security policies, the National Institutes of Standards
and Technology (NIST) spells out three distinct types in Special Publication (SP) 800-12:

1. Program policy

Program policies are strategic, high-level blueprints that guide an organization’s information security
program. They spell out the purpose and scope of the program, as well as define roles and
responsibilities and compliance mechanisms. Also known as master or organizational policies, these
documents are crafted with high levels of input from senior management and are typically technology
agnostic. They are the least frequently updated type of policy, as they should be written at a high enough
level to remain relevant even through technical and organizational changes.

2. Issue-specific policy

Issue-specific policies build upon the generic security policy and provide more concrete guidance on
certain issues relevant to an organization’s workforce. Common examples could include a network
security policy, bring-your-own-device (BYOD) policy, social media policy, or remote work policy. These
may address specific technology areas but are usually more generic. A remote access policy might state
that offsite access is only possible through a company-approved and supported VPN, but that policy
probably won’t name a specific VPN client. This way, the company can change vendors without major
updates.

3. System-specific policy

A system-specific policy is the most granular type of IT security policy, focusing on a particular type of
system, such as a firewall or web server, or even an individual computer. In contrast to the issue-specific
policies, system-specific policies may be most relevant to the technical personnel that maintains them.
NIST states that system-specific policies should consist of both a security objective and operational rules.
IT and security teams are heavily involved in the creation, implementation, and enforcement of system-
specific policies but the key decisions and rules are still made by senior management.
Confidentiality is the protection of information in the system so that an unauthorized person cannot

access it. This type of protection is most important in military and government organizations that

need to keep plans and capabilities secret from enemies. However, it can also be useful to

businesses that need to protect their proprietary trade secrets from competitors or prevent

unauthorized persons from accessing the company’s sensitive information (e.g., legal, personal, or

medical information). Privacy issues have gained an increasing amount of attention in the past few

years, placing the importance of confidentiality on protecting personal information maintained in

automated systems by both government agencies and private-sector organizations. Confidentiality

must be well-defined, and procedures for maintaining confidentiality must be carefully

implemented. A crucial aspect of confidentiality is user identification and authentication. Positive

identification of each system user is essential in order to ensure the effectiveness of policies that

specify who is allowed access to which data items.

Threats to Confidentiality: Confidentiality can be compromised in several ways. The following

are some of the commonly encountered threats to information confidentiality –

 Hackers

 Masqueraders

 Unauthorized user activity

 Unprotected downloaded files

 Local area networks (LANs)

 Trojan Horses

Confidentiality Models: Confidentiality models are used to describe what actions must be taken to

ensure the confidentiality of information. These models can specify how security tools are used to

achieve the desired level of confidentiality. The most commonly used model for describing the

enforcement of confidentiality is the Bell-LaPadula model.

 In this model the relationship between objects (i.e, the files, records, programs and

equipment that contain or receive information) and subjects (i.e, the person, processes, or

devices that cause the information to flow between the objects).

 The relationships are described in terms of the subject’s assigned level of access or privilege

and the object’s level of sensitivity. In military terms, these would be described as the
security clearance of the subject and the security classification of the object.

Another type of model that is commonly used is Access control model.

 It organizes the system into objects (i.e, resources being acted on), subjects (i.e, the person

or program doing the action), and operations (i.e, the process of interaction).

 A set of rules specifies which operation can be performed on an object by which subject.

Types of Confidentiality :

In Information Security, there are several types of confidentiality:

1. Data confidentiality: refers to the protection of data stored in computer systems and

networks from unauthorized access, use, disclosure, or modification. This is achieved

through various methods, such as encryption and access controls.

2. Network confidentiality: refers to the protection of information transmitted over computer

networks from unauthorized access, interception, or tampering. This is achieved through

encryption and secure protocols such as SSL/TLS.

3. End-to-end confidentiality: refers to the protection of information transmitted between two

endpoints, such as between a client and a server, from unauthorized access or tampering.

This is achieved through encryption and secure protocols.

4. Application confidentiality: refers to the protection of sensitive information processed and

stored by software applications from unauthorized access, use, or modification. This is

achieved through user authentication, access controls, and encryption of data stored in the

application.

5. Disk and file confidentiality: refers to the protection of data stored on physical storage

devices, such as hard drives, from unauthorized access or theft. This is achieved through

encryption, secure storage facilities, and access controls.

Uses of Confidentiality :

In the field of information security, confidentiality is used to protect sensitive data and information

from unauthorized access and disclosure. Some common uses include:

1. Encryption: Encrypting sensitive data helps to protect it from unauthorized access and

disclosure.

2. Access control: Confidentiality can be maintained by controlling who has access to

sensitive information and limiting access to only those who need it.

3. Data masking: Data masking is a technique used to obscure sensitive information, such as

credit card numbers or social security numbers, to prevent unauthorized access.

4. Virtual private networks (VPNs): VPNs allow users to securely connect to a network over

the internet and protect the confidentiality of their data in transit.

5. Secure file transfer protocols (SFTPs): SFTPs are used to transfer sensitive data securely

over the internet, protecting its confidentiality in transit.

6. Two-factor authentication: Two-factor authentication helps to ensure that only authorized

users have access to sensitive information by requiring a second form of authentication,

such as a fingerprint or a one-time code.

7. Data loss prevention (DLP): DLP is a security measure used to prevent sensitive data from

being leaked or lost. It monitors and controls the flow of sensitive data, protecting its

confidentiality.

Confidentiality policies are crucial in data and information security because they protect sensitive
information from unauthorized access and disclosure67. These policies include instructions for
employees on how to handle confidential data to ensure its protection1. By providing clear guidelines,
organizations can minimize data breaches caused by human error and ensure regulatory compliance1.

Key elements of data confidentiality policies:

 Restricting Data Access: Controlling who has access to non-public information, documents, and
files based on the principle of least privilege, granting access only on a need-to-know basis1.

 Data Encryption: Employing algorithms to turn data into an unreadable format, ensuring that
only authorized individuals can decrypt and read the information12.

 Data Retention Policy: Defining what data needs to be stored, for how long, and how to safely
dispose of it when it's no longer necessary1.

 Regular Audits: Conducting routine checks to identify vulnerabilities and ensure that security
measures are effective3.

 Strong Authentication: Using strong passwords and, where practical, two-factor authentication
to verify user access2.

 Physical Security: Securing devices and paper documents to prevent unauthorized physical
access2.
A well-defined confidentiality policy should outline procedures for handling confidential information
about clients, partners, and the company8. These policies should be regularly updated and
communicated to employees to foster a culture of data protection3.

Data Confidentiality Policy1. Policy Brief & PurposeThis policy explains how [Company Name] expects
its employees to treat confidential information, ensuring it is well-protected1. Employees will
unavoidably receive and handle personal and private information about clients, partners, and the
company1. This policy aims to set standards and/or a framework for the usage and protection of
confidential data related to the organization2.2. ScopeThis policy affects all employees, including board
members, investors, contractors, and volunteers, who may have access to confidential information1.3.
DefinitionsData confidentiality is a set of rules that limits access or places restrictions on any information
that is being shared6. Confidential information includes, but is not limited to1:

 Unpublished financial information1

 Data of Customers/Partners/Vendors1

 Patents, formulas, or new technologies1

 Customer lists (existing and prospective)1

 Data entrusted to our company by external parties1

 Pricing/marketing and other undisclosed strategies1

 Documents and processes explicitly marked as confidential1

 Unpublished goals, forecasts, and initiatives marked as confidential1

 Employees’ personal data files and other records4

 Commercial or official secrets4

 Identifiers and passwords of the IT system users4

4. Personal Data Protection Principles

 Fairness and lawfulness: When processing personal data, the individual rights of the data
subjects must be protected. Personal data must be collected and processed in a legal and fair
manner3.

 Restriction to a specific purpose: Personal data can be processed only for the purpose that was
defined before the data was collected3.

 Transparency: The data subject must be informed of how their data is being handled3.

 Data reduction and data economy: Before processing personal data, determine whether and to
what extent the processing of personal data is necessary3.

 Deletion: Personal data that is no longer needed after the expiration of legal or business
process-related periods must be deleted3.

5. Employee Obligations
  Employees should not use confidential information for any personal benefit or profit1.

 Employees should not disclose confidential information to anyone outside of our company1.

 Employees should not replicate confidential documents and files and store them on insecure
devices1.

 Employees are obliged to return any confidential files and delete them from their personal
devices when they stop working for our company1.

 Each individual granted access to data and information holds a position of trust and must
preserve the security and confidentiality of the information they use5.

6. Confidentiality Measures[Company Name] will take measures to ensure that confidential information
is well protected1:

 Store and lock paper documents1

 Encrypt electronic information and safeguard databases1

 Ask employees to sign non-compete and/or non-disclosure agreements (NDAs)1

 Ask for authorization by senior management to allow employees to access certain confidential
information1

 Safe-keeping of records that contain confidential data in a place, for which the Company
establishes certain level of access on a case-by-case basis4.

 Compliance with the internal rules for handling paper records that contain confidential data in
order to avoid the risk of their leakage4.

 “Clean Desk” Policy4.

 Mandatory authorization when logging in the IT system4.

 Use of special folders, not allowed for sharing, to store and transfer the confidential
information4.

7. EnforcementIn the event of non-compliance with Data Privacy Policy, the concerned Department
Manager/s and/or concerned parties involved shall be suspended and/or terminated and/or legal action
shall be taken towards parties involved in non-compliance2.8. Policy ReviewThis policy will be reviewed
periodically and updated as needed1.