What is Access Control?
Access control involves managing who has access to specific systems and resources at a given time. It revolves around a process made up of three steps: identification, authentication, and authorization. Using these three steps, a system administrator can control what resources are available to a system’s users.
The term identification refers to such things as user names and identification cards. It is the means by which a system user states who they are. This step is usually performed when logging in.
Authentication is the second step of the access control process. Passwords, voice recognition, and biometric scanners are common methods of authentication. The purpose of authentication is to verify the system user’s identity.
After a system user is authenticated, they are then authorized to use the system. The user is generally authorized to use only a portion of the system’s resources, depending on their role in the organization. For example, the engineering staff would have access to different applications and files than the finance or human resources staff.
Access control can also be enforced by means other than software. It can be maintained by something as simple as a locked door. Only users with the correct key or door card would be allowed to enter.
One of the principles that should be incorporated when establishing an effective access control policy is the practice of minimal access, or least privilege. This means that a user should have the least amount of access required to do their job. The principle of least privilege includes limiting the resources and applications accessible by a user as well as the time during which access is allowed. For instance, it may not be advisable to allow access to financial records at 3 AM, when the facilities should be closed.
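The three steps and the least-privilege limits described above, as an added Python example that is not part of the original article. The user names, passwords, roles, resource names and the 08:00 to 18:00 business-hours window are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import time

# Constructed sample policy: each role sees only the resources it needs.
ROLE_RESOURCES = {
    "engineering": {"source_repo", "build_server"},
    "finance": {"financial_records", "payroll_app"},
}
# Assumed business hours during which time-limited resources may be opened.
TIME_LIMITED = {"financial_records": (time(8, 0), time(18, 0))}

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so stored credentials are never kept in plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(role: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"role": role, "salt": salt, "hash": hash_password(password, salt)}

# Constructed accounts for the demonstration.
USERS = {
    "alice": make_user("finance", "correct horse"),
    "bob": make_user("engineering", "battery staple"),
}

def access(username: str, password: str, resource: str, now: time):
    """Return (allowed, reason). The reason is meant for the audit log,
    not for display to the person logging in."""
    user = USERS.get(username)                       # 1. identification
    if user is None:
        return False, "unknown user"
    supplied = hash_password(password, user["salt"])  # 2. authentication
    if not hmac.compare_digest(supplied, user["hash"]):
        return False, "authentication failed"
    # 3. authorization: role limits which resources are reachable ...
    if resource not in ROLE_RESOURCES.get(user["role"], set()):
        return False, "role not authorized"
    # ... and least privilege also limits when they are reachable.
    window = TIME_LIMITED.get(resource)
    if window and not (window[0] <= now < window[1]):
        return False, "outside permitted hours"
    return True, "granted"
```

A finance user with the correct password is granted `financial_records` at 10:00 but refused at 03:00, and an engineering user is refused that resource at any hour.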