AuthenticationWorld.com

The business of authentication

Access Control




What is access control?



The meaning of access control has changed over the last several years. Originally, access control usually referred to restricting physical access to a facility, building or room to authorized persons. This used to be enforced mainly by a physical security guard. Then, with the advent of electronic devices, access control evolved into the use of a wide variety of physical card access systems, including biometrically activated devices.

As computers evolved, the meaning of access control began to change. Initially, "access control lists" emerged, specifying the user identities and the privileges granted to them in order to access a network operating system or an application.

Access control further evolved into the authentication, authorization and audit of a user for a session. Access control authentication mechanisms evolved to include ID and password, digital certificates, security tokens, smart cards and biometrics.

Access control authorization, meanwhile, evolved into role-based access control (RBAC). This normally involves "mandatory access control": access control policies that are determined by the system and not by the application or information owner. RBAC is commonly found in government, military and other enterprises where the role definitions are well defined, the pace of change is not that fast and the supporting human resource environment is capable of keeping up with changes to an identity's roles and privileges.

Modern Enterprise Access Control Systems:



Today, in the age of digitization, there is a convergence between physical access control and computer access control. Modern access control systems (more commonly referred to in the industry as "identity management systems") now provide an integrated set of tools to manage what a user can access physically, electronically and virtually, as well as an audit trail for the lifetime of the user and their interactions with the enterprise.

Modern access control systems rely upon:
  • Integrated enterprise user and identity databases and Lightweight Directory Access Protocol (LDAP) directories
  • Strong business processes pertaining to the provisioning and de-provisioning of a user
  • Provisioning software integrated with the business provisioning and de-provisioning process
  • Site, building and room based access control systems that are LDAP enabled or able to be integrated into a virtual enterprise LDAP directory
  • A global enterprise id for each user to integrate the user's identity between many applications and systems
  • A strong end to end audit of everywhere the physical person went as well as the systems, applications and information systems they accessed
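
The sketch below is an added example, not part of the original page. It shows why the global enterprise ID matters: it lets one check compare the HR record against both the directory and the building access system to find access that was never de-provisioned, and it lets physical and logical events be merged into one audit trail. All records are constructed, and using the LDAP `employeeNumber` attribute as the enterprise ID is an assumption.

```python
from datetime import datetime

# Constructed sample data (not from the original page); all names are hypothetical.
HR = {  # authoritative source: global enterprise id -> employment status
    "E1001": {"name": "A. Rivera", "status": "active"},
    "E1002": {"name": "B. Chen", "status": "terminated"},
    "E1003": {"name": "C. Okafor", "status": "active"},
}
DIRECTORY = [  # LDAP-style entries exported from the enterprise directory
    {"uid": "arivera", "employeeNumber": "E1001", "enabled": True},
    {"uid": "bchen", "employeeNumber": "E1002", "enabled": True},
    {"uid": "svc-old", "employeeNumber": "E0999", "enabled": True},
]
BADGES = [  # records from the building access control system
    {"badge": "B-17", "enterprise_id": "E1002", "active": True},
    {"badge": "B-18", "enterprise_id": "E1003", "active": True},
]
EVENTS = [  # (timestamp, system, enterprise id, action)
    ("2024-03-01T09:02:00", "door", "E1002", "entered server room"),
    ("2024-03-01T08:55:00", "door", "E1002", "entered lobby"),
    ("2024-03-01T09:10:00", "ldap", "E1002", "logged in to payroll app"),
    ("2024-03-01T09:05:00", "ldap", "E1001", "logged in to email"),
]

def deprovisioning_gaps(hr, directory, badges):
    """Return (system, identifier, enterprise id, reason) for access that should be revoked."""
    findings = []
    live = [("ldap", e["uid"], e["employeeNumber"]) for e in directory if e["enabled"]]
    live += [("door", b["badge"], b["enterprise_id"]) for b in badges if b["active"]]
    for system, ident, eid in live:
        person = hr.get(eid)
        if person is None:  # orphaned access: no owner in the authoritative source
            findings.append((system, ident, eid, "no HR record"))
        elif person["status"] != "active":  # access outlived the employment
            findings.append((system, ident, eid, "user " + person["status"]))
    return sorted(findings)

def audit_trail(events, eid):
    """Merge physical and logical events for one enterprise id, oldest first."""
    rows = [e for e in events if e[2] == eid]
    return sorted(rows, key=lambda e: datetime.fromisoformat(e[0]))

if __name__ == "__main__":
    for finding in deprovisioning_gaps(HR, DIRECTORY, BADGES):
        print("REVOKE", *finding)
    for ts, system, _, action in audit_trail(EVENTS, "E1002"):
        print(ts, system, action)
```
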

With many portions of an enterprise now outsourced, the challenges to access control have increased.  Today it is becoming common to have contractual agreements with the enterprise's outsource partners that:
  • Automatically provision and de-provision users
  • Build trusted authentication and authorization mechanisms
  • Provide end to end user session audit
  • Integrate with the remote user's physical access e.g. to a call center operating on the enterprise's behalf.

Access Control Business Case
