Access Control

Revision as of 16:29, 17 February 2021 by User

Access Control is a fundamental component of data security that dictates who’s allowed to access and use company information and resources. Through authentication and authorization, access control policies make sure users are who they say they are and that they have appropriate access to company data. Access control can also be applied to limit physical access to campuses, buildings, rooms, and data centers.[1]

Access control is a broad term that describes policies and methods that ensure only verified individuals can physically or virtually touch items that they have permission to access. This process involves restricting access or granting permissions that allow someone to do something to a protected item. This includes having permissions to do any of the following to protected items (digital or physical resources):

  • Access,
  • Read,
  • Modify,
  • Communicate,
  • Delete or otherwise destroy.

For longtime IT cybersecurity expert Greg Scott, access controls typically boil down to understanding the relationship between two specific terms: subjects and objects.
“Subjects are usually people or groups. Objects are usually files or directories. The key is, subjects access objects, and so access controls regulate how subjects access objects.”

In this understanding, objects could be resources that you want to protect from unauthorized access, use, or disclosure. And the subject is the user (or group of users or even non-person entities such as applications or services) that the access controls apply to. So, access controls (in a more technical sense) are the tools, policies, models, and mechanisms that enable you to grant or restrict access to your organization’s digital or physical resources. This includes everything from restricting or granting access to specific files and databases to IT systems and physical locations.
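The subject/object relationship described above, as an added example that is not part of the original page: a default-deny check in Python using the operations listed earlier. The subject names, object paths, group membership model, and the rule that a grant on a directory covers the objects beneath it are assumptions made for illustration.

```python
import posixpath
from pathlib import PurePosixPath

# Operations from the page's list of permissions on protected items.
OPERATIONS = {"access", "read", "modify", "communicate", "delete"}

class AccessControl:
    """Default-deny check of subject -> operation -> object (all names hypothetical)."""

    def __init__(self):
        self.groups = {}   # group name -> set of member subjects
        self.grants = {}   # (subject or group, object path) -> set of operations
        self.audit = []    # (subject, operation, object, allowed) for every decision

    def grant(self, principal, obj, *ops):
        unknown = set(ops) - OPERATIONS
        if unknown:
            raise ValueError(f"unknown operations: {sorted(unknown)}")
        self.grants.setdefault((principal, posixpath.normpath(obj)), set()).update(ops)

    def check(self, subject, operation, obj):
        # A subject acts as itself and as every group it belongs to.
        principals = {subject} | {g for g, m in self.groups.items() if subject in m}
        # Normalise first so "/reports/../hr/x" is judged as "/hr/x"; then a grant
        # on a directory covers the objects beneath it (assumed inheritance rule).
        path = PurePosixPath(posixpath.normpath(obj))
        scopes = [str(path)] + [str(p) for p in path.parents]
        allowed = any(operation in self.grants.get((p, s), ())
                      for p in principals for s in scopes)
        self.audit.append((subject, operation, obj, allowed))
        return allowed

def build_demo():
    """Constructed sample policy: two people, one group, one service account."""
    ac = AccessControl()
    ac.groups["finance"] = {"alice", "bob"}
    ac.grant("finance", "/reports", "access", "read")   # directory-level grant
    ac.grant("alice", "/reports/q1.xlsx", "modify")     # per-file grant
    ac.grant("svc-backup", "/reports", "read")          # non-person subject
    return ac

if __name__ == "__main__":
    ac = build_demo()
    for request in [("bob", "read", "/reports/q1.xlsx"),
                    ("bob", "modify", "/reports/q1.xlsx"),
                    ("alice", "modify", "/reports/q1.xlsx"),
                    ("bob", "read", "/reports/../hr/salaries.csv"),
                    ("mallory", "read", "/reports/q1.xlsx")]:
        print(request, "->", "ALLOW" if ac.check(*request) else "DENY")
```

Every decision, allowed or denied, is appended to `audit`, so the same structure that enforces the policy also records who attempted what.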

If you look at the definitions of access control on the National Institute of Standards and Technology (NIST) website, you’ll see a lot of variations. However, they all basically mean the same thing in a roundabout way: access control is a way for you to ensure that only the individuals (or groups) you choose have access to your sensitive data, applications, technologies, and critical infrastructure.

Basically, these types of physical and logical restrictions prevent unauthorized individuals from doing things they shouldn’t with your sensitive systems or data. Furthermore, they also help to prevent inadvertent exposure or disclosure of sensitive items.[2]

  1. Definition of Access Control. Citrix.
  2. What is Access Control? - A Technical Definition. The SSL Store.