When we refer to access control systems, we’re talking about providing access to restricted areas of the enterprise. But familiarity and correctly utilizing access control systems to protect proprietary information are two completely different levels of understanding. For example, who gets access to what? What are the rules? How is access tracked?
The user must first be identified and authenticated before being granted access to private information—which means the basics of an access control system include criteria and records for every time someone “enters” the system.
Depending on the type of organization, the enterprise should consider a couple of broad ideas—what level of ownership it will have over the system, and how to decide which employees get access to what. There are many models, each with different benefits.
The most common types of access control systems
Mandatory access control (MAC)
The mandatory access control system provides the most restrictive protections, where the power to permit access falls entirely on system administrators. That means users cannot change permissions that deny or allow them entry into different areas, creating formidable security around sensitive information.
It even restricts the resource owner’s ability to grant access to anything listed in the system. Once an employee enters the system, they’re tagged with a unique connection of variable “tags”—like a digital security profile—that speaks to what level of access they have. So depending on what tags a user has, they will have limited access to resources based on the sensitivity of the information contained in it. This system is so shrewd, in fact, that it’s commonly used by government entities because of its commitment to confidentiality.
Discretionary access control (DAC)
A discretionary access control system, on the other hand, puts a little more control back into leadership’s hands. They determine who can access which resources, even if the system administrator created a hierarchy of files with certain permissions. All it takes is the right credentials to gain access.
The only disadvantage, of course, is giving the end-user control of security levels requires oversight. And since the system requires a more active role in managing permissions, it’s easy to let actions fall through the cracks. Where the MAC approach is rigid and low-effort, a DAC system is flexible and high-effort.
Role-based access control (RBAC)
Role-based access control attributes permissions to a user based on their business responsibilities. As the most common access control system, it determines access based on the user’s role in the company—ensuring lower-level employees aren’t gaining access to high-level information.
Access rights in this method are designed around a collection of variables that map back to the business—such as resources, needs, environment, job, location, and more. Many executives like this approach because it’s simple to group employees based on the kind of resources to which they need access. For example, someone in human resources does not need access to private marketing materials, and marketing employees don’t need access to employee salaries. RBAC provides a flexible model that increases visibility while maintaining protection against breaches and data leaks