Be it a building, a house, a machine or software- controlling the access to all of these is essential to ensure that they are used only for the purpose that they are meant for, and not exploited at all. This is where the need for access control systems come in. By definition, an access control system involves the implementation of selective restriction of access to a resource or a place. The term ‘access’ here may be a broad one including consuming, using and even entering. Permission to access any kind of a resource is called authorization, and two analogous forms of this control are login credentials and locks.
Physical Security as a form of access control
The first and the most basic form of access control systems comes in the form of a geographical access control. This form can be enforced by security personnel, such as a border guard or a ticket checker, or via a device such as turnstile. There may also be fences to prevent the circumvention of access control.
Physical access control is more of a ‘who, where and when’ kind of system. This determines who is allowed to exit or enter, for where would the access be granted and finally, when would the access or exit be allowed. Historically, this was achieved by a key and lock- meaning that when a door was locked, only someone who had a valid key could enter. However, now electronic access control is applied to solve the limitations which were posed by a mechanical lock and key. These involve a wide range of credentials which can be applied to achieve the same.
Mechanism of electronic access control
When the credential is pressed into a reader, the information is then sent to the control panel, which is in fact a highly accurate processor. The entered credential and its associated information is then compared to what is known as an ‘access control list’, granting or denying access based on the fact whether the credential was present in the list or not. This, however, is a ‘single factor transaction’, where transactions can be passed around which would then subvert the access control list.
A better form of an access control system mechanism involves the inclusion of the following three factors of information authentication:
- Any piece of information that the user knows, such as a PIN or password
- Anything that the user possesses, such as a key or smart-card
- Something that the user himself is, like a fingerprint which is verified through biometric measurement
Passwords are among the most common means of performing verification of a user’s identity before granting access to information systems. Now a days, a fourth factor is included, which is ‘someone you know’. In this, another person that is already known to the other can provide a human element of authentication.
Here, the access control system is comprised of an authorization, authentication, approval of access and lastly audit. Invariably, in all kinds of access control systems, subjects refer to those entities which perform tasks on or over the systems. Resources to which the access is being controlled to are called objects. Both the subject and object are analogous to software entities, and not human users, since the human user can affect the system only through any software entity and not directly.
There are basically two kinds of models for access control- one which is based on the capability and one which has the ACL as its basis.
In this kind of model, access is provided to the object through the possession of an unforgettable reference or a capability. This is analogous to how possession of one’s house key grants one access to his house. The conveyance of access to another party takes place by the transmission of this capability over a safe/secure channel.
ACL or Access Control Lists
In this model, grant of access to the subject is dependent upon whether its identity is amongst a list that is associated with the object. This can be thought of as analogous to how a bouncer checks the ID of a person at a private party to see if his or her name is on the guest list. Access is conveyed through editing the list. There are different ACL systems employing different conventions regarding who or what would be responsible for editing the list and how it’d be done.
Different kind of access control for accounts
Primarily, there are the following kinds of access control system for implementing it to different accounts:
The user does not possess have much freedom in deciding as to who can access the files. For instance, clearance of security of the users and the data classification are the security labels used for defining the trust-level.
In this, the owner of the data decides as to who all have can be granted access to a certain resource or resources. Like, for instance, the system administrator creating file-hierarchies which the access of whom may be granted with some specific permission as the basis.
This allows access which has the job title as its basis. For instance, an HR specialist would not have the permission to create network accounts- which would be reserved only for the network administrators.
Rule-based access control
This can be most simply explained by the following example- allowing the students in the labs only during specific hours or a fixed predetermined time in the day.
This model is what allows the designer of the policy to define the security policy which is independent of the implementation.
Responsibility Based Access Control
In this model, the access to information is based on the responsibilities which are assigned to an actor or a certain business role.
An access control system is of various kinds applications in a variety of areas apart from the ones mentioned above, including telecommunication, public policies, public policies and so on. Properly implemented and regularly updated systems for access control are probably the best tool to prevent misuse of both technology and resources associated with them.