Access Control

What Is Access Control?

Access control is a security discipline concerned with regulating which users, processes, or systems can view, modify, or execute resources within a computing environment. It establishes the rules and mechanisms that enforce separation between subjects (entities requesting access) and objects (resources being protected), ensuring that only authorized principals perform permitted operations. Access control sits at the center of computer security architecture, and failures in its implementation account for a large share of data breaches and unauthorized system intrusions.

The field draws its theoretical foundations from operating systems research, formal methods, and cryptography. Early access control work in the 1960s and 1970s focused on time-shared mainframes, where preventing one user from reading another's files was a fundamental design constraint. Those early protection models, developed by researchers such as Lampson and lattice-model theorists, established the vocabulary still in use today.

Access Control Models

The major access control models each take a different approach to expressing and enforcing policy. Discretionary access control (DAC) lets the owner of a resource decide who may access it, as seen in traditional Unix file permissions. Mandatory access control (MAC) removes that discretion: a central policy authority assigns sensitivity labels to subjects and objects, and the system enforces rules such as "no read-up, no write-down" regardless of owner preference. Role-based access control (RBAC), formalized by Ferraiolo and Kuhn at NIST in 1992 and standardized as ANSI/INCITS 359-2004, assigns permissions to roles rather than individuals, reducing administrative overhead in large organizations. Attribute-based access control (ABAC) generalizes all of the above: authorization decisions evaluate arbitrary attributes of the subject, the object, the requested action, and the environment, as defined in NIST Special Publication 800-162.

Network and Distributed Access Control

As systems moved from single machines to networked environments, access control had to extend across communication boundaries. Network access control (NAC) enforces policy at the point where a device connects to a network, checking device health, user credentials, and policy compliance before granting admission. In distributed systems, access decisions may be delegated to remote policy decision points, requiring protocols such as RADIUS and XACML to carry policy information between enforcement and evaluation components. Active distributed networks add complexity by allowing network elements themselves to execute code, requiring that access control policies govern not just data flows but the injection of programs into the network fabric.

Biometrics and Capability-Based Security

Two distinct sub-areas extend the access control model in opposite directions. Biometric authentication replaces or supplements credential tokens such as smart cards and passwords with physiological measurements: fingerprint minutiae, iris patterns, facial geometry, or voice characteristics. Because biometric data is inherently probabilistic rather than binary, biometric access systems must balance false acceptance rate against false rejection rate, a tradeoff studied extensively in standards work by the IEEE Biometrics Council. Capability-based security takes a different approach: rather than consulting a central access control list, each subject holds an unforgeable token (a capability) that directly encodes what operations it may perform on a given object. Capability systems appear in microkernels, certain cloud IAM frameworks, and some programming language security models.

Applications

Access control has applications in a wide range of disciplines, including:

  • Physical building security and smart facility management systems
  • Healthcare information systems protecting patient records under HIPAA and similar regulations
  • Cloud identity and access management for multi-tenant infrastructure
  • Industrial control systems and SCADA environments
  • Mobile device and embedded system security
Loading…