Access Control Models: How to Navigate Changing Security Frontiers
BizTech Staff | 10/20/2020
As businesses undertake digital transformation projects frontiers expand in both physical and digital spaces, access control has become about more than just keycards and security kiosks. The need for more robust security across organizations has led IT leaders to explore various access control systems, including examining how different access control models and management structures could work together to benefit business.
But before an access control management structure or model can be implemented, let’s take a look at access control in the interconnected age.
What Is Access Control and How Does It Work with IoT?
Access control is a security technique that regulates who or what can view or use resources in any environment. There are two main types: physical and logical. Both forms of access control are concerned with entry to restricted areas but vary on how to define those areas.
Logical access control addresses who or what can attain virtual access to data, digital resources and computer networks (think password-protected documents or two-factor authentication). Meanwhile, physical access control impedes bodily access to buildings, rooms or other tangible assets (think metered gates or doors that lock automatically).
The rise of the Internet of Things has transformed access control. Security cameras, card readers, locks and more can now connect via a single wireless network, allowing security managers to control them from various software-based platforms. Whether it’s using a smartphone to open a door or monitoring security footage via a tablet from a remote location, IoT has increased the mobility and scope of access control in a way never before seen on previous systems.
But even as the IoT revolution changes access control, it can create added vulnerability for hackers looking to exploit these interconnected networks. That’s where access control models and management become key.
Understanding Access Control Models and Management
There are three primary models of access control:
Web-based access control systems are entirely cloud-based and store permissions on the web rather than on a physical device. This model allows security managers greater access and visibility into the areas they’re monitoring and makes it easier to update or change security permissions in real time from any location.
Mobile-based access control models function in much the same way. Using a smartphone, security teams can remotely access every aspect of a business's security system — from the password-protected server to a locked door — to update and change permissions via codes sent over Wi-Fi or cellular signal.
For businesses looking for even greater mobility, connecting all access control software and hardware via one network allows security managers to update these devices all at once in real time. This IoT-based access control model keeps systems up to date with the latest security patches.
However, these models can create their own security risks. Anything cloud- or web-based, or which links several devices to one source, can easily fall prey to hackers. Access control management systems can reduce this increased cybersecurity risk by clearly identifying who can access secured information.
What Are the Types of Access Control?
Mandatory Access Control (MAC) management is the strictest management option and cedes total control of an entire operating system — doors, cloud-based services, elevators, smartphones — to a system administrator. Without this administrator's permission, no one and nothing can gain access.
Discretionary Access Control (DAC) management is one step down from MAC and allows businesses to decide who has access to which areas. Think of this as a bit like the official guest list for a party: The people on the list have access to the party, but they can’t bring a friend and might not have access to every room at the event. Unlike with MAC systems, there is no single entity that grants permissions.
Similar to DAC, Role-Based Access Control (RAC) grants permissions based on certain criteria. Here, a user might have access to his or her personal email, but not to a business’s private files on the same server. This allows businesses to create layers of security and grant access based on unique needs.
Last, Rule-Based Access Control (RBAC) is a mixture of DAC and RAC. Here, an individual or list of individuals have access to certain areas based on unique needs but must abide by certain rules (think of elevators that lock out employees after hours, regardless of whether they have keycards).
How to Choose an Access Control Model and Management System
No one type of access control is foolproof, and no one model or management structure is better than another. What’s important is that a business identifies its end goal before implementing any type of access control structure.
R&S Erection of Concord, a California-based vendor of garage doors, commercial gates and loading dock equipment, recommends following four steps when selecting access control:
1. Consider access control policies, models and mechanisms. As outlined above, the model and management structure selected is critical to the success of access control. Choosing the model and structure helps identify the hardware and software requirements.
2. Know the hardware and security requirements. Hardware will vary based on what level of security is needed and what kind of authentication process is required. For instance, fingerprinting will require different hardware and offer a different level of security than, say, keycard readers or facial recognition requirements.
3. Assess connectivity and costs. Not all access control systems work with all types of operating systems. Some offer web-based connectivity solutions that may require network upgrades. Consider network capacity and the cost of additions or extensions before selecting certain access control models.
4. Plan for the future. While many access control system vendors will offer upgrades, make sure to examine such policies before purchasing. Also consider future business developments before committing to one type of access control model or management structure.