What is access control?

Access control is a core element of security that formalizes who is allowed to access certain apps, data, and resources and under what conditions.

Access control defined

Access control is an essential element of security that determines who is allowed to access certain data, apps, and resources—and in what circumstances. In the same way that keys and pre-approved guest lists protect physical spaces, access control policies protect digital spaces. In other words, they let the right people in and keep the wrong people out. Access control policies rely heavily on techniques like authentication and authorization, which allow organizations to explicitly verify both that users are who they say they are and that these users are granted the appropriate level of access based on context such as device, location, role, and much more.

Access control keeps confidential information—such as customer data and intellectual property—from being stolen by bad actors or other unauthorized users. It also reduces the risk of data exfiltration by employees and keeps web-based threats at bay. Rather than manage permissions manually, most security-driven organizations lean on identity and access management solutions to implement access control policies.

Different types of access control

There are four main types of access control—each of which administrates access to sensitive information in a unique way.

  • Discretionary access control (DAC)

    In DAC models, every object in a protected system has an owner, and owners grant access to users at their discretion. DAC provides case-by-case control over resources.

  • Mandatory access control (MAC)

    In MAC models, users are granted access in the form of a clearance. A central authority regulates access rights and organizes them into tiers, which uniformly expand in scope. This model is very common in government and military contexts.

  • Role-based access control (RBAC)

    In RBAC models, access rights are granted based on defined business functions, rather than individuals’ identity or seniority. The goal is to provide users only with the data they need to perform their jobs—and no more.

  • Attribute-based access control (ABAC)

    In ABAC models, access is granted flexibly based on a combination of attributes and environmental conditions, such as time and location. ABAC is the most granular access control model and helps reduce the number of role assignments.

How access control works

In its simplest form, access control involves identifying a user based on their credentials and then authorizing the appropriate level of access once they are authenticated.

Passwords, pins, security tokens—and even biometric scans—are all credentials commonly used to identify and authenticate a user. Multifactor authentication (MFA) adds another layer of security by requiring that users be verified by more than just one verification method.

Once a user’s identity has been authenticated, access control policies grant specific permissions and enable the user to proceed as they intended.

The value of access control

The goal of access control is to keep sensitive information from falling into the hands of bad actors. Attacks on confidential data can have serious consequences—including leaks of intellectual property, exposure of customers’ and employees’ personal information, and even loss of corporate funds.

Access control is a vital component of security strategy. It’s also one of the best tools for organizations who want to minimize the security risk of unauthorized access to their data—particularly data stored in the cloud.

As the list of devices susceptible to unauthorized access grows, so does the risk to organizations without sophisticated access control policies. Identity and access management solutions can simplify the administration of these policies—but recognizing the need to govern how and when data is accessed is the first step.

How to implement access control

  • Connect on goals

    Align with decision makers on why it’s important to implement an access control solution. There are many reasons to do this—not the least of which is reducing risk to your organization. Other reasons to implement an access control solution might include:

     

    • Productivity: Grant authorized access to the apps and data employees need to accomplish their goals—right when they need them.
    • Security: Protect sensitive data and resources and reduce user access friction with responsive policies that escalate in real-time when threats arise.
    • Self-service: Delegate identity management, password resets, security monitoring, and access requests to save time and energy.

  • Select a solution

    Choose an identity and access management solution that allows you to both safeguard your data and ensure a great end-user experience. The ideal should provide top-tier service to both your users and your IT department—from ensuring seamless remote access for employees to saving time for administrators.

  • Set strong policies

    Once you’ve launched your chosen solution, decide who should access your resources, what resources they should access, and under what conditions. Access control policies can be designed to grant access, limit access with session controls, or even block access—it all depends on the needs of your business.

    Some questions to ask along the way might include:

    • Which users, groups, roles, or workload identities will be included or excluded from the policy?
    • What applications does this policy apply to?
    • What user actions will be subject to this policy?

  • Follow best practices

    Set up emergency access accounts to avoid being locked out if you misconfigure a policy, apply conditional access policies to every app, test policies before enforcing them in your environment, set naming standards for all policies, and plan for disruption. Once the right policies are put in place, you can rest a little easier.

Access control solutions

Access control is a fundamental security measure that any organization can implement to safeguard against data breaches and exfiltration.
 

Microsoft Security’s identity and access management solutions ensure your assets are continually protected—even as more of your day-to-day operations move into the cloud.
 

Protect what matters.

Learn more about Microsoft Security

Frequently asked questions

|

In the field of security, an access control system is any technology that intentionally moderates access to digital assets—for example networks, websites, and cloud resources.

 

Access control systems apply cybersecurity principles like authentication and authorization to ensure users are who they say they are and that they have the right to access certain data, based on predetermined identity and access policies.

Cloud-based access control technology enforces control over an organization's entire digital estate, operating with the efficiency of the cloud and without the cost to run and maintain expensive on-premises access control systems.

Access control helps protect against data theft, corruption, or exfiltration by ensuring only users whose identities and credentials have been verified can access certain pieces of information.

Access control selectively regulates who is allowed to view and use certain spaces or information. There are two types of access control: physical and logical.

  • Physical access control refers to the restriction of access to a physical location. This is accomplished through the use of tools like locks and keys, password-protected doors, and observation by security personnel.
  • Logical access control refers to restriction of access to data. This is accomplished through cybersecurity techniques like identification, authentication, and authorization.

Access control is a feature of modern Zero Trust security philosophy, which applies techniques like explicit verification and least-privileged access to help secure sensitive information and prevent it from falling into the wrong hands.

Access control relies heavily on two key principles—authentication and authorization:

  • Authentication involves identifying a particular user based on their login credentials, such as usernames and passwords, biometric scans, PINs, or security tokens.
  • Authorization refers to giving a user the appropriate level of access as determined by access control policies. These processes are typically automated.