Access controls authenticate and authorize individuals to access the information they are allowed to see and use.
At a high level, access control is a selective restriction of access to data. It consists of two main components: authentication and authorization, says Daniel Crowley, head of research for IBM’s X-Force Red, which focuses on data security.
Authentication is a technique used to verify that someone is who they claim to be. Authentication isn’t sufficient by itself to protect data, Crowley notes. What’s needed is an additional layer, authorization, which determines whether a user should be allowed to access the data or make the transaction they’re attempting.
Access control, then, is about guaranteeing that users are who they say they are and that they have the appropriate access “to do what they’re supposed to be able to do,” Crowley says.
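The two components described above can be shown as two separate checks. The following sketch is an added example, not code from the article or from anyone quoted in it; the user names, passwords, roles, policy table and status strings are all constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow password hash; the iteration count is an illustrative choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "role": role}

# Constructed sample data: two users and a role-to-permission policy.
USERS = {
    "alice": _make_user("correct horse battery", "payroll_admin"),
    "bob": _make_user("tr0ub4dor&3", "employee"),
}
POLICY = {
    "payroll_admin": {("payroll", "read"), ("payroll", "write")},
    "employee": {("own_profile", "read")},
}
# Dummy record so unknown usernames cost the same hashing time as known ones.
_DUMMY = _make_user(os.urandom(8).hex(), "none")

def authenticate(username: str, password: str):
    """Authentication: is this person who they claim to be?"""
    user = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, user["salt"]), user["hash"])
    return username if matches and username in USERS else None

def authorize(username: str, resource: str, action: str) -> bool:
    """Authorization: may this verified identity do this? Default is deny."""
    role = USERS[username]["role"]
    return (resource, action) in POLICY.get(role, set())

def access(username: str, password: str, resource: str, action: str) -> str:
    identity = authenticate(username, password)
    if identity is None:
        return "401 unauthenticated"
    if not authorize(identity, resource, action):
        return "403 forbidden"  # a valid login alone does not grant access
    return "200 ok"

if __name__ == "__main__":
    print(access("alice", "correct horse battery", "payroll", "write"))
    print(access("bob", "tr0ub4dor&3", "payroll", "read"))
    print(access("bob", "wrong password", "own_profile", "read"))
```

Bob's second call is the case Crowley describes: his password is correct, so authentication succeeds, but the policy gives his role no payroll permission and the request is refused.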
How important is access control to overall data security?
Without authentication and authorization, there is no data security, Crowley says. “In every data breach, access controls are among the first policies investigated,” notes Ted Wagner, CISO at SAP National Security Services, Inc. “Whether it be the inadvertent exposure of sensitive data improperly secured by an end user or the Equifax breach, where sensitive data was exposed through a public-facing web server operating with a software vulnerability, access controls are a key component. When not properly implemented or maintained, the result can be catastrophic.”
What types of organizations need access control the most?
Any organization whose employees connect to the internet—in other words, every organization today—needs some level of access control in place. “That’s especially true of businesses with employees who work out of the office and require access to the company data resources and services,” says Avi Chesla, CEO of cybersecurity firm empow.
Put another way: If your data could be of any value to someone without proper authorization to access it, then your organization needs strong access control, Crowley says.