What is access control?
Access control is a fundamental component of data security that dictates who’s allowed to access and use company information and resources. Through authentication and authorization, access control policies make sure users are who they say they are and that they have appropriate access to company data. Access control can also be applied to limit physical access to campuses, buildings, rooms, and datacenters.
Explore additional data security topics:
Access control identifies users by verifying various login credentials, which can include usernames and passwords, PINs, biometric scans, and security tokens. Many access control systems also include multifactor authentication (MFA), a method that requires multiple authentication methods to verify a user’s identity.
Once a user is authenticated, access control then authorizes the appropriate level of access and allowed actions associated with that user’s credentials and IP address.
There are four main types of access control. Organizations typically choose the method that makes the most sense based on their unique security and compliance requirements. The four access control models are:
- Discretionary access control (DAC): In this method, the owner or administrator of the protected system, data, or resource sets the policies for who is allowed access.
- Mandatory access control (MAC): In this nondiscretionary model, people are granted access based on an information clearance. A central authority regulates access rights based on different security levels. This model is common in government and military environments.
- Role-based access control (RBAC): RBAC grants access based on defined business functions rather than the individual user’s identity. The goal is to provide users with access only to data that’s been deemed necessary for their roles within the organization. This widely used method is based on a complex combination of role assignments, authorizations, and permissions.
- Attribute-based access control (ABAC): In this dynamic method, access is based on a set of attributes and environmental conditions, such as time of day and location, assigned to both users and resources.
Access control keeps confidential information such as customer data, personally identifiable information, and intellectual property from falling into the wrong hands. It’s a key component of the modern zero trust security framework, which uses various mechanisms to continuously verify access to the company network. Without robust access control policies, organizations risk data leakage from both internal and external sources.
Access control is particularly important for organizations with hybrid cloud and multi-cloud cloud environments, where resources, apps, and data reside both on premises and in the cloud. Access control can provide these environments with more robust access security beyond single sign-on (SSO), and prevent unauthorized access from unmanaged and BYO devices.
8 BYOD best practices
See how the right BYOD strategy and policy-based access control helps boost productivity while keeping resources secure.
As organizations adopt hybrid work models, and as business apps move to the cloud, it’s important to protect against modern-day threats coming from the internet, usage of BYOD and unmanaged devices, and attacks looking to exploit apps and APIs. Citrix secure access solutions ensure applications are continually protected, no matter where people work or what devices they use.
- Citrix Secure Private Access provides zero trust network access (ZTNA) to all IT-sanctioned apps. It uses adaptive authentication to continually evaluate access based on end user roles, locations, device posture, and user risk profiles to keep malicious content and web-borne threats at bay.
- Citrix Analytics for Security uses sophisticated machine learning and artificial intelligence to continuously assess users, identify security risks, and prevent unauthorized access.