Access control (sometimes abbreviated as AC):
- is "[l]imiting the flow of information from the resources of a system only to authorized persons, programs, processes or other system resources on a network."
- is "[a] means to ensure that access to assets is authorized and restricted based on business and security requirements."
- includes "[p]rocedures, physical barriers and security personnel provided to limit access to sensitive areas."
- is "the granting or denying to a subject of certain permissions to access a resource (e.g., to view a certain file, to run a certain program)."
- is "[p]revention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner."
- is "[p]rotection of resources against unauthorized access; a process by which use of resources is regulated according to a security policy and is permitted by only authorized system entities according to that policy."
- is "[t]he process of granting or denying specific requests: 1) for obtaining and using information and related information processing services; and 2) to enter specific physical facilities (e.g., federal buildings, military establishments, and border crossing entrances)."
- "restrict[s] the ability of unknown or unauthorized users to view or use information, hosts, or networks. Access control technologies can help protect sensitive data and systems. Access controls include boundary protection, authentication, and authorization technologies."
- is "[t]he mechanisms for limiting access to certain information based on a user's identity and membership in various predefined groups. Access control can be mandatory, discretionary, or role-based."
- is "[a] procedure to identify and/or admit personnel with proper security clearance and required access approval(s) to information or facilities using physical, electronic, and/or human controls."
A basic management objective for any organization is to protect the resources that support its critical operations and assets from unauthorized access. Organizations accomplish this by designing and implementing controls that are intended to prevent, limit, and detect unauthorized access to computer resources (e.g., data, programs, equipment, and facilities), thereby protecting them from unauthorized disclosure, modification, and loss.
Specific access controls include system boundary protections, identification and authentication of users, authorization restrictions, cryptography, protection of sensitive system resources, and audit and monitoring procedures. Without adequate access controls, unauthorized individuals, including intruders and former employees, can surreptitiously read and copy sensitive data and make undetected changes or deletions for malicious purposes or for personal gain. In addition, authorized users could intentionally or unintentionally modify or delete data or execute changes that are outside of their authority.
Forms of access controls
By controlling who can use an application, database record, or file, an organization can help to protect that data. It is particularly important to control who is allowed to enable or disable the security features or to change user privileges.
Users need to ensure that secure applications sufficiently manage access to data that they maintain. Access control includes any or all of the following: knowing who is attempting access, mediating access according to some processing rules, and managing where or how data is sent.
Controlling access can be based on any or a combination of the following:
- Identity-based Access Control. A security policy based on comparing the identity of the subject (user, group of users, role, process, or device) requesting access and the authorizations for this identity associated with the object (system resource) being accessed.
- Information Flow Control. Information flow policies dictate whether information with a particular characteristic can move from one controlled entity (container or subject) to another. Information flow control is based on some fundamental characteristic of the information (not the container), and might not involve an identifiable subject.
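The two forms above answer different questions, which the following added example illustrates (it is not taken from any of the cited sources). The subjects, objects, group names and the two-level label ordering are constructed assumptions. It shows a copy that every identity-based check permits, yet which moves confidential information into a public container unless a flow rule is also enforced.

```python
from dataclasses import dataclass

# Assumption: a simple two-level ordering of information labels.
LEVELS = {"public": 0, "confidential": 1}

@dataclass
class Obj:
    name: str
    label: str   # label of the container itself
    acl: dict    # identity (user or group) -> set of permissions
    holds: str   # highest label of the information currently stored in it

def identity_check(user, groups, obj, perm):
    """Identity-based: compare the requesting identity with the object's authorizations."""
    return any(perm in obj.acl.get(i, set()) for i in {user, *groups})

def flow_allowed(info_label, dest):
    """Information flow: decided by the information's label, not by who is asking."""
    return LEVELS[info_label] <= LEVELS[dest.label]

def copy(user, groups, src, dst, enforce_flow):
    if not identity_check(user, groups, src, "read"):
        return f"denied: {user} has no read authorization on {src.name}"
    if not identity_check(user, groups, dst, "write"):
        return f"denied: {user} has no write authorization on {dst.name}"
    if enforce_flow and not flow_allowed(src.holds, dst):
        return f"denied: {src.holds} information may not flow into {dst.label} {dst.name}"
    dst.holds = max(dst.holds, src.holds, key=LEVELS.get)  # information moved
    return "allowed"

def sample_objects():
    """Constructed sample data: an HR-only file and a bulletin everyone can read."""
    payroll = Obj("payroll.csv", "confidential", {"hr": {"read"}}, "confidential")
    bulletin = Obj("bulletin.txt", "public",
                   {"alice": {"write"}, "everyone": {"read"}}, "public")
    return payroll, bulletin

def leaked(obj):
    """True when a container holds information above its own label."""
    return LEVELS[obj.holds] > LEVELS[obj.label]

if __name__ == "__main__":
    for enforce in (False, True):
        payroll, bulletin = sample_objects()
        result = copy("alice", ["hr", "everyone"], payroll, bulletin, enforce)
        print(f"flow control={enforce}: {result}; leaked={leaked(bulletin)}")
```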
- Compendium of Approved ITU-T Security Definitions, at 2.
- Framework for Cyber-Physical Systems, at 5.
- NIST, FIPS 31.
- Cryptography's Role in Securing the Information Society, App. B, Glossary, at 353.
- ISO/IEC 18028-2: 2006-02-01.
- RFC 2828.
- FIPS 201.
- Technology Assessment: Cybersecurity for Critical Infrastructure Protection, at 44.
- Privacy Technology Focus Group Final Report, App. B, at 49.
- Intelligence Community Standard 700-01, at 2.
- Access control card
- Access control center
- Access control check
- Access Control Decision Function
- Access Control Enforcement Function
- Access control function
- Access control information
- Access control label
- Access control list
- Access control measures
- Access control mechanisms
- Access control policy
- Access control procedures
- Access control service
- Access control software
- Access control system
- Access control technologies
- Logical access control
- Logical Access Control Systems
- Discretionary access control
- Mandatory access control
- Physical access control
- Physical Access Control System
- Role-based access control
- Virtual access controls