Industry Voice: Establishing access control

By Mike Olivier | Apr 19, 2021

A building block of system security is controlling access. It goes without saying, if you cannot control access, then there is no control. In system security, this includes physical access control and data access control, or what is often called logical access.

For physical and logical access, the methods of control are fairly similar, though applied radically differently. Physical access is simpler; it is certainly more direct. We all control physical access to our car and home, whether that is an apartment or a house. The door is locked, and there is a key that allows for access control. Secondly, the key is safeguarded; it is not, or should not be, placed where anyone can access it. Under the doormat is most likely not a good idea; it is hardly novel and like putting your password on a Post-It Note next to the computer display.

Nevertheless, we provide keys to trusted individuals so that they too can access our car, home, etc. The key is the token that allows for access, and we provide that token to others based on the relationship and the role they play. In this example, the physical world is much more straightforward than the logical world. In the physical world, there are physical things we want to safeguard; we physically secure them and then allow access to these things based on relationships and roles. The logical world is complicated by the fact that usually, there are more people involved, and there are more things to secure; it is more than access to a door that then provides access to an apartment or a house.

In the system security framework, logical access needs to be mapped, unlike physical access logical access it can get very detailed. For example, in mapping logical access to an office building, all employees could have access to the front door of the office, then a smaller population could have access to the storage or to other types of offices, then fewer still to the accounting office. Then from the small subset that has access to the accounting office, maybe only two have access to the safe in the closet, in the accounting office, in the office building. Also, consider that the one or two with access to the safe may have another key with universal access to all spaces in the office, and they determine the access for all; they are the ones with administrative rights. In this example, there are reasons for these variations in access control. Access to the rooms in the office is granted because of the user role; some work in engineering, some in accounting. Some may need access to multiple rooms, others to only one room, the shop floor, for example. In the access control framework, this is related to the job they need to do.

Essentially, access control is establishing layers of access, or a hierarchy of access, an outline for this is called role-based access control. This begins with defining what tasks need to be done in the organization and connecting the tasks to the roles. The roles are based on a job, or what needs to be done, and the resources needed to accomplish the task. Accounting is a role, and for accounting, you need access to the accounting application software and other related resources; engineering is another role that may require access to applications and system resources.

One of the many concepts that guide access is the principle of least privilege. The principle of least privilege is ensuring that users only have access to the resources they need to do their job. This is obvious in real life, the physical world, where the keys to your house or car are closely held. In fact, in the old days, there used to be two sets of keys for cars, one to unlock the door and the second for the ignition to start the car. Even in the pre-computer world of mechanical things, there was access control.

Setting up access control and establishing a role based access control framework is not a quick task. Most organizations have this framework by default; this is basic or fundamental system administration. The organization's security requirement is to review this process and to ensure what has grown over time actually represents how the business functions. For most, this is a background task; this is what the managed service provider does; it is the magic stuff that occurs behind the curtain. However, establishing this as an element of the organization's security framework requires management acknowledgment and a degree of management supervision. The question then arises, what do these people actually do, who actually does have administrative control over the organization, and it is not uncommon to find administrators with access rights that no longer work for the company.

With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at