Access Control
Home /
Glossary Index /
Alphabet A
What Is Access Control?
Access control is a foundational security principle that determines who is allowed to view, use, or interact with resources within a computing environment. In practice, it is the set of policies, mechanisms, and technologies that regulate which users, devices, or systems can access specific data, applications, networks, or physical locations — and under what conditions that access is permitted.
In cybersecurity, access control is not a single tool but a layered discipline. It encompasses identity verification, permission assignment, policy enforcement, and ongoing monitoring of how resources are accessed across an organization. Without well-designed access control, sensitive data, critical infrastructure, and internal systems are exposed to both external attackers and internal misuse.
As organizations adopt cloud infrastructure, remote work environments, SaaS platforms, and zero trust architecture, access control has become one of the most operationally complex, and most consequential, areas of enterprise security.
Why Access Control Matters in 2026
Data breaches and insider incidents consistently trace back to failures in access control: credentials that were never revoked, accounts with excessive permissions, or systems that lacked any enforcement of least-privilege principles.
According to multiple industry reports, a significant proportion of data loss incidents involve valid credentials — meaning an attacker or malicious insider used legitimate access rather than exploiting a technical vulnerability. Strengthening access control directly reduces this attack surface.
For organizations subject to GDPR, HIPAA, PCI DSS, SOC 2, or ISO 27001, access control is also a formal compliance requirement. Auditors routinely examine whether access is limited to those with a business need, whether permissions are regularly reviewed, and whether access logs are maintained for forensic purposes.
Types of Access Control Models
Understanding the major access control models helps organizations select the right framework for their environment and risk profile.
1. Discretionary Access Control (DAC)
In DAC, the owner of a resource determines who can access it. A file owner, for example, can grant read or write permissions to other users. This model is flexible but creates risk when individual users make poor permission decisions or when accounts are compromised.
Commonly used in: Legacy operating systems, small organizations, personal computing environments.
Commonly used in: Legacy operating systems, small organizations, personal computing environments.
2. Mandatory Access Control (MAC)
MAC enforces access based on security classifications assigned by a central authority — typically an administrator or a system policy. Users cannot override or modify access rules, regardless of resource ownership. Access is determined by the sensitivity label of the resource and the clearance level of the requesting user or process.
Commonly used in: Government agencies, defense organizations, and environments handling classified information.
Commonly used in: Government agencies, defense organizations, and environments handling classified information.
3. Role-Based Access Control (RBAC)
RBAC assigns permissions to roles rather than individual users. Users are then assigned roles based on their job function. An employee in the finance department receives access appropriate to that role; a developer receives access relevant to engineering systems. RBAC is the most widely deployed model in enterprise environments because it simplifies permission management at scale.
Commonly used in: Enterprise IT environments, SaaS platforms, cloud infrastructure.
Commonly used in: Enterprise IT environments, SaaS platforms, cloud infrastructure.
4. Attribute-Based Access Control (ABAC)
ABAC evaluates access decisions based on a combination of attributes — user attributes (role, department, clearance), resource attributes (sensitivity, classification), and environmental attributes (time of day, device type, location). ABAC enables fine-grained, context-aware access policies that RBAC alone cannot express.
Commonly used in: Zero trust architectures, cloud-native environments, organizations with complex, dynamic access requirements.
Commonly used in: Zero trust architectures, cloud-native environments, organizations with complex, dynamic access requirements.
5. Policy-Based Access Control (PBAC)
PBAC centralizes access decisions in a policy engine that evaluates rules across multiple dimensions simultaneously. It is often considered an extension of ABAC and is increasingly adopted in zero trust frameworks where access decisions must account for identity, device posture, network context, and behavioral signals in combination.
Commonly used in: Large enterprises implementing zero trust network access (ZTNA), SASE architectures, and adaptive security programs.
Commonly used in: Large enterprises implementing zero trust network access (ZTNA), SASE architectures, and adaptive security programs.
Core Components of an Access Control System
A complete access control implementation involves several interrelated components working together.
- Identity and Authentication: Before access can be controlled, the identity of the requesting user or system must be verified. This involves authentication mechanisms including passwords, multi-factor authentication (MFA), certificates, and biometrics.
- Authorization: Once identity is verified, the system determines what that identity is permitted to do. Authorization is the enforcement layer of access control — matching a verified identity against defined permissions.
- Least Privilege: The principle that every user, application, or system process should have access only to the resources strictly required to perform their function. Least privilege limits the blast radius of compromised accounts and reduces insider threat risk.
- Access Provisioning and Deprovisioning: The operational processes for granting access when employees join or change roles, and revoking access when they leave or no longer require it. Failure to deprovision access promptly is one of the most common access control failures in enterprise environments.
- Access Reviews and Audits: Periodic reviews of who has access to what, to identify and remediate permission drift — the accumulation of unnecessary access over time as users change roles or projects evolve.
- Privileged Access Management (PAM): Specialized controls for accounts with elevated permissions — system administrators, database administrators, and service accounts — that present elevated risk if compromised.
Access Control in Zero Trust Architecture
Zero trust fundamentally reframes access control. The traditional model assumes that users inside the network perimeter can be trusted; zero trust assumes no implicit trust and requires continuous verification for every access request, regardless of network location.
In a zero trust framework, access control decisions are made dynamically based on:
- Identity and credential strength
- Device health and compliance status
- Application being accessed and its sensitivity
- Network context (location, IP, connection type)
- Behavioral signals and risk score
This shifts access control from a point-in-time gate at the network boundary to a continuous, context-aware evaluation engine applied to every transaction.
Access Control and Data Loss Prevention
Access control is closely related to — but distinct from — data loss prevention (DLP). Access control determines whether a user can reach a resource. DLP governs what they can do with data once they have access to it.
Effective data security programs combine both: access control limits who can reach sensitive data, while DLP limits how that data can be moved, copied, shared, or extracted. Gaps in access control directly increase the effectiveness of insider threats that DLP must then detect and prevent.
Common Access Control Failures and How to Avoid Them
- Orphaned accounts: User accounts that remain active after an employee leaves. Mitigation: automated deprovisioning tied to HR system offboarding workflows.
- Device health Privilege creep: The accumulation of permissions as users change roles without removal of prior access. Mitigation: periodic access reviews and role recertification processes.and compliance status
- Over-privileged service accounts: Applications or automated processes with administrative-level permissions that far exceed operational requirements. Mitigation: apply least privilege principles to service accounts and rotate credentials regularly.
- Shared credentials: Multiple users sharing a single account, eliminating individual accountability and complicating forensic investigation. Mitigation: enforce individual accounts with MFA for all users.
- Weak authentication on privileged accounts: Administrator accounts protected only by password. Mitigation: mandatory MFA and privileged access management (PAM) for all elevated accounts.
Frequently Asked Questions
Authentication verifies the identity of a user or system — confirming they are who they claim to be. Access control determines what that verified identity is permitted to do. Authentication is a prerequisite for access control; they are sequential but distinct functions. A user can be successfully authenticated but still denied access if their permissions don't cover the requested resource.
Least privilege is the access control principle that every user, application, or process should have only the minimum level of access required to perform their specific function. It matters because it limits the damage that can be caused by a compromised account, a misconfigured application, or a malicious insider. Excess permissions are one of the primary enablers of both external attacks and insider data theft.
RBAC assigns permissions based on a user's role in the organization — a fixed category like "finance analyst" or "system administrator." ABAC evaluates multiple attributes simultaneously — user role, device type, time of access, resource sensitivity, location — to make more contextual, granular access decisions. RBAC is simpler to implement; ABAC provides greater precision for complex environments.
PAM is a specialized discipline focused on securing, monitoring, and managing accounts with elevated permissions — administrators, database managers, and service accounts. Any organization where compromised administrator credentials could cause catastrophic damage needs PAM. In practice, this means virtually all enterprises. PAM solutions provide features like credential vaulting, session recording, just-in-time access, and automated credential rotation.
Industry best practices and most compliance frameworks recommend formal access reviews at least quarterly for privileged accounts and annually for standard user accounts. High-sensitivity systems — those holding regulated data or critical infrastructure — should be reviewed more frequently. Access reviews should also be triggered by events: role changes, department transfers, and employee offboarding.
The principles are the same, but the implementation differs significantly. Cloud environments introduce identity-based perimeters (IAM policies), service-to-service authentication, and API access controls that don't exist in traditional on-premises architecture. Cloud access control also requires attention to cross-account permissions, federated identity, and the management of cloud-native service accounts — areas where many organizations have significant visibility gaps.
