What is Access Control?

Access control is the set of policies, procedures, and technical mechanisms that regulate who can access systems, data, and resources within an organization. It ensures that only authorized individuals can view, modify, or interact with sensitive information and critical systems. Access control is one of the most fundamental and universally required security controls across every major compliance framework.

Core principles

Access control is built on several foundational principles:

  • Least privilege — users are granted only the minimum access necessary to perform their job functions
  • Separation of duties — critical tasks are divided among multiple individuals to prevent any single person from having unchecked authority
  • Need to know — access to information is restricted to those who require it for a specific purpose
  • Default deny — access is denied by default unless explicitly granted

Types of access control

Role-Based Access Control (RBAC) — access is determined by the user's role within the organization. Roles are defined with specific permissions, and users are assigned to roles. This is the most common model in enterprise environments.

Attribute-Based Access Control (ABAC) — access decisions are based on attributes of the user, the resource, and the environment (e.g., department, location, time of day, device type).

Discretionary Access Control (DAC) — resource owners decide who can access their resources. Common in file systems where owners set permissions.

Mandatory Access Control (MAC) — access is controlled by the system based on security labels and clearance levels. Common in government and military environments.

Access control components

A complete access control program addresses:

Authentication — verifying the identity of users:

  • Passwords and passphrases
  • Multi-factor authentication (MFA)
  • Single sign-on (SSO)
  • Biometric authentication
  • Certificate-based authentication

Authorization — determining what authenticated users can do:

  • Permission assignments
  • Role definitions
  • Access control lists
  • Policy enforcement points

Access lifecycle management — managing access throughout the user lifecycle:

  • Provisioning (granting access when hired or role changes)
  • Review (periodic access certification)
  • Deprovisioning (revoking access upon termination or role change)

Access control in compliance frameworks

Every major framework requires access control:

  • SOC 2 — CC6.1 through CC6.8 cover logical and physical access controls
  • ISO 27001 — controls A.5.15 through A.5.18 and A.8.2 through A.8.5 address access management
  • HIPAA — the Security Rule requires access controls for ePHI (45 CFR 164.312(a))
  • PCI DSS — Requirements 7 and 8 address access restriction and user identification
  • NIST CSF — PR.AC covers identity management, authentication, and access control

Access reviews

Regular access reviews (also called access certifications) are a critical control:

  • Review user access rights periodically (quarterly is common for sensitive systems)
  • Verify that access aligns with current job responsibilities
  • Identify and remove excessive or unnecessary access
  • Document review results and remediation actions

Common access control weaknesses

  • Excessive permissions that accumulate over time (privilege creep)
  • Shared accounts that prevent individual accountability
  • Delayed deprovisioning when employees leave or change roles
  • Lack of MFA on critical systems
  • Inconsistent access review processes
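The principles above (default deny, least privilege), the access review steps, and the privilege creep and delayed deprovisioning weaknesses can be shown together in a small model. This is an added example, not episki's code; the roles, users, grants and dates are constructed samples.

```python
# Added example: minimal RBAC with default deny, plus an access review pass.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Role definitions: each role carries only the permissions its job needs.
ROLES = {
    "engineer": {"repo:read", "repo:write"},
    "support": {"tickets:read", "tickets:write", "customer:read"},
    "finance": {"invoices:read", "invoices:approve"},
}

@dataclass
class User:
    name: str
    roles: set
    direct_grants: set = field(default_factory=set)  # ad-hoc grants outside any role
    terminated_on: Optional[date] = None

def role_permissions(user: User) -> set:
    """Permissions implied by the user's roles; unknown roles contribute nothing."""
    return set().union(*(ROLES.get(r, set()) for r in user.roles))

def is_allowed(user: User, permission: str, today: date) -> bool:
    """Default deny: terminated accounts and unlisted permissions are refused."""
    if user.terminated_on is not None and user.terminated_on <= today:
        return False
    return permission in (role_permissions(user) | user.direct_grants)

def access_review(users: list, today: date) -> list:
    """Return (user, finding) pairs a reviewer must remediate and document."""
    findings = []
    for u in users:
        gone = u.terminated_on is not None and u.terminated_on <= today
        if gone and (u.roles or u.direct_grants):
            findings.append((u.name, "delayed deprovisioning: terminated user still holds access"))
        # Privilege creep: direct grants that no current role justifies.
        for perm in sorted(u.direct_grants - role_permissions(u)):
            findings.append((u.name, f"privilege creep: direct grant '{perm}' not covered by any role"))
    return findings

# Constructed sample: bob kept a finance grant after moving to support; carol left but was never deprovisioned.
SAMPLE_USERS = [
    User("alice", {"engineer"}),
    User("bob", {"support"}, direct_grants={"invoices:approve"}),
    User("carol", {"finance"}, terminated_on=date(2024, 3, 1)),
]
REVIEW_DATE = date(2024, 6, 30)
```

Running `access_review(SAMPLE_USERS, REVIEW_DATE)` yields one privilege creep finding for bob and one delayed deprovisioning finding for carol; alice, whose access matches her role, produces none.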

How episki helps

episki tracks access control policies, monitors review schedules, and documents access provisioning and deprovisioning activities. The platform sends reminders for periodic access reviews and maintains evidence for auditors. Learn more on our compliance platform.

See how episki handles this

Start a free trial and explore controls, evidence, and automation firsthand.