What is Access Control?
Access control is the set of policies, procedures, and technical mechanisms that regulate who can access systems, data, and resources within an organization. It ensures that only authorized individuals can view, modify, or interact with sensitive information and critical systems. Access control is one of the most fundamental and universally required security controls across every major compliance framework.
Core principles
Access control is built on several foundational principles:
- Least privilege — users are granted only the minimum access necessary to perform their job functions
- Separation of duties — critical tasks are divided among multiple individuals to prevent any single person from having unchecked authority
- Need to know — access to information is restricted to those who require it for a specific purpose
- Default deny — access is denied by default unless explicitly granted
Types of access control
Role-Based Access Control (RBAC) — access is determined by the user's role within the organization. Roles are defined with specific permissions, and users are assigned to roles. This is the most common model in enterprise environments.
Attribute-Based Access Control (ABAC) — access decisions are based on attributes of the user, the resource, and the environment (e.g., department, location, time of day, device type).
Discretionary Access Control (DAC) — resource owners decide who can access their resources. Common in file systems where owners set permissions.
Mandatory Access Control (MAC) — access is controlled by the system based on security labels and clearance levels. Common in government and military environments.
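To make the core principles and the RBAC/ABAC models above concrete, here is a small policy evaluator added as an example; it is not code from the page or from episki. The role catalogue, the separation-of-duties pairs, the attribute conditions (department, MFA, managed device, business hours) and all names are constructed for illustration. It shows least privilege through narrow role grants, separation of duties as a conflict check, need to know as a department attribute, and default deny as the only structure of the decision function.

```python
from dataclasses import dataclass

# Constructed role catalogue for the example: each role carries only the
# permissions its job function needs (least privilege).
ROLE_PERMISSIONS = {
    "analyst": {"reports:read"},
    "ap_clerk": {"invoices:read", "invoices:create"},
    "ap_approver": {"invoices:read", "invoices:approve"},
    "admin": {"users:create", "users:delete"},
}

# Permission pairs that one person must never hold together (separation of duties).
SOD_CONFLICTS = [("invoices:create", "invoices:approve")]


@dataclass
class Subject:
    user_id: str
    roles: frozenset
    department: str
    mfa_verified: bool


@dataclass
class Resource:
    name: str
    owner_department: str
    sensitivity: str  # "internal" or "confidential"


@dataclass
class Environment:
    hour: int            # local hour of day, 0-23
    device_managed: bool


def effective_permissions(subject):
    """RBAC: the union of every permission granted by the subject's roles."""
    perms = set()
    for role in subject.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(subject):
    """Return the conflicting permission pairs this subject holds at once."""
    perms = effective_permissions(subject)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def abac_allows(subject, resource, env):
    """ABAC: attribute conditions layered on top of the role grant. Confidential
    resources additionally need the need-to-know department, MFA, a managed
    device and business hours; internal resources impose no extra conditions."""
    if resource.sensitivity != "confidential":
        return True
    return (subject.department == resource.owner_department
            and subject.mfa_verified
            and env.device_managed
            and 8 <= env.hour < 20)


def decide(subject, action, resource, env):
    """Default deny: the only path to 'allow' is passing every check."""
    if action not in effective_permissions(subject):
        return ("deny", f"no role of {subject.user_id} grants {action}")
    if sod_violations(subject):
        return ("deny", "subject holds conflicting duties; access blocked pending review")
    if not abac_allows(subject, resource, env):
        return ("deny", "attribute policy rejects request")
    return ("allow", "role, duty and attribute checks passed")


if __name__ == "__main__":
    ledger = Resource("ap-ledger", "finance", "confidential")
    clerk = Subject("dana", frozenset({"ap_clerk"}), "finance", True)
    office = Environment(hour=10, device_managed=True)
    print(decide(clerk, "invoices:create", ledger, office))
    print(decide(clerk, "invoices:approve", ledger, office))
```

The decision function never has an "allow" fallthrough: a new attribute or role that the policy does not mention results in a denial, which is what default deny means in practice. Blocking a subject who holds both sides of a separation-of-duties conflict is one design choice; another is to allow the request but raise a review finding.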
Access control components
A complete access control program addresses:
Authentication — verifying the identity of users:
- Passwords and passphrases
- Multi-factor authentication (MFA)
- Single sign-on (SSO)
- Biometric authentication
- Certificate-based authentication
Authorization — determining what authenticated users can do:
- Permission assignments
- Role definitions
- Access control lists
- Policy enforcement points
Access lifecycle management — managing access throughout the user lifecycle:
- Provisioning (granting access when hired or role changes)
- Review (periodic access certification)
- Deprovisioning (revoking access upon termination or role change)
Access control in compliance frameworks
Every major framework requires access control:
- SOC 2 — CC6.1 through CC6.8 cover logical and physical access controls
- ISO 27001 — Annex A controls A.5.15 through A.5.18 and A.8.2 through A.8.5 address access management
- HIPAA — the Security Rule requires access controls for ePHI (45 CFR 164.312(a))
- PCI DSS — Requirements 7 and 8 address access restriction and user identification
- NIST CSF — PR.AC covers identity management, authentication, and access control
Access reviews
Regular access reviews (also called access certifications) are a critical control:
- Review user access rights periodically (quarterly is common for sensitive systems)
- Verify that access aligns with current job responsibilities
- Identify and remove excessive or unnecessary access
- Document review results and remediation actions
Common access control weaknesses
Even well-designed access control programs can degrade over time without ongoing attention. Watch for these common issues:
- Excessive permissions that accumulate over time (privilege creep)
- Shared or generic accounts that prevent individual accountability
- Delayed deprovisioning when employees leave or change roles
- Lack of MFA on critical systems and remote access paths
- Inconsistent access review processes with no documented remediation
- Service accounts with standing privileged access and no rotation schedule
- Lack of visibility into SaaS application access outside the corporate IdP
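The access review steps above and the weaknesses just listed can be checked mechanically once the account inventory is in a normalised form. The following script is an added example, not code from the page or from episki: it runs one review pass over a constructed inventory (shaped like a join of an IdP export and an HR feed) and produces the findings a certification would document. The role baselines, the ":admin" naming convention for privileged grants, the 90-day rotation limit and every account are assumptions for illustration.

```python
from datetime import date

# Constructed role baselines: the permissions each job function is expected to hold.
ROLE_BASELINE = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "support": {"tickets:read", "tickets:write", "customers:read"},
    "automation": {"ci:run"},
}
PRIVILEGED_SUFFIX = ":admin"   # naming convention assumed for this example
MAX_ROTATION_AGE_DAYS = 90     # assumed rotation policy for service-account credentials
REVIEW_DATE = date(2024, 6, 1)  # constructed date of this review

# Constructed inventory, shaped like a normalised join of an IdP export and an HR feed.
ACCOUNTS = [
    {"id": "alice", "kind": "user", "role": "engineer", "enabled": True,
     "hr_status": "employed", "owners": ["alice"], "mfa": True,
     "grants": {"repo:read", "repo:write", "ci:run", "prod:admin"},
     "credential_rotated": date(2024, 5, 20)},
    {"id": "bob", "kind": "user", "role": "support", "enabled": True,
     "hr_status": "terminated", "owners": ["bob"], "mfa": True,
     "grants": {"tickets:read", "tickets:write", "customers:read"},
     "credential_rotated": date(2024, 4, 1)},
    {"id": "ops-shared", "kind": "user", "role": "engineer", "enabled": True,
     "hr_status": "employed", "owners": ["carol", "dave"], "mfa": False,
     "grants": {"repo:read", "repo:write", "ci:run", "cloud:admin"},
     "credential_rotated": date(2024, 1, 10)},
    {"id": "svc-deploy", "kind": "service", "role": "automation", "enabled": True,
     "hr_status": None, "owners": ["carol"], "mfa": False,
     "grants": {"ci:run", "prod:admin"},
     "credential_rotated": date(2023, 11, 1)},
]


def is_privileged(grants):
    return any(g.endswith(PRIVILEGED_SUFFIX) for g in grants)


def privilege_creep(accounts):
    """Grants beyond the role baseline: the excess a reviewer must justify or remove."""
    findings = {}
    for a in accounts:
        excess = a["grants"] - ROLE_BASELINE.get(a["role"], set())
        if excess:
            findings[a["id"]] = excess
    return findings


def orphaned_accounts(accounts):
    """Still enabled although HR records the person as terminated (delayed deprovisioning)."""
    return [a["id"] for a in accounts if a["enabled"] and a["hr_status"] == "terminated"]


def shared_accounts(accounts):
    """Interactive accounts with more (or fewer) than one owner: no individual accountability."""
    return [a["id"] for a in accounts if a["kind"] == "user" and len(a["owners"]) != 1]


def privileged_without_mfa(accounts):
    """Human accounts holding admin-level grants but no MFA enrolled."""
    return [a["id"] for a in accounts
            if a["kind"] == "user" and is_privileged(a["grants"]) and not a["mfa"]]


def stale_privileged_service_accounts(accounts, today):
    """Service accounts with standing admin grants whose credential is past the rotation limit."""
    return [a["id"] for a in accounts
            if a["kind"] == "service" and is_privileged(a["grants"])
            and (today - a["credential_rotated"]).days > MAX_ROTATION_AGE_DAYS]


def run_access_review(accounts, today):
    """One pass over the inventory producing the findings an access certification documents."""
    return {
        "privilege_creep": privilege_creep(accounts),
        "orphaned": orphaned_accounts(accounts),
        "shared": shared_accounts(accounts),
        "privileged_no_mfa": privileged_without_mfa(accounts),
        "stale_service": stale_privileged_service_accounts(accounts, today),
    }


if __name__ == "__main__":
    for finding, items in run_access_review(ACCOUNTS, REVIEW_DATE).items():
        print(f"{finding}: {items}")
```

Each finding maps to one weakness from the list: excess grants are privilege creep, the enabled-but-terminated account is delayed deprovisioning, the multi-owner account is a shared account, and so on. Keeping the role baseline as data rather than code is what lets the same review run again next quarter with only the inventory refreshed.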
Implementing access control in practice
Effective access control programs start with planning and build toward automation. The following steps provide a practical roadmap for organizations at any maturity level:
- Map your environment — inventory all systems, applications, and data repositories that require access controls. You cannot protect what you have not identified. Include SaaS applications, cloud infrastructure, on-premises servers, databases, file shares, and third-party integrations.
- Define roles based on job functions — create roles that reflect organizational responsibilities, not individual users. Align roles to the principle of least privilege so each role includes only the permissions required for that function. Review role definitions annually and whenever organizational structure changes.
- Centralize authentication with SSO — implement single sign-on using SAML 2.0 or OpenID Connect (OIDC) to unify identity across cloud and on-premises systems. Centralized authentication reduces password sprawl and gives security teams a single point of enforcement. Ensure all business-critical applications are integrated with your SSO provider before considering the rollout complete.
- Layer MFA on all critical systems — require multi-factor authentication for remote access, privileged accounts, email, cloud consoles, and any system that touches sensitive data. Phishing-resistant methods such as FIDO2 hardware keys are preferred over SMS-based codes. At a minimum, enforce MFA on identity providers, admin consoles, and VPN access.
- Automate provisioning and deprovisioning — connect your HR system to your identity provider (IdP) and use SCIM or directory sync to automate account creation, role assignment, and account removal. When an employee is terminated in the HR system, access should be revoked within minutes, not days. Automation eliminates the human error that leads to orphaned accounts and privilege creep.
- Build an access request and approval workflow — establish a formal process where users request access with documented business justification, managers approve, and the request is logged for audit. This creates an audit trail that satisfies compliance requirements.
- Monitor and log access events — collect authentication and authorization logs centrally. Monitor for anomalies such as failed login attempts, access from unusual locations, and privilege escalation. Logs are essential for incident response and audit evidence.
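The last step, monitoring centrally collected access events, is the one most easily left abstract. The script below is an added example, not code from the page or from episki: it parses a constructed JSON-lines log and applies the three detections the step names (failed-login bursts, sign-ins from unusual locations, and privileged role grants). The field names, the sample events, the per-user country baseline and the privileged role set are all assumptions for illustration, not any IdP's real export format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines authentication/authorization events. The field names are
# assumptions for this example, not any particular IdP's export format.
SAMPLE_LOG = """\
{"ts": "2024-06-03T08:00:00Z", "event": "login_failure", "user": "alice", "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-06-03T08:00:30Z", "event": "login_failure", "user": "alice", "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-06-03T08:01:00Z", "event": "login_failure", "user": "alice", "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-06-03T08:01:30Z", "event": "login_failure", "user": "alice", "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-06-03T08:02:00Z", "event": "login_failure", "user": "alice", "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-06-03T08:05:00Z", "event": "login_success", "user": "alice", "ip": "198.51.100.7", "country": "US"}
{"ts": "2024-06-03T08:10:00Z", "event": "login_failure", "user": "bob", "ip": "192.0.2.9", "country": "BR"}
{"ts": "2024-06-03T08:10:20Z", "event": "login_success", "user": "bob", "ip": "192.0.2.9", "country": "BR"}
{"ts": "2024-06-03T08:12:00Z", "event": "role_assigned", "actor": "bob", "target": "bob", "role": "admin"}
{"ts": "2024-06-03T09:00:00Z", "event": "role_assigned", "actor": "carol", "target": "erin", "role": "viewer"}
"""

# Constructed baseline of countries each user normally signs in from.
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US", "CA"}, "carol": {"US"}}
PRIVILEGED_ROLES = {"admin", "owner"}  # assumed privileged role names


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Users with at least `threshold` failures inside any sliding `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login_failure":
            failures[e["user"]].append(e["ts"])
    flagged = []
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return flagged


def unusual_location_logins(events, known=KNOWN_COUNTRIES):
    """Successful sign-ins from a country outside the user's baseline."""
    return [(e["user"], e["country"]) for e in events
            if e["event"] == "login_success"
            and e["country"] not in known.get(e["user"], set())]


def privileged_role_grants(events, privileged=PRIVILEGED_ROLES):
    """Privileged role assignments; a self-grant is the classic escalation pattern."""
    return [{"actor": e["actor"], "target": e["target"], "role": e["role"],
             "self_grant": e["actor"] == e["target"]}
            for e in events
            if e["event"] == "role_assigned" and e["role"] in privileged]


def detect(text):
    """Run all three detections over one log and return the findings."""
    events = parse_log(text)
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "unusual_locations": unusual_location_logins(events),
        "privileged_grants": privileged_role_grants(events),
    }


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_LOG), indent=2))
```

The burst detector uses a sliding window rather than fixed buckets so that five failures straddling a minute boundary are still counted together. In a real deployment the country baseline would be learned from history rather than declared, and the findings would feed a ticket or SIEM alert rather than standard output, but the logic per detection is the same.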
Access control requirements by framework
Different frameworks address the same access control concepts with different control references. The table below maps common requirements to their framework-specific identifiers:
| Requirement | SOC 2 | ISO 27001 | HIPAA | PCI DSS | NIST CSF |
|---|---|---|---|---|---|
| Unique user IDs | CC6.1 | A.5.16 | §164.312(a)(2)(i) | Req 8.2.1 | PR.AC-1 |
| MFA | CC6.1 | A.8.5 | Addressable | Req 8.4 | PR.AC-7 |
| Access reviews | CC6.2 | A.5.18 | §164.312(a)(1) | Req 7.2 | PR.AC-4 |
| Least privilege | CC6.3 | A.5.15 | §164.312(a)(1) | Req 7.1 | PR.AC-4 |
| Deprovisioning | CC6.2 | A.5.18 | §164.312(a)(2)(ii) | Req 8.2.6 | PR.AC-1 |
Organizations subject to multiple frameworks can use this mapping to build a unified access control program that satisfies overlapping requirements without duplicating effort.
A few notes on framework-specific nuances:
- HIPAA treats MFA as an "addressable" implementation specification, meaning covered entities must implement it or document why an equivalent alternative is reasonable. In practice, most organizations implement MFA because the risk of not doing so is difficult to justify.
- PCI DSS v4.0 expanded MFA requirements (Req 8.4) to include all access into the cardholder data environment, not just remote access. Organizations processing card data should verify their MFA coverage meets the updated scope.
- SOC 2 does not prescribe specific technologies but evaluates whether the controls in place are suitably designed and operating effectively. Auditors will look for evidence that access control policies are enforced consistently.
- NIST CSF provides a flexible, risk-based approach. The PR.AC subcategory identifiers map to more detailed controls in NIST SP 800-53, which organizations can reference for implementation guidance.
Zero trust and access control
Traditional access control models assume that users inside the network perimeter can be trusted. Zero trust architecture rejects that assumption entirely: never trust, always verify.
In a zero trust model, every access request is authenticated, authorized, and encrypted regardless of where it originates. Key principles include:
- Continuous verification — access decisions are re-evaluated throughout a session, not just at login. Changes in user behavior, location, or risk score can trigger step-up authentication or session termination.
- Micro-segmentation — network resources are divided into small, isolated zones so that compromising one segment does not grant lateral access to others.
- Device posture checks — the security state of the connecting device (patch level, endpoint protection status, disk encryption) is evaluated before access is granted.
- Identity-centric perimeter — the network perimeter is replaced by identity as the primary security boundary. Every user, device, and workload must prove its identity before accessing any resource.
- Least privilege enforcement at the session level — access grants are scoped to the specific resource and action needed, and they expire when the session ends or conditions change.
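The zero trust principles above are easiest to see as a decision function that runs on every request in a session rather than once at login. The code below is an added example, not code from the page or from episki, and not an implementation of NIST SP 800-207: it evaluates device posture, risk score, location change and MFA freshness per request, returning allow, step-up or terminate, and walks a constructed session in which the device loses endpoint protection part way through. All thresholds, resource names and posture fields are assumptions for illustration.

```python
from dataclasses import dataclass

# Thresholds assumed for this example; a real deployment tunes them to its risk appetite.
MAX_PATCH_AGE_DAYS = 30
STEP_UP_RISK = 50            # risk score at or above this demands fresh MFA
TERMINATE_RISK = 80          # risk score at or above this ends the session
MFA_FRESHNESS_MINUTES = 60   # ordinary requests need MFA completed within this window
SENSITIVE_MFA_MINUTES = 10   # sensitive actions need MFA completed within this window
SENSITIVE_ACTIONS = {("payroll", "export"), ("cloud-console", "delete")}


@dataclass
class DevicePosture:
    managed: bool
    patch_age_days: int
    edr_running: bool
    disk_encrypted: bool


@dataclass
class Request:
    """One access request inside an established session, with the context at that moment."""
    resource: str
    action: str
    country: str
    risk_score: int          # 0-100, assumed to come from a risk engine
    minutes_since_mfa: int
    device: DevicePosture


def device_compliant(d):
    """Device posture check: every attribute must pass."""
    return (d.managed and d.edr_running and d.disk_encrypted
            and d.patch_age_days <= MAX_PATCH_AGE_DAYS)


def evaluate(req, login_country):
    """Per-request decision: 'allow', 'step_up' (re-authenticate) or 'terminate'."""
    if not device_compliant(req.device):
        return "terminate", "device posture no longer compliant"
    if req.risk_score >= TERMINATE_RISK:
        return "terminate", "risk score above termination threshold"
    if req.country != login_country:
        return "step_up", "location changed since login"
    if req.risk_score >= STEP_UP_RISK or req.minutes_since_mfa > MFA_FRESHNESS_MINUTES:
        return "step_up", "elevated risk or stale MFA"
    if (req.resource, req.action) in SENSITIVE_ACTIONS and req.minutes_since_mfa > SENSITIVE_MFA_MINUTES:
        return "step_up", "sensitive action requires recent MFA"
    # The grant is scoped to this resource and action and is not reused by later requests.
    return "allow", f"scoped grant for {req.action} on {req.resource}"


def run_session(login_country, requests):
    """Re-evaluate every request; stop as soon as the session is terminated."""
    outcomes = []
    for req in requests:
        decision, _reason = evaluate(req, login_country)
        outcomes.append((req.resource, req.action, decision))
        if decision == "terminate":
            break
    return outcomes


# Constructed session: a healthy device that later loses endpoint protection mid-session.
HEALTHY = DevicePosture(managed=True, patch_age_days=5, edr_running=True, disk_encrypted=True)
DEGRADED = DevicePosture(managed=True, patch_age_days=5, edr_running=False, disk_encrypted=True)
SAMPLE_SESSION = [
    Request("wiki", "read", "US", 10, 5, HEALTHY),
    Request("payroll", "export", "US", 10, 25, HEALTHY),
    Request("wiki", "read", "DE", 40, 30, HEALTHY),
    Request("wiki", "read", "US", 10, 35, DEGRADED),
    Request("wiki", "read", "US", 10, 40, HEALTHY),  # never evaluated: session already ended
]

if __name__ == "__main__":
    for outcome in run_session("US", SAMPLE_SESSION):
        print(outcome)
```

The fifth request is never reached: once posture fails, the session ends rather than being re-checked request by request, which is the session termination the continuous-verification principle describes. The step-up outcomes show the same request being allowed or challenged depending only on context that changed after login.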
NIST SP 800-207 defines the zero trust architecture and provides guidance on implementation. Many compliance frameworks are increasingly aligning their access control requirements with zero trust principles, making it a forward-looking strategy for organizations building or modernizing their access control programs.
Zero trust is not a single product but an architectural approach that spans identity, network, endpoints, and data.
Adopting zero trust does not require replacing your existing access control infrastructure overnight. Most organizations begin by enforcing MFA universally, segmenting their most sensitive assets, and adding device posture checks to their conditional access policies. Over time, these incremental improvements compound into a mature zero trust posture.
How episki helps
episki tracks access control policies, monitors review schedules, and documents access provisioning and deprovisioning activities. The platform sends reminders for periodic access reviews and maintains evidence for auditors. Learn more on our compliance platform.