About the author
Roland Thomas
Associate Director | Corporate Development
Roland is an Associate Director in Thomas Murray’s Corporate Development team. He joined Thomas Murray in 2018 with responsibility for group strategy, partnerships and corporate finance. More recently, Roland’s role has focused on establishing Thomas Murray’s cyber risk business, starting in 2021 with the launch of our Orbit Security platform, and the development of our expert cyber risk consultancy. Roland has a BA in English Language and Literature from Oxford University.
‘Access control’ is what it sounds like – it means managing, and in some cases restricting, access to computer systems, networks, applications, and data. It requires having tools and policies in place to ensure that your resources are available only to authorised people or entities (like critical third parties, or CTPs).
Effective access control is a combination of many other forms of control – physical, digital (‘logical’), and administrative – that together create a robust security framework. It helps organisations to prevent unauthorised access, reduce the level of insider threats, protect sensitive data, and maintain their overall security posture.
Access control is therefore best thought of as a defensive measure, designed to:
protect sensitive information;
maintain the confidentiality, integrity, and availability of resources; and
prevent harmful activities and data breaches.
Physical access control
Again, this is what it sounds like – making physical locations secure. In cybersecurity terms this would refer specifically to areas like data centres, server rooms and other restricted areas containing mission-critical hardware or hard copies of sensitive information. Accordingly, standard locks will usually be supplemented by biometric authentication, access cards, CCTV, and security guards.
Logical access control
Access to applications, data, networks and computer systems can be controlled with a variety of logical access control (LAC) methods, including:
Access control lists (ACLs): These specify which users or groups are allowed or denied access to specific resources.
Attribute-based access control (ABAC): Access rights are granted or denied based on a combination of attributes, such as the user’s role in the organisation, the business’s requirements for the resource, and similar factors.
Audit and monitoring: Logging access events, reviewing logs for suspicious activity, and generating reports to track patterns, spot anomalies, and comply with regulatory requirements.
Authorisation: The level of access rights and permissions an authenticated user will be given is based on their role, responsibilities, and the principle of least privilege. This ensures users can access only what they need to complete their tasks.
Mandatory access control (MAC): Access control policies are based on classification levels and labels assigned to data and users. This approach is often used in highly secure environments, like government systems.
Role-based access control (RBAC): This means granting access rights based on predefined roles, which simplifies management by associating permissions with job functions or responsibilities.
Single sign-on (SSO): Allowing users to authenticate once and gain access to multiple interconnected systems or applications without requiring them to re-enter their credentials.
User authentication: Anyone attempting to access systems or applications will have to provide personalised credentials like usernames, passwords, PINs, biometrics, or two-factor authentication (2FA).
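To show how several of the methods above fit together in practice, here is an added example (not code from the original article or from Thomas Murray): a small deny-by-default authoriser that layers a classification-label check (MAC), role permissions (RBAC) and a per-resource ACL, and records every decision for audit review. The roles, labels, users and resources are hypothetical and constructed for the example.

```python
"""Deny-by-default authorisation combining MAC-style labels, RBAC, an ACL and
an audit trail. Constructed example; all policies and names are hypothetical."""
from dataclasses import dataclass, field

ROLE_PERMISSIONS = {            # RBAC: role -> actions it permits (hypothetical)
    "analyst": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}
CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2}  # MAC labels


@dataclass
class User:
    name: str
    roles: set           # roles assigned to the user (RBAC)
    clearance: str       # highest label the user may see (MAC)


@dataclass
class Resource:
    name: str
    label: str                                # classification label on the data
    acl: dict = field(default_factory=dict)   # ACL: user name -> allowed actions


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)

    def is_allowed(self, user: User, resource: Resource, action: str) -> bool:
        """Allow only when every applicable check passes (least privilege)."""
        reason = None
        # 1. MAC: the user's clearance must be at least the data's label.
        if CLEARANCE_RANK[user.clearance] < CLEARANCE_RANK[resource.label]:
            reason = "insufficient clearance"
        else:
            # 2. RBAC: one of the user's roles permits the action ...
            role_ok = any(action in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)
            # 3. ... or the resource's ACL names this user for the action.
            acl_ok = action in resource.acl.get(user.name, set())
            if not (role_ok or acl_ok):
                reason = "no role or ACL entry grants this action"
        decision = reason is None
        # 4. Audit: record every decision so denials can be reviewed later.
        outcome = "ALLOW" if decision else f"DENY ({reason})"
        self.audit_log.append((user.name, resource.name, action, outcome))
        return decision

    def denials(self) -> list:
        """Audit review helper: only the denied attempts, for spotting anomalies."""
        return [e for e in self.audit_log if e[3].startswith("DENY")]
```

Note that the ACL grant for a user is not enough on its own: the label check runs first, so a user whose clearance is below the data's classification is denied even when explicitly listed.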