The Essence of Access Control

At the very core of any access control system are principles so basic that they are the rudiments of physical as well as logical access control. There are four processes that make up the foundation of access control with such astounding clarity that they encompass every other feature associated with systems we have come to depend on to make decisions about who enters our buildings or accesses our networks. These processes are identification, authentication, authorization, and accountability. Regardless of the methods employed to execute these processes, they must always be included in order to construct a reliable access control system.

Simply stated, identification is the process by which a person provides information, unique to himself, as the basis of his request to be granted access. This unique identifier can be generated and presented in a myriad of ways, but it's purpose is always the same; it says "this is who I am and this is how you can tell me from any other individual." This is often a card number or PIN that has been assigned to a single individual and is recorded in a database.

The authentication process intends only to determine if the individual requesting access is telling the truth about who they say they are. There are four methods of authentication, namely: something you know (PIN), something you have (card), something you are (fingerprint), and something you produce (signature). For higher security applications these methods are often used in a cascading hierarchy. For example, during normal working hours a building access control system may allow entry using only an access card (something you have) but after hours the authentication process may escalate to require both a card and a PIN (something you know). Obviously the combination of any two authentication methods will provide a higher level of security than the use of only one method.

Authorization can take place after the identification and authentication processes have determined who you say you are and that you are telling the truth. Authorization is often based on complex rules. Using parameters such as the time of day, the day of the week, the entry point in question, and other criteria, the access system will either grant (authorize) access or deny it. The ability to input complex and customized rules of authorization is routinely what makes the difference between a commercially popular or unpopular system.

Accountability ensures that a record is kept of what actions were allowed or denied by the system. It should also record and report how the authorization rules were created and by whom. The process of accountability is the adhesive that guarantees all other processes are adhered to and are compliant with the system's overall objective.

If you are charged with evaluating the effectiveness of an access control system, be it either a card reader system to let people in the front door or a software package designed to keep ne'er-do-wells off of the company network, always identify the four basic processes of access control to see that they are present and effectively implemented in the tool to be used.