The Plain English Version

Access control is deciding who can access what in your organisation - which systems, which files, which rooms. Like managing keys to your office: you decide who gets a key, which doors it opens, and you take it back when they leave.

Good access control means people only have access to what they need for their job, nothing more. This limits damage when accounts are compromised and reduces insider threat risks.

The Principle of Least Privilege

Users should have the minimum permissions necessary to do their job. A marketing assistant does not need access to financial systems. A developer does not need admin rights to production servers. This is fundamental to good access control.

Types of Access Control

  • Physical - Keys, badges, biometrics for buildings and rooms
  • Logical - Usernames, passwords, permissions for systems and data
  • Role-based (RBAC) - Access based on job roles, not individuals
  • Attribute-based (ABAC) - Access based on multiple factors like location, time, device

Common Access Control Mistakes

Permissions accumulate over time: people change roles but keep their old access. Shared accounts make it impossible to track who did what. Admin rights are handed out too freely. Nobody regularly reviews who has access to what.

The result? Former employees still have access, current employees have far more access than needed, and nobody knows who can access sensitive data.

Getting It Right

Start with an access review - who has access to what? Implement role-based access where practical. Require approval for access requests. Review permissions regularly, especially when people change roles. Remove access immediately when people leave.
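The mistakes above and the fixes in this section, shown as a small role-based access control model. This is an added example, not code from the original article: permissions come from job roles rather than individuals, a role change swaps the role's permissions but leaves any one-off direct grants behind (which is how access accumulates), an access review flags leftover grants, admin rights outside the admin role, and former employees whose accounts are still enabled, and offboarding revokes everything at once. All users, roles and permission names are constructed sample data.

```python
"""Added example (not from the original article): a minimal role-based
access control (RBAC) model with an access review that catches the common
mistakes described in the text. Users, roles and permission names are
constructed sample data."""

from dataclasses import dataclass, field

# Role -> permissions. A role describes a job, so changing job changes access.
ROLE_PERMISSIONS = {
    "marketing_assistant": {"crm:read", "campaigns:edit"},
    "developer": {"repo:write", "staging:deploy"},
    "finance": {"ledger:read", "ledger:write", "payroll:read"},
    "sysadmin": {"prod:admin", "repo:write"},
}


@dataclass
class Account:
    user: str
    role: str                                        # current job role
    employed: bool = True                            # HR status: still works here?
    enabled: bool = True                             # account status in the system
    direct_grants: set = field(default_factory=set)  # one-off grants outside the role


def effective_permissions(acct):
    """Everything the account can exercise right now (nothing, if disabled)."""
    if not acct.enabled:
        return set()
    return set(ROLE_PERMISSIONS.get(acct.role, set())) | acct.direct_grants


def is_allowed(acct, permission):
    """Least privilege: only what the current role or an explicit grant allows."""
    return permission in effective_permissions(acct)


def change_role(acct, new_role):
    """Moves someone to a new role. Direct grants are deliberately left in place,
    which is exactly how permissions accumulate; access_review() catches it."""
    acct.role = new_role


def offboard(acct):
    """Leaver: disable the account and revoke every direct grant immediately."""
    acct.employed = False
    acct.enabled = False
    acct.direct_grants.clear()


def access_review(accounts):
    """Findings a periodic access review should raise, as (kind, user, detail)."""
    findings = []
    for a in accounts:
        if not a.employed and a.enabled:
            findings.append(("former_employee", a.user, "account still enabled"))
            continue
        if not a.enabled:
            continue
        # Direct grants the current role does not justify (left over from old roles).
        excess = a.direct_grants - ROLE_PERMISSIONS.get(a.role, set())
        if excess:
            findings.append(("excess_grants", a.user, sorted(excess)))
        # Admin rights handed out to someone whose job is not system administration.
        if "prod:admin" in effective_permissions(a) and a.role != "sysadmin":
            findings.append(("admin_outside_role", a.user, "prod:admin"))
    return findings


def sample_accounts():
    """Constructed sample data showing each mistake from the article."""
    alice = Account("alice", "finance")
    alice.direct_grants.add("ledger:write")        # granted directly while in finance
    change_role(alice, "marketing_assistant")     # moved roles, kept the old grant
    bob = Account("bob", "developer", direct_grants={"prod:admin"})  # admin given too freely
    carol = Account("carol", "developer", employed=False)  # left, never offboarded
    return [alice, bob, carol]


if __name__ == "__main__":
    accounts = sample_accounts()
    for finding in access_review(accounts):
        print(finding)
    offboard(accounts[2])                          # remove access when people leave
    print(access_review(accounts))
```

Running the review on the sample data raises one finding per mistake; after `offboard()` is applied to the leaver, only the findings that need a human decision (the leftover grant and the admin right) remain, which is the list a regular review should work through.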