Access Control

Access control encompasses the policies, procedures, and technologies that manage who can access what resources in an information system. It is a fundamental security principle ensuring that only authorised users, applications, and processes can interact with specific data and systems.

Access control models:

• DAC (Discretionary): Resource owners control access permissions
• MAC (Mandatory): System-enforced access based on security classifications
• RBAC (Role-Based): Access granted based on organisational roles
• ABAC (Attribute-Based): Access decisions based on attributes (user, resource, context)
• Zero Trust: Verify every access request regardless of source

Access control components:

• Authentication: Verifying identity (who are you?)
• Authorisation: Granting permissions (what can you do?)
• Accounting/Auditing: Tracking access (what did you do?)

Principle of Least Privilege:

• Users should have only the minimum access needed for their role
• Remove access promptly when no longer needed
• Regularly review and audit access permissions
• Default to deny, explicitly grant what is needed

Implementation practices:

• Use role-based access control (RBAC) for organisational access
• Implement multi-factor authentication for sensitive systems
• Conduct regular access reviews (quarterly minimum)
• Automate user provisioning and de-provisioning
• Log and monitor all access attempts
• Separate duties for critical operations
• Use privileged access management for admin accounts

Australian compliance context:

• Australian Privacy Principles require reasonable security measures
• ACSC Essential Eight recommends restricting admin privileges
• PCI-DSS requires access control for cardholder data
• APRA CPS 234 mandates access management for financial entities