Remote Access Control - What is it and how does it work?

Remote access control is a necessary component of company security that ensures users can access systems securely and their data stays private. There are several approaches to implementing access control depending on the needs and resources a company has.

‍‍Table of contents

1. What is access control?
2. How does access control work?
3. Step one: Authentication
4. Step two: Authorization
5. Types of access control
6. Why do you need access control?
7. Access control is a security must-have
8. Access control can be practical
9. What does GoodAccess handle access control?

What is access control?

In computing, access control deals with authenticating and authorizing users, and logging access history for auditing purposes. It is one of the pillars of company security policies as it involves assigning and verifying user privileges to selected systems.

Nowadays, access control usually incorporates elements of zero trust, which is an approach that disregards implicit trust in users attempting to gain access and instead ascribes it on a least-privilege basis. That way users can only access those systems they actually need.

How does access control work?

Step one: Authentication

Authentication is a process that verifies the user’s access credentials. Traditionally, they consist of a username and password, but often include others, like one-time passcodes, security tokens, or biometric scans (collectively known as multi-factor authentication).

The purpose of authentication is to make sure the user is who they claim to be and to prevent access for unauthorized personnel.

Step two: Authorization

During authorization, the user is assigned privileges that define what they are allowed to do in the systems they are accessing. For instance, some users can hold administrator rights, some edit rights, and some only be permitted to view the content.

Types of access control

There are several policy models that companies generally adopt.

• Discretionary access control (DAC) - In discretionary policies the owner directly manages individual user privileges and access to each company system.
• Mandatory access control (MAC) - Mandatory policies assign access based on progressive levels of clearance (think “confidential, secret, top secret”). The access rights are managed by a central regulating authority.
• Role-based access control (RBAC) - This widely used model assigns access based on predefined company functions; i.e., what they do and need. For example, developers and salespeople will have access to different company systems, and you can expect managers and administrators to have higher privileges than more junior employees.
• Attribute-based access control (ABAC) - This model requires users to provide certain attributes to prove that they are eligible for access. These attributes can be simple, such as proving you are of a certain age, or complex, combining information like user data, job title, department, geographical location, time of day, type of resource being accessed, etc.

Why do you need access control?

Access control is a security must-have

Whenever a company gets hacked, the question they ask is, “How did they get in?” Access control is a vital mechanism among the data protection measures that businesses are using. A bulletproof access control strategy is one of your best defenses against data leakage.

Especially companies with multicloud infrastructures, whose systems, resources, and employees are often spread out far beyond company premises, need a robust remote access scheme to ensure users and sensitive data are protected from exposure when traveling over the internet.

Access credentials themselves are also a tempting target for interception, as credential mining can be a lucrative pursuit for those who have the means to steal them.

All this indicates two things. One, the attack surface is enormous, and, two, sending data via unsecured connections is risky to say the least. It is therefore essential to send your data via a private encrypted channel when accessing your systems remotely.

Access control can be practical

Restricting user access not only prevents deliberate tampering with data but also inadvertent mistakes. It’s common sense to restrict access to certain systems, allowing in only teams or departments that know how to use them.

However, if you have a lot of team members, setting up granular privileges for them is a lot of work, and can be tough to maintain in the long-term. Fortunately, access control solutions often offer mechanisms to make the work simpler and the whole system easier to manage.

What does GoodAccess handle access control?

GoodAccess creates a private virtual network of double-encrypted connections and uses the mechanism of access cards to implement access control. These access cards work very much like their real-world counterparts. You simply create an access card, choose which systems it authorizes access to, and assign it to users.

The benefit is three-fold:

1. It’s more practical. Instead of granting privileges to each system individually, you can bundle them onto an access card and assign them per role.
2. It’s an easy way to segment your IT estate. For instance, if a salesperson’s credentials get compromised, the attacker only gets access to the CRM system and perhaps a few other systems, but your database server (where salespeople have no business being) would be unharmed. Segmentation in this sense is all about preventing compromise from escalating by containing it on a least-privilege, role-divided basis.
3. Access control in GoodAccess is network-based. That means it doesn’t deal with the access credentials to a specific system but defines access on the network layer.

You can try out GoodAccess’ access control yourself; just sign up for your 14-day trial.

‍