Defining the different types of access control

While access governance is the big-picture, policy-building part of Critical Access Management, access control is the double locks and extra protections that help keep an organization’s most valuable assets safe. The types of access control that reduce risk, increase visibility, and increase friction when it comes to granting access rights and privileges, or allowing the use of such access rights and privileges, are an extra safeguard, like having both a deadbolt and a second key lock on a door, that can be personalized to fit an organization’s access management needs.

Think of access control like gaining entry to a safe deposit box in a bank. It’s the doors you’re given permission to access, the PIN code needed to get through that door, the person who walks you there and verifies your ID, and even the kind of key you’re given to access that box.

There are multiple types of access control that can be employed, and each one has a specific purpose within critical access management.

Defining the 4 types of access control


1. Fine-grained access controls

This looks different depending on the need and the organization, but generally, fine-grained access controls allow an organization, a department, or even an individual (like IT) to further control and limit a user’s access rights. The types of fine-grained access controls include:

  • Notifications to an IT professional or owner of the accessed asset when a user attempts to utilize certain access rights.
  • Approval requests sent to an IT/security professional or the owner of the accessed asset when an identity attempts to use a certain access right. The access can’t be initiated until the notified person approves.
  • Time-based access—a kind of access that is time-bound instead of open-ended.
  • Access schedules, which only allow a user to use their access rights according to a predefined schedule.
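To show how the four controls listed above combine into one access decision, here is an added example (not from the original article or any product it describes). The names `Grant`, `evaluate`, and `outbox`, the UTC schedule window, and the sample vendor account are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import Optional

@dataclass
class Grant:
    """One user's right to one asset, with the fine-grained controls attached."""
    user: str
    asset: str
    expires_at: datetime                          # time-based access: never open-ended
    days: frozenset = frozenset({0, 1, 2, 3, 4})  # access schedule: Mon-Fri
    start: time = time(8, 0)                      # schedule window, UTC
    end: time = time(18, 0)
    needs_approval: bool = False                  # approval request gate
    notify_owner: bool = False                    # notify on every attempt
    approved_by: Optional[str] = None             # set when the approver signs off

def _check(grant, now):
    """Apply expiry, schedule, then approval; return (decision, reason)."""
    if now >= grant.expires_at:
        return "deny", "grant expired"
    in_window = grant.start <= now.time() < grant.end
    if now.weekday() not in grant.days or not in_window:
        return "deny", "outside access schedule"
    if grant.needs_approval and grant.approved_by is None:
        return "pending", "waiting for approval"
    return "allow", "all controls satisfied"

def evaluate(grant, user, asset, now, outbox):
    """Deny by default; append a message to outbox when the owner must be told."""
    if (user, asset) != (grant.user, grant.asset):
        return "deny", "no matching grant"
    decision = _check(grant, now)
    if grant.notify_owner:
        outbox.append(f"{user} -> {asset} at {now.isoformat()}: {decision[0]}")
    return decision

if __name__ == "__main__":
    # Constructed sample: a vendor grant that ends Friday 2024-06-14 18:00 UTC.
    utc = timezone.utc
    outbox = []
    g = Grant("vendor-a", "db-prod", datetime(2024, 6, 14, 18, 0, tzinfo=utc),
              needs_approval=True, notify_owner=True)
    wed = datetime(2024, 6, 12, 10, 0, tzinfo=utc)
    print(evaluate(g, "vendor-a", "db-prod", wed, outbox))
    g.approved_by = "it-oncall"
    print(evaluate(g, "vendor-a", "db-prod", wed, outbox))
    print(evaluate(g, "vendor-a", "db-prod", wed.replace(hour=22), outbox))
    print(outbox)
```

The owner is notified on denied and pending attempts as well as allowed ones, so an expired or off-schedule attempt still leaves a record.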

2. Zero trust network access (ZTNA)

Zero Trust is more than a buzzword. Implementing a full zero trust network access strategy removes any implicit trust, regardless of who is accessing and what is being accessed. Since no one is trusted in this model, insider and outsider access need to be verified and authenticated each time a user logs into a system. ZTNA is just one part of a Zero Trust framework that an organization can employ to keep their systems safe. 

3. Multi-Factor Authentication (MFA)

Multi-factor authentication is one of the most common types of access control tools. Think of the two-factor authentication you need to log into your bank account or even potentially your work email. It utilizes multiple methods (a password, a phone notification, an email, a fingerprint, or even a face scan) to double or triple check that the user is who they are claiming to be.

4. Privileged credential management

Credentials can't prevent threats if they aren’t properly managed. Privileged credential management is exactly that – a system that allows one to vault, manage, and hide privileged credentials.