In today's digital world it is more important than ever for organizations to limit access to sensitive data and physical spaces. There are two main types of access control: physical and logical. Physical access control restricts entry to areas, buildings, rooms and IT assets. Logical access control restricts and monitors access to computer networks, system files and data. [1] Together, physical and logical access controls provide a much higher degree of security than either one alone.
When choosing the type of access control system most suitable for an organization, several factors must be considered: the nature of the business, the existing security procedures and the number of users who will operate the system. Access control systems come in three main variations.
Under Discretionary Access Control (DAC), the owner of a resource decides who is and is not allowed to access it, whether that resource is a physical location or a digital object. DAC is the least restrictive of the three models: it gives each individual complete control over the objects they own and over the programs that act on those objects. The weakness is that this control extends to the end user, who can set permissions for other users without any central review. Because a program runs with the permissions of the user who launches it, any malware that user executes inherits the same access, usually without the user being aware of it.
Mandatory Access Control (MAC) is used by organizations that require strict confidentiality and classification of data, for example military institutions. Access is managed centrally by the system owner and a custodian, not by individual users: every object receives a classification label, every user receives a clearance, and the system permits access only where the user's clearance satisfies the object's label under the established security guidelines. Neither the owner of a document nor its users can override these rules.
Role-Based Access Control (RBAC) is the model most sought after in the business sector. In an RBAC system the administrator assigns access according to the subject's role within the firm, limited to what that job requires. This makes administration much simpler: rather than granting each employee individual permissions, the administrator grants permissions to job titles (roles) and assigns each user one or more roles.
Small businesses will usually find Discretionary Access Control the easiest and most practical to use. Organizations that keep highly confidential or sensitive information on their systems should consider Mandatory Access Control or Role-Based Access Control instead.
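The three models above decide the same request differently. The following Python snippet is an added example, not code from this page or from any of its sources; the users, resources, classification labels and roles in it are constructed for illustration, and the MAC write rule is a deliberately simplified one (exact level match) rather than a full Bell-LaPadula implementation.

```python
from dataclasses import dataclass, field

# Added example (not from the page or its sources): a minimal policy engine
# that decides one request under each of the three models described above.
# Users, resources, labels and roles are constructed for illustration.

# MAC security levels, lowest first; used to compare clearance with classification.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class User:
    name: str
    clearance: str = "unclassified"          # MAC: set by the security administrator
    roles: set = field(default_factory=set)  # RBAC: job roles assigned by the admin


@dataclass
class Resource:
    name: str
    owner: str                               # DAC: the owner controls sharing
    classification: str = "unclassified"     # MAC: label set by the custodian
    acl: dict = field(default_factory=dict)  # DAC: grantee name -> set of actions


# --- Discretionary: the owner decides, and only the owner can change the ACL ---
def dac_allowed(user, res, action):
    if user.name == res.owner:
        return True
    return action in res.acl.get(user.name, set())


def dac_grant(granter, res, grantee, actions):
    if granter.name != res.owner:
        raise PermissionError(f"{granter.name} does not own {res.name}")
    res.acl.setdefault(grantee, set()).update(actions)


# --- Mandatory: a central label policy that neither owner nor user can override ---
def mac_allowed(user, res, action):
    # "No read up": reading requires clearance at or above the object's label.
    # Simplified write rule: modifying or creating requires an exact level match,
    # so data is neither written down to a lower level nor blindly written up.
    c, k = LEVELS[user.clearance], LEVELS[res.classification]
    if action == "read":
        return c >= k
    if action in ("modify", "create"):
        return c == k
    return False


# --- Role-based: permissions attach to roles; users receive roles, never grants ---
ROLE_PERMISSIONS = {
    "payroll_clerk": {("payroll", "read"), ("payroll", "modify")},
    "auditor":       {("payroll", "read"), ("ledger", "read")},
}


def rbac_allowed(user, res, action):
    return any((res.name, action) in ROLE_PERMISSIONS.get(r, set())
               for r in user.roles)


def demo():
    """Decide the same requests under each model and return the outcomes."""
    alice = User("alice", clearance="secret", roles={"payroll_clerk"})
    bob = User("bob", clearance="confidential", roles={"auditor"})
    payroll = Resource("payroll", owner="alice", classification="secret")

    dac_grant(alice, payroll, "bob", {"read"})  # alice chooses to share her file

    return {
        "dac_bob_read":     dac_allowed(bob, payroll, "read"),      # owner granted it
        "dac_bob_modify":   dac_allowed(bob, payroll, "modify"),    # not granted
        "mac_bob_read":     mac_allowed(bob, payroll, "read"),      # confidential < secret; alice's grant is irrelevant
        "mac_alice_modify": mac_allowed(alice, payroll, "modify"),  # same level
        "rbac_bob_read":    rbac_allowed(bob, payroll, "read"),     # auditor role
        "rbac_bob_modify":  rbac_allowed(bob, payroll, "modify"),   # no role permits it
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:18} {'allow' if allowed else 'deny'}")
```

Note how the DAC weakness described above shows up here: `dac_allowed` is evaluated for whoever is running, so a program launched by bob is answered exactly as bob would be, and a grant alice made to bob extends to anything bob executes. Under MAC the same grant changes nothing, because only the labels count.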
Physical security prevents unauthorized access to office premises, installations and documents, and so protects against espionage, sabotage, damage and theft. Examples include fob-controlled gates, RFID-controlled doors and password-protected IT systems. [3] Issues such as population control, information dominance, multinational and interagency connectivity, antiterrorism and the use of physical-security assets as a versatile force multiplier [3] should be considered when planning physical access control.
Physical security controls- Examples
Perimeter barriers: fenced walls or razor wire stop the average passer-by from entering the security perimeter. Protective barriers prevent forced entry by persons or vehicles and can be complemented by gates and security checkpoints.
Locks: only individuals holding a key or an access control card can open or lock a door or gate. Locks can also be connected to a central monitoring system for more comprehensive security monitoring.
Surveillance: an organization may install cameras and sensors that track movement and changes in the environment. Security lighting ensures that all monitored areas remain visible at any time.
Environmental detectors: water, smoke and heat detectors together with firefighting systems protect against water leaks and fire.
Identity checks: smart cards, biometric identification and in-person clearance ensure that only authorized personnel can enter a restricted area.
Logical security controls safeguard an organization's systems. They mainly include user identification and password-based access, authentication, access rights and authority levels, and they ensure that only authorized users can perform actions or access information on a network or workstation.
Issues an organization should consider when implementing logical security include: inadequate skills or training to carry out the necessary logical security tasks; inadequate separation of duties, which creates opportunities for fraud, errors and omissions; inadequate accountability for logical security performance; and processes and information systems that are poorly designed or implemented and therefore fail to yield the desired results. Any of these can undermine the accuracy of information, operational efficiency and compliance with regulations and policies.
Logical Security Examples
Access control in logical security lets those in authority set the permissions a user has in a computer-based information system; the PIN on a bank's ATM is a simple form of access control. Auditing records every attempted entry into a system, whether it succeeded or failed. The audit trail shows how well the access control system is working, who was denied and what they attempted; it cannot by itself reveal the intention behind an attempt, so suspicious patterns still have to be reviewed.
User account management: access is granted to a user who presents authorized credentials. A login account must uniquely identify one person while following the organization's standard naming conventions. Passwords must be strong and meet the organization's password specifications. Even after a user has been admitted to the system, they can be restricted to certain folders or documents, and the administrator can limit what is permitted on a document or folder, for example read-only access with no right to modify or create.
IT security administrators should regularly review the violations and security activity logged by the system to check what was reported, what has been reviewed and what was appropriately escalated. Done frequently, this not only identifies and resolves incidents of unauthorized activity but also improves the security process as a whole.
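The two paragraphs above on auditing and on reviewing logged violations can be made concrete with a small log review. The Python below is an added example, not code from this page or its sources; the log format and every entry in `SAMPLE_LOG` are constructed for illustration, and the thresholds (three failures within sixty seconds) are arbitrary choices an organization would tune. It turns the raw trail into findings graded for escalation: a burst of failed logins, a success following such a burst, and any denied access to an object.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the page or its sources): reviewing an access-control
# audit trail. The log format and all entries below are constructed.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z LOGIN user=alice src=10.0.0.5 result=success
2024-03-01T08:00:07Z LOGIN user=bob src=203.0.113.9 result=failure reason=bad_password
2024-03-01T08:00:12Z LOGIN user=bob src=203.0.113.9 result=failure reason=bad_password
2024-03-01T08:00:15Z LOGIN user=bob src=203.0.113.9 result=failure reason=bad_password
2024-03-01T08:00:19Z LOGIN user=bob src=203.0.113.9 result=success
2024-03-01T08:05:40Z ACCESS user=bob object=/finance/payroll.xlsx action=read result=allowed
2024-03-01T08:05:52Z ACCESS user=bob object=/finance/payroll.xlsx action=modify result=denied
2024-03-01T09:30:00Z LOGIN user=carol src=10.0.0.8 result=failure reason=bad_password
2024-03-01T09:31:10Z LOGIN user=carol src=10.0.0.8 result=success
"""


def parse_line(line):
    """'<timestamp> <EVENT> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, event, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def review(log_text, max_failures=3, window=timedelta(seconds=60)):
    """Return a list of (severity, user, message) findings to escalate.

    high:   max_failures or more failed logins by one user within the window
    medium: a successful login while recent failures are still within the window
    low:    any denied access to an object (the control worked, but note who tried)
    """
    findings = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logins

    for rec in map(parse_line, log_text.splitlines()):
        if rec["event"] == "LOGIN":
            user = rec["user"]
            # keep only failures still inside the sliding window
            recent = [t for t in failures[user] if rec["ts"] - t <= window]
            if rec["result"] == "failure":
                recent.append(rec["ts"])
                failures[user] = recent
                if len(recent) >= max_failures:
                    findings.append(("high", user,
                                     f"{len(recent)} failed logins within "
                                     f"{window.seconds}s from {rec['src']}"))
            else:
                if recent:  # a guessed password looks exactly like this
                    findings.append(("medium", user,
                                     f"login succeeded after {len(recent)} recent failures"))
                failures[user] = []
        elif rec["event"] == "ACCESS" and rec["result"] == "denied":
            findings.append(("low", rec["user"],
                             f"denied {rec['action']} on {rec['object']}"))
    return findings


if __name__ == "__main__":
    for severity, user, message in review(SAMPLE_LOG):
        print(f"[{severity:6}] {user}: {message}")
```

In the sample trail carol's single failure is more than a minute before her success, so it falls outside the window and produces nothing, while bob's three rapid failures, the success that follows them and his denied modify attempt all surface; a reviewer then decides whether bob simply mistyped his password or whether someone else holds it.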
A logical firewall filters traffic by attributes such as source or destination subnet, IP address or port. It controls access by limiting which traffic is allowed to enter the system. [6]
A logical firewall may also rely on Virtual Private Network (VPN) technology or on Network Address Translation (NAT). A VPN establishes a point-to-point tunnel, so only endpoints that were configured in advance can communicate with the internal network. NAT gives internal hosts private IP addresses and translates them to a public address for outbound traffic; because the private addresses are not routable from the Internet, other networks cannot reach the internal hosts directly unless the NAT device is explicitly configured to forward traffic to them. In both cases the network must be set up correctly beforehand, otherwise anyone who can reach the public network may be able to reach the internal network. [6]
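The filtering described two paragraphs above (by subnet, address and port) comes down to an ordered rule list where the first match wins. The Python below is an added example, not code from this page or its sources; the rule set, subnets, hosts and packets are constructed for illustration. It also shows the classic ordering mistake: a default-deny rule must come last, or it swallows every packet.

```python
import ipaddress

# Added example (not from the page or its sources): a first-match packet filter
# of the kind a logical firewall applies. Rules, addresses and packets are constructed.


def make_rule(action, src="0.0.0.0/0", dst="0.0.0.0/0", proto=None, dport=None):
    """Build one rule; proto=None or dport=None means 'any'."""
    return {"action": action,
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
            "proto": proto,
            "dport": dport}


RULES = [
    # 1. SSH to the jump host only from the administrators' subnet
    make_rule("allow", src="10.0.9.0/24", dst="10.0.1.10/32", proto="tcp", dport=22),
    # 2. HTTPS to the web front end from anywhere
    make_rule("allow", dst="10.0.1.20/32", proto="tcp", dport=443),
    # 3. Default deny: must stay last, because the first match wins
    make_rule("deny"),
]


def matches(rule, packet):
    """True if the packet's protocol, port and addresses all fit the rule."""
    if rule["proto"] is not None and packet.get("proto") != rule["proto"]:
        return False
    if rule["dport"] is not None and packet.get("dport") != rule["dport"]:
        return False
    return (ipaddress.ip_address(packet["src"]) in rule["src"]
            and ipaddress.ip_address(packet["dst"]) in rule["dst"])


def decide(packet, rules=RULES):
    """Return 'allow' or 'deny' for a packet dict with src, dst, proto and dport.

    The first matching rule wins; a packet that matches no rule at all is
    denied, so the filter fails closed even if the explicit deny is missing.
    """
    for rule in rules:
        if matches(rule, packet):
            return rule["action"]
    return "deny"


if __name__ == "__main__":
    samples = [
        {"src": "10.0.9.5",    "dst": "10.0.1.10", "proto": "tcp", "dport": 22},
        {"src": "203.0.113.7", "dst": "10.0.1.10", "proto": "tcp", "dport": 22},
        {"src": "203.0.113.7", "dst": "10.0.1.20", "proto": "tcp", "dport": 443},
        {"src": "203.0.113.7", "dst": "10.0.1.20", "proto": "udp", "dport": 443},
    ]
    for p in samples:
        print(f"{p['src']:>13} -> {p['dst']}:{p['dport']}/{p['proto']}  {decide(p)}")
```

Real firewalls (iptables, nftables, pf, cloud security groups) differ in syntax but apply the same first-match or most-specific-match logic, and the same review questions apply: is the default deny last, is every allow rule as narrow in source, destination, protocol and port as the service actually needs, and does UDP or another protocol slip past a rule written only for TCP.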
References
[1] Understanding the Difference Between Physical Access Control and Logical Access Control. http://www.mintcontrols.com/understanding-the-difference-between-physical-access-control-and-logical-access-control/
[2] 3 Types of Access Control: Which is Right for Your Building? https://www.tedsystems.com/3-types-access-control-which-right-building/
[3] Physical-Security Challenges. https://www.globalsecurity.org/military/library/policy/army/fm/3-19-30/ch1.htm
[4] [Examples] The Best Practices in Physical Security. https://www.getkisi.com/blog/physical-security-examples
[5] Logical Security. https://en.wikipedia.org/wiki/Logical_security
[6] Logical Security Examples. https://www.brighthub.com/computing/enterprise-security/articles/106207.aspx