What is Access Management?
Access Management covers all measures and processes that determine who is granted access to which information, systems or physical spaces β and under what conditions. It is an essential link in protecting the confidentiality, integrity and availability of information.
Sound access management prevents unauthorised parties from entering systems or viewing information, and makes actions traceable and manageable.
π§ Why is access management important?
| Reason | Explanation |
|---|---|
| Securing systems | Prevents sensitive or critical data from being viewed by unauthorised parties |
| Accountability | Links actions to people or systems via identity management |
| Compliance with standards | Such as BIO, ISO 27001, AVG, IEC 62443 |
| Limiting damage in incidents | Fewer rights = less impact |
| Part of Security by Design | Access is safeguarded from the design stage onwards |
𧱠Components of access management
| Component | Description |
|---|---|
| Authentication | Confirming identity (e.g. password, token, biometrics) |
| Authorisation | Determining what someone is allowed to do (read, modify, delete) |
| Role-based access (RBAC) | Rights based on job role within the organisation |
| Context-based access (ABAC) | Rights depending on time, location, device, etc. |
| Logging and auditing | Recording of access and access requests |
| Access to physical spaces | Badge systems, keys, biometrics |
π Best practices for access management
- Least privilege: only access to what is strictly necessary
- Segregation of duties: avoid conflicts of interest (e.g. administration + audit rights)
- Multi-factor authentication (MFA): combine multiple forms of evidence
- Periodic re-evaluation: review user rights (recertification)
- Immediate deactivation upon offboarding
π Access management in an OT context
In Operational Technology (OT), access management is often less strictly regulated, but increasingly important:
| Application | Point of attention |
|---|---|
| SCADA systems | Personal logins, no shared accounts |
| PLC programming rights | Separation between operation and engineering |
| Remote access to OT networks | Restrict via VPN, jump servers, logging and MFA |
| Physical access to field equipment | Badge control, key management, camera surveillance |
| OTβIT interfaces | Segmentation and access control for data exchange |
For IEC 62443 compliance, fine-grained access management per OT zone is required.
π Relationship with other domains
| Topic | Relationship with access management |
|---|---|
| Identity Management | Provides input: who is who, and what is that person allowed to do? |
| Information Security Policy | Defines rules for access and rights structure |
| Incident Response Plan | Access logs are essential during incident investigation |
| Governance | Determines who can grant, modify or revoke rights |
| Zero Trust | Every access request must be revalidated, even within the network |
π In summary
Access management is the key to controlled digital and physical access. Without careful management, unnecessary risks arise, especially in environments with sensitive data or critical processes β such as in OT.