This section draws on the ISO 27001/27002 standards, the GDPR, the Data Law, the Cybersecurity Law and the Law on Cyber Information Security to give an overview of common access control methods.
Although data protection regulations do not define access control explicitly, it can be understood as a technical measure for protecting cybersecurity and data: it governs the physical and logical access of users, user groups and devices to information systems and data, so that only authorized subjects are permitted to access them.
(Art. 27 Data Law, Art. 16.4 Decree 165/2025/ND-CP, Art. 11.6 Decree 53/2022/ND-CP, ISO 27001)
Access control is not merely a preventive measure; the Law on Cyber Information Security also recognizes it as one of the objects of information system security monitoring.
(Article 24.2 of Law on Cyber Information Security)
Firstly, Limiting Data Access: a fundamental requirement under data protection frameworks (Article 3.2 PDPL and Article 5.1(c) GDPR) is the principle of data minimization, which requires that organizations collect and process data only within a specific and clearly defined scope and purpose. Access control plays a key role here by ensuring that only authorized individuals can access specific types of data.
Secondly, Audit Trails and Accountability: under the Data Law, PDPL, GDPR or HIPAA, organizations must be able to demonstrate that they have applied strict technical measures to safeguard personal data. Access control is one of the technical safeguards mandated under Article 16.4(b) of Decree 165/2025/ND-CP, and its records showing who accessed, modified or deleted data, and when, provide crucial evidence of compliance and support audits or investigations.
Organizations typically choose among several access control models to support compliance and security. The most common include:
| Model | Principle | Advantages | Limitations | Typical use |
|---|---|---|---|---|
| DAC (Discretionary Access Control) | The resource owner decides who may access the asset | Flexible; users can manage permissions themselves | Risk of over-permissioning; weak for sensitive data | Small enterprises with low-sensitivity data |
| MAC (Mandatory Access Control) | Access is based on security labels assigned by a central authority; only that authority, not the users, can change the rules | Strong security; centralized control | Rigid; complex to manage at scale | Government, military, high-security environments |
| RBAC (Role-Based Access Control) | Rights are assigned according to organizational role | Easy administration; reduces errors in granting rights | Less flexible in dynamic contexts | Corporates, enterprise systems |
| ABAC (Attribute-Based Access Control) | Access is determined by attributes of the subject, resource and environment (e.g., department, location, clearance) | Highly flexible; fine-grained control | Complex, costly to implement | Multinational, large-scale dynamic environments |
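As an added example (not code from the original page), the following Python authorization engine shows how the RBAC and ABAC rows of the table above combine in practice: roles grant (resource, action) permissions, attribute conditions refine when a role's grants apply, every decision is deny-by-default, and each decision is written to an audit trail. The role names, resources, actions and attribute names are hypothetical; the accountant role is built so that it can read financial records but cannot update them and cannot read HR data, which is the need-to-know and need-to-use behaviour discussed further down this page.

```python
"""Added example, not from the original page: a deny-by-default authorization
engine combining RBAC (roles grant permissions) with ABAC refinements
(attribute conditions on the request), plus an audit trail of every decision.
All role, resource, action and attribute names are hypothetical."""
from __future__ import annotations

import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# A permission is a (resource, action) pair. Need-to-know limits the
# resources a role may see; need-to-use limits the actions on them.
Permission = Tuple[str, str]
Condition = Callable[[dict], bool]  # evaluated against request attributes


@dataclass
class Role:
    name: str
    permissions: Set[Permission]
    # ABAC refinement: every condition must hold for this role's grants to apply
    conditions: List[Condition] = field(default_factory=list)


ROLES: Dict[str, Role] = {
    # Accountant: may read financial records and nothing else (need-to-know),
    # and may not update or delete them (need-to-use).
    "accountant": Role("accountant", {("financial_records", "read")}),
    # HR officer: may read and update HR data, but only from the corporate
    # network and only for their own department (attribute refinements).
    "hr_officer": Role(
        "hr_officer",
        {("hr_data", "read"), ("hr_data", "update")},
        conditions=[
            lambda ctx: ctx.get("network") == "corporate",
            lambda ctx: ctx.get("subject_department") == ctx.get("resource_department"),
        ],
    ),
}

AUDIT_TRAIL: List[dict] = []  # who, what, which action, decision, when


def is_authorized(user: str, roles: List[str], resource: str, action: str,
                  ctx: Optional[dict] = None) -> bool:
    """Deny by default: allow only if some role of the user grants the exact
    (resource, action) pair AND all of that role's attribute conditions hold."""
    ctx = dict(ctx or {})
    decision = False
    for role_name in roles:
        role = ROLES.get(role_name)
        if role is None:
            continue  # an unknown role grants nothing
        if (resource, action) in role.permissions and all(c(ctx) for c in role.conditions):
            decision = True
            break
    # Record every decision, allowed or denied, so audits can answer
    # "who accessed, modified or deleted what, and when".
    AUDIT_TRAIL.append({"time": time.time(), "user": user, "roles": list(roles),
                        "resource": resource, "action": action,
                        "allowed": decision, "ctx": ctx})
    return decision


if __name__ == "__main__":
    # Constructed requests illustrating the principles.
    print(is_authorized("alice", ["accountant"], "financial_records", "read"))    # True
    print(is_authorized("alice", ["accountant"], "financial_records", "update"))  # False: need-to-use
    print(is_authorized("alice", ["accountant"], "hr_data", "read"))              # False: need-to-know
    print(is_authorized("bob", ["hr_officer"], "hr_data", "update",
                        {"network": "corporate", "subject_department": "sales",
                         "resource_department": "sales"}))                        # True
    print(is_authorized("bob", ["hr_officer"], "hr_data", "update",
                        {"network": "guest_wifi", "subject_department": "sales",
                         "resource_department": "sales"}))                        # False: wrong network
    for entry in AUDIT_TRAIL:
        print(entry["user"], entry["resource"], entry["action"], "allowed" if entry["allowed"] else "denied")
```

The important design choice is that absence of a matching grant is a denial: there is no "allow everything" fallback, so a typo in a role name or a missing attribute produces a denied, logged request rather than silent over-permissioning. In a real deployment the audit trail would go to append-only storage rather than an in-memory list.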
- Principle of Least Privilege (PoLP):
A user, program, process or tool is granted only the minimum access rights needed to perform its task, and nothing more.
Objective: to limit the damage from misuse, error or attack if an account or system is compromised.
In short: PoLP ensures that every user or system has just enough privilege to do its job, with no excess rights.
- Need-to-know principle:
Access is granted only to the information a user requires to perform their job.
It limits the scope of information that is visible.
Objective: to prevent exposure of unnecessary or sensitive information.
Example: an accountant can view financial records but not HR data.
- Need-to-use principle:
Access is granted only to the functions or system capabilities a user requires to perform their job.
It limits the actions or operations that may be performed.
Objective: to prevent misuse of system functions and reduce the attack surface.
Example: an accountant can view financial records but cannot edit or delete them.
- Combine RBAC and ABAC: a hybrid model keeps the administrative simplicity of roles while adding attribute-based refinements (for example, a role's rights apply only from the corporate network or only to the user's own department), providing finer-grained control and greater flexibility.
- Use Multi-Factor Authentication (MFA): MFA requires two or more independent authentication factors (something you know, something you have, something you are) before granting access. Even if a password is compromised, an attacker still needs the additional factor to gain entry.
- Embrace a Zero Trust policy: under the principle of "never trust, always verify", every access request is authenticated and authorized, regardless of the user's identity or network location.
- Implement an access control policy: the policy should describe the procedures and conditions for granting, reviewing, adjusting and revoking user access, following the guidance of ISO 27002:2022.
Access Control is an essential component of data protection and a cornerstone of compliance with data protection regulations. By effectively managing who can access data, what data they may access, and how such access is granted, organizations can substantially reduce risks of data breaches, unauthorized access, and non-compliance penalties.
At Data Protectify, we believe Access Control is the "gatekeeper" of trust. With us, you will implement safeguards in full compliance with regulatory standards while aligning them to your business needs. Stay with us as we explore the next safeguards that will define digital accountability and set new standards for trusted business practices.