6

I have a very basic and simple question about two security concepts.

Both encryption and access control are used for privacy and to prevent unauthorized users from accessing some object (e.g. files, processes, etc.).

What is the difference in practical environments? When do we use encryption and when do we use access controls (e.g. ACL, RBAC, etc.)?

For example, I can encrypt one file to prevent unauthorized access, but I could also use an ACL method for this.

Steve Dodier-Lazaro
b24

  • These are two very distinct concepts and I think you're mixing something up. Encryption uses mathematics to render data unusable without a key. That data could still be moved, copied or deleted. ACLs however assume you don't have physical access to a storage device (when you talk about restricting access to files) and just allow/deny access on a software level. – Aurelia May 15 '15 at 15:37
  • Both encryption and access control are *very large* families of methods and mechanisms which do all sorts of different things. As a general rule, encryption uses complex mathematical constructs to produce data on which properties are maintained *per se*, whilst access control mechanisms require a trusted reference monitor to apply a policy within its own domain of application. – Steve Dodier-Lazaro May 15 '15 at 15:55
  • See also http://security.stackexchange.com/questions/3749/whats-the-difference-between-an-access-control-method-security-model-and-secu and http://stackoverflow.com/questions/7060441/why-would-i-need-access-control-policies-if-i-use-encryption – Steve Dodier-Lazaro May 15 '15 at 16:06
  • There is a paper discussing this: http://www.uow.edu.au/~jennie/WEBPDF/2005_23.pdf And I was thinking the same thing, that cryptography can be used for authorisation, not just authentication! – CMCDragonkai Jul 06 '16 at 11:35

4 Answers

6

Encryption is used to provide confidentiality of data that may or will be accessed by an untrusted entity. Access control is used to limit or otherwise control an entity's access to an object. Asking "when do we use them" is an open question.

Access controls can be anything from a padlock on a gate to a permission set on a filesystem. They can be simple or complex, can control different operation types independently (read, write, delete, etc.), may involve audit logs, but are generally artificially enforced limitations. By that, I mean there's nothing to physically prevent you from bypassing them, if you've got access to everything. As an example, a filesystem DACL on Windows could be bypassed simply by reading the disk directly, or loading it up in a system which ignores access control (e.g. a Linux NTFS driver). In the physical realm, you can just cut the padlock or chain with bolt croppers, or cut a hole through the wall, or blow the gate up with explosives.

Encryption aims to provide some level of confidentiality based on a differential in computational complexity between an authorised user (i.e. someone with the correct key) and an unauthorised user (i.e. someone without the correct key). A user with the correct key can expend a small amount of resources on decrypting the data, and get the message. A user without that key must expend a significantly larger amount of computational resources in order to decrypt the message - usually so much that it becomes infeasible. The key difference here is that strong encryption provides a real, unavoidable boundary to access. You can't simply side-step it by doing direct reads to a disk or implementing a different accessor - or blowing the data store up with explosives for that matter.

The goals and uses of these two concepts are different. Encryption can provide very strong controls over data confidentiality, but is difficult to get right, can be computationally expensive, and becomes difficult to manage at scale when lots of users need access to the same data. Encryption also isn't trivially applicable to complex models where some users need to be able to read but not write, or write but not read (e.g. writing to a log file but not being able to see other log entries). Access control is much more flexible and can be easier to implement, especially in cases where complex relationships exist between users and data, but it is only enforced by the code that is running on the system. As such, access controls are much weaker (or even worthless) in threat models where local / physical access is a potential (e.g. theft of a hard disk).

The real answer to your question is that they're used whenever they're appropriate for the business logic and threat model in your particular scenario.

Polynomial
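The bypass the answer describes (reading the disk directly, or mounting it under a driver that ignores the ACL) can be shown concretely with a toy model. The following is an added example, not code from the answer or from any real system: an in-memory "disk", a software reference monitor that checks an ACL before every read, and an encrypt-then-MAC routine built from HMAC-SHA256 in counter mode (an illustrative stand-in for a real AEAD such as AES-GCM). The file paths, principals, secret and key material are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample data for the example.
SECRET = b"payroll: alice 5000, bob 4200"
KEY = hashlib.sha256(b"demo key material, constructed for this example").digest()


def _subkey(key: bytes, purpose: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one master key."""
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (illustrative only;
    a real deployment would use AES-GCM or ChaCha20-Poly1305 from a crypto library)."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key fails here instead of yielding garbage."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


class Disk:
    """Raw block store: anything that can open the device can read every block."""

    def __init__(self) -> None:
        self.blocks: dict[str, bytes] = {}


class ReferenceMonitor:
    """Software-enforced ACL; the check only happens if the caller goes through here."""

    def __init__(self, disk: Disk) -> None:
        self.disk = disk
        self.readers: dict[str, set[str]] = {}  # path -> principals allowed to read

    def write(self, owner: str, path: str, data: bytes, readers=()) -> None:
        self.disk.blocks[path] = data
        self.readers[path] = {owner, *readers}

    def read(self, principal: str, path: str) -> bytes:
        if principal not in self.readers.get(path, set()):
            raise PermissionError(f"{principal} may not read {path}")
        return self.disk.blocks[path]


def demo() -> dict:
    """Run both protections against the same moves; returns the outcomes."""
    disk = Disk()
    monitor = ReferenceMonitor(disk)
    monitor.write("alice", "/hr/payroll.txt", SECRET)                # ACL only
    monitor.write("alice", "/hr/payroll.enc", encrypt(KEY, SECRET))  # ACL + encryption
    out = {}
    # 1. Through the front door the ACL holds.
    try:
        monitor.read("mallory", "/hr/payroll.txt")
        out["acl_via_monitor"] = "allowed"
    except PermissionError:
        out["acl_via_monitor"] = "denied"
    # 2. Read the device directly (stolen disk, driver that ignores the ACL): the
    #    monitor never runs, and the ACL-only file is fully exposed.
    out["acl_raw_read_leaks"] = disk.blocks["/hr/payroll.txt"] == SECRET
    # 3. The same bypass against the encrypted file yields only the blob.
    raw = disk.blocks["/hr/payroll.enc"]
    out["enc_raw_read_leaks"] = SECRET in raw
    # 4. Guessing a key does not silently decrypt; the tag check rejects it.
    try:
        decrypt(hashlib.sha256(b"wrong guess").digest(), raw)
        out["wrong_key"] = "decrypted"
    except ValueError:
        out["wrong_key"] = "rejected"
    # 5. The key holder recovers the data no matter where the blob ended up.
    out["key_holder_reads"] = decrypt(KEY, raw) == SECRET
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is step 2 versus step 3: the ACL is a property of the monitor's code path, so any path that does not run that code sees the bytes; the ciphertext is a property of the bytes themselves, so it protects the data on whatever medium they end up on, at the cost of now having a key to manage.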
3

Encryption mechanisms can be used to achieve specific outcomes:

  • Making some data illegible, with the ability for specific individuals to retransform it into a legible format later: this can be used to implement confidentiality within some technical limitations
  • Providing an authentic signature related to a specific blob of data: this can be used to provide non-repudiation in some architectures (e.g., a file upload service may require a signature whilst uploading, as a means to identify the person who uploaded the data)
  • Complex architectures can be built around public-key cryptography and zero-knowledge cryptography to implement all sorts of applications such as e-voting, secure IM, authentication of websites, but that's unrelated to access control

One of the main interests of cryptography for security is that you can use cryptographic primitives to enforce some properties on data regardless of where it is being stored. One needs access to keys or needs the ability to perform very complex (allegedly, too complex to be performed fast enough) mathematics in order to manipulate encrypted objects.


Access control mechanisms primarily implement protections on the integrity and confidentiality of data. Access control requires a trusted reference monitor that enforces a policy onto data objects. Policies can either be discretionary, in which case the owners of each data item (as identified by the reference monitor) decide who can access their data; mandatory, in which case the reference monitor's administrators decide who can access what; or a mixture of the two.

What's important is that the reference monitor checks all accesses to objects against the policy. So, access control is only appropriate within systems that you control.

Access control requires both authentication and authorisation. Authentication allows you to provide accountability, meaning that you know which principal accessed which resource; this would not be possible if you encrypted data and shared a secret key between more than two individuals.


In conclusion, encryption and access control have different applications, and enforce different properties, with different scopes of applicability. They're so different that it doesn't really make sense to compare them...

Even though both encryption and access control could enforce confidentiality, encryption will only do so as long as the encryption key you used is not stolen, whilst access control will only do so as long as the data is stored and accessed within the boundaries of the reference monitor.

It is very common to combine both methods for file storage. A drive will be encrypted to avoid unauthorised accesses via the hardware (where no reference monitor may be available), and an operating system acts as a reference monitor to perform access control checks that ensure software accesses respect a desired policy.

TL;DR: Encryption produces data representations that embody properties wherever these data are stored; whilst access control enforces arbitrarily complex properties and policies, but only on systems that one controls.

Steve Dodier-Lazaro
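The reference-monitor model this answer describes (one choke point, a discretionary layer set by owners, a mandatory layer set by administrators, and accountability per principal) can be written out as a small Python class. This is an added example, not the answer's code or any real operating system's: the label lattice, the Bell-LaPadula style "no read up / no write down" rules used for the mandatory layer, and the principals and object names are assumptions made for the demonstration.

```python
from dataclasses import dataclass, field

# Assumed label lattice for the mandatory layer (constructed for the example).
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass
class Obj:
    owner: str                                 # decides the discretionary part
    label: str                                 # mandatory classification, set by the admin
    acl: dict = field(default_factory=dict)    # principal -> set of ops (DAC)
    data: bytes = b""


class ReferenceMonitor:
    """Every read/write goes through access(); that is what makes it a reference monitor."""

    def __init__(self, admin: str) -> None:
        self.admin = admin
        self.clearance: dict[str, str] = {}    # principal -> level (MAC)
        self.objects: dict[str, Obj] = {}
        self.audit: list[tuple] = []           # (principal, op, object, decision)

    # Mandatory part: only the administrator assigns labels and clearances.
    def set_clearance(self, actor: str, principal: str, level: str) -> None:
        if actor != self.admin:
            raise PermissionError("only the admin sets clearances")
        self.clearance[principal] = level

    def create(self, actor: str, name: str, owner: str, label: str, data: bytes = b"") -> None:
        if actor != self.admin:
            raise PermissionError("only the admin labels objects")
        self.objects[name] = Obj(owner, label, {owner: {"read", "write"}}, data)

    # Discretionary part: the owner hands out rights on its own objects.
    def grant(self, actor: str, name: str, principal: str, op: str) -> None:
        obj = self.objects[name]
        if actor != obj.owner:
            raise PermissionError("only the owner grants discretionary rights")
        obj.acl.setdefault(principal, set()).add(op)

    def _decide(self, principal: str, op: str, obj: Obj) -> bool:
        dac_ok = op in obj.acl.get(principal, set())
        clearance = LEVELS[self.clearance.get(principal, "public")]
        level = LEVELS[obj.label]
        # Assumed Bell-LaPadula style rules: no read up, no write down.
        mac_ok = clearance >= level if op == "read" else clearance <= level
        return dac_ok and mac_ok               # an owner's grant cannot override the label

    def access(self, principal: str, op: str, name: str, data: bytes = b""):
        obj = self.objects[name]
        allowed = self._decide(principal, op, obj)
        # Accountability: the authenticated principal is recorded for every decision.
        self.audit.append((principal, op, name, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{principal} may not {op} {name}")
        if op == "read":
            return obj.data
        obj.data += data                       # write = append, like a log file
        return None


def demo():
    """Constructed scenario: a secret-labelled log that bob may append to but not read."""
    rm = ReferenceMonitor(admin="root")
    rm.set_clearance("root", "alice", "secret")
    rm.set_clearance("root", "bob", "internal")
    rm.create("root", "/audit/log", owner="alice", label="secret", data=b"entry1\n")
    rm.grant("alice", "/audit/log", "bob", "read")     # alice's discretion...
    rm.grant("alice", "/audit/log", "bob", "write")    # ...but the label still applies
    outcomes = {}
    for principal, op, payload in [("alice", "read", b""), ("bob", "read", b""),
                                   ("bob", "write", b"entry2\n"), ("mallory", "read", b"")]:
        try:
            rm.access(principal, op, "/audit/log", payload)
            outcomes[f"{principal}_{op}"] = "allow"
        except PermissionError:
            outcomes[f"{principal}_{op}"] = "deny"
    outcomes["log_after"] = rm.objects["/audit/log"].data
    return outcomes, rm.audit


if __name__ == "__main__":
    results, trail = demo()
    print(results)
    for entry in trail:
        print(entry)
```

Two things in the run are worth noticing. bob's read is denied even though the owner granted it, because the mandatory layer is decided by the administrator and not the owner; and every decision, including the denials, lands in the audit trail under the principal's name, which is exactly what a shared decryption key cannot give you.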
1

These are two separate concepts, and I'll attempt to make an analogy.

Imagine access control mechanisms are like locking windows and doors in a house. You have to make sure that all of them are locked down to create a secure house, but breaking them is still possible for entry. For some things in the house this level of security is all you need. But let's say you have money, passports, family jewels, or whatever that you want kept secure regardless of a door being broken into.

This is where encryption comes in. Imagine encryption is a safe. There are lots of different safes (types of encryption) with different levels of security (DES, 3DES, AES128, AES256, etc). Now even past the access controls the user needs to break into something much more secure. What is protected by encryption depends on what data you feel needs this extra confidentiality. Like safes, scalability can be tough. Sure, banks can afford large safes for large amounts of valuables (Google), but most people for home use just need something smaller (analogous to secure web browsing, GPG, etc).

If you want to use encryption across your enterprise you'll need to invest in infrastructure, and this really depends on your system; what are you trying to protect, and how much protection does it need.

RoraΖ
0

Agree they are different, but some of the answers are more about typical implementations rather than basic differences.

Seems to me encryption info (algorithm, key, etc.) is an attribute of data; clear data is just a special case. Access control takes care of who can do what to some data and to its attributes. It should make sense for access control to say "user A has read access to this as clear data" while "user B has access only to the encrypted version of the same data"; or "this user can re-encrypt this data".

zoran2