Fine-Grained vs. Coarse-Grained Authorization Policies

Gal Helemski
April 24, 2017

Gone are the days when a single authorization point was enough for website security. If network security was once comparable – metaphorically speaking – to the role of a bouncer at the entrance to a nightclub, i.e., a gatekeeper who decides who can and cannot have access to what’s inside – today we’ve moved over to a different model entirely, a paradigm that’s far more complex.

To limit the damage done by hackers, domains now need multi-layered security. Stated differently: in the age of IoT and growing cyber threats, the answer to securing the network lies in authorization, not just authentication.

And that’s really a matter of adopting more fine-grained access control.

The Metamorphosis of Access Control

Once upon a time, when access control was just a question of ACL, receiving access depended simply on whether a user’s ID appeared on the “white list” or the “black list.”

However, as pointed out by Gartner in this blog, today’s fast-changing cyber reality requires a methodology that is more fine-grained and considers a broader variety of information. And this is what’s led to the widespread adoption of ABAC – in which permissions are based on any piece of data or label that describes a user, resource, target, object, environment, or action. ABAC allows you to mix multiple attributes to define extremely targeted rules.

Minimizing Risk

The beauty of fine-grained authorization as opposed to more coarse-grained models is that it allows CISOs to calibrate an IAM system very precisely and determine the right degree of access – in other words, to maximize the efficiency of a company or organization by providing users with access to data they need, while avoiding exposure of the network to unnecessary risk.

It’s an ongoing process of fine-tuning. If controls are too tight, they prevent employees from doing their work – or customers lose access to services. But if authorization processes and controls are too loose, data can be at risk.

Granular permissions must be leveraged to ensure that security is maintained, while providing the necessary access to data that drives innovation.

Adopting Best Practices in Data Governance

And it’s important not only because of the obvious security issues involved, but also because data can be both a sensitive and a personal issue. According to the National Institute of Standards and Technology, personal data should be collected only for a specified purpose, and users should be protected against inadvertent disclosure of information.

As a result, access control in any organization must adjust the outcome for the user or role, and systems that respond to a broader range of contextual parameters are preferable as they provide protection against a wider set of threats and abuses.

Fine-grained access control is more flexible than coarse-grained approaches, and this facilitates better calibration of who has access to what. With fine-grained authorization, it is possible to define a wide range of user cases and limit how much data is viewed on a per-case basis.

Handling Multiple Use Cases – Elegantly

The significance of fine-grained authorization can be illustrated easily in the context of health organizations, where privacy is a particularly significant issue. Complex authorization methodologies are crucial in handling a range of use cases.

For example, doctors must access information about their own patients, but should not be able to view information about other people. In contrast, patient intake personnel should have access to insurance data and home addresses, but should not be able to see patients’ diagnoses. And application developers must be able to work with the database but should not be able to view private information of patients.

Amplifying ABAC with PlainID

Flexibility is the key factor in dealing with protecting data privacy and meeting access requirements that differ across users and applications. An innovative solution such as PlainID provides the necessary liability – by amplifying ABAC and providing contextual, fine-grained access control that allows the development of wide-ranging policies.

PlainID enables attribute-based decisions all the way from the user to the resource or action based on pattern or resource attributes. With PlainID, contextual, dynamic-based business policies can be used.

PlainID’s unified authorization platform brings a fresh approach to security by creating a single authorization layer that accommodates cloud, mobile, and legacy applications. The PlainID solution is a simplified Authorization platform that meets the growing complexity of who can access what – and streamlines the demands of successful IAM management.

Most popular posts