Many organizations rely solely on Role Based Access Control (RBAC) to make access decisions. The problem is that RBAC can only manage access control for broad groups of people (for example, “C-suite managers”). In contrast, Attribute Based Access Control (ABAC) is an automated process that uses predefined characteristics to make fine-grained access decisions (for example, “C-suite managers who work in marketing-related departments” (Chief Marketing Officer, Chief Branding Officer, etc.)
NIST explains that “As new subjects join the organization, rules and objects do not need to be modified...This benefit is often referred to as accommodating the external user and is one of the primary benefits of employing ABAC.”
In an ABAC system the main access decision components are categorized as follows:
Identity attributes are the set of characteristics that define who the user is. These identity markers can include the type of user (partners, employees, or customers), or their personal metadata (such as name, title, company and phone number).
Identity attributes can be extended to digital identities as well. For example, you can use an ABAC system to limit communication between specific segments and zones of your network. For example, a server containing customer-facing data (products, prices, etc.) cannot communicate with a server containing the company’s HR data.
Since identities can also be multidimensional, one person can have many roles, and the ABAC system can make access decisions based on all of them. For example, if an employee is a Project Manager for one project, a Software Developer in a second project, and an Advisor in a third project. ABAC can manage access rights for this one employee while taking into account all of their roles.
The resources in your organization that you want to protect are the asset attributes, which includes a company’s digital assets. You’ll need to decide which aspects of each of these resources are important for your company to categorize. For instance, you might want to define each of these digital assets according to what they are and what they are used for. Take, for example, a document, which you might want to categorize according to its metadata, such as the Document ID, the author, the document publication date, topic keywords, and so on.
When your digital assets are categorized in this way, the ABAC system can make intelligent decisions as to whether or not a requesting user should be allowed to view, edit, and/or share the resource.
Environmental attributes are more advanced types of descriptors. This attribute type does not focus on the identity of the requesting user or even on the asset. Rather, when an ABAC system looks for environmental attributes, it is taking into account dynamic factors such as the:
For instance, you can set the environmental attributes for highly secret projects such that they can only be accessed from company HQ, only during normal working hours, and not from smartphones or tablets.
You can also set environmental attributes to take into account cybersecurity events. This is particularly useful for hardening security around sensitive data during a cyber-attack. For instance, if a cyber-attack is detected, your ABAC policy might block all access to all company financial and HR data.
With distributed global systems, ABAC systems are certainly important for managing user access. But to remain competitive, businesses have to ensure that the teams that are authorized to access their data can actually access their data without running into blockades at every junction. With PBAC, the creation and updating of policies are more flexible in terms of technology. And because it’s more straightforward and scalable, it facilitates the mapping of identities and authorization data - making it a win-win.
Learn the specific steps you need to take to harness the power of ABAC and PBAC in providing your organization with the kind of system it needs to maintain fine-grained control over your company assets: 