Out with RBAC, in with ABAC!

Oren Harel
August 10, 2016

Assigning access controls is one of the foundational steps in information security and compliance. Enterprises commonly deal with data—personal, commercial, business internal —that absolutely cannot leak to the public at large nor internally within the organization. All the major compliance regimes, such as FISMA, PCI-DSS, and HIPAA, have detailed requirements that lay out who is allowed to access certain data, when that data can be accessed, and how to keep records of that access. One last question remains, however—how do you ensure that no unauthorized persons can access that data?

In order to truly lock down data, the NIST, via its National Cybersecurity Center of Excellence (NCCoE), is pushing forward  a more flexible method to manage privileges —Attribute Based Access Control (ABAC).

Modulate Access Using Attributes

Under ABAC, access to particular record or resource is moderated based on certain traits—attributes—of the person accessing the file (the subject), the resource itself (the object), and the time and place where the object is being accessed (the environment). Attributes of the subject may include their title, certifications, or training. Attributes of the object may include its related project, the personally identifying information (PII) it contains, and the sensitivity of that PII.  Viewed holistically, these attributes can now be used to set the rules that would enable access to data and resources.

RABC  (Role-Based Access Control) on the other hand,  involves creating a role for every organizational or business functionality, giving that role permission to access certain records or resources and assigning a user to the role. This system is entirely too granular, not flexible and very limited in large scales.

Simplify Access Controls  and Smart up your Permissions

Under ABAC, the number of actions needed to enforce access controls is substantially reduced. Blanket policies can be set, using natural language. For example, “Only auditors can view the sensitive data associated with their assigned projects” is a very simple policy to apply and manage under the ABAC system. Handling large amounts of users and data is relatively easy, since they all automatically fit the policy.

Additionally, environmental conditionals can be used to further modulate access. For instance, maybe a set of files is so sensitive that it can only be viewed on desktops that are on the corporate site. Environmental conditions can be based on a location, time, risk of access, and even events. For example, you might want to provide limited access upon a cyber-security event, and extend access of corporate engineers in case of an approved incident.

Using ABAC, enterprises can easily comply with GRC requirements that requires them to segregate data access, prevent unauthorized users from accessing sensitive data, control access creep, and even prevent authorized users from accessing sensitive data in a risky manner.

Automation to cope with constant changes

Change of role, organizational structure, assignment to new projects – adapts immediately to what documents, medical records, servers and more the user can access. No additional action is required to enable access to the new project data, the new user in the department, or a freshly assigned accountant.

ABAC truly is a more efficient approach to support your access decisions.

PlainID enables organizations to implement and maintain a sensible, highly responsive access control system that scales with the enterprise. See how PlainID is changing the face of Authorizations!

Most popular posts