Consider an international flight. The passengers bought tickets and the crew work on the plane – but they don’t all have the same rights. Passengers are restricted to their areas, the cabin crew has access to the entire aircraft, aside from the cockpit, and the pilots can enter any section of the aircraft they like. In other words, each person is assigned the level of authorization they need. This ensures an efficient and safe flight.
The same goes for your company’s networks, data, and applications. It is vital to assign access rights and privileges to users based on who they are and what they need to do. But what if a passenger is upgraded to first-class? What if, in an emergency, a passenger becomes the pilot? Can classic authorization methods seamlessly handle these changes?
Until now, the overwhelmingly popular approach to authorization has been Role-Based Access Control (RBAC): an organization defines a set of roles that correspond to its functions and job descriptions, assigns each user one or more of those roles, and the roles determine what the user can access and which operations they can perform.
With RBAC, users can also be organized into groups. For instance, all employees in the HR department would be assigned to the “HR group,” the VP Human Resources would also be assigned a “Manager” role, and the Recruitment Officer would be assigned the “Recruitment Officer” role. In this example, everyone in the HR group might have access to the departmental directory on the network, the VP would have read/write authorization on the main HR database, but the Recruitment Officer might only have read privileges on that same database.
But there are many problems with assigning authorizations to users based on roles and groups.
Most significantly, RBAC has key disadvantages in cost and in the logistics of managing access rights across a business. When a new employee is onboarded, for example, they are typically assigned the same level of permissions as their coworkers. However, as their position evolves over time (or as they move to different departments or projects), their needs change. Managing an RBAC system is a manual process: System Administrators must move users between roles and groups and create new ones as necessary. As the company grows, this becomes unwieldy, and users end up retaining rights to company resources that they should no longer be able to access.
Traditionally, business application authorization has been managed with user repositories: databases of users, their IDs, and the actions they are authorized to take. Specifically, over the last 25 years, organizations have been using the Lightweight Directory Access Protocol (LDAP), an open industry-standard protocol for integrating third-party software with a company’s user directories. One LDAP directory can serve multiple applications, so it would seem to be a convenient solution for managing authorization, especially in large companies.
But LDAP has been anything but convenient.
Changing permissions for any application that it serves requires an inordinate amount of effort. Also, because permissions are static, they cannot automatically adjust to real-time situations. For instance, if a cybersecurity alert is raised, a System Administrator needs to manually adjust permissions to prevent a breach. Furthermore, the average organization has many repositories, and it becomes almost impossible to manage all of them properly. This increases the likelihood that at least one of them will become a security risk.
Where we come down: RBAC and other traditional methods of authorization management fall short of the mark. What you really want is a system that requires little to no manual management, is scalable, and is flexible. Some of these issues are solved with Attribute-Based Access Control (ABAC) systems. In ABAC, authorization decisions are based on attributes that describe not only who the user is and what asset they are attempting to access, but also environmental factors such as their physical location, timezone, and so forth.
Policy-Based Access Control (PBAC) takes this one step further by making ABAC more dynamic. PBAC enables you to create policies that cover almost every scenario, making your authorization process a smoother, more accurate, and more secure experience for IT and users alike.
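To make the contrast concrete, here is an added example (not code from the original post or from any product) that expresses the HR scenario above as policies over subject, resource and environment attributes rather than static role grants. The policy names, attribute names, and the "alert_level" environment attribute are constructed for illustration; the point is that raising an alert changes the decision without any administrator editing user records.

```python
# Added example: a minimal deny-overrides policy evaluator.
# All names, policies and sample requests are constructed for illustration.
from dataclasses import dataclass
from typing import Callable


@dataclass
class Request:
    subject: dict    # who is asking: department, role, location ...
    resource: dict   # what they want: resource name ...
    action: str      # "read" or "write"
    env: dict        # runtime context: alert_level ...


@dataclass
class Policy:
    name: str
    effect: str      # "permit" or "deny"
    condition: Callable[[Request], bool]


POLICIES = [
    # While a security alert is raised, every write is blocked automatically.
    Policy("freeze-writes-on-alert", "deny",
           lambda r: r.env.get("alert_level") == "high" and r.action == "write"),
    # Everyone in HR may read the departmental directory.
    Policy("hr-directory", "permit",
           lambda r: r.resource["name"] == "hr-directory"
           and r.subject.get("department") == "HR" and r.action == "read"),
    # The HR manager gets read/write on the main HR database, but only
    # from the office (an environmental attribute, not a role).
    Policy("hr-db-manager", "permit",
           lambda r: r.resource["name"] == "hr-db"
           and r.subject.get("department") == "HR"
           and r.subject.get("role") == "Manager"
           and r.subject.get("location") == "office"),
    # The Recruitment Officer gets read-only access to the same database.
    Policy("hr-db-recruiter", "permit",
           lambda r: r.resource["name"] == "hr-db"
           and r.subject.get("role") == "Recruitment Officer"
           and r.action == "read"),
]


def authorize(req: Request) -> tuple[bool, str]:
    """Any matching deny wins; otherwise any matching permit; otherwise the
    request is refused (default deny). Returns the decision and the policy."""
    matched = [p for p in POLICIES if p.condition(req)]
    for p in matched:
        if p.effect == "deny":
            return False, p.name
    for p in matched:
        if p.effect == "permit":
            return True, p.name
    return False, "default-deny"
```

Because the alert freeze is evaluated on every request, lifting or raising the alert takes effect immediately, which is the behaviour the LDAP-backed static permissions above cannot provide.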
To learn more about the right way to manage authorizations in your company: