The ABCs of ABAC: Multidimensional Security in the Digital Age
In this article, we discuss the benefits that using an Attribute-Based Access Control (ABAC) security system can bring to enterprise security solutions.
The digital age is continuously bringing us new security challenges. Cyberattacks are happening every day, throughout every industry, and hackers are continuously learning new techniques, becoming smarter and smarter. Meanwhile, our data becomes more and more vulnerable.
As new technologies continually emerge, enterprises are always looking for the best ways to secure their most critical business assets. Whether an organization needs to secure data stored in the cloud, secure data stored in Hadoop, or secure access to applications, an Attribute-Based Access Control (ABAC) model is the way to go for the digital age.
ABAC meets ever-evolving security challenges in the digital age and enforces enterprise-wide access based on business policies and regulations. ABAC moves beyond Role-Based Access Control (RBAC) models and succeeds where RBAC falls short.
Why the Role-Based Access Control (RBAC) Model Fails
With RBAC, access control is based on user roles and the permissions associated with those roles. But the RBAC model starts to fail when the number of access control use cases grows beyond a given point and becomes unmanageable. This leads to a problem in the IT world known as “role explosion.”
The other issue with RBAC involves Segregation of Duties (SoD). RBAC models are only two-dimensional and don’t allow for complex relationships. For example, within a hospital, we may want to give a nurse the ability to access some patients’ records, but not others. Unfortunately, RBAC doesn’t have a mechanism for implementing SoD in this example. We would have to rely on the application developer to implement the checks within the source code. This, in turn, leads to poor audit visibility and access review capabilities.
ABAC moves beyond Role-Based Access Control (RBAC) models to a truly context-aware multidimensional model.
The Future of Data Security: Attribute-Based Access Control (ABAC)
Unlike RBAC, ABAC has the ability to employ user attributes, action attributes, context attributes (such as time, device, and location), resource attributes (a record’s sensitivity), and much more. The fact that we can use attributes that describe virtually any scenario makes ABAC multi-dimensional.
With attributes in place, policies can be built to govern access in a way that’s dynamic, scalable, and centralized. Let’s use the hospital example again. Say you are a nurse in the intensive care unit; how do we implement your authorization requirements based on those attributes? We need a medium that will allow us to do that. ABAC uses a policy language called the eXtensible Access Control Markup Language (XACML). Using this language, we can combine attributes in order to implement our policy requirements.
Say, for example, we have the requirement: “nurses can view and update records for patients assigned to the same department as the nurse.” XACML allows us to take the attributes used in this sentence (nurse, view, update, records, patients, and department) and translate them directly into the machine-readable policy used to enforce the natural-language requirement. In our example, users with the role of “Nurse” within department “Intensive Care Unit” can perform the actions “view” and “update” on objects of type “patient records” in the department “Intensive Care Unit.” Because we can use variables in the policy language, a single policy can be applied to any department in the hospital - greatly simplifying ongoing maintenance and operations.
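To make that mapping concrete, here is a small policy decision point written for this article as an added example; it is not code from the article or from any XACML product. It mirrors XACML’s Target/Condition/Rule structure and deny-overrides combining in plain Python, and the attribute names (subject.role, resource.department, context.device) and the second, device-based Deny rule are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    subject: dict      # who: role, department, ...
    action: dict       # what: the action id
    resource: dict     # on what: type, department, sensitivity, ...
    context: dict = field(default_factory=dict)  # time, device, location, ...

def attr(req, dotted):
    """Resolve an attribute designator such as 'subject.department' against a Request."""
    category, name = dotted.split(".", 1)
    return getattr(req, category).get(name)

@dataclass
class Rule:
    effect: str            # "Permit" or "Deny", as in XACML
    target: dict           # attribute designator -> accepted values; all must match
    condition: object = None  # optional callable(Request) -> bool, checked after the target

    def matches(self, req):
        in_target = all(attr(req, k) in allowed for k, allowed in self.target.items())
        return in_target and (self.condition is None or self.condition(req))

# "Nurses can view and update records for patients assigned to the same department
# as the nurse." Department is compared as a variable, so one rule covers every
# department instead of one role per department (no role explosion).
NURSE_SAME_DEPARTMENT = Rule("Permit",
    {"subject.role": {"Nurse"}, "action.id": {"view", "update"}, "resource.type": {"patient-record"}},
    lambda r: attr(r, "subject.department") == attr(r, "resource.department"))

# Context-aware rule (assumed, not from the article): a record whose sensitivity
# attribute is "restricted" may only be touched from a managed device.
RESTRICTED_OFF_MANAGED = Rule("Deny", {"resource.sensitivity": {"restricted"}},
                              lambda r: attr(r, "context.device") != "managed")

POLICY = [NURSE_SAME_DEPARTMENT, RESTRICTED_OFF_MANAGED]

def decide(policy, req):
    """Deny-overrides combining: any applicable Deny wins, then any Permit, else NotApplicable.
    The enforcement point should treat anything but an explicit Permit as refused."""
    effects = {rule.effect for rule in policy if rule.matches(req)}
    return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"

# Constructed sample attributes for the worked requests (not from the article).
ICU_NURSE = {"role": "Nurse", "department": "Intensive Care Unit"}
ICU_RECORD = {"type": "patient-record", "department": "Intensive Care Unit", "sensitivity": "normal"}
ONC_RECORD = {"type": "patient-record", "department": "Oncology", "sensitivity": "restricted"}
```

An Oncology nurse reaching an Oncology record is permitted by the very same rule, while the ICU nurse on that record gets NotApplicable, and a restricted record from an unmanaged device is denied even when the department matches.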
Using XACML, policies can be written to satisfy extremely complex requirements. XACML policies help to make ABAC extremely flexible and expressive to both share and limit access as conditions dictate.
ABAC provides a multi-dimensional system that, through its use of attributes and policies, prevents role explosion, increases scalability, enables relationships, eliminates SoD conflicts, and externalizes authorization for ease of management control.
In addition, ABAC allows organizations to comply with an ever-growing body of regulations in demanding regulatory environments across industries. Lastly, ABAC bridges the gap between business and IT. Where RBAC led to opaque and complex configurations that were hard to understand and audit, ABAC uses human-readable policies that can be quickly analyzed and shared with auditors and compliance managers, thereby closing the loop on access reviews.
Access control has evolved to meet the changing security challenges organizations face in the digital age. Attribute-Based Access Control is now the standard model for organizations confronted by the need for a robust and flexible solution to today’s complex security threats.