
Attribute-Based Access Control (ABAC)

What Is Access Control?

Before users on a network are allowed into areas of a system where misuse could result in a security breach, they must be authenticated and then authorized. Access control refers to the authorization part of that process. In this article, we explain one popular method for managing access control, attribute-based access control (ABAC).

What Is ABAC?

Attribute-based access control (ABAC) is an authorization model that draws on a set of characteristics, or attributes, to decide whether access to a system resource is granted. The role of ABAC security is to protect physical or logical objects such as data, files, network devices, and IT resources from unauthorized users. In the case of ABAC, an unauthorized user is anyone who does not have the “approved” characteristics specified by the access control policies.

ABAC is a very logical form of access control. It evolved from simpler access control models such as discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC). In this article, we’ll explore how attribute-based access control works.

Attribute-based access control (ABAC) has emerged as the next-generation method for controlling access to sensitive corporate data. The previously popular RBAC method has not kept pace with the complexity of today’s technology.

To illustrate this, military organizations, including every branch of the United States army, have started using ABAC systems. Put simply, ABAC guards data with conditional ‘IF/THEN/AND’ rules rather than simply granting certain data to a set of relevant users. The US Department of Commerce has made ABAC a mandatory practice, and its popularity is spreading.


Components of Attribute-Based Access Control

With attribute-based access control, access control policies determine access permissions based on the attributes of the user, resource, action, and environment involved in an access request. 

User

The user, or subject, is the entity that requests access to a resource in order to perform an action. Attributes in a user profile include the user’s name, role, organization, ID, departmental and organizational memberships, management level, security clearance, and other identifying criteria. ABAC systems obtain these attributes from an HR directory or from the authentication tokens presented during login.

Resource

A resource is defined as the asset or object that the user wants to gain access to. Resource attributes include identifying characteristics like creation date, owner, file name, and data sensitivity.

Action

The action describes the activity the user intends to perform on the resource. Action attributes include verbs such as “read,” “write,” “view,” “approve,” and “delete.” In some cases, multiple attributes can describe a single action.

Environment

The environment is the broader context of each access request. Environmental attributes are contextual and include the time of access, location of the data, current organizational threat level, the subject’s device, communication protocol, and encryption strength. Environmental factors can also include internal risk signals that the company has defined, such as deviation from the subject’s normal behavior patterns.


How ABAC Works

ABAC systems set rules that combine various attributes to determine whether permission will be granted to perform a specific action on a certain object or resource. The system evaluates these attributes against the rules to grant or deny access.

The process works roughly like this:

  • An access request is triggered.
  • The ABAC tool collects the relevant attributes and checks whether they satisfy the existing policy rules.
  • If the attributes match the policy rules, access is permitted.

ABAC Compared to Other Access Control Models

Older access control models include mandatory access control (MAC), discretionary access control (DAC), and, more recently, role-based access control (RBAC). These models are user-centric and do not account for additional, more granular parameters such as resource information, the relationship between the user and the resource, and dynamic or behavioral information like time, current risk, or the user’s behavioral norms.

The ABAC security model addresses these issues by defining its permissions based on additional attributes, allowing for a more granular approach. The concept of using user, environment, and resource attributes is now allowing access control policies to address more complex use cases.

ABAC vs. RBAC

RBAC has fewer control variables than ABAC. Where RBAC is limited to broad role definitions, ABAC takes a fine-tuned approach. For example, with an RBAC system in place, any employee in the HR department might be able to access employee and payroll information. With ABAC, further control can be applied through more specific access rules, such as only allowing access during certain times or only for employees of a specific branch. This can make a significant difference in reducing security incidents and can ultimately help with compliance audits for regulatory bodies.
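As an added example (not code from Centraleyes or the original page), the following Python script contrasts the two models described above: a role-only check that lets any HR member read payroll data, beside a deny-by-default ABAC evaluator whose single rule also requires a matching branch, office hours, and a threat level that is not high. The attribute values, the rule name, and the threat-level signal are constructed for the illustration.

```python
from datetime import datetime

# Added example (not from the original page): a minimal attribute-based policy
# evaluator. A rule is an IF/THEN/AND statement: IF every condition holds over
# the user, resource, action and environment attributes, THEN apply its effect.

def rbac_decision(user: dict, action: str) -> str:
    """Role-only check from the HR example: any HR member may read payroll."""
    return "permit" if action == "read" and "hr" in user["roles"] else "deny"

# Constructed ABAC rules. Each condition is a predicate over the whole request;
# a rule fires only when all of its conditions are true (the AND).
ABAC_RULES = [
    {
        "name": "hr-reads-own-branch-payroll-in-office-hours",
        "effect": "permit",
        "conditions": [
            lambda r: r["action"] == "read",                            # action
            lambda r: r["resource"]["type"] == "payroll",               # resource
            lambda r: "hr" in r["user"]["roles"],                       # user
            lambda r: r["user"]["branch"] == r["resource"]["branch"],   # user/resource relation
            lambda r: 9 <= r["env"]["time"].hour < 18,                  # environment: time
            lambda r: r["env"]["threat_level"] != "high",               # environment: risk signal
        ],
    },
]

def abac_decision(request: dict) -> str:
    """Deny by default: permit only when some permit rule matches completely."""
    for rule in ABAC_RULES:
        if all(cond(request) for cond in rule["conditions"]):
            return rule["effect"]
    return "deny"

def access_request(user: dict, resource: dict, action: str, env: dict) -> dict:
    """Assemble the four attribute sets the ABAC tool collects for one request."""
    return {"user": user, "resource": resource, "action": action, "env": env}

# Constructed sample attributes (as an HR directory and resource catalogue would supply).
HR_LONDON = {"id": "u100", "roles": ["hr"], "branch": "london"}
PAYROLL_LONDON = {"type": "payroll", "owner": "finance", "branch": "london"}
PAYROLL_BERLIN = {"type": "payroll", "owner": "finance", "branch": "berlin"}
OFFICE_HOURS = {"time": datetime(2024, 5, 6, 10, 30), "threat_level": "low"}
LATE_NIGHT = {"time": datetime(2024, 5, 6, 23, 15), "threat_level": "low"}
HIGH_THREAT = {"time": datetime(2024, 5, 6, 10, 30), "threat_level": "high"}

if __name__ == "__main__":
    print("RBAC, any time/branch:", rbac_decision(HR_LONDON, "read"))
    for res, env in [(PAYROLL_LONDON, OFFICE_HOURS), (PAYROLL_BERLIN, OFFICE_HOURS), (PAYROLL_LONDON, LATE_NIGHT)]:
        print("ABAC", res["branch"], env["time"].hour, abac_decision(access_request(HR_LONDON, res, "read", env)))
```

The RBAC check returns the same answer in every scenario, while the ABAC evaluator denies the cross-branch, late-night and high-threat requests that the role alone would have permitted.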

Pros of ABAC

  • Granular and flexible policies
  • Compatibility with new users
  • Stringent security and privacy

Cons of ABAC

The main drawback of ABAC is its exhaustive scope. Creating an ABAC policy set requires extensive mapping of attributes to authorization rules. This is a worthwhile investment for large organizations with complex security requirements, but smaller companies with less stringent security needs are better off not adopting ABAC.

Access Control as Part of a Security Strategy

When it comes to cybersecurity, it’s critical to implement an access control process that fits your company’s security needs. Efficiently managing user permissions and access levels is not only a matter of saving your employees’ time but also a crucial cybersecurity infrastructure project.
