How Attribute-Based Access Control (ABAC) Can Enhance Dynamic Data Protection
As the data landscape changes, organizations face an overwhelming increase in the amount of data they generate, while data breaches make the news nearly every day. According to a report by IBM, the average total cost of a data breach increased by almost 10% from 2020 to 2021; customer personally identifiable information (PII) was the most common type of record lost, as it was included in 44% of breaches. Dynamic data protection identifies and checks data access based on who is accessing the data and where, when, and how it is being accessed, in order to protect critical data and assets from potential risks. Using dynamic authorization technology along with attribute-based access control (ABAC) to enhance the data security model can help mitigate these risks.
Nitin Aggarwal is an associate partner with Infosys Consulting. He has been working with Infosys for over 12 years. He is currently leading the Enterprise Security, Risk and Compliance Practice at Infosys Consulting. He has been helping clients achieve sustainable compliance and also move to new ways of managing security in an enterprise, specifically around attribute-based access controls.
In episode four of NextLabs’ Cybersecurity Expert Series, we sat down with Nitin to gain some insights about what has caused the shift in the need for dynamic data protection and how attribute-based access control (ABAC) can enhance dynamic data protection. Read his insights below or watch the full Q&A video on our YouTube channel.
What has caused the shift in the need for dynamic data protection?
Dynamic data protection has been there for a long time, but in the recent past, companies have been moving or looking towards dynamic data protection mode because of multiple reasons, such as COVID. Because of COVID, remote working has become more prevalent, and when you talk about remote working, to achieve data security you have to actually have checks on data: where data is being accessed, when it is being accessed and how it is being accessed. These things are only possible through dynamic data protection.
If you look at the recent case, which is the geopolitical situation around Russia and Ukraine, a lot of companies are required to put sanctions on how they do business with the Russian companies, or with Russian entities; how they share data; how they operate in Russia. So, this requires a lot of change in the way they operate and change in the way the systems have to behave. This also calls for something similar to dynamic data protection.
Similarly, there are more regulations that keep coming up, like the GDPR regulation, which requires a flexible concept of managing data security.
What are some of the current challenges that companies are facing when it comes to dynamic data protection?
The challenge companies face for dynamic data protection today is, first of all, that the applications per se do not offer the capability to go fine-grained, which means you have limited capability in a lot of applications being used in the majority of companies to impose the restrictions at the minutest level, which is kind of the need when you talk about dynamic data protection: you do not want to rely on the level at which the native security concepts go. You want to go to the lowest level where you want to control the data.
The second challenge is the native security concepts in a lot of the applications: they do not allow you to put restrictions based on dynamic factors or dynamic attributes, such as the time at which somebody is accessing or the location from where somebody is accessing. So, most of the security is mostly static and there is no way in the applications where they are able to manage it dynamically saying, “I have been granted some access in the application, I’m only able to use that access or do something with the access when I’m working in the offices. As long as I’m in the offices, I’ll continue to have the access and as soon as I log in from outside the office or from a location which is not allowed, even though I’ve the access in the application, I will not be able to see or do anything with that access.” So, these are cases which are not available through the native security concepts of the applications and these are the challenges that companies face.
How does ABAC enable dynamic protection?
Attribute-Based Access Control works based on attributes, as the name goes. It relies on fetching data around attributes and determines whether a user should be allowed to access something or do something in the application based on how the values of the attributes fetched at that point in time tell the system or evaluation of decisions based on those attribute values.
In attribute-based access control, we define policies which are actually built based on the attributes and we can say, “You are allowed to view sensitive data only when you are from, let’s say, the HR department and you are trying to access within office hours, and you have some security clearance.” What happens is, every time a user tries to access the data which is sensitive or classified as sensitive, the system at that time will check whether the user belongs to the HR department and the user is belonging to a specific clearance level. Based on that, at that point in time, the system will either allow the user or deny the user. If the attribute levels change within the next hour and the user is again trying to access, the behavior may be different based on what the (attribute) values are.
Which types of organizations would benefit from an attribute-based access control system?
There are different types of organizations that can benefit from dynamic data security or attribute-based access control: companies that have to comply with regulatory requirements, such as export compliance, trade compliance, ITAR. There are also companies that have to comply with regulations such as GDPR, where you are supposed to apply restrictions on who can access and who can use personal sensitive data. There may also be a wider use case for organizations, as part of their mergers and acquisitions transactions where, let’s say, you have divested a part of your entity and you have to draw a boundary line into what a divested entity user should see versus what a retained entity user should see. So, rather than having to redesign the security model or reapply the whole model, you can use attribute-based access control in such companies to do data segregation on the fly.
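The policy described in the interview (HR department, office hours, clearance level, plus the office-location condition from the earlier answer) can be sketched as a small decision function. This is an added example, not part of the interview and not NextLabs product code; the attribute names, the 09:00 to 18:00 window, the clearance threshold and the "public" label are assumptions.

```python
from dataclasses import dataclass
from datetime import time

# Assumed policy parameters (constructed for this example).
OFFICE_HOURS = (time(9, 0), time(18, 0))
ALLOWED_LOCATIONS = {"office"}
MIN_CLEARANCE = 2

@dataclass(frozen=True)
class Request:
    subject: dict      # user attributes, e.g. department, clearance
    resource: dict     # data attributes, e.g. classification
    environment: dict  # context at request time: time of day, location

def conditions(req):
    """Evaluate each policy condition; a missing attribute fails the check."""
    s, e = req.subject, req.environment
    now, level = e.get("time"), s.get("clearance")
    return [
        ("department is HR", s.get("department") == "HR"),
        ("clearance level", isinstance(level, int) and level >= MIN_CLEARANCE),
        ("office hours", now is not None
            and OFFICE_HOURS[0] <= now < OFFICE_HOURS[1]),
        ("allowed location", e.get("location") in ALLOWED_LOCATIONS),
    ]

def decide(req):
    """Return (decision, failed condition names), evaluated per request."""
    # Only data explicitly labelled "public" skips the policy; unlabelled
    # data is treated as sensitive so a missing label cannot open access.
    if req.resource.get("classification") == "public":
        return "permit", []
    failed = [name for name, ok in conditions(req) if not ok]
    return ("deny" if failed else "permit"), failed

if __name__ == "__main__":
    user = {"department": "HR", "clearance": 3}   # constructed sample user
    doc = {"classification": "sensitive"}
    for env in ({"time": time(10, 30), "location": "office"},
                {"time": time(20, 0), "location": "office"},
                {"time": time(10, 30), "location": "home"}):
        print(env, decide(Request(user, doc, env)))
```

The same user and the same document produce different decisions as the environment attributes change, and the list of failed conditions gives an audit log the reason for each denial.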
Discover more from NextLabs’ Expert Series, featuring industry experts in educational and thought-provoking conversations on Data-Centric Security, Zero Trust Architecture, Safeguarding AI, and more.
