Managing Role and Group Explosion with Dynamic Authorization
Globalization trends and greater diversity in the business world are pushing enterprises’ access management requirements toward a more dynamic approach. This NextLabs white paper, “Managing Role and Group Explosion with Dynamic Authorization”, describes the challenges companies currently face, why traditional Role-Based Access Control (RBAC) should be enhanced with Attribute-Based Access Control (ABAC), some best practices for implementing ABAC, and the NextLabs approach to addressing these challenges.
Below is an overview of the paper.
Current Trends Driving Access Management Requirements
The trend toward a more data-centric approach to access management is driven by both regulation and the business landscape.
- Adopting Zero Trust: The National Institute of Standards and Technology (NIST) recommends, in NIST 800-207, that organizations implement a Zero Trust approach to security. As the principle “Never Trust, Always Verify” suggests, users are no longer assumed to be trustworthy simply because they can reach a network or system. Instead, every access attempt is evaluated regardless of previous context, and users are granted only the least privilege they need to the data and applications in question. Adopting this approach helps enterprises move from coarse, network-centered controls to a fine-grained model that centers on protecting sensitive and valuable data.
- Globalization and Diversified Workforce: The globalization of trade relations, business processes, and the workforce requires enterprises to strike a delicate balance between effective business practices and data security. While communication and information sharing are key to successful international collaboration, they also make it harder to secure sensitive data in cross-regional and cross-organizational work. A more diverse workforce increases the challenge further, as employees in many geographic locations need to reach the organization’s data and resources from a wide range of device types, from different locations, and at many times of the day. These trends make it imperative for companies to build a flexible and reliable access management system.
- Industry Consolidation: Facing a volatile business environment, companies go through consolidations such as mergers, acquisitions, and joint ventures in order to grow revenue or withstand risk. During these organizational changes, the flow of data and personnel between the old and new organizations becomes increasingly complicated, and ensuring that only authorized users have access to sensitive, business-critical data becomes a crucial issue.
- IT Consolidation: To increase efficiency and reduce management overhead, companies with globally distributed operations tend to adopt wide-reaching shared systems instead of smaller separate ones. Because usage is spread across the whole day, system certifications and capacity can be fully utilized. While optimizing the IT landscape in this way, it is crucial for enterprises to make sure that access management is in place for the consolidated systems.
Role and Group Explosion: How to Solve It
In traditional RBAC, each combination of access rights must be captured by a specific role, and users of a system are made members of every role that covers the access they require. As a result, RBAC demands an exponential number of roles or user groups, leading to role and group explosion. This intensifies the complexity of access management, especially when access control is enforced at a more granular level.
Integrating Attribute-Based Access Control (ABAC) with RBAC can greatly simplify access management and enhance the existing RBAC functions. ABAC is defined as “an access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, object, and environment conditions, and a set of policies that are specified in terms of those attributes and conditions.” Combining attributes with environmental factors such as location and time of day allows easy, fine-grained access control that is tailored to varied business contexts and needs, and it greatly reduces the number of role assignments. Applicable both on-premises and in hybrid cloud environments, combining ABAC with RBAC offers a future-ready identity and access management solution.
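To make the role-explosion arithmetic and the attribute-based alternative concrete, here is a small Python model added to this overview (constructed for illustration, not NextLabs code or policy syntax): the RBAC role count is the Cartesian product of the access dimensions, while the same access contexts are expressed as three ABAC predicates over subject, object and environment attributes, combined deny-overrides. All dimension values, attribute names and policy rules below are assumptions made for the example.

```python
from datetime import time
from itertools import product

# Constructed access dimensions. Under pure RBAC every grantable
# combination of these must be modelled as its own role or group.
REGIONS = ["EU", "US", "APAC"]
DEPARTMENTS = ["finance", "engineering", "legal", "hr"]
CLASSIFICATIONS = ["public", "internal", "confidential"]
ACTIONS = ["read", "edit"]


def rbac_roles_needed(*dimensions):
    """Roles needed when each combination is a separate role: the size of
    the Cartesian product, which multiplies with every dimension added."""
    return len(list(product(*dimensions)))


# ABAC: each policy is a predicate over subject, action, object and
# environment attributes. Hypothetical rules written for this example.
def same_region_and_department(subject, action, obj, env):
    return (subject["region"] == obj["region"]
            and subject["department"] == obj["department"])

def confidential_only_on_managed_device_in_hours(subject, action, obj, env):
    if obj["classification"] != "confidential":
        return True  # this rule only constrains confidential data
    return env["device_managed"] and time(8, 0) <= env["time"] <= time(18, 0)

def edit_requires_clearance(subject, action, obj, env):
    return action != "edit" or subject["clearance"] >= obj["min_edit_clearance"]

POLICIES = [same_region_and_department,
            confidential_only_on_managed_device_in_hours,
            edit_requires_clearance]


def abac_decide(subject, action, obj, env, policies=POLICIES):
    """Deny-overrides combining: permit only if every policy permits.
    Three short policies replace one role per access combination."""
    return "PERMIT" if all(p(subject, action, obj, env) for p in policies) else "DENY"


# Constructed sample subject, object and environments for a quick check.
ALICE = {"region": "EU", "department": "finance", "clearance": 2}
REPORT = {"region": "EU", "department": "finance",
          "classification": "confidential", "min_edit_clearance": 3}
OFFICE_HOURS = {"device_managed": True, "time": time(10, 30)}
LATE_BYOD = {"device_managed": False, "time": time(22, 0)}

if __name__ == "__main__":
    print("RBAC roles:", rbac_roles_needed(REGIONS, DEPARTMENTS, CLASSIFICATIONS, ACTIONS))
    print("read in office:", abac_decide(ALICE, "read", REPORT, OFFICE_HOURS))
    print("read late on BYOD:", abac_decide(ALICE, "read", REPORT, LATE_BYOD))
```

Adding a fifth dimension (say, a project attribute with ten values) multiplies the RBAC role count by ten, while the ABAC side only gains one more predicate.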