The Definitive Guide to Attribute-Based Access Control (ABAC)
Attribute-based access control (ABAC) has emerged as the next-gen technology for secure access to business-critical data. The complexities of today’s IT landscape – think cloud apps, data silos, mobile, IoT, Big Data – has exposed the limitations of role-based access control (RBAC) solutions, leaving organizations vulnerable on the data security front. By many, including Gartner and NIST, ABAC is now being considered as the dominant mechanism for the future. As part of a consortium tasked with creating a reference architecture for ABAC, NextLabs was selected by the National Institute of Standards and Technology (NIST) to help define the core capabilities and benefits of ABAC.
What is ABAC?
According to NIST, ABAC is defined as “an access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.”
Attribute Based Access Control (ABAC) provides access to users based on who they are rather than what they do: for example, the business unit they work in and how they were hired. Attributes allow for an easier control structure because permissions can be based on the user’s type, location, department and so on, mirroring the physical aspects of the business. By looking at a user’s attributes—information that is already known and often stored in an HR system—ABAC permits you to express a rich, complex access control policy more simply. For example, if a user named Margret Smyth is promoted from the Marketing to management, her access permissions will be updated because her business attributes changed, not because someone remembered that she had admin permissions and took the time to update a configuration file somewhere.
The benefits of ABAC are many and there are some requirements that can only be achieved using an ABAC model. The most significant benefit is ABAC’s user-intuitive nature that hides technical permission sets behind easy-to-understand user profiles that anyone with authority can update, knowing that the user will have the access they need as long as their attributes are up to date. The other benefit of ABAC is the flexibility it gives; almost anything about the user and the business can be represented, allowing the business to think the business way, not the IT way. Which applications, what type of data users can access, what transactions they can submit, and the operations they can perform automatically change based on these contextual factors. The net effect is that organizations utilizing ABAC can make more concise decisions based on real-time operation information.
For example, using ABAC, access to business-critical data can be determined by attributes or characteristics of the user, the data, or the environment, such as group, department, employee status, citizenship, position, device type, IP address, or any other factors which could affect the authorization outcome. These attributes can be sourced from user identities, applications, and system resources, environmental attributes, they can also be retrieved from any other data source, such as IAM, ERP, PLM, employee information from an internal HR system or customer information from Salesforce, databases, LDAP servers, or even from a business partner for federated identities.
ABAC can be used in conjunction with Role Based Access Control (RBAC) to combine the ease of policy administration which is what RBAC is well-known, with flexible policy specification and dynamic decision making capability that ABAC is renowned for. Combining RBAC and ABAC into a single hybrid ABAC / RBAC (ARBAC) solution can provide a future-ready identity and access management solution capable of designing and enforcing rules based on individual profiles and business environment parameters. For example, ARBAC can be applied to enforce mandatory access control based on certain attributes while still providing discretionary access control through supercharged roles known as ‘job functions’ that are profiled based on user employment types. Alternatively, ARBAC can also be applied to implement the risk-adaptable access control concept, where access permissions can be made mutually exclusive through rules pertaining to segregation of duties for example.
The ARBAC hybrid approach allows the system to combine the IT and Business structures together. While basic access is provided automatically, the business can still provide additional access to specific users through roles that fit into the business structure. By making roles attribute-dependent, additional limitations can be put in place for certain users automatically without any additional searching or configurations, better organizing and reducing the number of access profiles that need to be kept track of. In a larger company with several business units and multifunctional employees, allowing access to be driven by attributes simplifies the process of determining correct access for users. As the result, a hybrid structure makes decision-making easier for enterprises when it comes to assigning user account access to workers. When the approach is combined with a matching user-centric control interface, IT is finally able to outsource the workload of onboarding and offboarding users to the decision makers in the business.
It is expected that, as time goes on, ABAC will become widely accepted as the authorization model of choice for businesses. A solution which can bridge the gap between RBAC and ABAC is therefore important — an indispensable, high-value software asset for the intelligent enterprise!