In this ITWeb interview, archTIS Governance & Compliance expert Dave Matthews discusses the topic of ABAC vs RBAC: How to create more efficient data security and avoid permission creep.
Demands on data have created a host of challenges for security and administration, and traditional tools are not keeping up. As we expand collaboration and business activities outside the office, data moves more widely and user permissions expand with every responsibility or team project.
Keeping ahead of this permission burden is tough yet necessary for zero trust (“never trust, always verify”) security. But standard role-based access control lacks the flexibility and dynamism to accommodate these new workplace behaviours.
“The traditional security perimeter has faded significantly as we started working more outside the office and adding more roles and responsibilities to people’s credentials,” says archTIS’ Product Manager Governance and Compliance, Dave Matthews. “That’s bad news for data security that relies on role-based authentication because data goes where people do. So even if you authenticate a user, it’s much harder today to control what they do with data. As we give more and more permissions, it’s harder to keep data secure.”
For decades, organisations relied on role-based access control (RBAC). But as it becomes easier for data to move around – copied to other devices and pasted into meeting channels – RBAC can’t cover all the opportunities for mistakes, negligence and malicious activities. It’s becoming essential for the access decision to follow the data on a case-by-case basis, a concept called attribute-based access control, or ABAC.
ABAC for better data security
ABAC focuses on attributes rather than roles. Whereas a role is tied to an account and its permissions, ABAC applies a broader range of conditional decisions around how data is used.
“The big difference is context,” says Matthews. “Right now, I’m in my home office, using my company laptop on a secured VPN. Using ABAC, my security determines that this is a safe place to access certain documents and that I can share them in this meeting’s chat. But afterwards, I might go out for lunch. I decide to check some work messages from my phone and I log onto the restaurant’s WiFi. Yet I can’t access certain data because ABAC determines that the content should not be accessible in this situation. In both cases, I used the same role credentials and policies. But attribute-based access makes a deeper decision than just what my role’s permissions are.”
ABAC uses a range of attributes to make such decisions. It considers data properties, such as where the data was saved, who created the data and what permissions are associated with the files. It can look at data sensitivity, export controls, compliance, policies and other variables.
Then ABAC weighs user attributes: not only their permissions but the device, location and additional considerations. Weighing all the relevant attributes together, ABAC decides whether, and how, the data may be accessed in that situation. In the example above it would flag and block sensitive information from opening on the restaurant’s WiFi. But it can be much more specific, such as not opening sovereign data from an international location, or limiting access to sensitive financial information from outside the corporate network.
Flexibility is the difference
ABAC adds access-control flexibility and automation that RBAC doesn’t provide. It remains important to authenticate users and give them appropriate permissions. But RBAC alone is insufficient for modern data transactions and collaborative workplaces.
“Access has to be flexible and dynamic,” says Matthews. “For example, sales and marketing work together on a particular marketing campaign. But they need approval from the legal team, so we grant them access to the data as well. But do we have the controls in place to temporarily grant access? Or is that now there until somebody remembers to go back and do a clean-up?”
Privilege creep is a genuine problem in companies, regardless of their size. It’s easy to add permissions and a chore to remove them in a timely fashion, says Matthews: “Companies put considerable time and effort into RBAC policies and management, paying for those costs to keep the system maintained, particularly when they want to establish many policies that make the system seem flexible. You can bring ABAC right into that. Mature organisations often will have many policies ready to go out of the box. You can implement ABAC on top of those policies.”
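The two situations described above – the same role credentials being allowed from a VPN-connected company laptop but refused from a phone on restaurant WiFi, and a project grant that should lapse by itself rather than wait for a clean-up – can both be expressed as attribute-based policies over one request. The following is an added illustration written for this page, not archTIS product code; the attribute names (role, device_managed, network, sensitivity, sovereign_to, grants and so on), the scenario data and the deny-overrides combining rule are assumptions chosen for the example. A real policy decision point would take these attributes from an identity provider, a device-management agent and the document’s classification labels. The last scenario also covers the pension-fund case mentioned further down: personal data blocked from being copied to public storage.

```python
"""Minimal attribute-based access control (ABAC) evaluator.

Added example, not archTIS product code. Attribute names (role, network,
device_managed, sensitivity, sovereign_to, grants, ...) are assumptions chosen
for illustration; a real PDP would take them from an identity provider, an
MDM/EDR agent and the document's classification labels.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]


@dataclass(frozen=True)
class Request:
    subject: Attrs       # who: user, role, device posture
    resource: Attrs      # what: classification, sovereignty, project grants
    environment: Attrs   # context: network, country, time, requested action


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                          # "allow" or "deny"
    applies: Callable[[Request], bool]   # predicate over the whole request


def rbac_decision(req: Request) -> bool:
    """Plain RBAC: the role is the only input, so context is invisible."""
    return req.subject["role"] in req.resource["allowed_roles"]


def abac_decision(req: Request, policies: List[Policy]) -> Tuple[bool, List[str]]:
    """Deny-overrides combining: any matching deny wins, then any allow,
    otherwise default deny. Returns the decision and the policies behind it."""
    matched = [p for p in policies if p.applies(req)]
    denies = [p.name for p in matched if p.effect == "deny"]
    if denies:
        return False, denies
    allows = [p.name for p in matched if p.effect == "allow"]
    if allows:
        return True, allows
    return False, ["default-deny"]


def grant_is_current(req: Request) -> bool:
    """Time-boxed project grant: access is given for a window and lapses on
    its own, so nobody has to remember to come back and clean it up."""
    grant = req.resource.get("grants", {}).get(req.subject["user"])
    return grant is not None and req.environment["now"] < grant["expires"]


SENSITIVE = {"confidential", "restricted"}
TRUSTED_NETWORKS = {"corporate", "vpn"}

POLICIES = [
    Policy("role-permits", "allow", rbac_decision),
    Policy("project-grant-current", "allow", grant_is_current),
    Policy("sensitive-off-trusted-network", "deny",
           lambda r: r.resource["sensitivity"] in SENSITIVE
           and r.environment["network"] not in TRUSTED_NETWORKS),
    Policy("sensitive-unmanaged-device", "deny",
           lambda r: r.resource["sensitivity"] in SENSITIVE
           and not r.subject["device_managed"]),
    Policy("sovereign-data-abroad", "deny",
           lambda r: r.resource.get("sovereign_to") is not None
           and r.environment["country"] != r.resource["sovereign_to"]),
    Policy("pii-to-public-storage", "deny",
           lambda r: r.resource.get("contains_pii", False)
           and r.environment.get("action") == "copy"
           and r.environment.get("destination") == "public-storage"),
]


def run_scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed scenarios following the interview's examples (sample data)."""
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    board_pack = {  # constructed resource attributes for one document
        "sensitivity": "confidential", "allowed_roles": {"finance"},
        "sovereign_to": "AU", "contains_pii": False,
        "grants": {"lee": {"expires": t0 + timedelta(days=14)}},  # legal reviewer
    }
    dave = {"user": "dave", "role": "finance", "device_managed": True}
    dave_phone = {"user": "dave", "role": "finance", "device_managed": False}
    lee = {"user": "lee", "role": "legal", "device_managed": True}
    home = {"network": "vpn", "country": "AU", "now": t0}
    cafe = {"network": "public-wifi", "country": "AU", "now": t0 + timedelta(hours=4)}
    return {
        "dave_home_vpn": abac_decision(Request(dave, board_pack, home), POLICIES),
        "dave_cafe_phone": abac_decision(Request(dave_phone, board_pack, cafe), POLICIES),
        "lee_during_grant": abac_decision(Request(lee, board_pack, home), POLICIES),
        "lee_after_grant": abac_decision(
            Request(lee, board_pack, {**home, "now": t0 + timedelta(days=30)}), POLICIES),
        "dave_copy_pii_public": abac_decision(
            Request(dave, {**board_pack, "contains_pii": True},
                    {**home, "action": "copy", "destination": "public-storage"}), POLICIES),
    }


if __name__ == "__main__":
    for name, (allowed, why) in run_scenarios().items():
        print(f"{name:22} {'ALLOW' if allowed else 'DENY':5} {why}")
```

Note that `rbac_decision` returns the same answer for the laptop on VPN and the phone on café WiFi, which is the point being made: the role has not changed, only the context has, and only the attribute policies see that. Equally, the legal reviewer's grant needs no revocation step; once `now` passes `expires` the allow simply stops matching and the request falls through to default deny.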
The best ABAC solutions scale out and can focus on specific challenges. For example, Matthews mentions a pension fund that uses ABAC to ensure personal customer data is never copied to public storage.
Data no longer remains inside the company perimeter, and user permissions have ballooned as collaboration grows. Traditional role-based access control is not enough to keep data secure yet accessible. If you want to keep data safe while offering employees flexible access and avoiding privilege creep, ABAC is the answer.