
RBAC vs ABAC: Know the Key Differences

Harsh Sahu
CTO
March 2024 | 13 mins

Access control (AC), the mechanism that restricts access to information according to access policies, is one of the vital aspects of data security.

Access control mechanisms stem from the need to give the right person access to the right data at the right time, without violating privacy.

The proliferation of users, and of the attributes attached to them such as roles, tasks, time, geography and usage, has led to a multitude of access control mechanisms within organizational access control architectures.

Over the years, organizational access control models have evolved: Discretionary Access Control (DAC), Mandatory Access Control (MAC), Identity Based Access Control (IBAC), and Role Based Access Control (RBAC).

Each of these models, however, struggles to express the fine-grained, context-dependent access that databases and their users now require.

This article covers the main facets of access control mechanisms and why organizations need to shift from Role-Based Access Control (RBAC) to Attribute Based Access Control (ABAC).

What is Role Based Access Control (RBAC)?

Role-Based Access Control (RBAC) is an approach to restricting system access to authorized users. This approach is based on the roles that individuals hold within an organization and the permissions that are associated with those roles. This means that a person's role in an organization determines their access to resources.

RBAC is widely used in large organizations such as enterprises where job functions are clearly defined. Its main benefit is simplified management of access to resources: permissions are granted to roles, and users are assigned to roles.

However, RBAC is static and context-insensitive: a decision depends only on the requester's roles, not on the time, location or other circumstances of the request. It is not always suitable for dynamic environments where roles and permissions change frequently, and its coarse-grained permissions tend to over-provision users, which can lead to unauthorized disclosure of information.

As databases proliferated and these limitations of the existing access control models became apparent, researchers developed the Attribute-Based Access Control mechanism.

At its 2014 Identity and Access Management Summit, Gartner predicted that by 2020, 70% of enterprises would use ABAC as the dominant mechanism to protect critical assets.

Let’s understand RBAC and ABAC in detail.

Image: What is Role-Based Access Control?

The Role-Based Access Control (RBAC) model employs pre-defined roles, each carrying a specific set of privileges, to which subjects are assigned.

For example, an individual assigned the role of Manager will have access to a different set of objects than someone assigned the role of Analyst.

Before moving ahead, let’s understand subjects and objects:

  • Subjects are the entities, typically users, who can perform actions on objects within the system. They are assigned roles based on their responsibilities and qualifications, which determine their access rights.
  • Objects are the resources that a subject (user) can access. These could include files, databases, systems, or any other entities that the system needs to secure and control access to.

In this model, the person who assigns roles decides who can access what. The object owner decides what each role can do.

When someone requests access, the system looks at their role and what it's allowed to do before making a decision.

How does RBAC work?

Once you have defined the roles in your organisation, you attach permissions to each role (and so to every user holding it) along three dimensions:

  • Access: which parts of the data landscape are visible to the role.
  • Operations: which operations the role may carry out, such as reading, writing or editing files.
  • Sessions: the conditions of use, such as how long data may be accessed, at what times, and over what range (for how long can the user see the data?).

To structure RBAC implementations, the National Institute of Standards and Technology (NIST) RBAC model defines four levels, each adding to the one before:

  • Flat: every user holds at least one role (some hold several) and acquires permissions only through those roles; administrators can review which roles a user holds.
  • Hierarchical: roles are arranged by seniority, and a senior role inherits the permissions of the roles below it, so senior executives have their own permissions in addition to those held by their subordinates.
  • Constrained: separation of duties is enforced, so that no single individual can hold the combination of roles needed to complete a sensitive task alone; several people must collaborate, which deters fraud.
  • Symmetric: permission-role review is added, so administrators can determine not only which permissions a role holds but also which roles (and therefore which users) hold a given permission, and adjust assignments accordingly.
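As an added example (not code from this article), the following Python engine implements the hierarchical, constrained and symmetric features just listed: a Manager role inherits the Analyst role's permissions, a static separation-of-duty constraint stops one user from both initiating and approving payments, and a permission-role review answers which roles and users hold a given permission. The role names, users and objects are hypothetical.

```python
"""Hierarchical, constrained RBAC with permission-role review.
Added example for this article, not code from the page. Roles, users and
objects below are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class RBAC:
    role_perms: dict = field(default_factory=dict)   # role -> {(operation, object)}
    juniors: dict = field(default_factory=dict)      # role -> roles it inherits from
    user_roles: dict = field(default_factory=dict)   # user -> roles directly assigned
    ssd: set = field(default_factory=set)            # role pairs no user may hold together

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(inherits)

    def add_ssd(self, role_a, role_b):
        """Static separation of duty (the 'constrained' level)."""
        self.ssd.add(frozenset({role_a, role_b}))

    def assign(self, user, role):
        """User-role assignment; rejected if it would breach an SoD constraint."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        held = self.user_roles.get(user, set()) | {role}
        for pair in self.ssd:
            if pair <= held:
                raise ValueError(f"SoD violation: {user} may not hold both {sorted(pair)}")
        self.user_roles[user] = held

    def closure(self, role):
        """The role plus every junior role it inherits from, transitively."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def role_permissions(self, role):
        perms = set()
        for r in self.closure(role):
            perms |= self.role_perms[r]
        return perms

    def user_permissions(self, user):
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions(role)
        return perms

    def check(self, user, op, obj):
        """The access decision: is (op, obj) reachable through any of the user's roles?"""
        return (op, obj) in self.user_permissions(user)

    def roles_with(self, op, obj):
        """Permission-role review (the 'symmetric' level): which roles hold a permission."""
        return {r for r in self.role_perms if (op, obj) in self.role_permissions(r)}

    def users_with(self, op, obj):
        return {u for u in self.user_roles if self.check(u, op, obj)}


def build_demo():
    rbac = RBAC()
    rbac.add_role("Analyst", perms={("read", "report")})
    rbac.add_role("Manager", perms={("approve", "budget")}, inherits={"Analyst"})
    rbac.add_role("PaymentInitiator", perms={("create", "payment")})
    rbac.add_role("PaymentApprover", perms={("approve", "payment")})
    rbac.add_ssd("PaymentInitiator", "PaymentApprover")
    rbac.assign("alice", "Manager")
    rbac.assign("bob", "Analyst")
    rbac.assign("bob", "PaymentInitiator")
    return rbac


if __name__ == "__main__":
    r = build_demo()
    print(r.check("alice", "read", "report"), r.check("bob", "approve", "budget"))
    print(sorted(r.roles_with("read", "report")))
    try:
        r.assign("bob", "PaymentApprover")
    except ValueError as e:
        print(e)
```

Note that the review methods walk the same inheritance closure as the decision method, so an audit of "who can read reports" sees Manager even though no report permission is assigned to that role directly.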

What are the pros of RBAC?

The benefits of RBAC (Role-Based Access Control) include:

  • Simplified and streamlined security management, since roles mirror the responsibilities and privileges of users within an organization.
  • Efficient control over resources: revoking a role removes all of its permissions at once, which limits privilege creep.
  • Support for least privilege and segregation of duties, essential principles of a robust security system.
  • A good fit for large-scale organizations with a well-established hierarchy and distinct roles, where permissions are easier to manage.

What is Attribute Based Access Control (ABAC)?

Traditionally, access control has been based on the identity of a user requesting execution of a capability to perform an operation (e.g., read) on an object (e.g., a file), either directly, or through predefined attribute types such as roles or groups assigned to that user.

Practitioners have noted that this approach to access control is often cumbersome to manage given the need to associate capabilities directly to users or their roles or groups. It has also been noted that the requester qualifiers of identity, groups, and roles are often insufficient in the expression of real-world access control policies.

An alternative is to grant or deny user requests based on arbitrary attributes of the user and arbitrary attributes of the object, and environment conditions that may be globally recognized and more relevant to the policies at hand. This approach is often referred to as ABAC.

NIST (SP 800-162) defines ABAC as, “An access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.”

Attributes in ABAC can be defined as the quality or feature regarded as a characteristic or inherent part of someone or something. Attributes can be considered as key-value pairs which can have a single value or they can be multi-valued (also referred to as set-valued attributes). Identities, clearances, sensitivity, roles and other properties of users, subjects and objects can all be expressed as attributes.

ABAC Example

Consider the example of an educational institution in which more than one student has the name Jane Doe.

To distinguish one Jane from the other, you may need additional information such as a last name. The problem is solved if every student’s full name is unique. But what if there are two Jane Does in the same course?

For this, you may need further information e.g. student roll number, specialization, department or peculiar apparent features etc. All these factors can be considered as a student’s attributes.

Extending the same example, consider the scenario in which Jane Doe from the Information Security Department is allowed to attend a seminar but any other student even with the same name from some other department is not allowed.

In addition, assume that the roll numbers assigned to students are unique inside a department but they may overlap at inter-department level. The legitimate Jane Doe will have to present her department information as well in order to be allowed to enter the seminar hall.

In this case, being enrolled as a student or having Jane Doe as the full name alone is not enough. Here, role, name, department etc. are all attributes of a person/user.

Hence, a single factor is not enough to control access in such a situation; multiple factors must be considered simultaneously. The ABAC model does exactly this, making access control decisions from subject, object, and environment attributes together.

How does ABAC work?

Image: How Attribute-Based Access Control works?

The image above shows the attribute-based access control mechanism in simple terms:

  • The subject requests access to an object (a file, a data set, etc.).
  • The ABAC mechanism gathers the applicable rules (access control policies), the subject's attributes (name, affiliation, clearance, etc.), the object's attributes (type, owner, classification, etc.) and the environment conditions (time, location, network), and evaluates the policies against them to compute a decision.
  • The subject is given access to the object only if the policies evaluate to permit; a request that no policy permits is denied.
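The following Python policy evaluator is an added example, not code from this article or from any product it mentions. It runs the three steps above over the Jane Doe scenario: policies are predicates over subject, object and environment attributes, any applicable deny wins, a request no policy permits is denied, and a rule that cannot be evaluated because an attribute is missing fails closed. All attribute names, users, objects and times are hypothetical.

```python
"""Attribute-based access control: each request is decided from subject,
object and environment attributes by a set of policies, with deny-overrides
combining and default deny. Added example for this article, not code from
the page; the attribute names, users, objects and times are hypothetical."""
from dataclasses import dataclass
from datetime import time
from typing import Callable


class MissingAttribute(Exception):
    """Raised when a rule needs an attribute the request did not supply."""


def attr(attrs: dict, name: str):
    if name not in attrs:
        raise MissingAttribute(name)
    return attrs[name]


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                                   # "permit" or "deny"
    rule: Callable[[dict, dict, dict], bool]      # (subject, object, env) -> applies?


def evaluate(policies, subject, obj, env):
    """Return (decision, reason). Any applicable deny wins; with no applicable
    permit the answer is deny. A rule that cannot be evaluated because an
    attribute is missing fails closed: a permit rule grants nothing, a deny
    rule denies."""
    permitted_by = None
    for p in policies:
        try:
            applicable = p.rule(subject, obj, env)
        except MissingAttribute as missing:
            if p.effect == "deny":
                return "deny", f"{p.name} (missing attribute: {missing})"
            continue
        if not applicable:
            continue
        if p.effect == "deny":
            return "deny", p.name
        permitted_by = permitted_by or p.name
    return ("permit", permitted_by) if permitted_by else ("deny", "default-deny")


CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2}

POLICIES = [
    # Students may attend seminars run by their own department (the Jane Doe case).
    Policy("seminar-own-department", "permit",
           lambda s, o, e: attr(o, "type") == "seminar"
           and attr(s, "department") == attr(o, "department")
           and attr(s, "role") == "student"),
    # Records are readable when the subject's clearance covers the classification.
    Policy("record-clearance", "permit",
           lambda s, o, e: attr(o, "type") == "record"
           and CLEARANCE_RANK[attr(s, "clearance")] >= CLEARANCE_RANK[attr(o, "classification")]),
    # Environment conditions: confidential data only in office hours and only on campus.
    Policy("office-hours-only", "deny",
           lambda s, o, e: attr(o, "classification") == "confidential"
           and not time(8, 0) <= attr(e, "time") <= time(18, 0)),
    Policy("campus-network-only", "deny",
           lambda s, o, e: attr(o, "classification") == "confidential"
           and attr(e, "network") != "campus"),
]

# Constructed sample attributes for the demo.
SEMINAR = {"type": "seminar", "department": "InfoSec", "classification": "public"}
GRADES = {"type": "record", "owner": "registrar", "classification": "confidential"}
JANE_INFOSEC = {"name": "Jane Doe", "roll": 17, "role": "student", "department": "InfoSec", "clearance": "internal"}
JANE_MATH = {"name": "Jane Doe", "roll": 17, "role": "student", "department": "Math", "clearance": "internal"}
JANE_INCOMPLETE = {"name": "Jane Doe", "role": "student"}   # department attribute never provisioned
REGISTRAR = {"name": "R. Smith", "role": "staff", "department": "Registrar", "clearance": "confidential"}
OFFICE_HOURS = {"time": time(10, 30), "network": "campus"}
LATE_REMOTE = {"time": time(23, 0), "network": "home"}


def run_demo():
    cases = {
        "jane_infosec_seminar": (JANE_INFOSEC, SEMINAR, OFFICE_HOURS),
        "jane_math_seminar": (JANE_MATH, SEMINAR, OFFICE_HOURS),
        "jane_incomplete_seminar": (JANE_INCOMPLETE, SEMINAR, OFFICE_HOURS),
        "registrar_grades_day": (REGISTRAR, GRADES, OFFICE_HOURS),
        "registrar_grades_night": (REGISTRAR, GRADES, LATE_REMOTE),
        "registrar_grades_no_network": (REGISTRAR, GRADES, {"time": time(10, 0)}),
        "jane_infosec_grades": (JANE_INFOSEC, GRADES, OFFICE_HOURS),
    }
    return {k: evaluate(POLICIES, *v) for k, v in cases.items()}


if __name__ == "__main__":
    for case, (decision, reason) in run_demo().items():
        print(f"{case:28} {decision:6} {reason}")
```

Two details matter in practice. The two Jane Does share name, role and roll number and are told apart only by the department attribute, which is the point of the article's example. And the Jane whose department was never provisioned is denied rather than permitted, because a permit rule that cannot read an attribute it depends on is treated as not applicable; the registrar with no network attribute is likewise denied, because a deny rule that cannot be evaluated is resolved as deny.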

What are the key differences between RBAC and ABAC?

The image below summarises the disadvantages of RBAC and how ABAC addresses them. In short: RBAC decides on the requester's roles alone, while ABAC combines subject, object and environment attributes; RBAC permissions are static and coarse-grained, so a new combination of access usually means a new role, whereas ABAC policies are evaluated per request and can express fine-grained, context-aware conditions; and RBAC's static role assignments are easier to audit, as discussed in the next section.

Image: Differences between RBAC and ABAC

Limitations of ABAC

Although the comparison above favours ABAC, one limitation of ABAC is the lack of a comprehensive standard for attribute-based access control.

The basic idea behind ABAC solutions is the use of subject, object, and environment attributes for access control decisions.

However, treating any single ABAC formulation as definitive could exclude much-needed flexibility and fine-grained control. A standard ABAC model, like the existing NIST RBAC standard, could provide a theoretical foundation for ABAC products and solutions.

In the ABAC versus RBAC debate, RBAC's administrative ease is often highlighted, particularly in permission auditing and review: because role and permission assignments are static, answering "who can read this table?" is a simple lookup.

The NIST RBAC standard offers a range of models with such review capabilities. In ABAC, the same question requires evaluating the policy set against every combination of attribute values a subject might present, so ABAC lacks effective permission auditing and review capabilities, which hinders its broad adoption.

This could be addressed with a standard definition of ABAC, including a family of models. The motivation for an ABAC family of models is similar to that of RBAC; not all applications require all ABAC features, nor do all vendors offer them.

This family of access control models would facilitate ABAC features of varying complexity, providing a systematic categorization approach for different system implementations.

Why is an effective access control mechanism important?

An effective access control system is essential because it combines authentication, which verifies the identity of users, with authorization, which determines their access rights.

These systems are fundamental to cybersecurity strategies, safeguarding against unauthorized access, data breaches, and cyber threats.

For physical security, access control systems can range from traditional lock-and-key setups to advanced biometric systems, ensuring that only authorized personnel can enter secure areas.

Whether in digital or physical domains, the goal remains the same: to minimize the risk of unauthorized access and ensure the security of sensitive information and assets.

Other Types of Access Control Models

Starting with Lampson’s access matrix in the early 1970s, dozens of access control models have been proposed.

Only three have achieved broad success in practice: Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role-Based Access Control (RBAC).

Below highlights the meaning of each of these access control models.

Discretionary Access Control (DAC)

Discretionary Access Control (DAC) is a type of access control system that grants permissions based on rules specified by the owners of resources.

It is termed "discretionary" because control of access is left to the discretion of the individual owner.

In DAC systems, each resource (such as a file, directory or device) has an owner.

The owner has complete control over the resource and can determine who can access it, including granting other users permission to read, write, or execute the resource.

A common example of a DAC system is the file system of a typical operating system, where users create, delete, open and manage their own files at their discretion.

However, DAC systems carry security risks. Permissions can be passed on, so a careless owner can open data to unauthorized users; and because any program a user runs acts with that user's permissions, a malicious program (a Trojan horse) can read and copy everything its user can, with nothing in the model to prevent it.

Mandatory Access Control (MAC)

Mandatory Access Control (MAC) is a security strategy that restricts a user's ability to access or operate on a system based on the user's level of authorization (clearance) and the classification of the information.

In MAC, the system assigns security labels to resources (classifications) and to users (clearances), and the system, not the resource owner, decides whether a user can access a specific resource by comparing the two.

This approach is used in organizations where data confidentiality and classification are of utmost importance, such as military institutions.

It prevents users with lower clearance levels from accessing information classified at higher levels; strict implementations also forbid writing higher-classified data into lower-classified objects, so that information cannot flow downward.
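As an added example (not code from this article), here is the clearance-versus-classification comparison in the Bell-LaPadula style that classified systems use: labels form a lattice of level plus compartments, a subject may read only objects its clearance dominates (no read up), and may write only to objects that dominate its clearance (no write down), which is the part the paragraph above does not show. The levels, compartments and sample labels are hypothetical.

```python
"""Mandatory access control in the Bell-LaPadula style. Labels are set by the
system, and a subject's clearance is compared with an object's classification
on every access; the object's owner has no discretion. Added example for this
article, not code from the page; the levels, compartments and sample labels
are hypothetical."""
from dataclasses import dataclass

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high a level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(clearance: Label, classification: Label) -> bool:
    """Simple security property ("no read up")."""
    return clearance.dominates(classification)


def can_write(clearance: Label, classification: Label) -> bool:
    """*-property ("no write down"): writing to a lower label would let a
    high-clearance subject, or a Trojan horse running on its behalf, leak data."""
    return classification.dominates(clearance)


def can_read_write(clearance: Label, classification: Label) -> bool:
    """Both directions hold only when the labels are equal."""
    return can_read(clearance, classification) and can_write(clearance, classification)


def access_matrix(clearance: Label, objects: dict) -> dict:
    """Which operations a subject with this clearance may perform on each object."""
    return {
        name: "".join(op for op, ok in (("r", can_read(clearance, lab)),
                                        ("w", can_write(clearance, lab))) if ok) or "-"
        for name, lab in objects.items()
    }


# Constructed sample labels: an analyst cleared Secret for the CRYPTO compartment.
SECRET_CRYPTO = Label("Secret", frozenset({"CRYPTO"}))
OBJECTS = {
    "weather_report": Label("Unclassified"),
    "budget": Label("Confidential"),
    "key_schedule": Label("Secret", frozenset({"CRYPTO"})),
    "reactor_plan": Label("Secret", frozenset({"NUCLEAR"})),
    "ops_order": Label("Top Secret", frozenset({"CRYPTO"})),
}

if __name__ == "__main__":
    for obj, ops in access_matrix(SECRET_CRYPTO, OBJECTS).items():
        print(f"{obj:16} {ops}")
```

The analyst can read the lower-classified budget but not write to it, cannot read the reactor plan even though it sits at the same level (wrong compartment), and may append to the Top Secret order without being able to read it. Real systems add a trusted-subject exception for declassification, since the strict *-property forbids it.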

How to choose between RBAC and ABAC?

Whether to implement RBAC or ABAC depends on an organization's requirements, and the answer differs from one organization to the next.

RBAC suits large-scale organizations because:

  • The roles and duties in large organizations are usually well-defined and static, making it easy to assign permissions based on roles.
  • RBAC provides a straightforward method for managing user permissions, reducing administrative overhead.
  • It allows for efficient control over resources, reducing the privilege creep that is common in large organizations.
  • It enforces least privilege and segregation of duties, essential principles of a robust security system in large organizations.
  • The simplicity of the RBAC model makes auditing and reviewing permissions easier, an important feature for large organizations with many employees and roles.

ABAC suits both large organizations and small and medium organizations (including startups) because:

  • ABAC provides dynamic, fine-grained access control suitable for organizations of all sizes that have diverse and changing environments.
  • It considers multiple attributes (user attributes, resource attributes, and environmental conditions) before granting access, providing a more nuanced and flexible approach to access control.
  • ABAC enables context-aware access control, which is useful for startups and SMEs where roles may not be as clearly defined as in larger organizations.
  • The ABAC model adapts to changes in the organization or its environment without redefining roles, making it suitable for rapidly growing or changing organizations like startups.
  • It allows for complex access control policies that fit the specific needs of an organization, regardless of its size.

Attribute-Based Access Control: The Future of Data Security

The data security landscape has evolved over the years, and breaches now tend to occur in very specific, localized areas: a single over-privileged account or an over-shared data set. Coarse access grants can lead database users to unintentionally create opportunities for both internal and external infiltration.

The solution lies in strengthening the access control protocols for users accessing organizational databases in cloud environments, which means using security solutions that implement features like attribute-based access control.

OptIQ, a modern data security platform, aims to offer businesses attribute-based access control for their users and user groups, and supports data governance through the creation of policies.

Administrators can establish access policies either at the user level or on a global scale, based on data access needs. As predicted by Gartner, Attribute-Based Access Control (ABAC) is the future of data security.

Organizations need to shift their approach to a more fine-grained control over data usage and patterns. To learn more about the OptIQ data security product and its capabilities, you can sign up for a demo here.

Frequently asked questions

1. What are the main advantages of using ABAC over RBAC?

ABAC provides more granular and dynamic access control, allowing for policies based on a wide range of attributes, not just roles. This flexibility enables OptIQ to tailor security policies more precisely and adapt to complex, changing environments, strengthening the customer's data security posture.

2. How do organizations typically transition from RBAC to ABAC?

Organizations using OptIQ's ABAC transition quickly from traditional role-based access control because OptIQ provides hands-on support to its customers and users. Our platform is designed for ease of use while securing and protecting data.

3. In what scenarios might ABAC provide significant benefits over RBAC in terms of access control?

ABAC is particularly advantageous in environments where access needs are complex and variable, such as cloud computing or managing access across diverse systems and user bases. But OptIQ helps you leverage ABAC even in simple environments. Using ABAC for data access control helps ensure robust security across cloud environments.

Give the Right Users the Right Access Control
Let us show how OptIQ can protect sensitive data, even when data is at rest or in motion.