Attribute-Based Access Control
02:15 18 April 2022
In the last few years, it is fair to say that data breaches have become one of the biggest problems for most organizations – mostly because of the sheer number of data breaches happening on a yearly basis. In this context, spending resources on a comprehensive data security system is completely logical.
However, the traditional model of data security – the one that embraces the concept of a strong perimeter defense – is becoming less and less effective with each year. The main reason for that is the nature of modern data breaches – more often than not the reason for a data breach is an insider threat.
An insider threat consists of two large groups of actions: mishandling of sensitive information, be it intentional or accidental, as well as the deliberate data theft performed with the intent to gain something out of it. This is the kind of threat that is near impossible to handle with the traditional security model alone.
This is where data-centric security comes in, offering a completely different approach to data security as a whole. Instead of focusing on an outer perimeter around the entire system, the data-centric system focuses on protecting the data itself, no matter if it’s in motion or at rest.
The success of data-centric security has been confirmed by the vast number of organizations that are already using it, including governments and multinational coalitions. For example, NATO uses data-centric security as one of the core parts of its data security strategy (NATO STANAG 4774 and 4778), and NIST (the National Institute of Standards and Technology) recommends a data-centric security approach as one of its best practices (there is an entire paper titled “Data Classification Practices: Facilitating Data-Centric Security Management”).
Data-centric security includes multiple different elements that help with facilitating this approach as a whole – including some elements that are fairly common, such as data discovery, data encryption, data tagging and data classification, and also some elements that are extremely specific, including zero trust access, digital watermarking, and attribute-based security controls, as well as many others.
While data classification and data tagging might be some of the most important elements of a data-centric security model, there are also many other elements that contribute a lot to the system as a whole. Attribute-based access control (ABAC) is one such example, offering the ability to dynamically change permissions for each and every piece of information depending on a variety of factors.
Checking multiple different parameters and factors acts as a safeguard to make sure that the only one who gets full access to the information in question is the correct person, in the right place, at the right time. This allows even the most security-reliant industries to retain the ability to collaborate and share information without the risk of accidental or intentional leakage (because the ABAC system is automated).
ABAC uses an entire dictionary of attributes to create individual circumstances and safeguards for each specific document, so that nothing is overlooked and there is little to no risk of a data breach. Many of the attributes that ABAC uses to allow or deny user access are industry-specific, but it is possible to show some of the more common ones, grouped as follows:
- Data type – Images, Videos, Documents, etc.
- Device parameters – Device Name, Device Classification, Device Credentials, MAC Address, etc.
- User credentials – User name, User Security Clearance, User Group, User Organization, etc.
- Network parameters – Network Name, Network Classification, Network Credentials, etc.
- Geographical information – Country Name, Country State, Detailed Address, and so on.
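To make the attribute groups above concrete, here is an added example (not from the original article, and not any vendor's product) of a minimal deny-by-default ABAC decision function: every rule over user, resource, device, network, location and time attributes must pass, and the names of failed rules are returned for the audit trail. The clearance ladder, the sample document and the analyst are constructed, hypothetical values.

```python
from dataclasses import dataclass
from datetime import time

# Hypothetical clearance ladder shared by users, devices and networks (constructed).
LEVEL = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

@dataclass(frozen=True)
class Request:
    """One access request, described entirely by attributes."""
    user: dict      # user credentials: clearance, group, organization
    resource: dict  # data type, classification, allowed_groups, releasable_to
    device: dict    # device classification
    network: dict   # network classification
    location: dict  # country code
    now: time       # local time of the request

def dominates(level: str, required: str) -> bool:
    """True when `level` is at least as high as `required` on the ladder."""
    return LEVEL[level] >= LEVEL[required]

# Each rule is a named predicate; the names end up in the audit trail on denial.
RULES = {
    "user_clearance": lambda r: dominates(r.user["clearance"], r.resource["classification"]),
    "user_group": lambda r: r.user["group"] in r.resource["allowed_groups"],
    "device_classification": lambda r: dominates(r.device["classification"], r.resource["classification"]),
    "network_classification": lambda r: dominates(r.network["classification"], r.resource["classification"]),
    "country": lambda r: r.location["country"] in r.resource["releasable_to"],
    # Classified material only during office hours; unclassified data is not time-bound.
    "time_of_day": lambda r: r.resource["classification"] == "UNCLASSIFIED" or time(8) <= r.now <= time(18),
}

def evaluate(req: Request) -> tuple[str, list[str]]:
    """Deny-by-default: every rule must pass. Returns the decision and the failed rules."""
    failed = [name for name, rule in RULES.items() if not rule(req)]
    return ("PERMIT" if not failed else "DENY", failed)

# Constructed sample: a SECRET engineering document and one analyst.
DOCUMENT = {"data_type": "document", "classification": "SECRET",
            "allowed_groups": {"engineering"}, "releasable_to": {"GB", "US"}}
ANALYST = {"name": "a.smith", "clearance": "SECRET", "group": "engineering", "organization": "example-org"}

def from_office() -> Request:
    return Request(ANALYST, DOCUMENT, {"classification": "SECRET"}, {"classification": "SECRET"}, {"country": "GB"}, time(10, 30))

def from_hotel_wifi() -> Request:
    # Same user and same document; only device, network, location and time differ.
    return Request(ANALYST, DOCUMENT, {"classification": "UNCLASSIFIED"}, {"classification": "UNCLASSIFIED"}, {"country": "FR"}, time(22, 0))

if __name__ == "__main__":
    for req in (from_office(), from_hotel_wifi()):
        print(evaluate(req))
```

The second request shows the dynamic part of ABAC: nothing about the user or the document changed, yet the decision flips to DENY because the device, network, location and time attributes no longer satisfy the policy.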
There are multiple different areas that ABAC can work in, combining the ability to collaborate and communicate without losing the ability to protect important information, with examples such as:
- Critical defense work and other top-secret objectives, where ABAC provides the granular level of control that this level of security requires.
- Productivity improvements for larger and more complex projects, together with a better, more secure collaboration process.
- Confidential data that is necessary to uphold important justice processes can also be protected with the help of ABAC.
- Both inter-agency and multinational collaboration can be made more secure by using ABAC at the government level.
- For financial organizations, ABAC is capable of helping to protect all kinds of client information, as well as to stay compliant with any applicable regulations.
- Sharing intellectual property and sensitive information in the field of health and response services can also be made that much more secure with ABAC, among other fields.
It is fairly easy to see how attribute-based access control is capable of improving many fields of work on its own, and it is at its most effective when used as part of a dedicated data-centric security system that covers as many potential security risks as possible.