Explore the advantages of adopting an ABAC security model for a more dynamic zero trust approach to access and data protection
The shift to hybrid and remote work in recent years has rendered the security controls we have spent years refining inadequate. With this shift becoming permanent, now is the time for organisations to review their data security practices and decide if a new approach that employs attribute-based access control (ABAC) is not just a nice to have, but a must have.
With data now being accessed from the office, home, coffee shops, and airports, evaluating your organisation’s access control protocols is essential. There are two common approaches organisations can deploy: role-based access control (RBAC) and attribute-based access control (ABAC). Understanding the differences between the two, and the common misconceptions about the newer ABAC model, will enable you to assess which technology best matches your needs now and into the future.
Role-based Access Control (RBAC)
RBAC is an access methodology that authorises a user based on their role. With RBAC, an IT administrator defines the parameters of access for that particular role. Depending on your position in the organisation, you will have a specific set of access permissions. Other roles will have different access rights.
Under this model, a user may be assigned multiple roles and have access to multiple files or data. For example, multiple teams within an organisation could be working on a joint project. The project manager will access contracts and edit the project plan. Meanwhile, the development team will only be allowed access to the programming files and won’t be able to access or modify the financial information or contract details for the project. Elsewhere, the HR team has access to all employee and financial data but cannot use the programming files.
Attribute-based Access Control (ABAC)
ABAC is a policy-based approach that utilises properties called attributes to determine access rights. These attributes can include a combination of user credentials (e.g., name, nationality, department, organisation, group), environment (e.g., location, device, time of day), and file properties (e.g., sensitivity level, classification, author, etc.). The ABAC methodology allows for more granular and dynamic access control than RBAC by matching the condition of a user and the data to grant or deny access to the file. The policies can also be used to apply additional security trimmings to restrict usage to further secure data.
For example, instead of the project manager always being able to modify contract files from any device in any location, ABAC policies can limit risk by restricting access to only office hours and locations or encrypting the document when accessed from an unprotected mobile device or unsecure network.
Implementing ABAC can reduce security issues and help with compliance and auditing processes. Because ABAC evaluates both the attributes of the user and the attributes of the data before granting access, the roles already defined under RBAC can be reused as user attributes when creating granular policies.
The need for proper access control in a modern hybrid working environment cannot be overstated. According to the IBM 2022 Cost of a Data Breach Report, the average cost of a data breach in Australia is $2.29 million per breach. Breaches in which remote work was a factor cost on average almost $1 million more. Many of these breaches can be avoided by employing better access control. So why are companies not choosing to implement a more dynamic approach to their data protection?
Many organisations mistakenly consider ABAC a complicated solution that requires additional time, budget and resources to manage compared with the more traditional RBAC approach. This is simply not true with modern ABAC technologies.
One ABAC rule can apply appropriate controls to address multiple access scenarios making it much easier to manage and get flexible, customised security without creating hundreds of roles or building thousands of rules to accommodate all the possible access and sharing scenarios. As ABAC can utilise an established RBAC policy, most of these rules will only require minor modifications to extend existing rulesets.
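As an added illustration (not code from the article or from NC Protect), the following Python snippet applies the single confidential-contract rule from the project-manager example above across the access scenarios the article lists: office hours and location, a managed device on a trusted network off-site, and an unprotected device or network. The subject, resource and environment attributes, the office-hours range and the obligation names are assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset          # existing RBAC roles reused as one ABAC attribute

@dataclass(frozen=True)
class Resource:
    path: str
    category: str             # "contract", "source", ...
    classification: str       # "internal" or "confidential"

@dataclass(frozen=True)
class Environment:
    location: str             # "office", "home", "cafe", "airport"
    device_managed: bool      # corporate-managed endpoint?
    network_trusted: bool     # corporate network or VPN?
    hour: int                 # local hour of day, 0-23

OFFICE_HOURS = range(8, 18)   # assumed working hours for the example

def evaluate(subject, resource, env):
    """Return (decision, obligations): decision is "allow" or "deny";
    obligations are extra controls the enforcement point must apply."""
    # Coarse RBAC gate: only the project-manager role may see contracts at all.
    if resource.category == "contract" and "project_manager" not in subject.roles:
        return "deny", ("audit",)
    if resource.classification != "confidential":
        return "allow", ("audit",)
    # One rule for confidential files; the outcome adapts to the access context.
    in_hours = env.hour in OFFICE_HOURS
    protected = env.device_managed and env.network_trusted
    if protected and env.location == "office" and in_hours:
        return "allow", ("audit",)                        # full edit access
    if protected:
        return "allow", ("read_only", "audit")            # off-site or off-hours
    if in_hours:
        # Unprotected device or network: read-only, encrypted, viewer watermarked.
        return "allow", ("read_only", "encrypt", "watermark", "audit")
    return "deny", ("audit",)

# Constructed sample subjects and files (not taken from the article).
PM = Subject("alice", frozenset({"project_manager"}))
DEV = Subject("bob", frozenset({"developer"}))
CONTRACT = Resource("/projects/apollo/contract.docx", "contract", "confidential")
SOURCE = Resource("/projects/apollo/src/main.c", "source", "internal")
```

The same `evaluate` function covers every combination of location, device, network and time without a separate role per scenario, which is the point the paragraph above makes.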
Additionally, early iterations of ABAC relied on agent-based enforcement. The software had to be running on an employee’s desktop to enforce rules and protect data. This agent-based architecture is no longer required. Agentless, service-based implementations allow companies to seamlessly transition their workforce to ABAC without the need for additional software to take up memory and hard-drive space on user laptops.
The pandemic has also brought a massive shift to how we work with our data, whether accessing from home environments, personal devices or using collaboration platforms such as Teams, Slack and Microsoft 365. As a result, organisations are producing content at a prolific rate, and this data is now accessible inside and outside the secure perimeter. With these changes, the concept of “Zero Trust” is quickly gaining attention as the preferred security methodology.
Zero Trust boils down to a simple concept: verify and validate each and every access attempt to data to satisfy the needs of the user and the business.
Using a data-centric zero-trust security approach enforced by ABAC ensures that appropriate validation is applied every time a user attempts to access an individual file. The rules are tied to the sensitivity of the data and to the specific access or sharing scenario, extending the zero trust concept from the network and application layers to the data layer itself.
With NC Protect from archTIS, organisations can quickly implement an ABAC solution that will effectively manage access control and data protection in Microsoft 365, Microsoft Teams, OneDrive and on-premises SharePoint Server and file share environments. NC Protect applies and enforces dynamic, policy-driven access and data protection controls that leverage both user and data attributes to ensure an organisation’s users and guests access, share and collaborate on sensitive information securely.
NC Protect applies real-time ABAC-powered access, usage and protection policies to unstructured data. Whether the information is stored in a document or shared in a chat log or email, companies can enforce what a user can see when browsing or searching for files. When a user is granted access, it can be restricted to read-only versions using a secure application that also applies individualised dynamic watermarks to identify the user and device used to open the file. This capability is useful if the scenario is considered higher risk or the information is being accessed by a third-party guest user. A user may also be granted full control if the situation permits, but their activity is recorded in an audit trail that captures who accessed what, when and where, across the entire organisation.
NC Protect is simple to deploy, and it does not change the state of your data at rest. It can utilize existing RBAC policies to ensure faster onboarding and expand to ensure your employees only have access to content that they require. The platform will also consume metadata applied by other security applications, ensuring existing security policies are easily transitioned to a more dynamic access policy.
If you are considering implementing ABAC or zero trust, evaluate NC Protect. Whether you need to manage sensitive data securely within your Microsoft 365 applications, SharePoint Server or Windows file shares, archTIS can assist. archTIS puts you on the path to data-centric zero trust access and protection to safeguard your most valuable information. Contact us to learn more.