With large numbers of staff working from home for the foreseeable future, many organisations are realising they may need to (finally) revise the digital authorisation methods they have in place, Steve Dillon of Ping Identity writes.
In many cases, organisations had been relying on role-based access control (RBAC) to determine who could gain access to IT resources. However, while this worked well when users and resources were within a corporate firewall, it does not provide sufficient protection in the post-COVID world of work.
Now, a growing number are turning to a new approach termed attribute-based access control (ABAC). This combines centralised control with user-level context to make real-time decisions.
Under the hood of ABAC
ABAC significantly improves IT security by evaluating more than just a user’s role for authorisation decisions. It also involves examining the context of an access request to provide a more detailed view of the situation. For example, with more staff working from home, an organisation needs to be on the lookout for fraudulent attempts to gain access to applications and data using an employee’s stolen credentials. If additional attributes are also used, it becomes more likely that fraudulent activity will be spotted.
The approach is further strengthened with the addition of dynamic authorisation capabilities. This allows real-time enforcement of the fine-grained business logic around what users can see and do, in what context, and for what purpose. Dynamic authorisation begins with an application providing data to a central authorisation system that identifies the nature of the request. Examples could include a customer who wants to access their e-commerce account or an HR employee who wants to access confidential employee files.
The central authorisation system then takes responsibility for collecting the additional data required to make the appropriate authorisation decision. This additional data could include things such as the user’s current risk status, the context of their request, and the IP address from which the request was made.
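A small central policy evaluator of the kind described above, written as an added illustration rather than any vendor's product code: it combines the user's attributes (department, risk score, MFA state), the resource's attributes and the request context (source IP) to decide the two cases mentioned, and it also shows the trust-based step-up path discussed later in the article. The attribute names, corporate IP ranges and risk threshold are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data: corporate egress ranges the central policy
# engine is assumed to know about (an RFC 1918 block and a documentation prefix).
CORPORATE_RANGES = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

@dataclass
class Request:
    subject: dict       # who: id, department, mfa, risk_score
    resource: dict      # what: type, owner, sensitivity
    environment: dict   # context gathered centrally: source_ip

def from_corporate_network(ip: str) -> bool:
    """True when the request originates from a known corporate range."""
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)

def decide(req: Request) -> tuple:
    """Evaluate subject, resource and environment attributes together.
    Returns (decision, reason); unmatched requests are denied by default."""
    s, r, e = req.subject, req.resource, req.environment
    # Risk signal first: a session flagged as high risk is denied regardless
    # of role, which is exactly what a pure RBAC check would not see.
    if s.get("risk_score", 100) >= 80:
        return "deny", "session risk score too high"
    # Customer reaching their own e-commerce account.
    if r.get("type") == "account" and s.get("id") == r.get("owner"):
        return "permit", "subject owns the account"
    # HR employee reaching a confidential employee file.
    if r.get("type") == "employee_file" and r.get("sensitivity") == "confidential":
        if s.get("department") != "HR":
            return "deny", "only HR may read confidential employee files"
        if from_corporate_network(e.get("source_ip", "0.0.0.0")):
            return "permit", "HR user on corporate network"
        if s.get("mfa"):
            return "permit", "HR user off-network with MFA completed"
        # Adapt the experience to the trust level: ask for MFA rather than refuse.
        return "step_up", "HR user off-network must complete MFA"
    return "deny", "no policy matched"

if __name__ == "__main__":
    hr_home = Request({"id": "u42", "department": "HR", "mfa": False, "risk_score": 10},
                      {"type": "employee_file", "sensitivity": "confidential"},
                      {"source_ip": "198.51.100.7"})
    print(decide(hr_home))  # ('step_up', 'HR user off-network must complete MFA')
```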
Balancing security and customer experience
Many organisations are under increasing pressure to balance the need for strong security with providing a great customer experience. One approach is to adapt the user experience based on the level of trust in each user.
Thankfully, organisations tend to have numerous data sources and risk signals that can be used to determine whether access should be granted. Over time, an organisation can learn more about each customer and the typical patterns that exist within transactions.
This can help to lower fraud rates while also helping to reduce the number of false positives that need to be reviewed. It also helps to lower friction and make the customer experience exceptional.
An ABAC approach works well because it shifts authorisation policies away from application-level decisions to allow fraud teams to respond consistently and more quickly to issues as they occur. Ideally, customers won’t even realise that these protective measures are taking place.
Taking a multi-layered approach
Because cyber criminals are developing new techniques every day, taking a multi-layer approach to fraud prevention is an organisation’s best option. Layers can include developing strong policies and identifying risk signals, like monitoring for suspicious activity at a number of different points during a customer interaction.
Another layer to be considered is user education. Encourage both staff and customers to understand the types of risks that exist and the steps they can take to reduce their chances of falling victim. Topics to cover include email deception, phone-based scams and online fraud, as well as the tactics used by criminals who pretend to be trusted organisations.
Improved regulatory compliance
Having an ABAC strategy in place, strengthened by dynamic authorisation, will enable an organisation to better comply with government regulations such as those relating to personal privacy. Having a central authorisation capability will reduce the chance of data being illegally accessed or stolen, reducing the likelihood that an event will have to be reported to authorities.
A strategy of ABAC and dynamic authorisation can deliver significant benefits for an organisation’s staff and customers. It provides additional protection against threats that are constantly evolving.
Steve Dillon is head of APAC Architecture at Ping Identity.