Attributes is the new role?

By Sandeep Chopra.


At the Gartner Identity and Access Summit in Nov 2013, Gregg Kreizmann, Research VP at Gartner, predicted that by 2020, 70% of all businesses will use attribute-based access control (ABAC) as the dominant mechanism to protect critical assets, up from under 5% today.

In Oct 2013, NIST published its report “Guide to Attribute Based Access Control (ABAC) Definition and Considerations” (SP 800-162), which we discussed in an earlier blog post. This is recognition that organizations, including the federal government, need to govern how information is shared across systems, applications, and organizations.

And last year, with the introduction of Windows Server 2012, Microsoft introduced its own version of ABAC, called Dynamic Access Control (DAC; not to be confused with discretionary access control, which shares the acronym). DAC is an authorization model that greatly simplifies management of access to information resources. It gives companies the ability to define central access policies that control access to files based on their business value and risk, by evaluating resource properties (such as a file's classification) together with user and device claims issued by Active Directory.

So why the sudden attention on ABAC?

Companies currently rely on user groups and specific permissions or roles to control access. But increasingly, data is moving between applications and from inside the enterprise to the cloud, and users require access from anywhere, on any device. Group-based permissions and role-based access are no longer able to keep up: they require too many groups and roles to be created, and those change too often to be managed sustainably.

Gartner describes this problem as the challenge of context, which “will play an ever-expanding role as people come to enterprise networks from all angles and devices.” ABAC allows finer-grained control, down to the data level, and handles complex contexts elegantly, as a combination of user, resource, environment and other attributes. ABAC gathers and evaluates these attributes dynamically at request time, and can draw them from multiple attribute sources. This is why ABAC supports what Gartner refers to as the model of the “identity marketplace,” where external identity providers supply the user attributes “necessary to build context and define access control decisions.”

Another advantage as highlighted in the NIST report is that “ABAC enables object owners or administrators to apply access control policy without prior knowledge of the specific subject and for an unlimited number of subjects that might require access. As new subjects join the organization, rules and objects do not need to be modified. As long as the subject is assigned the attributes necessary for access to the required objects … no modifications to existing rules or object attributes are required.”

The diagram below summarizes it well:

[Diagram: comparison of access control models (source: TSCP)]

ABAC is the most “systemic” of these models: you set up the access policies once and let the system determine at runtime who can get access to what. There is no need to keep adjusting the access rules as long as the attributes describing users, data and context are properly defined and kept accurate, since every decision is only as good as the attribute data it is evaluated against.
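The NIST point above (new subjects need no rule changes) and the runtime-evaluation point are easiest to see in code. The following is an added illustration, not code from the original post or from any product it mentions: a minimal policy evaluator where each rule is a predicate over subject, resource and environment attributes. The attribute names (department, clearance, sensitivity, device_managed, action), the sample users and file, and the deny-overrides combining algorithm are all assumptions chosen for the example. It also shows the caveat a practitioner cares about: what happens when an attribute is missing from the request.

```python
"""Minimal attribute-based access control (ABAC) evaluator.

Added example, not code from the original post. Attribute names, sample
data and the combining algorithm (deny-overrides, default deny) are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]
# A condition sees the subject, resource and environment attributes of one request.
Condition = Callable[[Attrs, Attrs, Attrs], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str        # "permit" or "deny"
    condition: Condition


def evaluate(policy: List[Rule], subject: Attrs, resource: Attrs, env: Attrs) -> str:
    """Return "permit" or "deny" for one request.

    Deny-overrides: any matching deny rule wins, otherwise a matching permit
    rule permits, and if nothing matches the result is deny (default deny).
    """
    decision = "deny"
    for rule in policy:
        try:
            matched = rule.condition(subject, resource, env)
        except KeyError:
            # Missing attribute: a permit rule cannot be satisfied, and a deny
            # rule is assumed to apply (fail closed), so incomplete attribute
            # data never widens access.
            matched = rule.effect == "deny"
        if not matched:
            continue
        if rule.effect == "deny":
            return "deny"
        decision = "permit"
    return decision


# Constructed policy: three rules stand in for many groups and roles.
POLICY: List[Rule] = [
    Rule("same-department-and-cleared", "permit",
         lambda s, r, e: s["department"] == r["department"]
         and s["clearance"] >= r["sensitivity"]
         and e["action"] in ("read", "list")),
    Rule("owner-may-access", "permit",
         lambda s, r, e: s["id"] == r["owner"]),
    Rule("sensitive-data-needs-managed-device", "deny",
         lambda s, r, e: r["sensitivity"] >= 2 and not e["device_managed"]),
]


def who_can_access(policy: List[Rule], subjects: List[Attrs],
                   resource: Attrs, env: Attrs) -> List[str]:
    """Governance view: which subjects are permitted *in this context*.

    The answer depends on the environment attributes, so an access review
    under ABAC has to be evaluated rather than read off a role membership list.
    """
    return [s["id"] for s in subjects if evaluate(policy, s, resource, env) == "permit"]


# Constructed sample data.
ALICE = {"id": "alice", "department": "finance", "clearance": 3}
BOB = {"id": "bob", "department": "engineering", "clearance": 3}
LEDGER = {"name": "q3-ledger.xlsx", "department": "finance", "sensitivity": 2, "owner": "alice"}
MANAGED = {"action": "read", "device_managed": True}
BYOD = {"action": "read", "device_managed": False}


def demo() -> Dict[str, str]:
    """Run the policy over several scenarios; returns scenario -> decision."""
    # Carol joins finance after the policy was written: no rule is edited,
    # she is permitted purely because her attributes satisfy an existing rule.
    carol = {"id": "carol", "department": "finance", "clearance": 2}
    return {
        "alice_managed": evaluate(POLICY, ALICE, LEDGER, MANAGED),
        "alice_byod": evaluate(POLICY, ALICE, LEDGER, BYOD),
        "bob_managed": evaluate(POLICY, BOB, LEDGER, MANAGED),
        "carol_managed": evaluate(POLICY, carol, LEDGER, MANAGED),
        # Subject with no department/clearance attributes: permit rules cannot match.
        "unknown_managed": evaluate(POLICY, {"id": "x"}, LEDGER, MANAGED),
        # Device state unknown: the deny rule fails closed.
        "alice_no_device_info": evaluate(POLICY, ALICE, LEDGER, {"action": "read"}),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:22} {decision}")
    print("managed device:", who_can_access(POLICY, [ALICE, BOB], LEDGER, MANAGED))
    print("BYOD:          ", who_can_access(POLICY, [ALICE, BOB], LEDGER, BYOD))
```

Two things the paragraph alone does not show: the same subject is permitted from a managed device and denied from an unmanaged one with no change to her entitlements, and the `who_can_access` listing changes with the environment, which is exactly why "who has access to what" becomes a runtime question rather than a report.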

However, is ABAC ready for prime time?

The pain and business drivers are there. The standards and specifications exist. Analysts are taking notice. But are there commercial-strength solutions that companies can adopt? Are enterprise-class policy definition (Policy Administration Points, PAPs), policy decision (Policy Decision Points, PDPs) and policy enforcement (Policy Enforcement Points, PEPs) components available, along with the attribute sources they depend on? As these become available, we believe Gartner may be right.

Do you agree with Gartner? Are you considering ABAC? What are your drivers and barriers?


4 thoughts on “Attributes is the new role?”

  1. I agree. ABAC greatly simplifies the definition and maintenance of security controls for applications and data. However, it also greatly complicates Identity Governance. Answering the question of who has access to what becomes much more difficult and requires real-time evaluation. Also, if there are temporal, contextual or geographic policies, the answer to who has access to what ends up being, “it depends…”

    How do you ask a manager to review and certify a user’s access to applications and data if there are no roles, entitlements or rights to show? If a manager disagrees with access permissions, how do you effect change on a policy without adversely affecting others or ending up with policy explosion?

    I’m excited to see how it all plays out.
