For many years one of the easiest ways to control access to data has been through the use of roles. Each user in an organization was traditionally assigned a ‘role’ by IT security and this role determined the amount of information and level of access granted to the employee. This has been an incredibly useful task for some time now, but times are changing quickly.
As a guest author on Tripwire.com as part of the series on the state of security, Adam Fisher writes that as well as the sum total of information stored increasing over time, so too has the amount of information stored digitally: from less than 1% in 1986 to over 93% just two decades later. With the increasing amount of data held digitally, there is an increasing need to secure that data and allow access to the appropriate individuals.
Data stored digitally is data shared digitally. The ability to access data anytime, anywhere has changed the way organizations need to secure their information. Basic, network security (i.e., access controlled by ‘roles’) is no longer sufficient. Transformation from a traditional security approach to an Identity Security approach is required – based not on your location (inside or outside a firewall), but on who you are.
To enable and adapt, organizations must transform the enterprise from a security of ‘No to know.’ By relying on a system of attributes consistently defined between organizations and Attribute Based Access Control (ABAC) avoids the need for explicit authorizations to be directly assigned to individual users prior to the request. This enables a flexibility in large organizations where management of access using the traditional Role Based Access Control (RBAC) method would be time-consuming and complex – the opposite of what is required by modern businesses where fast and reliable access to information is key.
Even as far back as 2009, the limitations of RBAC were becoming evident, leading to the FICAM V2.0 advocating ABAC as the recommended model in 2011. In fact, Gartner have predicted that by 2020 70% of all businesses will be using ABAC as the dominant mechanism to protect their critical information. This compares to a paltry 5% using this system in 2015.
With the demands on businesses today to expand and reach out to partners, customer and contractors it is more important than ever to have a flexible access control that is suitable to meet the growing needs for instant data. ABAC is extremely well-suited to large organizations. Indeed, the ABAC system has the flexibility to implement existing role based controls and support a migration from this to a more granular policy based on an individual’s characteristics. This should allow for seamless integration with minimal disruption. The main downside is that, in being amore comprehensive and flexible system, it may – at least at first – be more costly to implement and maintain than the current tried and true access control systems.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”