
Attribute-based Access Control: Preparing For Implementation

By Author: Appsian


Security is one of the most pressing issues for enterprises worldwide. With an ever-increasing number of cyber-attacks attempted every day and a growing number of connected devices, it is vital for every company to maintain the best possible security measures in a layered approach.

Reviewing how you manage access to software, databases, big data, and APIs is one step you can take to protect your most important business assets. As the number of users and roles grows, legacy one-dimensional access control methods start to fail.

One effective way to strengthen a layered security strategy is to adopt an attribute-based access control (ABAC) approach. Here we outline how to prepare the enterprise to enforce this new form of access control.

Attribute-Based Access Control (ABAC)

ABAC governs user access across the enterprise through policies that are derived from data attributes and based on business and security rules. This form of contextual access control, also known as externalized fine-grained authorization, helps organizations address complicated issues around insider risks, national security, enforcement, privacy, and diverse business requirements.

ABAC is a model that can manage the complexities of today's IT world, where legacy role-based access control (RBAC) cannot adapt to a rapidly evolving environment. It uses attributes to construct policies that provide contextual, risk-aware access control. Unlike RBAC, which is strictly identity-centric, ABAC can describe authorization along multiple dimensions: the user, the resource being accessed, the relationship between the resource and the user, the behavior, and contextual details such as device, time, risk, and location. Within an organization, attributes may include organizational positions, teams, place, time of day, account balance, risk ranking, care relationship, and much more. An attribute is usually a key-value pair, which means that attributes come in sets: an identifier and the value or values associated with it. Because attributes can characterize almost anything, ABAC is multi-dimensional.
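The following added example (not from the article or from Appsian) sketches the model just described: a request carries subject, resource, action, and context attributes as key-value pairs, and a policy decision function evaluates rules over them, shown beside a role-only check for comparison. The patient-record scenario, the rule names, the attribute names (`care_team`, `risk_score`, `device_managed`), the risk threshold of 70, and the deny-overrides, default-deny combining are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]  # each attribute is a key-value pair; a set of them describes one entity

@dataclass(frozen=True)
class Request:
    subject: Attrs   # who is asking
    resource: Attrs  # what is being accessed
    action: str      # what they want to do
    context: Attrs   # device, time, risk, location

@dataclass(frozen=True)
class Rule:
    name: str
    effect: str  # "permit" or "deny"
    condition: Callable[[Request], bool]

# Hypothetical policy set for a patient-record service (names and threshold are assumptions).
POLICY: List[Rule] = [
    Rule("clinician-reads-own-patients", "permit",
         lambda r: r.action == "read"
         and r.subject.get("role") == "clinician"
         and r.subject.get("id") in r.resource.get("care_team", ())),
    # Missing context attributes fail closed: unknown risk is high, unknown device is unmanaged.
    Rule("block-high-risk-sessions", "deny", lambda r: r.context.get("risk_score", 100) >= 70),
    Rule("block-unmanaged-devices", "deny", lambda r: not r.context.get("device_managed", False)),
]

def decide(req: Request, policy: List[Rule] = POLICY) -> str:
    """Deny-overrides combining; a request with no matching permit is denied."""
    matched = [rule for rule in policy if rule.condition(req)]
    if any(rule.effect == "deny" for rule in matched):
        return "deny"
    return "permit" if any(rule.effect == "permit" for rule in matched) else "deny"

def rbac_decide(req: Request) -> str:
    """Role-only check for comparison: ignores resource and context attributes."""
    return "permit" if req.subject.get("role") == "clinician" and req.action == "read" else "deny"

# Constructed sample requests.
RECORD = {"type": "patient_record", "care_team": ["u17", "u42"]}
OK = {"device_managed": True, "risk_score": 10}
ON_TEAM = Request({"id": "u17", "role": "clinician"}, RECORD, "read", OK)
OFF_TEAM = Request({"id": "u99", "role": "clinician"}, RECORD, "read", OK)
RISKY = Request({"id": "u17", "role": "clinician"}, RECORD, "read", {**OK, "risk_score": 85})

if __name__ == "__main__":
    for label, req in [("on team", ON_TEAM), ("off team", OFF_TEAM), ("risky", RISKY)]:
        print(f"{label:9} rbac={rbac_decide(req):6} abac={decide(req)}")
```

The role-only check permits all three requests, while the attribute-based decision permits only the clinician who is on the record's care team and working from a low-risk, managed session.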

ABAC: Getting Started

As with any solution that can cover your entire organization, enterprises need to prepare for the change both technically and organizationally. Here are some areas to consider:

Identify stakeholder roles for planning and implementation: Access management affects all departments of an enterprise, and with an ABAC model, you have the opportunity to lock down critical assets and, when necessary, open up collaboration. It is designed to allow a number of people to have access to the same information. When implementing an ABAC application, having all of your internal teams on board is a crucial step.

Document security and business scenarios: Since ABAC is mainly a security solution, make sure your preparation accounts for the different security and business applications you currently run. You will also be able to streamline the current security system and introduce more complex rules for authorization and policy compliance.

Review technology needs that will support ABAC: Part of ABAC's strength comes from its ability to centralize access control and help organizations make and scale improvements quickly over time. As part of the initial implementation, auditing the infrastructure already in place and scoping the basic additions the current stack requires will help ensure a smooth transition. ABAC, for instance, works well with federated identity solutions and integrates seamlessly with API gateways.

Select which applications should be secured first: To get the project underway, select a pilot application as part of the test process so you can test and benchmark the results. The application you select will set the norm that you apply going forward, streamlining the enterprise-wide implementation and representing immediate ROI.

Determine functional and nonfunctional requirements: The execution of your ABAC solution will be guided by practical requirements. The functional requirements entail regulatory and business guidelines on who gets to see what, when, and where. IT leaders will have the most to say about nonfunctional requirements, which generally include aspects such as hosting, disaster recovery plans, and general usability.

Teams involved in the initial rollout frequently find it challenging to get the whole company on board. But once everyone is on board, the importance of ABAC can be seen in ROI from risk reduction, decreased time-to-market, and developers freed up to concentrate on application features. By preparing the project with training and the right team mindset, enterprises will be able to benefit from ABAC more efficiently while also ensuring that their most critical assets are secured.

More About the Author

Appsian is one of the leading providers of ERP data security, compliance, and implementation solutions, giving organizations complete control and visibility over their ERP data.
