RBAC vs ABAC: Cloud Identity & Authorizations ManagementGal Helemski February 20, 2017
American hacker and security consultant Kevin Mitnick, known for his 1995 arrest and subsequent five-year prison term, is quoted as saying, “Hackers are breaking the system for profit. Before, it was about intellectual curiosity and the pursuit of knowledge, and now hacking is big business.”
This once brazen, perhaps even shocking statement is now so clearly true – that there’s no company out there that does not consider authorization processes, identity management, and the effective protection of digital information to be a key concern. As threat levels – internal and external – continue to rise and SaaS (software-as-a-service) and cloud-based applications become the norm, it becomes increasingly important for organizations to adopt strategies that ensure that authorization to access information is on a legitimate basis, in order to mitigate risk and protect data. The question of course is how best to do this, taking into account the initial cost investment of each method, its ease of maintenance, and savings in the long term.
Key approaches to Authorization and Identity Management:
- “Need to Know”
One common approach to authorization and identity management involves security groups and adoption of multiple project management tools for HR, Ops, accountant, etc. But these create a variety of problems and are expensive to maintain, requiring time-wasting efforts to grant or remove access when employees are hired, switch projects or change departments.
In companies with a high turnover, the issue is compounded and IT departments struggle to keep up with the changes in staff. In a survey of 200 global IT managers conducted by Stanford University and Hong Kong University of Science and Technology, nearly half of the companies that participated confessed it took more than two weeks to revoke network access for employees whose jobs were terminated. This kind of delay is a security risk that cannot be ignored.
- RBAC – All about the user roles
A common methodology to the authorizations conundrum is the popular RBAC, or role-based access control – a well known method that has been touted as providing lower maintenance costs. However, in many cases, RABC has turned out to be overly complex, which has only increased as organizations choose to adopt the cloud. SaaS and cloud-based applications have created a more complicated reality on the security front – a reality in which, for example, applications typically are hosted on third-party infrastructure and run third-party code. In this new, dynamic, and less controlled environment, authorizations are notably more complex and RBAC cannot always meet security needs.
The “anytime, anywhere” nature of SaaS is not only an increased convenience, but also a real and very different kind of a risk.
It seems that an increasing number of businesses are catching on – realizing that they must dramatically shift how they approach authorizations and data security. In a different generation, authorization was often granted based on predefined privileges – but that’s a thing of the past. A completely different strategy is to determine access privileges based on the here and now, that is the only natural way forward.
- ABAC – A Broader Approach
Enter ABAC, attribute-based access control technology, an emerging methodology that is providing a more comprehensive solution to 2017 authorizations and security challenges.
ABAC takes into account any piece of data (or attributes) that you have on the user, such as, job title, responsibility, projects he’s participating in and much more. Furthermore, the environmental data, time, location, authentication level, etc. is also added. It’s based on context, utilizing attributes as a primary means of authorization and thereby providing finer granularity. By facilitating authorization in dynamically changing environments, it facilitates faster deployment of new tools and, most significantly, can assist companies in avoiding access creep.
This is why Gartner has already predicted that, by 2020, an impressive 70% of all businesses will be using ABAC. Compare that to the 5% of businesses who are using it today, it’s a startling prediction. ABAC provides a much more practical standard that enables quicker and safer ways to add and remove access to applications and services.
It is a good fit for our new reality – the reality of a business environment without any physical perimeter. Platforms that use reliable authorization standards are built and designed with this major shift in mind, and with the knowledge that businesses today need to continue to maintain security, support a continuously changing pool of SaaS and cloud-based applications, and configure external user groups such as partners, customers, and contract workers. And in a time of increasing security concerns, the approach that ABAC provides is necessary for the protection, management, and sharing of data assets.
The numerous approaches and methodologies in dealing with authorization and identity management processes and protection of digital assets presents a daunting challenge to any CTO or business owner. The growing trend of SaaS and cloud-based platforms has further complicated the need to tighten control of identity management. With the right application of access standards and protocols, enterprises can ensure that they know who and when users are accessing company resources from all corners of the infrastructure. PlainID simplifies this with its Unified Authorization Platform, which reduces the confusion, giving you a clear understanding of every authorization level.