Conventional Access Control Death and the Birth of Attribute Based Access Control

The question of what exactly defines cyber security is an important one, and one that many employees do not properly understand. This misunderstanding of just how important security is in the age of the Internet of Things (IoT) is an enormous liability for companies in the 21st century. And today’s conventional access control used to protect personal data may not be up to the challenge.

When we are talking about privacy, it is important to know that the three core security pillars are confidentiality, integrity, and availability. Privacy means having the right measures in place to keep your data confidential, intact, and available at all times.

The challenge for the business owner is enormous. How exactly do you ensure the privacy of information related to your customers? In fact, if there is a mantra for the 21st century it might very well be ‘confidentiality is king.’

Your employee might leave one week after being hired with all the company’s confidential documents on his USB key – all because the business doesn’t have policies to enforce security. Putting in place a policy that denies USB keys access to the company’s data will allow it to keep the information safe on the network.

The control of access is the primary business challenge.

Access Control is Pivotal

The world has changed. A tsunami of technologies has arrived. Devices and data now permeate our business environment. Access is ever easier and the Cloud is part of our corporate lives. The way that people exchange data is going to become ever more seamless. Companies need to focus on how they control access to information across numerous devices.

That means that when an organisation sets access controls in place, the whole IoT environment should be taken into account. Questions such as where the person is accessing data from and how the person is accessing that data are incredibly important. In this environment scalability becomes an enormous challenge – as the number of devices increases so do the potential problems.

Control of access to data starts with a simple concept – organisations need to know the identity of each person who requests access – and they need to authenticate that identity and have a level of comfort that the person actually has the right to access that data. Approaches can vary from biometric controls to passwords.

The company is also faced with the issue of granularity – just how detailed do policies have to be?

Attribute Based Access Control

One of the popular ways to police access is known as Attribute Based Access Control (ABAC). This is a condition-based access control method. By taking into consideration the subject requesting access, the object (what the requester is accessing), and the environment, companies can achieve a very dynamic level of access control that adapts to the environment and to different conditions.

Gartner (one of the world’s leading information technology research and advisory companies) predicted that 70% of organisations will use Attribute Based Access Control by 2020.

Attribute Based Access Control is built on having different attributes related to three main pillars – subjects, objects, and the environment. The subject will be the person requesting the access, the object will be, for example, the customer information, and the environment will be all that is defined around that person.

Here’s how it works. The user will have some attributes, the environment will have attributes, and the resource and the documents will have some attributes. Access can be granted, provided that an evaluation of a group of attributes indicates that it is necessary. This would depend on a variety of factors. An attribute can be time, role, or IP address, or even the country where the function is based.

A nice simple example – an MPEG adult movie can only be streamed by users whose age is greater than 18. The organisation does not authorise a specific user, but rather users who are more than 18 years old. The movie here also has an attribute: it is an adult movie. This is not just a static policy, but a condition that can be applied very widely and not only to some predefined users or predefined documents.
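
The evaluation described above, as an added example that is not part of the original article: a minimal ABAC decision function in Python that denies by default and also denies when an attribute is missing or malformed. The policy names, attribute names, the 10.0.0.0/8 office network and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
from datetime import time

OFFICE_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed value

# Constructed policies. "target" selects objects by attribute; every condition
# must hold over subject (s), object (o) and environment (e) attributes.
POLICIES = [
    {"name": "adult-movie",
     "target": {"type": "movie", "rating": "adult"},
     "conditions": [lambda s, o, e: s["age"] > 18]},
    {"name": "customer-record",
     "target": {"type": "customer_record"},
     "conditions": [
         lambda s, o, e: s["role"] == "account_manager",
         lambda s, o, e: ipaddress.ip_address(e["ip"]) in OFFICE_NET,
         lambda s, o, e: time(8, 0) <= e["time"] <= time(18, 0),
         lambda s, o, e: e["country"] == o["country"],
     ]},
]

def decide(subject, obj, env):
    """Return (permit, reason). Deny by default and on any unusable attribute."""
    for policy in POLICIES:
        if any(obj.get(k) != v for k, v in policy["target"].items()):
            continue  # policy does not apply to this object
        try:
            ok = all(cond(subject, obj, env) for cond in policy["conditions"])
        except (KeyError, ValueError, TypeError) as exc:
            # Missing or malformed attribute: fail closed instead of guessing.
            return False, f"{policy['name']}: unusable attribute ({exc!r})"
        return ok, f"{policy['name']}: {'permit' if ok else 'condition failed'}"
    return False, "no applicable policy"

# Constructed sample objects and environment
MOVIE = {"type": "movie", "rating": "adult"}
RECORD = {"type": "customer_record", "country": "FR"}
OFFICE = {"ip": "10.1.2.3", "time": time(10, 30), "country": "FR"}

if __name__ == "__main__":
    print(decide({"age": 25}, MOVIE, {}))
    print(decide({"age": 17}, MOVIE, {}))
    print(decide({"role": "account_manager"}, RECORD, OFFICE))
    print(decide({"role": "account_manager"}, RECORD, {**OFFICE, "ip": "203.0.113.9"}))
```

No policy names an individual user: changing a subject's attributes or the environment changes the decision without touching the policy itself.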

The advantage of Attribute Based Access Control is that it allows you to have a dynamic approach, defined granularity, and real-time decision-making capacity.

The challenge is that if you don’t have the right policies in place, Attribute Based Access Control will not help the organisation achieve effective access control. The most important aspect here is the willingness of the business to understand risks, threats, and then define these policies to allow access under the right conditions.

Overcoming Geographic and Cultural Limitations

This sort of access control allows the organisation to solve challenges around differences in countries’ regulations and cultural perceptions. People mirror their perceptions when they perform real daily tasks. Just because something is written out in policy guidelines does not mean that an employee will take the care to make sure that the policy is respected – there are other issues at play. He or she will act as they think best and mirror a cultural perception of privacy. Having a very dynamic approach to access control will allow an organisation to address that challenge.

Cultural differences are important and make a difference when it comes to data privacy. In North Africa for example, you can just go to someone’s house at any time and they will welcome you. They don’t require a meeting request beforehand, their house is open to anyone from outside – and the same applies to business.

Cultural understanding of privacy differs across the world. However, with legislation governing the privacy of data and data security evolving rapidly, each and every company needs to be aware that their policies should be both transparent and evolutionary in nature.

Conclusion

Conventional approaches to access control can no longer meet the diverse legislative and cultural requirements for data privacy. With Attribute Based Access Control, an organisation can take into account each and every employee’s need for data access and their cultural foundations which may influence their treatment of data. By adopting this approach, the organisation is safer – and more productive.