Most organizations have either completed their migration to the cloud or are part-way through it. The migration gathered pace as a way to adapt quickly during the COVID-19 pandemic, but it is here to stay. Workforces have gone remote, or rather hybrid, which in practice means a mix of employees and third-party associates around the world needing access to your systems and resources. Consequently, access control has become a fundamental part of every enterprise's security infrastructure. There are many access control models, and choosing the right one matters. In this article we look at the two most popular, attribute-based and role-based access control, and why one of them is better suited to this situation.
What is ABAC?
Attribute-based access control (ABAC) grants or denies access by evaluating policies against a set of attributes. An attribute is any property that can be established about the subject (the user or service making the request, for example department, affiliation or clearance), the resource being accessed (for example its classification or owner), the action requested, or the environment (for example time of day, location, network or device). Administrators write policies in terms of combinations of these attributes rather than in terms of individual users.
Because environment attributes are part of the decision, ABAC can grant the same person different levels of access depending on where they are, when they log in or which device they use. It essentially broadens the notion of users, roles and privileges to include attributes; a role can itself be one attribute of the subject. Which combination of subject, resource and environment attributes is required to perform an action is specified in a central policy that is evaluated at request time.
A good example of ABAC is a file that has been classified as containing sensitive data, where each user in the system carries attributes such as their affiliation, location and time zone. An administrator can then write a single policy stating that any document classified as sensitive may only be accessed by users affiliated with the organization, located in India, between 10am and 6pm IST. No per-user or per-role assignment is needed: a new employee who satisfies those attributes is covered automatically, and a request from outside the window or the location is denied even when the credentials presented are valid.
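The policy just described, worked through as a small policy decision point. This is an added example and not code from the original article; the attribute names (`affiliation`, `country`, `classification`, `device_managed`), the rule names and the sample requests are all assumptions constructed for the illustration. It goes slightly beyond the article's example by adding an explicit Deny rule for unmanaged devices, to show the deny-overrides combining behaviour a practitioner would expect from a real engine.

```python
"""Minimal attribute-based access control (ABAC) policy decision point.

Added illustration of the article's sensitive-document policy; this is not code
from the original page. Attribute names, rule names and sample requests are
assumptions constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

# India Standard Time is a fixed UTC+05:30 with no daylight saving, so a fixed
# offset is exact and the example does not depend on a system tz database.
IST = timezone(timedelta(hours=5, minutes=30), name="IST")


@dataclass(frozen=True)
class Request:
    subject: dict       # who: attributes of the user (affiliation, country, ...)
    action: str         # what: read, edit, ...
    resource: dict      # on what: attributes of the object (classification, ...)
    environment: dict   # context: request time (aware datetime), device state, ...


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                            # "Permit" or "Deny"
    condition: Callable[[Request], bool]   # predicate over the request attributes


def in_ist_business_hours(when: datetime) -> bool:
    """True if the instant falls in [10:00, 18:00) IST, whatever tz it was sent in."""
    if when.tzinfo is None:
        raise ValueError("request time must be timezone-aware")
    return 10 <= when.astimezone(IST).hour < 18


def sensitive_doc_rule(req: Request) -> bool:
    # The article's policy: sensitive documents only for users affiliated with
    # the organization, located in India, during 10am-6pm IST.
    return (
        req.resource.get("classification") == "sensitive"
        and req.subject.get("affiliation") == "employee"
        and req.subject.get("country") == "IN"
        and in_ist_business_hours(req.environment["time"])
    )


def public_doc_rule(req: Request) -> bool:
    return req.resource.get("classification") == "public" and req.action == "read"


def unmanaged_device_rule(req: Request) -> bool:
    # Environment attribute: any request from a device not under management.
    return not req.environment.get("device_managed", False)


POLICY = [
    Rule("deny-unmanaged-devices", "Deny", unmanaged_device_rule),
    Rule("sensitive-docs-employees-in-india-business-hours", "Permit", sensitive_doc_rule),
    Rule("public-docs-readable-by-anyone", "Permit", public_doc_rule),
]


def evaluate(req: Request, policy: list[Rule] = POLICY) -> tuple[str, str]:
    """Default-deny, deny-overrides evaluation. Returns (decision, deciding rule)."""
    decision = ("Deny", "default-deny")
    for rule in policy:
        if rule.condition(req):
            if rule.effect == "Deny":
                return ("Deny", rule.name)   # an explicit deny wins outright
            decision = ("Permit", rule.name)
    return decision


# Constructed sample data.
SENSITIVE_DOC = {"classification": "sensitive"}
PUBLIC_DOC = {"classification": "public"}
EMPLOYEE_IN = {"affiliation": "employee", "country": "IN"}
EMPLOYEE_AU = {"affiliation": "employee", "country": "AU"}
CONTRACTOR_IN = {"affiliation": "contractor", "country": "IN"}
NOON_IST = datetime(2024, 3, 5, 12, 0, tzinfo=IST)


def sample_decisions() -> dict[str, str]:
    """Run constructed requests through the policy; returns {case: decision}."""
    managed = {"time": NOON_IST, "device_managed": True}
    cases = {
        "employee in India, noon IST": Request(EMPLOYEE_IN, "read", SENSITIVE_DOC, managed),
        # Same instant sent as UTC (06:30Z): the rule converts rather than comparing raw hours.
        "same instant in UTC": Request(EMPLOYEE_IN, "read", SENSITIVE_DOC,
            {"time": NOON_IST.astimezone(timezone.utc), "device_managed": True}),
        "employee in India, 21:00 IST": Request(EMPLOYEE_IN, "read", SENSITIVE_DOC,
            {"time": datetime(2024, 3, 5, 21, 0, tzinfo=IST), "device_managed": True}),
        "employee in Australia, noon IST": Request(EMPLOYEE_AU, "read", SENSITIVE_DOC, managed),
        "contractor in India, noon IST": Request(CONTRACTOR_IN, "read", SENSITIVE_DOC, managed),
        "contractor reads public doc": Request(CONTRACTOR_IN, "read", PUBLIC_DOC, managed),
        # Right user, right time and place, but an unmanaged device: the deny overrides.
        "employee in India from unmanaged device": Request(EMPLOYEE_IN, "read", SENSITIVE_DOC,
            {"time": NOON_IST, "device_managed": False}),
    }
    return {name: evaluate(req)[0] for name, req in cases.items()}
```

Two design points matter more than the rule bodies. The engine is default-deny, so a request that matches no rule is refused, and an explicit Deny beats any Permit, so a new restriction can be added without auditing every existing Permit. Because `evaluate` takes the policy as an argument, changing the rule list changes the outcome of the very next request with no change to user or role assignments.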
What is RBAC?
Role-based access control (RBAC), also known as role-based security, restricts system access based on a user's role in the organization. Users are granted or denied access according to predefined roles; administrators decide which privileges and permissions each role carries, according to the responsibilities of the people who hold it.
In RBAC every user is assigned one or more roles, and every role is a collection of permissions (and, in some systems, explicit restrictions). A user can access a resource or perform an action only if one of their roles carries the corresponding permission. Permissions can also be inherited through a role hierarchy: a senior role inherits everything a junior role can do and adds to it. The hierarchy should follow job function rather than organizational rank; a senior executive does not need, and under least privilege should not hold, the permissions of every role below them.
RBAC is many-to-many: a role can have many users and a user can have many roles. A good example of RBAC is a content system in which users holding an editor role can edit an article while users holding only a viewer role can read it.
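The article-editing example above, worked through with a role hierarchy and many-to-many user-role assignment. This is an added example, not code from the original article; the role names (`viewer`, `editor`, `publisher`, `auditor`), the permissions and the users are constructed for the illustration. It also rejects cycles in the hierarchy, a misconfiguration that would silently make two roles equivalent.

```python
"""Minimal role-based access control (RBAC) with a role hierarchy.

Added illustration of the article's article-editing example; this is not code
from the original page. Role names, permissions and users are constructed.
"""
from __future__ import annotations

Permission = tuple[str, str]   # (action, resource type)

# Direct permissions of each role. Effective permissions are these plus
# everything inherited through ROLE_PARENTS.
ROLE_PERMISSIONS: dict[str, set[Permission]] = {
    "viewer": {("view", "article")},
    "editor": {("edit", "article")},
    "publisher": {("publish", "article")},
    "auditor": {("view", "audit-log")},
}

# Hierarchy by job function, not by org chart: child role -> roles it inherits.
ROLE_PARENTS: dict[str, set[str]] = {
    "viewer": set(),
    "editor": {"viewer"},        # editors can do everything viewers can
    "publisher": {"editor"},     # publishers can do everything editors can
    "auditor": set(),            # a separate function, inherits nothing
}

# Many-to-many: a user holds several roles and a role is held by several users.
USER_ROLES: dict[str, set[str]] = {
    "alice": {"viewer"},
    "bob": {"editor"},
    "carol": {"publisher", "auditor"},
    "dave": set(),               # account exists but no role: must get nothing
}


def expand_roles(roles: set[str], parents: dict[str, set[str]] = ROLE_PARENTS) -> set[str]:
    """Transitive closure of the hierarchy. Rejects cycles, which would make two
    roles equivalent and almost always mean a misconfigured hierarchy."""
    seen: set[str] = set()

    def visit(role: str, path: frozenset[str]) -> None:
        if role in path:
            raise ValueError(f"role hierarchy cycle through {role!r}")
        if role in seen:
            return
        if role not in parents:
            raise KeyError(f"unknown role {role!r}")
        seen.add(role)
        for parent in parents[role]:
            visit(parent, path | {role})

    for role in roles:
        visit(role, frozenset())
    return seen


def effective_permissions(user: str) -> set[Permission]:
    """Union of the direct permissions of every role the user holds or inherits."""
    perms: set[Permission] = set()
    for role in expand_roles(USER_ROLES.get(user, set())):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: str, action: str, resource_type: str) -> bool:
    return (action, resource_type) in effective_permissions(user)


def users_with_permission(action: str, resource_type: str) -> set[str]:
    """Reverse lookup for access reviews: who can perform this action?"""
    return {u for u in USER_ROLES if is_authorized(u, action, resource_type)}
```

Note what the decision does not look at: the time, the location or the device of the request. Once bob holds `editor`, he can edit from anywhere, at any time, until an administrator changes his role assignment. The reverse lookup in `users_with_permission` is what an access review needs, and it is cheap here only because the full role graph is small and static.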
ABAC vs RBAC for cloud native security
RBAC is straightforward and easier to set up than assigning attributes to individuals, but in a cloud native system it is the weaker of the two, for the following reasons.
1. Better control
ABAC gives administrators finer control: permissions are defined and managed through explicit rules over attributes, so a policy can express conditions (such as time, location or device) that a static role assignment cannot.
2. Decreases the chances of cyber crimes
In cloud native systems, many users spread around the world access an organization's systems and resources. If an attacker obtains the credentials of any user, at any level, an RBAC model grants the attacker everything that user's roles allow, from anywhere and at any time. ABAC narrows this: because permissions also depend on environment attributes such as location, time zone and device, a request made with stolen credentials from an unexpected country or outside working hours is denied. ABAC reduces rather than eliminates the risk, since credentials used from within the expected attribute envelope still succeed, so it complements strong authentication rather than replacing it.
3. Requires fewer policies
ABAC needs fewer policies and avoids role explosion. In RBAC, every distinct combination of job function and condition (region, data classification, working hours) tends to become its own role, and the number of roles multiplies. In ABAC a single rule over those attributes covers all of the combinations, so there is no need to create a separate role or policy for each job function, which makes the permission set easier for administrators to manage.
4. Granularity and centralization
ABAC provides granular permissions because authorization keys on attributes rather than on coarse role membership. A central policy can also be applied consistently across many cloud platforms, centralizing access control rather than replicating role definitions in each one.
5. Quick response time
In the ABAC model, policies live in a central authorization service and are evaluated at runtime on every request, so a policy change takes effect on the next request without touching individual users or roles. Enterprises can therefore respond quickly to policy modification requests.
6. Fits the current reality
Our current reality is an environment without a physical perimeter. Systems are widely distributed and dynamic, and constantly need to accommodate third-party associates, so they must maintain security continuously. ABAC fits this by providing a way to protect, manage and share data based on who is asking, what they are asking for and under what conditions.
7. Future proof
ABAC helps organizations future-proof their access control: new conditions are added as attributes and rules rather than as new roles, which gives greater flexibility over security controls and lets the model scale with the organization.
Conclusion
Access management is an essential part of the security of any cloud native infrastructure. It is therefore crucial to use a robust access management framework that gives organizations complete knowledge of who is accessing their systems and resources, from where and when, across their whole ecosystem. ABAC is a step towards the most secure, and consequently the best-fitting, access management model for such organizations.
If you have questions related to this topic, feel free to book a meeting with one of our solutions experts, mail to sales@amazic.com.