WHAT IS ATTRIBUTE-BASED ACCESS CONTROL?
Attribute-based Access Control (ABAC) is an advanced variant of role-based access control (RBAC). ABAC is a logical access control model which controls access to objects by evaluating rules against the specific attributes of the access requesting entity. There are typically 4 attribute types that ABAC uses to dynamically evaluate whether the access requested should be granted or not.
- Attributes of the subject
- Attributes of the object
- Environment conditions
- A formal relationship or access control rule which defines the permissible operations for subject-object attribute and environment condition combinations
If this may seem complicated, let’s understand ABAC by comparing it with RBAC. While RBAC is based on only the role of a particular access requester (based on organizational AD hierarchy), ABAC goes a step further and allows specific attributes (more than just the employee role) such as the location, department, or any customized properties that could define access privileges. For example, you can grant access to systems based on, say, an employee who is a R&D developer, who works on a specific project, a specific module, for a specific client, and during a specific duration can only gain access to protected information.
There are more filter levels and granular data checks in ABAC that make it harder to infiltrate as the intruder has to pass through all the attribute clearances before he’s allowed access. This is not exactly multi-level authentication, but is a more robust single level authentication that needs specific qualifying criteria based on multiple properties or metadata. It should be noted that, building an ABAC rule is not as simple as an RBAC one as you need to identify all the passing criteria for granting access, but the biggest advantage is you can tailor it to make your access provisioning more restricted to only the right people/system you deem authenticated for access.
ABAC is more flexible in security algorithm allowing more evaluation criteria and less manual intervention. Though the attribute data required to build access control rules for ABAC is wide-ranging and granular in detail, ABAC offers more dynamism and intelligent access controls for safeguarding confidential information and IT assets.
According to NIST, ABAC systems are capable of enforcing both Discretionary Access Control (DAC) and Mandatory Access Control (MAC) models. Moreover, ABAC systems can enable Risk-Adaptable Access Control (RAdAC) solutions, with risk values expressed as variable attributes. From the network perspective, network access control becomes stronger with ABAC as IT teams can use various attributes/AD properties/metadata to provide device and user access into the network.
If you are interested to learn about building a network whitelist and alerting when a network device or user outside the whitelist connects to your network, explore User Device Tracker.