Attribute-based Access Control (ABAC)
What is attribute-based access control?
Attribute-based access control (ABAC) is an authentication model that assesses attributes (or characteristics) instead of roles to verify access. ABAC aims to protect objects such as network devices, data, and IT resources from unauthorized users and actions—those that don’t align with “approved” characteristics as outlined by an organization’s security policies.
ABAC rose to fame as a form of logical access control in the past decade and evolved from simple access control lists and role-based access control (RBAC). As part of a project to assist federal organizations in improving their access control architectures, the Federal Chief Information Officers Council authorized ABAC in 2011. ABAC is the suggested model for organizations to share information securely.
This post will delve into greater depth to analyze how attribute-based access control works and how adopting ABAC could benefit your organization.
What is Attribute Based Access Control used for?
Attribute Based Access Control aims to protect objects such as data, network devices, and IT resources from unauthorized users and actions—those that don’t align with “approved” characteristics as outlined by an organization’s security policies.
In traditional access control models, such as role-based access control (RBAC), access decisions are typically based on the user’s role or group membership. ABAC, on the other hand, considers a wider range of attributes that can include not only the user’s role but also their personal attributes, environmental factors, resource characteristics, and more.
In ABAC, access control decisions are made by evaluating a set of policies that define the relationships between attributes and permissions. These policies are typically expressed in a logical language and can be quite flexible and expressive. The attributes used in ABAC can include various pieces of information such as user attributes (e.g., job title, department, location), environmental attributes (e.g., time of day, network location), and resource attributes (e.g., sensitivity, classification).
The main advantages of ABAC include:
1. Fine-grained access control: ABAC allows for more granular control over access permissions by considering a broader range of attributes. This enables organizations to define access policies that are more closely aligned with their specific security and business requirements.
2. Dynamic access control: ABAC can support dynamic access control decisions based on real-time attribute values. For example, access can be granted or denied based on the user’s current location, the sensitivity of the requested resource, or the time of day.
3. Policy-based administration: ABAC policies are typically defined and managed separately from the underlying systems and applications. This allows for centralized administration and easier policy updates, making it more flexible and scalable in large and complex environments.
4. Adaptability: ABAC can adapt to changing business requirements and evolving security needs. As attributes and policies can be easily modified or extended, ABAC provides flexibility in managing access control as the organization grows or its requirements change.
Overall, Attribute-Based Access Control offers a more flexible and fine-grained approach to access control by considering multiple attributes in access decisions, enabling organizations to implement more dynamic and adaptable security policies.
Where is ABAC used?
Applications. The model of ABAC can be applied at any level of the enterprise infrastructure or technology stack. For example, an organization can use ABAC at the firewall, server, application, database, and data layer.
How do you implement attribute-based access control?
Here is how AWS ABAC works:
– It uses attributes as tags and attaches them to IAM resources and entities such as roles and users.
– Create a single or a set of ABAC policies to comply with IAM principles.
– Configure AWS ABAC policies to conduct operations when a principal’s tag matches a resource tag.
What are the advantages of ABAC over RBAC?
In most cases, ABAC has plenty more control variables than RBAC. Since ABAC can control security and access on a fine-grained basis, it’s mainly implemented to reduce risks arising from unauthorized access.
What is the difference between PBAC and ABAC?