Defining ABAC

As Forrester’s Sean Ryan reports in his musically-oriented blog post, Rock ‘N’ Role, role-based access control won’t be going away, but on its own it is no longer sufficient to deal with all of the contextual and dynamic needs of today’s business. Rather than proliferating the number of roles to manage (or accepting the increasing risks presented by digital business), additional elements are needed for making access control decisions. Here’s where attribute-based access control comes into play: ABAC is capable of everything RBAC can do, plus much more.

ABAC goes beyond just users and roles to perform a comprehensive evaluation across multiple vectors: What type of data is it? Where is it located? Where is the subject requesting access located? How is access being requested? Over what network? What’s the security profile of that network? Is it under attack? What’s the risk profile of the subject or device involved?

Attribute Based Access Control (ABAC): An access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.

NIST Special Publication 800-162
Figure: basic ABAC scenario. (1) A subject, which can be an end user or a service, requests access to an object, also known as a resource. (2) The access control mechanism evaluates subject attributes, object attributes, and environment condition attributes to compute a decision. (3) The subject is given access to the object if authorized.

ABAC Mechanisms

In NIST terminology, a subject can be a human user or a non-human entity or service that is requesting access to perform some sort of operation (read, write, edit, execute, modify, copy, or delete). Objects, sometimes called resources, can really be anything: an unstructured file or a structured database, a command-line interface or a compute service, source code or test suites, medical devices or video streams. The environmental conditions supply situational and contextual awareness.

Subjects, objects, and environmental contexts all possess multi-valued attributes that describe them. Policies are the written rules and relationships that govern when access can be granted based on attributes of the three. It should now be abundantly clear how roles can be implemented in ABAC as subject attribute values. Authentication is still required, but access (authorization) is no longer automatically granted once a subject has authenticated.

Policies constructed against multiple attributes can express more complex Boolean rule sets and conditional access with IF/THEN statements. This makes them ideal for handling the dynamic and contextual needs of cloud environments with precision. In fact, you may hear ABAC referred to as policy-based access control (PBAC) or contextual policy. Terms are proliferating to describe this new phenomenon of policy becoming the new perimeter around the value that we are trying to protect.
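The following is an added illustration of the mechanism described above, not code from this blog post, from Forrester, or from NIST SP 800-162. It implements a minimal policy decision point: each policy is an IF/THEN rule over subject, object and environment attributes, roles appear only as one subject attribute among others, the combining rule is deny-overrides with deny by default, and the decision is returned together with the names of the policies that applied so that it can be audited. All attribute names, policy rules and sample requests are constructed for the example.

```python
"""Minimal attribute-based access control (ABAC) policy decision point.

Added example, not code from the blog post or from NIST SP 800-162.
Attribute names, policies and sample requests are constructed here.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]


@dataclass
class Request:
    """One access request: who (subject), what (object), under which
    environment conditions, and the operation being requested."""
    subject: Attrs
    obj: Attrs
    environment: Attrs
    action: str


@dataclass
class Policy:
    """A rule expressed over attributes: `applies` is the IF part,
    `effect` ("permit" or "deny") is the THEN part."""
    name: str
    effect: str
    applies: Callable[[Request], bool]


# Constructed policy set. The role check is just another subject attribute
# test, which is how an RBAC rule is expressed inside ABAC.
POLICIES: List[Policy] = [
    Policy(
        "clinician-reads-own-department-records",
        "permit",
        lambda r: "clinician" in r.subject.get("roles", ())
        and r.obj.get("type") == "patient-record"
        and r.obj.get("department") == r.subject.get("department")
        and r.action == "read",
    ),
    Policy(
        "owner-full-access",
        "permit",
        lambda r: r.obj.get("owner") is not None
        and r.obj.get("owner") == r.subject.get("id"),
    ),
    Policy(
        "restricted-data-needs-managed-device",
        "deny",
        lambda r: r.obj.get("classification") == "restricted"
        and not r.subject.get("device_managed", False),
    ),
    Policy(
        "block-during-network-attack",
        "deny",
        lambda r: r.environment.get("network_risk") == "high"
        or r.environment.get("under_attack", False),
    ),
]


def decide(request: Request, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Deny-overrides combining, deny by default.

    Returns the decision and the names of the policies that applied; an
    authorization audit log should record both."""
    applicable = [p for p in policies if p.applies(request)]
    names = [p.name for p in applicable]
    if any(p.effect == "deny" for p in applicable):
        return "deny", names
    if any(p.effect == "permit" for p in applicable):
        return "permit", names
    return "deny", names  # nothing matched: authenticated is not authorized


def sample_requests() -> Dict[str, Request]:
    """Constructed requests covering the interesting decision paths."""
    clinician = {"id": "u42", "roles": ["clinician"], "department": "cardiology",
                 "device_managed": True}
    record = {"type": "patient-record", "department": "cardiology",
              "classification": "restricted", "owner": None}
    calm = {"network_risk": "low", "under_attack": False}
    attacked = {"network_risk": "high", "under_attack": True}
    return {
        "normal_read": Request(clinician, record, calm, "read"),
        "read_under_attack": Request(clinician, record, attacked, "read"),
        "other_department": Request({**clinician, "department": "oncology"},
                                    record, calm, "read"),
        "unmanaged_owner": Request(
            {"id": "u7", "roles": [], "device_managed": False},
            {"type": "note", "classification": "restricted", "owner": "u7"},
            calm, "write"),
    }


if __name__ == "__main__":
    for label, req in sample_requests().items():
        decision, why = decide(req)
        print(f"{label:18s} -> {decision:6s} via {why}")
```

Two design points are worth noting. The "read_under_attack" request satisfies the clinician permit rule, yet the environmental condition policy still wins because deny overrides permit; that is the contextual control RBAC alone cannot express. The "other_department" request matches no policy at all and is denied by default, which is the behaviour the passage describes: being authenticated does not by itself grant access.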

Part 3/7 ABAC Blog Series: Policy is the New Perimeter