
Implementing ABAC Policy with Machina

As we’ve seen, organizations traditionally streamline provisioning through sets of templates that are packaged together as “roles” and are used to grant access in an RBAC model. These templates are relatively rigid and do not respond well to edge cases or dynamic business changes.

Machina™ consolidates policy fragments into a centralized attribute-based access control system that goes beyond the traditional RBAC model to also evaluate data identity and request context. Leveraging additional attributes when rendering an access control decision adds flexibility to handle edge cases, new business contexts, regulatory changes, and much more.

Machina includes a number of components by default that enterprises often attempt to cobble together on their own, but they can only integrate a subset of these capabilities, usually confined to a few isolated silos. No other solution on the market today delivers a massively scalable key management system with a data attribute store, a highly flexible attribute-based policy engine capable of making just-in-time decisions, and an extensive set of SDKs and APIs to simplify consistent data handling across a complex hybrid landscape. There’s no longer any need to manage policy and protection separately in every silo.

  • When it comes to the risks outlined in the prior section, Machina feeds real-time intelligence about every access request into governance efforts, which can make data-driven decisions based on how access is actually functioning instead of speaking in hypotheticals.
  • The perceived complexity of scaling and managing an ABAC model is just that: a perception. RBAC models, which require a tremendous amount of planning to think through every potential edge case in advance, are fundamentally a different beast. ABAC models require you to just describe the facts, not forecast an uncertain future.
  • And although handling multiple variables in an access decision gives the appearance of complexity, Machina customers report that they manage fewer policies in fewer places much more simply than they ever did before. Machina makes precise policy easy for administrators to write by translating natural language policies into XACML-compliant code that can be enforced dynamically in complex, real-time environments.

Access decisions often involve decrypting data under the right circumstances, but with Machina, encryption is just one form of access control. Building a policy-based access control engine around a key management system makes dynamic decisions possible at scale with high performance. The keys travel with the data, but unlike traditional key management services or hardware security modules, access controlled by Machina leverages the key’s attributes, not the key itself. Instead of defining policies based on access to a key, with Machina I can describe my data using attributes and then use those attributes when writing policy. 

This innovative approach to controlling access policy decisions through attribute-based key release has led to integrations with AWS, Google Cloud, and Microsoft Azure. With these and other well-known partners, Machina integrates to enrich real-time decision-making with external attributes, function as an externalized or step-up authorization framework to provide a policy decision point over other enforcement mechanisms, and provide dynamic authorization to data and resources. Machina integrates easily with authoritative data sources through standards like SAML, SCIM, and OAuth, and it’s important to note that customers can use their existing IAM or key management service with Machina as desired through the strength of these partnerships. 

It’s also important to note how Machina represents an improvement on template-based approaches to security. Template models require big, up-front, granular decisions that lock organizations into a framework identified some time ago that likely no longer matches the dynamic state of today’s business. Policy can be changed based on a group or an individual template, but data cannot be removed from that template. To effect a change, administrators must deny access, reclassify, and reissue the data. This is exceedingly challenging for operational teams and end users.

Our clients tell me that template-based models–and most RBAC models leverage templates–can’t scale. Their users are perhaps sophisticated enough to choose from four templates, but what the organization really needs to handle the dynamic complexity of its business are four thousand templates. With a data identity store, Machina allows organizations to customize attributes, adding or changing and dynamically enforcing those changes as the business evolves.

Machina also provides visibility into the way access is actually being granted–not just how it is supposed to be granted. This real-time feedback is exactly what is needed to create roles of any stripe, but RBAC-based solutions are challenged when it comes to providing this level of visibility.

Machina Architecture Diagram: solution components Policy, Attributes, Decision, Console, and Tools. In a single, highly automated framework, Machina combines all the solution components required to scale data protection across clouds, environments, applications, and data silos.

  • Policy: A framework for storing and retrieving rich, contextual data access policies leveraging attribute-based access control (ABAC), federated across identities, resources, data stores, applications, and workloads.
  • Attributes: An intelligent system that couples a rich set of user, device, service, and data attributes with automated machine-scale key management, independent of applications, scalable to trillions of keys, and fully controlled by your organization.
  • Decision: An API-driven service layer that enables just-in-time enforcement of data access policies by evaluating user, device, service, environment, and data attributes to determine whether to allow or deny the request.
  • Console: An interface providing configuration, auditing, and analytics capabilities for policies, as well as comprehensive, real-time visibility into how users are accessing and handling sensitive data over the lifetime of every data element.
  • Tools: A robust set of developer tools (SDKs and APIs) provides easy-to-use integration between Machina data protection services and diverse applications, enabled with only a few lines of code (or with Connectors, i.e. Machina SDK Connectors for AWS, GCP, and Azure).

Attributes can be pulled from external Policy Information Points such as IdP, DLP, CASB, and others. Data logs can be exported from the Console to SIEMs.
Machina Architecture Natively Supports ABAC

With Machina Decision–an API-driven service layer–customers enable just-in-time enforcement of attribute-based policies across applications and repositories. Machina Console logs every transaction request, providing extensive visibility into access granted or denied. Users typically ingest these logs into a SIEM or other event or alerting tool to learn from actual access behavior patterns. 

Changes to Machina policy can be made just-in-time (JIT) to increase security or reduce risk based on observations; this policy dynamically affects data handling rules across a complex landscape without requiring new security templates, new roles, or application logic changes.

Implementing Machina into an application is as easy for a developer as using Stripe or Twilio to handle payments or messaging, and it’s free and easy to get started. The few lines of Machina code abstract complex business logic out of the application so it can be managed centrally by administrators. 

When it comes to authoring access policy–like the examples below that come from the use cases discussed previously in this series–Machina Console supports full separation of duties, provides simulation capabilities to understand projected impacts, and captures detailed versioning and visibility to audit every policy and rule change. Some customers grant supply chain vendors the ability to write–but not implement–policy in shared applications to standardize access control rules within a federated use case and reduce supply chain risk.

Machina Console screenshot (Data Policies tab selected) showing the details of "Court System Access Control Policy". Rules:
  • Allow access when com.acme.device-mgmt.risk-score is less than or equal to 25.
  • Allow access when com.acme.case-mgmt.active-cases contains com.acme.case-mgmt.allowed-cases.
  • Allow access when user is at the IP address 10.10.1.0/16.
Applies to: All data.
Machina Console Screenshot: “Court System Access Control Policy” demonstrates a use case example from ABAC Blog Series Part 5

Machina Console screenshot showing the details of "Remote Access Policy". Rules:
  • Allow access when user is in any of the locations United States of America, Germany, France, or United Kingdom of Great Britain and Northern Ireland; and user is at the IP address 10.10.1.0/16; and user is at the IP address 192.168.1.0/24.
  • Allow access when authentication_level is greater than or equal to min_auth_level.
  • Allow access when MDM_Compliance_Score is greater than or equal to 90; and User_risk_score is less than or equal to 50.
Applies to: All data.
Machina Console Screenshot: “Remote Access Policy” demonstrates a use case example from ABAC Blog Series Part 5

Machina Console screenshot showing the Simulation Result for "HIPAA / Healthcare". Policy Results:
  • 1 Policy Allowed: HIPAA / Healthcare (Allow access when user is in the group Healthcare Providers).
  • 3 Policies Not Applied: 1) Allow Internal Employees (Allow access when user is in the group Employees; or device enrollment source type is SAML); 2) Global Deny (Deny access when user is in the group Global Deny); 3) EmployeeRecords - user consent (Deny access when employee-id equals 80,82).
  • 8 Policies Not Relevant: N/A (ionic-expire-policy), N/A (Data Privacy - Personal Data), and others cut off in the screenshot.
Policies Applied: 12 of 25. The Policy Simulation can be run again or deleted.
Machina Console Screenshot: “HIPAA / Healthcare” Simulation run by an admin to test Policy results
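The screenshots above present a policy as a list of attribute conditions and a simulation that labels each policy as allowed, not applied, or not relevant for one request. The Python sketch below is added here to make that evaluation concrete; it is not Machina's SDK or policy language. It models the Court System policy from the first screenshot, the Global Deny policy from the simulation, and a HIPAA policy, using deny-overrides combining. Everything beyond the com.acme.* attribute names and rule text is an assumption: the user.ip, user.groups and data.classification attribute names, the HIPAA target on PHI data, the reading of "contains" as list overlap, and the request itself.

```python
import ipaddress
from dataclasses import dataclass
# Condition builders for the operators in the Console screenshots: each returns a predicate
# over the merged user/device/data attribute dict of one request.
def le(attr, limit):
    return lambda ctx: attr in ctx and ctx[attr] <= limit
def in_cidr(attr, cidr):  # strict=False: "10.10.1.0/16" has host bits set, so it reads as 10.10.0.0/16
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda ctx: attr in ctx and ipaddress.ip_address(ctx[attr]) in net
def overlaps(attr, other):  # assumed reading of "A contains B": the two list attributes share a value
    return lambda ctx: bool(set(ctx.get(attr, ())) & set(ctx.get(other, ())))
def in_group(name):
    return lambda ctx: name in ctx.get("user.groups", ())

@dataclass
class Policy:
    name: str
    rules: list                             # (effect, [conditions]); conditions are ANDed
    applies_to: object = lambda ctx: True   # target predicate; the default is "All data"

def evaluate_policy(policy, ctx):
    """Classify one policy for one request the way the Console simulation reports it."""
    if not policy.applies_to(ctx):
        return "not_relevant"               # target does not cover this data
    for effect, conditions in policy.rules:
        if all(cond(ctx) for cond in conditions):
            return effect                   # first matching rule decides the policy
    return "not_applied"                    # in scope, but no rule condition held

def decide(policies, ctx):
    """Deny-overrides across policies; default deny when nothing allows."""
    results = {p.name: evaluate_policy(p, ctx) for p in policies}
    outcomes = set(results.values())
    return ("deny" if "deny" in outcomes or "allow" not in outcomes else "allow"), results

POLICIES = [
    Policy("Court System Access Control Policy", [
        ("allow", [le("com.acme.device-mgmt.risk-score", 25)]),
        ("allow", [overlaps("com.acme.case-mgmt.active-cases", "com.acme.case-mgmt.allowed-cases")]),
        ("allow", [in_cidr("user.ip", "10.10.1.0/16")])]),
    Policy("Global Deny", [("deny", [in_group("Global Deny")])]),
    Policy("HIPAA / Healthcare", [("allow", [in_group("Healthcare Providers")])],
           applies_to=lambda ctx: ctx.get("data.classification") == "PHI"),  # assumed target
]
# Constructed request: clerk on a risk-score-40 device, off the court network, opening a case on their allowed list.
CLERK_REQUEST = {"user.groups": ["Clerks"], "user.ip": "203.0.113.7",
                 "com.acme.device-mgmt.risk-score": 40,
                 "com.acme.case-mgmt.active-cases": ["C-1042"],
                 "com.acme.case-mgmt.allowed-cases": ["C-1042", "C-2200"],
                 "data.classification": "case-file"}
```

decide(POLICIES, CLERK_REQUEST) returns allow together with the per-policy breakdown the simulation screen shows (court policy allowed, Global Deny not applied, HIPAA not relevant); adding the user to the Global Deny group flips the decision to deny without touching the court policy.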

The landscape of our world has changed. It’s no longer sufficient, or even reasonable, to continue doing the same things we’ve always depended upon. The network firewall has crumbled, cloud is the new normal, and policy is now the new perimeter we must enforce around the assets we value. Address a changed and changing world by implementing the attribute-based access controls of Machina.

Part 7/7 ABAC Blog Series: Policy is the New Perimeter
