PBAC vs ABAC: What are the differences?
With the rapid advancement in technology, there has been a massive migration of industries and large organizations to the cloud. Almost every one of the industries’ resources, data, and other IT entities is now transferred and stored on the cloud. With this new development, it is almost imperative also to have increased and more effective security measures in place to deter any form of cloud security threats.
PBAC (Policy Based Access Control) and ABAC (Attribute Based Access Control) are access control measures that provide security in these regards. But what and how exactly do they provide security? How are they any different from one another? This article will comprehensively discuss the relationship between the two access control measures.
Policy Based Access Control
What are the components of PBAC?
PBAC, like any other access control measure, affects these three basic elements: subject, object, and request or action. The subject is the user requesting access to the secured file or system. The subject is determined based on the title, division, qualifications, certifications, or training. The object is the resource or entity that the subject wants to access. It could be a project, a file or document, or even money. The request/action is the operation that is being carried out. It could be access, purchase, or grant. Then, for PBAC, the policies would be the principles that the organization has laid down whenever a secured entity is to be accessed.
So, if in a company, the policy says only team leaders who’ve been in the post for five years can access a secured file, that means that the subject has to be a team leader (Title), the object is the secured file, and the action is Access. All three elements are in check; however, if the team leader has only been so for three years, their access to the file is denied because of the policy, even though they meet the criteria for the basic elements.
The policy established by the company or organization is therefore a decisive factor in the implementation of a PBAC strategy.
Attribute Based Access Control
Attribute-Based Access Control, or ABAC, is another access control strategy that grants access based on the user’s attributes. This control strategy contains three elements: subject, object, and action. The environment is also part of its elements and could include location, device or time.
ABAC allows access based on the user's attributes, and instead of manually marching the relationship between a subject and an object, it is pretty automated. Once a subject's attributes change, the subject's access changes as well.
In a company, all team members can access a secured project file from 9-5 every day, but only a team leader can access it beyond 5 and till 9.
This means that, in the first case, the subject is the team members, the object is the secured file, the action is access, and the environmental factor is time (9-5). This implies that you can’t access the file until you fulfill the first three elements. You have to be a team member requesting permission to a particular secured file, and all you want is to access it. Then, you have a permit to access the file from 9-5; anything beyond that is not allowed unless the subject is a team leader.
If perhaps, one of the team members now becomes a team leader, the attribute has changed so that the access will change too automatically. The new team leader can now access the file beyond 5. The security experts don’t have to adjust the permission of new team members manually. All they have to do is change the attribute.
Effectiveness and limitations of PBAC and ABAC
ABAC, a powerful system in many ways
- Automation: With ABAC, you don’t have to manage access control manually. Once the control system is set up and all the attributes of every person in the organization are defined, ABAC becomes automated. So, instead of manually changing access when roles or rules, or policies change, previous access is revoked for the subject once their attributes are modified. Corresponding permission is granted automatically.
- Granularity: Once set up, ABAC is not as complicated or complex to control. If any changes were to occur in the system, they would be changes in the subject’s attributes. It is easier to maintain without having to create and modify roles constantly.
- Security/Privacy Elements: The security level of ABAC is up to par. It can be used in large companies and organizations to protect corporate and clients’ files and resources by limiting and controlling their access.
ABAC, a complex model with limited visibility
- Complexity: ABAC is not a complex access control strategy once the setup is in place. However, putting the setup in place is where the complexity lies. It consumes time, effort, and energy to gather attributes of every person and then structure towards the other elements that fit their description to attain precision and accuracy without any errors.
- Lack of transparency and visibility: ABAC lacks the transparency and visibility that other access control measures have. It is quite hard to point out and identify each resource that a user can enter; unlike RBAC, which uses roles and PBAC, policies, ABAC requires a thorough verification to know what subject can access what resource.
PBAC, a flexible model with high adaptability
- Flexibility: PBAC is flexible to use on whatever technology, device, or application. All you need to keep in check is the policy, which will reflect in all aspects of the secured system and apply to every user who wants to gain access.
- Scalability: It is quite scalable and not too complex to use. You only have to write a policy once, and it will affect every aspect every time a user requests access. You don’t have to depend on the IT team to take control solely; the policy laid down can easily be implemented by the users with authorized access. The policy applies for the ongoing project, the next, and the next until there is a change in the organization’s policy.
PBAC compatibility issues
As exciting and easy to implement as it sounds, PBAC might not be compatible with all organizations. This is because not all of them can lay down policies that would affect access to sensitive resources without compromising security. It is not every company’s cup of tea.
PBAC vs ABAC: Which solution should I choose for my organization?
As far as security is concerned, both solutions are up to the task and are quite effective in keeping cyber threats at bay. However, ABAC allows for a higher level of security and other access control models. It is also quite elaborate and is used in larger organizations because of its complexity and the cost of setting it up.
PBAC and ABAC can be supplemented or even replaced by a Persona-based approach. The new version of the TrustBuilder IAM solution offers this evolution.
Policy Based Access Control, or PBAC, is an access control strategy that integrates a user’s role with the policies set by the organization to grant authorized access to the system. PBAC, like any other access control measure, affects these three basic elements: subject, object, and request or action.
ABAC (Attribute-Based Access Control) is an access control strategy containing 3 elements : subject, object and action. ABAC allows access based on the user’s attributes, and instead of manually marching the relationship between a subject and an object, it is pretty automated. Once a subject’s attributes change, the subject’s access changes as well.
In a fast-growing digital world, large organizations and businesses are increasingly relying on the cloud to store their resources, data and other IT entities. An effective and appropriate access control strategy is therefore essential to prevent any form of threat to cloud security.
