Harnessing the power of Policy-based access control: advantages and opportunities
Identity and Access Management is an information security framework that has been around for longer than most of us. As digitization evolved, the need to protect resources and identities increased and IAM became more complex. Fortunately, new methods and methodologies are also making life easier for users and administrators. Policy-based access control (PBAC) is a relatively new concept that does away with the traditional disadvantages of Role-based access control (RBAC) and Attribute-based access control (ABAC). TrustBuilder’s vision of PBAC augments its advantages even further.
What is the importance of access control?
Access control to applications, data and services has become a pivotal aspect of modern business operations, ensuring that only authorized individuals can interact with sensitive information. Historically, organizations only used on-premise systems, where control was maintained within a physical location or a proprietary network. However, the shift towards cloud services and Software-as-a-Service (SaaS) applications has dramatically changed access control. Web-based applications bring the advantage of offering access to a wider audience, for instance not only to employees, but also to customers. On the other hand, they make access control even more important, as data and applications become more easily accessible.
In the case of on-premise systems, access control was fairly easy and based on the role an employee had: a finance manager had access to financial reports, other employees did not. Sales managers had access to an application to make quotes, other employees did not. As more applications became available online, it became more difficult to match the applications to roles inside an organization, and the coarse-grained type of access control was no longer sufficient. And as companies work together with a growing number of partners that also require access to these applications, the need for fine-grained access control becomes even more crucial. The core principle remains that only the right people get access to specific resources.
What is Role-based access control?
Role-based access control (RBAC) is a method for regulating access to computer or network resources. In RBAC, access permissions are tied to roles, and users are assigned to different roles. A role encapsulates the permissions needed to perform a specific function within an organization. When a user is assigned to a role, they receive the access rights it confers, enabling them to perform certain tasks. In RBAC, roles are placed in the application and organizations will need to copy those roles to their Active Directory or any other Identity Provider (IdP) they are using, so they get a match between the application and the user, based on their role. This simplifies things: all an organization needs to do is provide the same roles in the IdP as in the application (in IAM terminology also called Service Provider). RBAC is a good system for employee access to on-premise applications and for simple use cases.
In the case of customer access, this is more complicated: you don’t know the user when he onboards, so you will need to identify the customer and will only grant access to resources after you have checked a number of variables.
What is Attribute-based access control?
Contrary to Role-based access control, Attribute-based access control does not give access based on technical roles, but based on attributes. Attributes are characteristics or properties that can be associated with users, objects, actions, or the environment. These attributes can be combined to create complex access control rules, ensuring that only authorized individuals can perform specific actions on particular resources under certain conditions. Examples of attributes are:
- User Attributes: Role, department, title, security clearance, etc.
- Resource Attributes: Type of file, classification level, owner, etc.
- Action Attributes: Read, write, delete, update, etc.
- Environmental Attributes: Time, location, device type, network connection, etc.
These attributes are stored in a Customer Identity and Access Management (CIAM) system.
What are the potential shortcomings of RBAC and ABAC?
As our society and the way businesses operate becomes more complex, the shortcomings of Role-based access control and Attribute-based access control are becoming apparent.
- RBAC may lead to role explosion, making the system cumbersome to manage. RBAC assigns permissions to roles, and not directly to users, which can make managing individual user permissions cumbersome in complex environments. This rigidity may lead to role explosion, where numerous roles must be created to cater to specific user needs. It can also complicate scenarios where exceptions are required to become more fine-grained, as this typically necessitates the creation of a new role.
- As roles are inherent to an application, additional roles need to be created for each specific application, which increases the danger of role explosion and of contradictions between those roles.
- When users change business roles, the technical roles need to be adapted as well, and the complexity might lead to unauthorized access in certain cases.
- ABAC, while providing a more nuanced approach through attributes, has its own flaws. Its complexity can lead to increased overhead in both managing and evaluating policies, demanding careful planning and continuous monitoring. Unlike RBAC, where roles are predefined, ABAC’s flexibility in allowing conditions to be applied to any attribute requires a lot of upfront consideration and configuration to set up correctly. To deliver fine-grained security, many attributes may be required, making the system difficult to configure.
What is Policy-based access control?
Policy-based access control (PBAC) manages user access to resources using predefined policies. These policies specify who can access what, under which circumstances. Declarative policies make management simpler by using standard language or syntax to express rules, allowing for easy creation, modification, and management. Declarative policies streamline the process of adding new applications by letting administrators define access rules in a more human-readable form, reducing complexity and increasing efficiency in maintaining the access controls.
As an example, if the CIAM of your accounting application needs to define which accountant can manage which customer accounts, a policy can grant an accountant management rights only on the customer accounts he is responsible for, by matching those specific account names. Compare that to RBAC, where you would need to create a new role per customer account. In ABAC, you would need many more attributes to manage this.
In a declarative policy, you can also add the time period in which people can access accounts.
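Worked example (added here, not TrustBuilder's product code): a minimal declarative policy for the accounting scenario above, written in Python with a constructed responsibility table and a hypothetical 08:00-18:00 access window. Every rule must hold or the request is denied, and rbac_roles_needed() shows the one-role-per-account explosion RBAC would need for the same data.

```python
from datetime import datetime

# Constructed sample data (not TrustBuilder's data model): which accountant is
# responsible for which customer accounts.
RESPONSIBILITIES = {
    "alice": {"acme-ltd", "globex-inc"},
    "bob": {"initech"},
}

# Declarative policy: named rules, each a condition on the request.
# All rules must hold for access to be granted; anything else is denied.
POLICY = [
    ("action is manage",
     lambda r: r["action"] == "manage"),
    ("accountant is responsible for the account",
     lambda r: r["account"] in RESPONSIBILITIES.get(r["user"], set())),
    ("request is inside the access window (08:00-18:00)",
     lambda r: 8 <= r["now"].hour < 18),
]

def evaluate(request, policy=POLICY):
    """Return (permitted, failed_rule_names); deny by default."""
    failed = [name for name, rule in policy if not rule(request)]
    return (not failed, failed)

def decide(user, account, action, now_iso):
    """Build a request from plain values and evaluate it against POLICY."""
    request = {"user": user, "account": account, "action": action,
               "now": datetime.fromisoformat(now_iso)}
    return evaluate(request)

def rbac_roles_needed(responsibilities):
    """RBAC contrast: one technical role per customer account (role explosion)."""
    return {f"manage:{acct}" for accts in responsibilities.values() for acct in accts}

if __name__ == "__main__":
    print(decide("alice", "acme-ltd", "manage", "2024-03-15T10:00:00"))
    print(decide("bob", "acme-ltd", "manage", "2024-03-15T10:00:00"))
    print(sorted(rbac_roles_needed(RESPONSIBILITIES)))
```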
What are use cases for Policy-based access control?
PBAC will typically be used in organizations with a complex role structure, for instance when companies work together with external partners. One and the same person can be a developer working at his company, but taking up the role of project manager in the consortium that different companies are working in. This project management role requires more access privileges than the developer role. PBAC enables the establishment of complex policies that govern access based on roles, relationships, or other attributes.
Other use cases include:
- Regulatory compliance: Many industries are subject to regulations like GDPR, HIPAA, or SOX, which mandate strict control over access to sensitive information. PBAC allows organizations to define policies that ensure only authorized individuals can access specific data, thereby helping in compliance with legal requirements.
- Dynamic business environments: Modern businesses often need to adapt quickly to changing conditions. PBAC’s flexibility in defining access controls can be tailored to various scenarios, such as remote work or sudden organizational changes. This dynamic adaptability ensures that security remains intact without hindering the agility of the business operations.
How does TrustBuilder augment the power of PBAC?
Several CIAM vendors have discovered the advantages of Policy-based access control. As an innovator in the market, TrustBuilder makes PBAC even stronger for its customers by adding extra capabilities such as personas, session-based management and delegated administration.
- Personas: TrustBuilder fundamentally believes that every user only needs one profile, instead of having a separate profile per role that a user takes on. To realize this in CIAM, TrustBuilder uses the notion of persona: a persona reflects the aspect of someone as a user of a digital system or service and allows these activities to be clearly segregated, for reasons of user convenience and/or for reasons of security. Check out this long read for more information on personas.
- Session-based management: our policies not only allow you to define the time-to-live (TTL) or hop limit that restricts the length of a session, but also outline the Access Control Rule (ACR), which can manage a session based on the Authentication Method Level (AML). Based on the AML needed, the policy can allow or disallow the use of Single Sign-on when moving from one application to another, in conjunction with time limitations. When the user wants to access an application for which the AML does not meet the requirements set by the ACR, step-up authentication is needed.
- Delegated administration: the persona concept also makes it easier to delegate administration to another user, who can then perform certain tasks during a defined period of time. An example of this in financial services is when an elderly person can delegate all financial transactions to her daughter and the bank needs to be certain that the daughter is allowed to act as her proxy.
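Added illustration, not TrustBuilder's implementation: a toy Python model of the session rules described above, with hypothetical AML levels and per-application ACRs. It decides whether an SSO hop into an application is allowed, needs step-up authentication, or requires a fresh login because the ACR forbids SSO or the TTL or hop limit is exceeded.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical Authentication Method Levels (AML), weakest to strongest.
AML = {"password": 1, "otp": 2, "fido2": 3}

# Hypothetical Access Control Rules (ACR) per application: the minimum AML the
# application requires and whether it may be entered via Single Sign-on at all.
ACR = {
    "intranet": {"min_aml": "password", "sso": True},
    "payments": {"min_aml": "otp", "sso": True},
    "admin": {"min_aml": "fido2", "sso": False},
}

@dataclass
class Session:
    user: str
    aml: str                 # authentication method used at login
    issued_at: datetime
    ttl: timedelta           # time-to-live set by the session policy
    hop_limit: int           # maximum number of SSO hops allowed in this session
    hops: int = 0            # SSO hops already made

def new_session(user, aml, issued_iso, ttl_minutes, hop_limit, hops=0):
    return Session(user, aml, datetime.fromisoformat(issued_iso),
                   timedelta(minutes=ttl_minutes), hop_limit, hops)

def decide(session, app, now_iso):
    """Outcome of moving into `app` via SSO: 'allow', 'step-up' or 'reauthenticate'."""
    now = datetime.fromisoformat(now_iso)
    rule = ACR[app]
    if now - session.issued_at > session.ttl:
        return "reauthenticate"      # TTL exceeded: session is over
    if session.hops >= session.hop_limit:
        return "reauthenticate"      # hop limit exceeded: session is over
    if not rule["sso"]:
        return "reauthenticate"      # ACR forbids SSO into this application
    if AML[session.aml] < AML[rule["min_aml"]]:
        return "step-up"             # AML too low: step-up authentication needed
    return "allow"

if __name__ == "__main__":
    s = new_session("alice", "password", "2024-03-15T09:00:00", 60, 3)
    for app in ACR:
        print(app, decide(s, app, "2024-03-15T09:10:00"))
```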
In the near future, RBAC, ABAC and PBAC will certainly all have their use cases. In simple organizations, Role-based access control is an easy-to-implement solution. But as organizations become increasingly complex and work in the spirit of open collaboration with partner companies, Policy-based access control will become ever more attractive to keep organizations safe while also guaranteeing a good customer experience. Needless to say, TrustBuilder, as a modern end-to-end IAM solution, supports RBAC, ABAC and PBAC alike, raising the bar on each of these systems.
Role-Based Access Control (RBAC) is a security method where access permissions are tied to roles within an organization. Users are assigned roles, each encompassing necessary permissions for specific functions. It simplifies access management, especially in straightforward scenarios like employee access to corporate applications.
Attribute-Based Access Control (ABAC) grants access based on a combination of user, object, action, and environmental attributes. It creates rules ensuring authorized individuals perform specific actions under certain conditions, offering fine-grained access control for diverse and dynamic business requirements.
Policy-Based Access Control (PBAC) is a method of managing user access to resources through predefined policies. These policies dictate who can access what resources and under which conditions, using a standard language for easy rule creation and management, enhancing security and efficiency in complex digital environments.