According to NIST (SP 800-162), ABAC is defined as "an access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions."
ABAC is referred to as the next generation of authorization because it grants access based on the attributes of the user, the resource and the request context (who they are and under what conditions they are asking), not only on a pre-assigned role or a fixed list of permitted actions.
Attributes are the characteristics or values of each entity involved in the access request.
In an ABAC implementation, security policies are expressed as combinations of attributes. These configured policies are what determine whether access is granted or denied.
ABAC is a dynamic, context-aware, risk-intelligent access control mechanism that aims to protect objects such as data, devices and resources from unauthorized users and actions.
ABAC policies are easier to apply with fine granularity in large enterprises where users are many and geographically dispersed, while also reducing security risk and helping to meet privacy and security compliance requirements.
The key components involved in attribute-based access control include:
Subject - The attributes of the user making the request. Examples include name, ID, job title, role and group membership.
Object - The resource or asset to be accessed. Examples include an application, file or system.
Operation - The action the subject requests to perform on the object. Examples include read, write, execute, copy and paste.
Environment - The context of the access request. Examples include time, location, behavior and protocol.
Policy - The rules or relationships that determine whether access is granted or denied.
Security Implementations of ABAC
The implementation of ABAC consists of four major components.
Policy Decision Point (PDP)
Policy Enforcement Point (PEP)
Policy Information Point (PIP)
Policy Administration Point (PAP)
Policy Decision Point - evaluates the policies against the subject and object attributes, the requested operation and the environmental conditions, and returns a permit or deny decision.
Policy Enforcement Point - intercepts the access request, queries the PDP and enforces its decision by allowing or blocking the operation.
Policy Information Point - supplies the PDP with the attributes it needs to make decisions.
Policy Administration Point - provides the interface for creating, managing and testing the security policies.
ABAC Use Cases
Data Breach Alerts
When a staff member logs in after business hours and accesses sensitive customer or company information from an unrecognized IP address, a warning email is sent automatically to system administrators.
User Provisioning and Management
A staff member reassigned to a new department should automatically gain access to the information and resources of the new department and lose access to those of the previous one.
A contractor can view only the information needed for the job, and only within a defined window of time.
Based on staff attributes, time, location and the sensitivity of the information, a remote staff member is presented with a different level of authentication (single-factor, two-factor or physical token) for information or resources with different levels of security.
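The following Python program is an added example and is not code from the original article or from any ABAC product. It wires together the components listed above (subject, object, operation, environment, policy) in the PIP/PDP/PEP arrangement described in the implementation section, and then exercises the use cases just listed: the after-hours alert, department reassignment, the contractor time window and step-up authentication for sensitive objects. All user records, resource records, the corporate IP range and the rules are constructed for illustration; the PDP uses deny-overrides combining with default deny, which is an assumption of this example rather than anything the article specifies.

```python
# Added example (not from the original article): a minimal ABAC engine that
# separates the PIP, PDP and PEP and evaluates attribute-based rules.
# All users, resources, the office IP range and the rules are constructed.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]


@dataclass
class Request:
    """Subject, operation, object and environment attributes of one access request."""
    subject: Attrs
    action: str
    obj: Attrs
    env: Attrs


@dataclass
class Rule:
    name: str
    effect: str                         # "permit" or "deny"
    when: Callable[[Request], bool]     # predicate over the request's attributes


class PolicyInformationPoint:
    """Resolves subject and object attributes from authoritative stores (in-memory here)."""
    def __init__(self, users: Dict[str, Attrs], resources: Dict[str, Attrs]):
        self.users, self.resources = users, resources

    def subject(self, user_id: str) -> Attrs:
        return dict(self.users[user_id])

    def obj(self, resource_id: str) -> Attrs:
        return dict(self.resources[resource_id])


class PolicyDecisionPoint:
    """Combines matching rules: deny-overrides, default deny when nothing matches (assumed)."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, req: Request) -> Tuple[str, List[str]]:
        matched = [r for r in self.rules if r.when(req)]
        if any(r.effect == "deny" for r in matched):
            return "deny", [r.name for r in matched if r.effect == "deny"]
        if matched:
            return "permit", [r.name for r in matched]
        return "deny", ["default-deny"]


OFFICE_NET = ip_network("10.0.0.0/8")   # constructed: addresses treated as "recognized"


def business_hours(env: Attrs) -> bool:
    return time(8, 0) <= env["now"].time() <= time(18, 0)


def known_ip(env: Attrs) -> bool:
    return ip_address(env["ip"]) in OFFICE_NET


class PolicyEnforcementPoint:
    """Builds the request via the PIP, asks the PDP, enforces, and records alerts."""
    def __init__(self, pip: PolicyInformationPoint, pdp: PolicyDecisionPoint):
        self.pip, self.pdp, self.alerts = pip, pdp, []

    def authorize(self, user_id: str, action: str, resource_id: str, env: Attrs) -> Tuple[bool, List[str]]:
        req = Request(self.pip.subject(user_id), action, self.pip.obj(resource_id), env)
        decision, reasons = self.pdp.decide(req)
        # "Data breach alerts": after-hours access to sensitive data from an unrecognized
        # address is flagged to administrators whatever the decision was.
        if req.obj["sensitivity"] == "high" and not business_hours(env) and not known_ip(env):
            self.alerts.append(f"ALERT {user_id} {action} {resource_id} from {env['ip']} at {env['now']:%H:%M}")
        return decision == "permit", reasons


RULES = [
    # Staff may read files owned by their current department (attribute match, no role list).
    Rule("same-department-read", "permit",
         lambda r: r.action == "read" and r.subject["department"] == r.obj["department"]),
    # Contractors are confined to their contract window, overriding any permit.
    Rule("contractor-outside-window", "deny",
         lambda r: r.subject["type"] == "contractor"
         and not (r.subject["contract_start"] <= r.env["now"] <= r.subject["contract_end"])),
    # Step-up authentication: high-sensitivity objects require auth_level >= 2 (e.g. 2FA).
    Rule("mfa-required-for-sensitive", "deny",
         lambda r: r.obj["sensitivity"] == "high" and r.env.get("auth_level", 1) < 2),
]

USERS = {  # constructed subject attributes
    "alice": {"type": "employee", "department": "finance"},
    "bob": {"type": "contractor", "department": "finance",
            "contract_start": datetime(2024, 1, 1), "contract_end": datetime(2024, 3, 31)},
}
RESOURCES = {  # constructed object attributes
    "fin-ledger": {"department": "finance", "sensitivity": "high"},
    "hr-handbook": {"department": "hr", "sensitivity": "low"},
}


def build_pep() -> PolicyEnforcementPoint:
    users = {k: dict(v) for k, v in USERS.items()}      # copy so demos can mutate freely
    return PolicyEnforcementPoint(PolicyInformationPoint(users, RESOURCES), PolicyDecisionPoint(RULES))


def demo() -> Dict[str, Any]:
    pep = build_pep()
    office = {"now": datetime(2024, 2, 1, 10, 0), "ip": "10.1.2.3", "auth_level": 2}
    late_home = {"now": datetime(2024, 2, 1, 23, 0), "ip": "203.0.113.7", "auth_level": 2}
    out = {}
    out["alice_ledger"] = pep.authorize("alice", "read", "fin-ledger", office)[0]
    out["alice_hr"] = pep.authorize("alice", "read", "hr-handbook", office)[0]
    out["alice_ledger_1fa"] = pep.authorize("alice", "read", "fin-ledger", {**office, "auth_level": 1})[0]
    out["bob_in_window"] = pep.authorize("bob", "read", "fin-ledger", office)[0]
    out["bob_after_window"] = pep.authorize("bob", "read", "fin-ledger", {**office, "now": datetime(2024, 4, 2, 10, 0)})[0]
    pep.pip.users["alice"]["department"] = "hr"          # reassignment: change the attribute, not the policy
    out["alice_hr_after_move"] = pep.authorize("alice", "read", "hr-handbook", office)[0]
    out["alice_ledger_after_move"] = pep.authorize("alice", "read", "fin-ledger", office)[0]
    pep.pip.users["alice"]["department"] = "finance"
    pep.authorize("alice", "read", "hr-handbook", late_home)   # low sensitivity: no alert
    pep.authorize("alice", "read", "fin-ledger", late_home)    # permitted, but alerted
    out["alerts"] = len(pep.alerts)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point to notice is that every behaviour change in `demo()` comes from changing an attribute (the user's department, the time, the source address, the authentication level) while `RULES` stays fixed; that is the property the use cases above rely on. The alert is handled in the PEP as an obligation attached to the decision rather than as a deny, because the article describes it as a notification, not a block.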
ABAC is recommended for large organizations that require deep, specific access control capabilities while ensuring privacy and regulatory compliance.