https://www.linkedin.com/pulse/attribute-based-access-control-abac-modupe-cissp-cism-ceh-cobit/
According to NIST, ABAC is defined as “an access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.”
ABAC is often described as the next generation of authorization because it grants access based on a combination of attributes of the user, the resource and the context of the request (who the user is, what is being accessed and under what conditions) rather than on role membership alone.
Attributes are the characteristics or values of the entities involved in an access request.
In an ABAC implementation, security policies are expressed as conditions over combinations of these attributes, and the configured policies determine whether a given request is granted or denied.
ABAC is a dynamic, context-aware, risk-aware access control mechanism intended to protect objects such as data, devices and other resources from unauthorized users and actions.
ABAC policies are easier to apply with fine granularity in large enterprises where users are numerous and geographically dispersed, and they reduce security risk by keeping access aligned with privacy and security compliance requirements.
The key components involved in attribute-based access control include:
- Subject - the entity (typically a user or process) requesting access, described by its attributes. Examples include name, ID, job title, role, clearance and group membership
- Object - the resource or asset to be accessed, also described by attributes. Examples include an application, file, record or system, together with properties such as owner and sensitivity
- Operation - the action the subject requests on the object. Examples include read, write, execute, copy and paste
- Environment - the context of the access request, independent of subject and object. Examples include time of day, location or source address, observed behavior and protocol
- Policy - the rules, written in terms of the attributes above, that determine whether a request is granted or denied
Security Implementation of ABAC
The implementation of ABAC consists of four major components.
- Policy Decision Point (PDP)
- Policy Enforcement Point (PEP)
- Policy Information Point (PIP)
- Policy Administration Point (PAP)
The Policy Decision Point evaluates the applicable policies against the subject and object attributes, the requested operation and the environment conditions, and returns a decision (typically permit or deny).
The Policy Enforcement Point intercepts the access request, forwards it to the PDP and enforces the decision it receives; it is the only component that should sit in the path to the protected resource.
The Policy Information Point supplies the PDP with the attributes it needs to decide, fetching them from sources such as a directory, an HR system or a network inventory.
The Policy Administration Point provides the interface for creating, managing and testing security policies.
ABAC Use Cases
- When a staff member logs in after business hours and accesses sensitive customer or company information from an unrecognized IP address, a warning email is sent automatically to the system administrators.
- User Provisioning and Management: a staff member reassigned to a new department should automatically gain access to the information and resources of the new department and lose access to those of the previous one, because a single department attribute changes rather than a list of individual entitlements.
- A contractor can view only the information needed for his or her job, and only within a defined window of time.
- Based on staff attributes, time, location and the sensitivity of the information, a remote staff member is challenged with a different level of authentication (single factor, two-factor or a physical token) for resources with different security levels.
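As an added example (not code from the article or from NIST SP 800-162), the following Python sketches the four implementation components from the previous section (PAP, PIP, PDP, PEP) and runs the use cases above through them. Every policy, attribute name, user, object, network range and timestamp is constructed for illustration. Two modelling choices are mine rather than the article's: the after-hours access from an unknown address is denied as well as alerted, and step-up authentication is expressed as an obligation the PEP must satisfy before it grants access.

```python
# Minimal ABAC engine: PAP (policy set), PIP (attribute sources), PDP (decision)
# and PEP (enforcement). Added example, not NIST's or the article's code; all
# attribute names, policies, users, objects and networks are constructed.
from datetime import date, datetime, time
from ipaddress import ip_address, ip_network

# ---- PAP: policies authored as functions over the four attribute sets. Each returns
# None (not applicable) or (effect, obligations); an obligation is an action the PEP
# must carry out together with the decision.
def department_scope(s, o, op, e):
    """Staff may touch only objects owned by their current department."""
    if s.get("type") != "staff" or "owner_department" not in o:
        return None
    return ("Permit", []) if s.get("department") == o["owner_department"] else ("Deny", [])
def contractor_window(s, o, op, e):
    """Contractors: read-only, own project, only inside the engagement dates."""
    if s.get("type") != "contractor":
        return None
    in_window = s["contract_start"] <= e["now"].date() <= s["contract_end"]
    ok = in_window and op == "read" and o.get("project") == s["project"]
    return ("Permit", []) if ok else ("Deny", [])
def after_hours_unknown_network(s, o, op, e):
    """Sensitive data, after hours, from an unrecognised address: deny and alert."""
    if o.get("sensitivity") in ("high", "restricted") and e["after_hours"] and not e["known_network"]:
        return ("Deny", ["alert_admins"])
    return None
def remote_step_up(s, o, op, e):
    """Remote access to sensitive data obliges a stronger authenticator (safe as Permit: deny-overrides)."""
    needed = {"medium": "mfa", "high": "mfa", "restricted": "hardware_token"}.get(o.get("sensitivity"))
    return ("Permit", ["auth:" + needed]) if e["remote"] and needed else None
POLICIES = [department_scope, contractor_window, after_hours_unknown_network, remote_step_up]

class PIP:
    """Resolves attributes the request itself does not carry (directory, network inventory)."""
    def __init__(self, directory, trusted_networks):
        self.directory = directory
        self.trusted = [ip_network(n) for n in trusted_networks]
    def subject(self, user_id):
        return dict(self.directory[user_id])  # copy: policies must not mutate the source
    def environment(self, now, src_ip):
        known = any(ip_address(src_ip) in net for net in self.trusted)
        return {"now": now, "known_network": known, "remote": not known,
                "after_hours": not time(8) <= now.time() < time(18)}

class PDP:
    """Evaluates every policy, combines with deny-overrides, denies by default."""
    def __init__(self, policies):
        self.policies = policies
    def decide(self, s, o, op, e):
        results = [r for p in self.policies if (r := p(s, o, op, e)) is not None]
        for effect in ("Deny", "Permit"):
            matched = [obl for eff, obl in results if eff == effect]
            if matched:
                return effect, sorted({x for obl in matched for x in obl})
        return "Deny", []

AUTH_LEVEL = {"password": 1, "mfa": 2, "hardware_token": 3}
class PEP:
    """The only component in front of the resource: PIP for attributes, PDP for the decision, then obligations."""
    def __init__(self, pdp, pip):
        self.pdp, self.pip, self.alerts = pdp, pip, []
    def request(self, user_id, auth_method, src_ip, now, obj, op):
        s, e = self.pip.subject(user_id), self.pip.environment(now, src_ip)
        effect, obligations = self.pdp.decide(s, obj, op, e)
        if "alert_admins" in obligations:
            self.alerts.append(f"{user_id} {op} {obj['id']} from {src_ip} at {now:%H:%M}")
        if effect == "Permit":
            need = max([AUTH_LEVEL[x[5:]] for x in obligations if x.startswith("auth:")], default=1)
            if AUTH_LEVEL[auth_method] < need:
                return "StepUp"  # permitted in principle, but the user must re-authenticate first
        return effect

# ---- Constructed sample data and the article's use cases.
DIRECTORY = {
    "alice": {"type": "staff", "department": "finance"},
    "bob": {"type": "contractor", "project": "migration",
            "contract_start": date(2024, 3, 1), "contract_end": date(2024, 3, 31)},
}
LEDGER = {"id": "ledger", "owner_department": "finance", "sensitivity": "high"}
PAYROLL = {"id": "payroll", "owner_department": "hr", "sensitivity": "restricted"}
PLAN = {"id": "plan", "owner_department": "it", "project": "migration", "sensitivity": "medium"}

def demo():
    pip = PIP({k: dict(v) for k, v in DIRECTORY.items()}, ["10.0.0.0/8"])
    pep = PEP(PDP(POLICIES), pip)
    office, cafe, day = "10.1.2.3", "203.0.113.5", datetime(2024, 3, 15, 10, 0)
    out = {
        "staff_own_dept": pep.request("alice", "password", office, day, LEDGER, "read"),
        "staff_other_dept": pep.request("alice", "password", office, day, PAYROLL, "read"),
        "after_hours_unknown_ip": pep.request("alice", "mfa", cafe, day.replace(hour=22), LEDGER, "read"),
        "remote_needs_mfa": pep.request("alice", "password", cafe, day, LEDGER, "read"),
        "remote_with_mfa": pep.request("alice", "mfa", cafe, day, LEDGER, "read"),
        "contractor_in_window": pep.request("bob", "password", office, day, PLAN, "read"),
        "contractor_write": pep.request("bob", "password", office, day, PLAN, "write"),
        "contractor_expired": pep.request("bob", "password", office, datetime(2024, 4, 2, 10), PLAN, "read"),
    }
    pip.directory["alice"]["department"] = "hr"  # reassignment: a single attribute changes
    out["reassigned_new_dept"] = pep.request("alice", "password", office, day, PAYROLL, "read")
    out["reassigned_old_dept"] = pep.request("alice", "password", office, day, LEDGER, "read")
    out["alerts"] = len(pep.alerts)
    return out
```

The PDP combines with deny-overrides and falls back to Deny when no policy applies, so an obligation-only policy such as remote_step_up can never grant what department_scope or contractor_window refuses. Note that the reassignment case touches no policy at all: changing one attribute in the PIP's directory is enough for the old department's data to close and the new department's to open.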
ABAC is recommended for large organizations that require fine-grained access control while ensuring privacy and regulatory compliance.
Reference
https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf