
Stuart Hodkinson at PlainID explores how authorisation has changed over the years, from RBAC to ABAC to PBAC
Many years ago cyber-security was far less complex: attackers were less sophisticated, and monitoring them was not a 24/7 job.
Gone are the days when data was simpler, there was far less of it in circulation, and what did circulate stayed inside a well-defined perimeter. Modern working practices demand that large volumes of complex data be shared across organisations and across borders as part of day-to-day activity.
The rapid proliferation of multi-cloud computing, SaaS applications, microservices, API gateways and more over the last decade has vastly expanded every organisation's digital estate, and with it the attack surface available to adversaries who have evolved to meet the moment.
Credential theft continues to be a thorn in the side of IT teams. Verizon's 2023 Data Breach Investigations Report found that 83% of breaches involved external actors, most of them financially motivated, and that 49% of those breaches involved the use of stolen credentials.
The global average cost of a data breach in 2023 was $4.45 million, according to IBM's Cost of a Data Breach Report, 15% more than in 2020. This is concerning because stolen or reused credentials such as passwords remain the primary way bad actors gain a foothold in complex environments, and once inside they inherit whatever access those credentials were already granted. A single password dump unrelated to your company could become its downfall.
Therefore, it’s no surprise that more organisations are turning to identity management solutions to secure their systems. However, Role-Based Access Control (RBAC), and more recently Attribute-Based Access Control (ABAC), can no longer be relied on for comprehensive protection. Only Policy-Based Access Control (PBAC) can grant businesses the flexibility and transparency needed to keep their assets out of the hands of bad actors.
First formalised in 1992, RBAC was steadily refined through the early 2000s. Once viewed as the gold standard in access management, it was widely deployed by some of the biggest multinational organisations.
Compared with modern standards, however, the technology is the digital equivalent of a rudimentary keycard. Once an employee has proven who they are, the system checks whether one of the roles assigned to them carries the requested permission and returns a yes or a no. It is a blunt tool, indifferent to the rapidly evolving facts on the ground: it cannot ask where a request comes from, when it is made or how sensitive the data is, only whether a permission was assigned days or months in advance. Keeping that static mapping accurate across a large estate produces an ever-growing catalogue of roles, the familiar "role explosion". For these reasons, RBAC is no longer fit for purpose.
Recently, ABAC has become a popular alternative for organisations looking to strengthen their authorisation. Compared with RBAC, ABAC is a more sophisticated, fine-grained model that can factor attributes of the user, the resource and the environment into each permission decision. At a minimum, businesses should be deploying ABAC over RBAC.
However, ABAC comes with a major flaw: its complexity. In the standards-based deployments that popularised it, rules are written in the eXtensible Access Control Markup Language (XACML), an XML policy language far too cumbersome for anyone outside the IT department to use properly. This is especially problematic when time is of the essence during a cyber-attack: the longer it takes the IT department to change a permission and isolate the threat, the more sensitive data can be taken.
Policy-Based Access Control (PBAC) bridges the gap between RBAC and ABAC. It offers varying levels of access control depending on the sensitivity of the content, making it more adaptable to the needs of the business.
It also considers the context in which an access request is made, factoring in environmental and situational attributes such as the time of day, the employee's location and the asset they are attempting to reach. This gives managers greater oversight of which files are being accessed and lets anomalous requests be blocked or flagged before an insider threat does damage.
One of the main benefits of PBAC is its user-friendliness. Instead of writing XACML, managers can use a graphical user interface (GUI) to express policies in plain language, so complex policies can be written, revised and put into practice without extensive IT knowledge. This lets managers be more involved in the permissions process, which matters when teams are still working in hybrid settings and flexibility is needed in how company resources are accessed.
In addition, PBAC can be applied at every level of the technology stack, from data lakes and warehouses to APIs and beyond.
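As an added example (not code from the article or from PlainID), the contrast drawn above in runnable form: a static role check beside a small policy evaluator in which each policy is declarative data over subject, resource and environment attributes, combined deny-overrides, plus a quarantine helper for the rapid-revocation case raised earlier. All user names, roles, attribute names, policies and requests are constructed assumptions for illustration.

```python
"""Added example, not code from the article or from PlainID: a static
role check (RBAC) next to a small policy evaluator that also consults
resource and environment attributes (the ABAC/PBAC idea). Users, roles,
attribute names, policies and requests are all constructed for illustration."""
from dataclasses import dataclass

# --- RBAC: permissions bound to roles ahead of time ------------------------
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "finance": {"report:read", "ledger:read", "ledger:write"},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"finance"}}   # constructed data


def rbac_allows(user: str, action: str) -> bool:
    """Yes/no from role membership alone; time, location and data
    sensitivity never enter the decision."""
    return any(action in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- Policy-based: declarative rules over subject/resource/environment ------
@dataclass(frozen=True)
class Request:
    user: str
    action: str
    resource: str      # e.g. "ledger:q3"
    sensitivity: str   # resource attribute: public | internal | restricted
    hour: int          # environment attribute: local hour, 0-23
    network: str       # environment attribute: corporate | vpn | public


# Each policy is data, not code: "when" maps an attribute name to the set of
# values that satisfy it. A policy matches when every listed attribute does.
POLICIES = [
    {"name": "finance-ledger-office-hours", "effect": "permit",
     "when": {"roles": {"finance"}, "action": {"ledger:read", "ledger:write"},
              "network": {"corporate", "vpn"}, "hour": range(7, 20)}},
    {"name": "restricted-only-on-corporate-network", "effect": "deny",
     "when": {"sensitivity": {"restricted"}, "network": {"vpn", "public"}}},
    {"name": "reports-for-analysts-and-finance", "effect": "permit",
     "when": {"roles": {"analyst", "finance"}, "action": {"report:read"}}},
]


def _matches(when: dict, attrs: dict) -> bool:
    for key, allowed in when.items():
        value = attrs.get(key)
        if isinstance(value, (set, frozenset)):      # multi-valued attribute (roles)
            if not value & set(allowed):
                return False
        elif value not in allowed:
            return False
    return True


def pbac_decide(req: Request, policies=POLICIES) -> tuple:
    """Deny-overrides combining: any matching deny wins, then any matching
    permit, otherwise the default is deny. Returns (effect, policy name)."""
    attrs = {"user": req.user, "roles": USER_ROLES.get(req.user, set()),
             "action": req.action, "resource": req.resource,
             "sensitivity": req.sensitivity, "hour": req.hour,
             "network": req.network}
    hits = [p for p in policies if _matches(p["when"], attrs)]
    for effect in ("deny", "permit"):
        for p in hits:
            if p["effect"] == effect:
                return effect, p["name"]
    return "deny", "default-deny"


def quarantine(user: str, policies=POLICIES) -> list:
    """Incident response: cut one user off everywhere with a single new
    deny policy, without touching any role or permission table."""
    block = {"name": f"quarantine-{user}", "effect": "deny", "when": {"user": {user}}}
    return [block] + list(policies)


if __name__ == "__main__":
    late_public = Request("bob", "ledger:write", "ledger:q3", "restricted", 23, "public")
    print(rbac_allows("bob", "ledger:write"))   # True: the role carries the permission
    print(pbac_decide(late_public))             # ('deny', 'restricted-only-on-corporate-network')
```

The same request that RBAC waves through because Bob's role carries `ledger:write` is refused by the policy evaluator because the data is restricted and the request arrives from a public network out of hours; and `quarantine` shows the revocation step the XACML discussion worried about reduced to prepending one deny rule.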
Identity and access management has changed significantly, even in the last few years. Over the decades, access control has become increasingly granular and increasingly centralised to accommodate the growing complexity of organisations.
As every other aspect of the digital sphere evolves, so do our access management solutions, and PBAC should be considered the next chapter for organisations looking to improve their existing digital infrastructure and bring their controls into the twenty-first century.
Stuart Hodkinson is VP EMEA at PlainID
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543