What is ABAC?
Attribute-based Access Control (ABAC) is a security model that enables organizations to control access to data based on various attributes, such as user roles, clearance levels, location, and citizenship, among others…
Why use ABAC?
- Flexible and adaptable approach to access control, which can better align with the needs of modern organizations.
- Reduces the risk of data breaches and other security incidents by ensuring that only authorized individuals have access to sensitive resources.
- Simplifies the management of access control policies by relying on standardized attributes, which can be readily modified as organizational needs evolve.
This whitepaper discusses SecuPi’s approach to ABAC, which offers highly customizable and adaptable policy logic for data access control, without the need for changes to the underlying data sources or application code.
SecuPi Approach to Data Protection Using ABAC
With ABAC, data access can be controlled based on a variety of attribute variable types including User attributes, Object attributes, and Behavioral attributes…
- User Attributes: Leverages the current values of Attribute Variables associated with the querying user, such as their User ID, workday role, Active Directory and LDAP groups, clearance level, location, citizenship, customer consent/classification, and more.
- Object Attributes: Takes into account the current values of Attribute Variables for the data being accessed, including the authorization/clearance level required to access the data and the data’s location, among others.
- Behavioral Attributes: Considers User ID behavioral attributes, such as the current risk level of data usage, the device in use, and self- and peer-comparisons with normal, accepted access patterns.
This approach ensures that data protection measures are highly adaptable and can be fine-tuned to meet specific security and privacy requirements.
- Fine-grained dynamic masking
- Row-level filtering (e.g., excluding customers with VIP status)
- Format-preserving encryption (FPE), Type-preserving encryption
- and more…
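A minimal sketch of how the three attribute types above can drive row-level filtering and dynamic masking. This is an added example, not SecuPi's code or policy format; the attribute names, group names (`vip-desk`, `pii-readers`) and sample rows are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample rows; required_clearance and region are object attributes.
CUSTOMERS = [
    {"id": 1, "ssn": "123-45-6789", "region": "EU", "vip": False, "required_clearance": 1},
    {"id": 2, "ssn": "987-65-4321", "region": "EU", "vip": True, "required_clearance": 1},
    {"id": 3, "ssn": "555-12-3456", "region": "US", "vip": False, "required_clearance": 1},
    {"id": 4, "ssn": "111-22-3333", "region": "EU", "vip": False, "required_clearance": 3},
]

@dataclass(frozen=True)
class User:            # user attributes (hypothetical names)
    user_id: str
    groups: frozenset
    clearance: int
    location: str

@dataclass(frozen=True)
class Behavior:        # behavioral attributes (hypothetical names)
    risk_level: str    # only "low" unlocks clear-text values
    managed_device: bool

def mask_ssn(value: str) -> str:
    """Dynamic masking: keep only the last four digits."""
    return "***-**-" + value[-4:]

def enforce(user: User, behavior: Behavior, rows: list) -> list:
    """Return the rows this user may see, with masking applied per request."""
    visible = []
    for row in rows:
        # User vs. object attributes: clearance level and data location.
        if user.clearance < row["required_clearance"]:
            continue
        if row["region"] != user.location:
            continue
        # Row-level filter: VIP customers are excluded unless explicitly allowed.
        if row["vip"] and "vip-desk" not in user.groups:
            continue
        out = {k: v for k, v in row.items() if k != "required_clearance"}
        # Fail closed: any risk level other than "low", an unmanaged device,
        # or a missing group membership results in a masked value.
        clear_ok = (behavior.risk_level == "low" and behavior.managed_device
                    and "pii-readers" in user.groups)
        if not clear_ok:
            out["ssn"] = mask_ssn(row["ssn"])
        visible.append(out)
    return visible
```

The same user issuing the same query gets clear-text or masked values depending on the behavioral attributes at request time, with no change to the underlying rows.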
SecuPi offers numerous advantages that set it apart from other solutions available in the market. SecuPi provides robust support for both Cloud and On-premises environments, and seamlessly caters to a diverse array of applications, including operational functions such as HR and accounting, as well as analytical tools like Tableau and Qlik…
Other tools on the market fall short in key areas and require one of the following:
- Changing source code to call an API – They typically necessitate changes to source code, requiring the integration of an API…
- Creating views in the data source – The common approach of creating views within the data source leads to changes in existing queries running on the base table, which subsequently demand recoding to function with the new views…
- Configuring an orchestration layer – Some solutions opt for configuring an orchestration layer, often based on technologies like Presto or PostgreSQL. While this may enable ABAC enforcement, it introduces an additional layer that degrades performance, particularly for operational applications and large reporting environments where performance and simplicity are paramount…
Comparing SecuPi to Other ABAC Solutions on the Market