The Essential Elements for a Successful ABAC Implementation

10 Jul, 2023
3 min read

In today’s complex and data-driven world, organizations must prioritize securing their sensitive data while providing access to authorized users. Attribute Based Access Control (ABAC) and Policy Based Access Control (PBAC) have emerged as effective approaches for implementing fine-grained authorization policies. In this blog post, we will explore three essential elements that organizations need to consider when implementing ABAC/PBAC.

1. Attribute Collection and Operationalization

The foundation of ABAC/PBAC lies in collecting and operationalizing attributes that define user identities and data sensitivity. There are two types of attributes to consider:

a) User Attributes: User attributes encompass identity-related information such as the user’s location, department, and job title. These attributes can be sourced from Identity Governance and Administration (IGA) systems like Saviynt or SailPoint, or from authentication sources like Azure AD and Okta. Additionally, authoritative sources like Human Resources systems (e.g., SAP HR, PeopleSoft) can provide these attributes.

b) Data Attributes: Data attributes refer to metadata about the data being protected. In the context of databases or data platforms, classification of databases, tables, and columns with sensitivity metadata is necessary. Row-level metadata can provide additional information such as VIP status, sovereignty/location, and data sharing consent. Data catalogs (e.g., Alation, Collibra) or discovery solutions (e.g., BigID, Securiti.ai) can be utilized to establish these classifications.

To ensure optimal performance, an ABAC platform requires a dedicated centralized processor capable of pulling attributes on specified conditions and at set time intervals. This processor parses and normalizes attribute information from each source, transforming it into a usable structure. The attributes are then pushed down to the Policy Enforcement Points (PEPs), ideally located as close as possible to the applications and databases. Keeping user and data attributes in memory at the PEP is crucial for preventing performance degradation and achieving linear scalability.
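The following Python sketch is an added example (not code from the original post or from any vendor named in it) of the normalization step just described: two constructed exports with different field names, standing in for an IGA connector and an HR connector, are renamed onto one canonical attribute schema, merged with the HR source taking precedence, and held in an in-memory snapshot that is refreshed on a time interval so a PEP never calls back to the sources on the request path. The source names, field mappings and TTL are all assumptions chosen for the illustration.

```python
"""Attribute operationalization: pull identity attributes from two sources with
different schemas, normalize them into one flat record per user, and keep the
result in an in-memory snapshot that is refreshed on a fixed interval."""
from __future__ import annotations
import time
from dataclasses import dataclass, field

# Constructed sample exports. Field names differ per source on purpose; in a real
# deployment these records would come from the IGA / HR connectors.
IGA_EXPORT = [  # login-centric source, uses "dept" and "title"
    {"login": "ALICE", "dept": "Finance", "title": "Analyst", "country": "de"},
    {"login": "bob", "dept": "Support", "title": "Agent", "country": "US"},
]
HR_EXPORT = [  # employee-centric source, authoritative for department and title
    {"user_id": "alice", "department": "Treasury", "job_title": "Senior Analyst"},
]

# Mapping from each source's field names onto the canonical attribute names (assumed schema).
SOURCE_SCHEMAS = {
    "iga": {"key": "login", "fields": {"dept": "department", "title": "job_title", "country": "location"}},
    "hr": {"key": "user_id", "fields": {"department": "department", "job_title": "job_title"}},
}
# Later sources in this list win on conflict: HR is authoritative for department/title.
SOURCE_PRECEDENCE = ["iga", "hr"]
# Per-attribute value normalizers so policies can compare values exactly.
NORMALIZERS = {"location": str.upper, "department": str.strip, "job_title": str.strip}


def normalize_record(source: str, raw: dict) -> tuple[str, dict]:
    """Rename a raw record's fields to canonical names and apply per-attribute normalizers."""
    schema = SOURCE_SCHEMAS[source]
    user = raw[schema["key"]].lower()  # user identifiers are compared case-insensitively
    attrs = {}
    for src_field, canon in schema["fields"].items():
        if raw.get(src_field) is not None:
            attrs[canon] = NORMALIZERS.get(canon, lambda v: v)(raw[src_field])
    return user, attrs


def build_user_attributes(exports: dict[str, list[dict]]) -> dict[str, dict]:
    """Merge all sources into one attribute map, applying SOURCE_PRECEDENCE on conflicts."""
    merged: dict[str, dict] = {}
    for source in SOURCE_PRECEDENCE:
        for raw in exports.get(source, []):
            user, attrs = normalize_record(source, raw)
            merged.setdefault(user, {}).update(attrs)
    return merged


@dataclass
class AttributeSnapshot:
    """In-memory attribute store as pushed to a PEP; rebuilt when older than ttl_seconds."""
    exports: dict[str, list[dict]]
    ttl_seconds: float = 300.0
    _users: dict[str, dict] = field(default_factory=dict)
    _loaded_at: float = 0.0
    refresh_count: int = 0

    def refresh(self) -> None:
        self._users = build_user_attributes(self.exports)
        self._loaded_at = time.monotonic()
        self.refresh_count += 1

    def get(self, user: str) -> dict:
        """Attribute lookup on the request path: memory only, no source call-out."""
        if not self._users or time.monotonic() - self._loaded_at >= self.ttl_seconds:
            self.refresh()
        # Unknown users get an empty attribute set, which policies should treat as deny.
        return self._users.get(user.lower(), {})


if __name__ == "__main__":
    snap = AttributeSnapshot({"iga": IGA_EXPORT, "hr": HR_EXPORT})
    print(snap.get("Alice"))
```

The precedence list is the important design choice: when two sources disagree about a user's department, the policy outcome depends on which one the processor treats as authoritative, so that order should be explicit and reviewed rather than left to whichever connector ran last.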

2. Access Control Enforcement Functionality

To effectively enforce access control policies, organizations must employ diverse enforcement actions designed with data protection in mind. The following capabilities should be considered:

a) Column and Row De-identification: Techniques such as dynamic masking and row filtering can be applied to both SQL requests and result sets within applications and databases.

b) Encryption and Tokenization: Implementing Format Preserving Encryption (FPE), type-safe encryption, and tokenization techniques enhances privacy and security.

c) Coarse-grained Access Control: Controlling access to databases, schemas, or tables is essential for maintaining data security.

d) User Activity Monitoring: Monitoring and classifying user activity enables behavior analytics, allowing organizations to detect anomalies and refine ABAC policies. It also supports dynamic, risk-based decisions and alerting.
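To make the enforcement actions in a) through d) concrete, here is an added Python example (not code from the original post or from any product it mentions) of a PEP applying them to a query result set: a coarse-grained table check, a row filter driven by row-level sovereignty and consent metadata, dynamic masking and deterministic tokenization chosen per column classification, and an activity record emitted for every decision. The table and column classifications, the sample rows, the policy rules and the HMAC key are all constructed for the illustration; the tokenization shown is HMAC-based pseudonymization, not format-preserving encryption.

```python
"""Policy enforcement on a query result set: coarse-grained table check, row
filtering, dynamic column masking, deterministic tokenization, and an activity
record for each decision."""
from __future__ import annotations
import hashlib
import hmac

# Constructed data attributes, as a data catalog or discovery tool would supply them.
TABLE_ATTRIBUTES = {
    "customers": {"sensitivity": "restricted", "allowed_departments": {"Treasury", "Support"}},
    "payroll": {"sensitivity": "restricted", "allowed_departments": {"HR"}},
}
COLUMN_ATTRIBUTES = {
    "customers": {"name": "pii", "email": "pii", "card_number": "pci", "balance": "internal", "region": "public"},
}
# Constructed rows; row-level metadata (sovereignty region, sharing consent) travels with the row.
CUSTOMER_ROWS = [
    {"name": "Jane Roe", "email": "jane@example.com", "card_number": "4111111111111111", "balance": 120.5, "region": "DE", "consent": True},
    {"name": "Juan Perez", "email": "juan@example.com", "card_number": "5500000000000004", "balance": 80.0, "region": "US", "consent": True},
    {"name": "Li Wei", "email": "li@example.com", "card_number": "340000000000009", "balance": 15.0, "region": "DE", "consent": False},
]

TOKEN_KEY = b"constructed-demo-key"  # assumed: fetched from a key store in a real deployment


def tokenize(value: str) -> str:
    """Deterministic HMAC-based pseudonymization: equal inputs give equal tokens, so
    tokenized columns still join and group, but the original is not recoverable."""
    return "tok_" + hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_last4(value: str) -> str:
    """Dynamic masking that reveals only the last four characters."""
    return "*" * (len(value) - 4) + value[-4:]


def coarse_grained_allowed(user: dict, table: str) -> bool:
    """Table-level check: restricted tables are visible only to listed departments.
    An unknown table or an attribute-less user is denied (fail closed)."""
    meta = TABLE_ATTRIBUTES.get(table)
    if meta is None or not user:
        return False
    if meta["sensitivity"] != "restricted":
        return True
    return user.get("department") in meta["allowed_departments"]


def row_visible(user: dict, row: dict) -> bool:
    """Row filter: a row stays in its sovereignty region (user location must match),
    and rows without sharing consent are hidden from everyone except Treasury."""
    if row["region"] != user.get("location"):
        return False
    if not row["consent"] and user.get("department") != "Treasury":
        return False
    return True


def transform_cell(user: dict, classification: str, value):
    """Column action selected from the column's classification and the user's attributes."""
    if classification == "pci":
        return mask_last4(str(value))  # no role in this example sees full card numbers
    if classification == "pii" and user.get("department") != "Treasury":
        return tokenize(str(value))
    return value


def enforce(user: dict, table: str, rows: list[dict]) -> tuple[list[dict], dict]:
    """Apply the coarse-grained check, row filter and column actions; return the
    protected result set plus an activity record for monitoring and analytics."""
    audit = {"user": user.get("user_id", "unknown"), "table": table, "rows_in": len(rows),
             "decision": "deny", "rows_out": 0, "actions": set()}
    if not coarse_grained_allowed(user, table):
        return [], audit
    audit["decision"] = "allow"
    columns = COLUMN_ATTRIBUTES.get(table, {})
    out = []
    for row in rows:
        if not row_visible(user, row):
            audit["actions"].add("row_filter")
            continue
        protected = {}
        for col, value in row.items():
            cls = columns.get(col, "internal")  # unclassified columns default to internal
            new_value = transform_cell(user, cls, value)
            if new_value != value:
                audit["actions"].add(f"{cls}:{col}")
            protected[col] = new_value
        out.append(protected)
    audit["rows_out"] = len(out)
    return out, audit


if __name__ == "__main__":
    support_agent = {"user_id": "bob", "department": "Support", "location": "US"}
    result, event = enforce(support_agent, "customers", CUSTOMER_ROWS)
    print(result)
    print(event)
```

The activity record is what feeds the monitoring capability in d): counting `row_filter` and `pii:*` actions per user over time shows who is repeatedly querying data they are only allowed to see masked, which is the kind of anomaly that prompts a policy review or a risk-based alert.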

3. Implementation Effort and Cost

The successful implementation of ABAC/PBAC involves considering the effort and cost associated with various components, particularly the Policy Enforcement Points (PEPs) and integration with applications and data platforms. The choice of ABAC provider and deployment options plays a crucial role. Some factors to consider include:

a) Native Integration: Cloud analytics platforms like Snowflake may provide native ABAC policies, simplifying integration. However, this approach may not be applicable to all applications or common environments like SQL Server, Oracle, and NoSQL data stores.

b) Central Server Integration: Legacy ABAC providers often require coding API calls to their policy server. This approach may not be feasible for packaged applications (e.g., Power BI) or applications with complex architectures. It also introduces a potential bottleneck with a central Policy Decision Point (PDP) for each application.

c) No-Code Deployment Options: Considering at least four no-code deployment options can provide flexibility. These options include instrumenting data applications, enforcing policies on SQL and NoSQL environments (both on-premises and in the cloud), using gateways, and employing callouts.


Implementing Attribute Based Access Control (ABAC) and Policy Based Access Control (PBAC) is crucial for organizations seeking to protect their sensitive data while allowing authorized access. By carefully considering attribute collection and operationalization, access control enforcement functionality, and implementation effort and cost, organizations can lay the foundation for a successful ABAC/PBAC implementation. With these elements in place, organizations can enhance data security, streamline access control, and meet compliance requirements in today’s evolving digital landscape.
