Boost privacy protections with attribute-based access control
Download as PPTX, PDF0 likes35 views
This document discusses attribute-based access control (ABAC) as an evolution beyond role-based access control (RBAC). It defines ABAC and its components, such as the policy enforcement point (PEP) and policy decision point (PDP). The document recommends using attributes like subject, action, object, and context to define access control policies and rules. It suggests industries and applications that could benefit from ABAC. Finally, it outlines some of the pros and cons of implementing ABAC, such as added complexity but also more flexible security based on attributes rather than static roles.
Boost privacy protections with attribute-based access control
- 1. 1
- 2. Boost Privacy Protections with Attribute-Based Access Control Taking the Next Step Beyond Role-Based Access Controls
- 3. Raoul Miller Director, Content Strategy & Advisory TEAM IM raoul.miller@teamim.com @ECM_Raoul 3
- 4. TEAM IM • Content and unstructured data specialists since 1999 • Oracle, M-Files, Microsoft, Elasticsearch, HelloSign, Frevvo, ABBYY, Smartlogic partners • Operate in US, Canada, Australia and New Zealand • Advisory and Strategy practice is one part of what we do. 4 © Raoul Miller
- 5. 5 Agenda • Different types of access control • Which attributes to use? • Who should use ABAC? • How to implement ABAC • Some pros and cons (© Raoul Miller)
- 6. 6 A good programmer is someone who always looks both ways before crossing a one-way street.‘’ -- Doug Linder, Author, Lawyer, Professor
- 7. Access Control • “Selective Restriction of Access to a Place or Resource” • Authentication –Who are you? • Authorization – What can you do? • Many different models – most common: • ACL • RBAC • ABAC 7 (© Raoul Miller) (© Raoul Miller)
- 8. Role-Based Access Control • Most common method for most enterprise systems • Person -> Role -> Permissions • Usually integrated with directory and groups • More scalable than ACLs (may be combined) 8 (© Raoul Miller)
- 9. Attribute–Based Access Control • Evolved from RBAC • Policy-based rather than static • Next generation compared to RBAC • Boolean logic (IF,THEN) in rules 9 (© Raoul Miller)
- 10. Components of ABAC • PEP – Policy Enforcement Point • Equivalent toWeb Gate • PDP – Policy Decision Point • Where requests are processed • Returns a permit / deny • PIP – Policy Information Point • Bridges from PDP to external attribute sources 10 (© Raoul Miller)
- 11. Which Attributes to Use? • Subject attributes • Clearance, age, role • Action attributes • Read, delete, view • Object / resource attributes • Object type, department, location, classification • Contextual (environment) attributes • Time, location, IP address, device 11 (© Raoul Miller)
- 12. Who Should Use ABAC? • Defense / National Security • Medical • Financial • Legal • Anywhere that data security is key • CMS • ERP • Database 12(© Raoul Miller)
- 13. How to Implement ABAC • Buy a COTS product • Axiomatics, PlainID, NextLabs, Symphonic • Use XACML to integrate into solutions • Web frameworks, middleware code • Enable for certain applications • Windows Server 2012 • Hadoop, Oracle • Spring (expression-based access control) 13 (© Raoul Miller)
- 14. Some Pros and Cons of ABAC • Complexity • It’s a new thing and not standard • Defining rules • Adds data to audit trail • Privacy • Decision is allow/deny, data in PDP/PIP • Consistency 14(© Raoul Miller)
- 15. Key Takeaways 15 • You should consider ABAC for sensitive data or content • Understanding the process of defining and implementing ABAC • Pros and cons • There is overlap between RBAC and ABAC (© Raoul Miller)
- 16. Questions? Raoul Miller Director, Content Strategy and Advisory TEAM IM raoul.miller@teamim.com @ECM_Raoul (Twitter)