Attribute-Based Access Control (ABAC)

LastPass, September 05, 2024

Insider threats are rising – and your business is at risk. According to the Securonix 2024 Insider Threat report, 76% of organizations detected insider threat activity over the past five years, but only 30% believed they had the right tools to handle them. The situation is dire, but there’s a dependable solution. It’s called attribute-based access control (ABAC). 

With the dynamic nature of insider threats, traditional DLP (data loss prevention) is no longer sufficient. DLP tools often rely on static, predefined rules that don’t account for the complex nature of insider threats. 

With ABAC, you can cultivate an identity-centric security posture that secures both your peace of mind and business. Below, we explain how to do this. 

Understanding Attribute-Based Access Control 

Definition and explanation of ABAC 

First, what does ABAC do, and what is its purpose? 

In a nutshell, attribute-based access control (ABAC) is an authorization system where access decisions are made by evaluating attributes like job roles, actions, and environmental conditions. 

Currently, the global access control market is experiencing record growth, with a projected rise from USD 11.17 billion to USD 20.02 billion by 2027. 

The key drivers for this growth are the rise in new security threats, the need for regulatory compliance, and the shift towards cloud-based operations. 

Key components of ABAC 

The main components of ABAC include: 

1. Attributes 

  • User attributes: job roles, employment status (full-time, part-time, contractor), security clearance levels, departments, certifications, qualifications, years of experience 
  • Environmental attributes: location, time of access attempt, threat level, time zone, IP address, device type, temperature, authentication method 
  • Resource attributes: data category, compliance requirements, data sensitivity, classification level, creation date 
  • Action attributes: time of action, frequency of action, volume of data transferred, operation type (read, write, delete, edit), encryption type for the action 

2. Policies: These define what actions are allowed, what privileges users have, how resources are to be protected, and under which environmental conditions. 

  • Policy Decision Point (PDP): The PDP computes access decisions by referencing the appropriate digital and meta policies. 
  • Policy Enforcement Point (PEP): The PEP enforces policy decisions in response to a user (subject) requesting access to a protected object (resource). 

How ABAC uses attributes to enforce access control 

First, what does an ABAC example look like? 

In ABAC, an access control mechanism evaluates policies against attributes to make an access decision.  

The access control mechanism uses a context handler or workflow coordinator to compile the group of attributes necessary to make a decision. It then employs a PDP to render a decision and a PEP to enforce the decision. 

For example, a policy may state that only users in the Sales Department (user attribute) can access documents like sales reports, training modules, playbooks, and client contracts (resource attributes) during the hours of 7am to 6pm from Mondays to Fridays (environmental attributes).  

So, if a user (subject) belongs to the Sales Department and satisfies all other attributes of the policy, the access control mechanism will grant the access requested.  
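The flow just described (context handler gathers attributes, PDP decides, PEP enforces), worked through for the Sales Department policy. This is an added example, not LastPass code; the directory entries, resource catalog and timestamps are constructed sample data, and the policy denies by default when no rule matches.

```python
from datetime import datetime

# Constructed attribute sources the context handler draws on
USER_DIRECTORY = {
    "alice": {"department": "Sales", "employment": "full-time"},
    "bob": {"department": "Engineering", "employment": "contractor"},
}
RESOURCE_CATALOG = {
    "q3-sales-report.xlsx": {"category": "sales report", "sensitivity": "internal"},
    "kernel-design.md": {"category": "engineering doc", "sensitivity": "internal"},
}
SALES_DOCS = {"sales report", "training module", "playbook", "client contract"}

# Constructed timestamps for the demo (2024-09-03 is a Tuesday, 2024-09-07 a Saturday)
TUESDAY_10AM = datetime(2024, 9, 3, 10)
TUESDAY_6PM = datetime(2024, 9, 3, 18)
SATURDAY_10AM = datetime(2024, 9, 7, 10)

def context_handler(user, resource, action, now):
    """Gather the user, resource, action and environmental attributes for one request."""
    return {
        "user": USER_DIRECTORY.get(user, {}),          # unknown user -> no attributes
        "resource": RESOURCE_CATALOG.get(resource, {}),
        "action": {"operation": action},
        "env": {"weekday": now.weekday(), "hour": now.hour},
    }

def sales_docs_policy(ctx):
    """Sales staff may read sales documents 07:00-18:00, Monday to Friday."""
    return (
        ctx["user"].get("department") == "Sales"
        and ctx["resource"].get("category") in SALES_DOCS
        and ctx["action"]["operation"] == "read"
        and ctx["env"]["weekday"] < 5          # Monday=0 .. Friday=4
        and 7 <= ctx["env"]["hour"] < 18
    )

POLICIES = [sales_docs_policy]

def pdp(ctx):
    """Policy Decision Point: Permit if any policy matches, otherwise Deny (default deny)."""
    return "Permit" if any(policy(ctx) for policy in POLICIES) else "Deny"

def pep(user, resource, action, now=None):
    """Policy Enforcement Point: build the context, ask the PDP, enforce its answer."""
    ctx = context_handler(user, resource, action, now or datetime.now())
    return pdp(ctx) == "Permit"

if __name__ == "__main__":
    print(pep("alice", "q3-sales-report.xlsx", "read", TUESDAY_10AM))   # True
    print(pep("alice", "q3-sales-report.xlsx", "read", SATURDAY_10AM))  # False
```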

Advantages of ABAC 

Enhanced flexibility in access control 

We’re often asked, “What are the benefits of ABAC?” 

In our experience, its main benefits are flexibility, granular control, and support for dynamic environments. 

First, ABAC can incorporate a wide range of attributes and contexts. This flexibility is particularly useful in environments where access needs frequently change. 

Ultimately, ABAC provides context-aware identity and access management. Take, for example, a typical day in a hospital: 

Dr. Adams, a cardiologist (user attribute) wants to review and update (action attribute) cardiac-related inpatient records (resource attribute) during the hours of 8am to 8pm on hospital premises, using hospital-approved devices (environmental attributes). 

With ABAC, access rights automatically adjust in line with shift and patient changes. So, staff cardiologists can access the records needed during their work hours.  

But that’s not all. 

During emergency situations, the AC-ABAC (Acute Care-ABAC) model grants our cardiologist and his peers access to patient EMR records, even if they’re located outside the hospital’s treating boundaries. This enhances operating room decision-making in life and death situations. 

Granular control over user permissions 

Second, ABAC allows permissions to be defined with a high degree of specificity. This granular control ensures that the right users can access the right resources at the right time. 

For example, our cardiologist can only access cardiac-related patient records during his working hours. ABAC prevents unauthorized access to unrelated medical data. In addition, Dr. Adams can only access the records of patients assigned to him. This prevents him from modifying the records of other patients.  

Support for dynamic and evolving environments 

Finally, ABAC’s ability to incorporate diverse attributes helps you meet evolving business and security needs, without requiring extensive system modifications. 

For example, our cardiologist may be called for consultation purposes during a 3am emergency. That’s outside his normal shift, and Dr. Adams is at home. ABAC will temporarily grant our cardiologist access rights to the patient’s records from an approved home device.  

Likewise, if an unforeseen complication arises with another doctor’s patient, AC-ABAC can grant Dr. Adams temporary access based on the urgency attribute, his credentials, and the specific emergency. 

Choosing the Right Access Control Model 

Comparison of ABAC with other access control models 

ABAC versus PBAC (policy-based access control): PBAC combines both RBAC and ABAC concepts. Like ABAC, it can handle dynamic, ever-evolving scenarios.  

However, unlike ABAC (whose policies are written in XACML), PBAC is written in plain language and managed through a user-friendly interface. As a result, PBAC facilitates policy adjustments and can be managed without relying on trained IT staff to modify XACML. 

PBAC can also enforce dynamic Segregation of Duty rules, which isn’t entirely feasible in ABAC.  

With PBAC, Dr. Adams can access patient records relating to his expertise during office hours. However, he can’t access billing or patient admission records. This prevents our cardiologist from making care decisions based on administrative data, which is a conflict of interest.  

ABAC versus RBAC (role-based access control): A popular question we get asked is, “How is ABAC different from RBAC?” 

Ultimately, people want to know when to use RBAC or ABAC. 

Here’s our answer: While ABAC can accommodate dynamic, ever-evolving situations, traditional RBAC is more static in nature. If you have relatively static roles to map to resources, RBAC is your best bet. 

However, in complex environments like healthcare, RBAC may lead to the explosion of newly created roles to accommodate every possible scenario. ABAC avoids this complication by using attributes (instead of roles) to grant access to requested resources. 

ABAC’s flexibility allows our cardiologist access to the pertinent patient records, whether he’s on-call, attending an emergency, or collaborating with healthcare providers in other departments. 

ABAC versus DAC (discretionary access control) versus MAC (mandatory access control): Security clearances are a key part of MAC, where users are assigned clearance levels and resources are given classification levels (confidential, secret, and top secret). 

Meanwhile, DAC allows the owner of a resource to set permissions for accessing that resource. ABAC may be more relevant for a hospital setting, however, as it allows for granular, dynamic access control. Here’s how: ABAC uses Boolean logic to evaluate access requests containing multiple attributes.  

Roughly, ABAC policies use IF-THEN statements to grant access to resources: 

IF the user is a cardiologist using a hospital-approved device AND making a request between 8am and 8pm, THEN allow access to cardiology patient records. 

Ultimately, MAC may be too restrictive for a hospital setting, while DAC may not provide the granular control needed to keep PII (personally identifiable information) safe. ABAC, by contrast, is an optimal choice because it can make context-aware access decisions. 

Considerations for selecting the appropriate model 

According to NIST Special Publication 800-162, there are several key considerations for selecting the right access control model: 

  • Granular control and interoperability: NIST emphasizes the need for fine-grained flexibility and security while promoting collaboration between diverse platforms. ABAC is well-suited for enterprises with complex structures, such as hospitals and financial institutions with evolving compliance requirements and dynamic environments. 
  • Scalability: As hospitals (or financial institutions) scale or merge with other organizations, access policies must accommodate more complex environments. According to NIST, ABAC is more robust, resilient, and scalable than RBAC for such environments.  
  • Compliance with regulations: Healthcare, finance, and defense are highly regulated industries. ABAC’s before-the-fact audit capabilities allow organizations in these industries to demonstrate compliance to industry rules and regulations. 
  • Separation of duties: ABAC enforces separation of duties, which guards against fraud and/or injury. In a bank setting, opening a safe deposit box may require two authorized employees if the customer is not present. This is done only under special circumstances, such as in response to a court order, bank closure, account delinquency, or search warrant. Meanwhile, in a hospital setting, a nurse can request medication, but a doctor must approve that request. 
  • Cost: According to NIST 800-162, the cost of transitioning away from old access control models could be prohibitive, especially if your organization has complex operational requirements and attributes from many logically and physically dispersed attribute sources. In such an instance, it may be more practical to implement PBAC rather than ABAC. 
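The safe-deposit separation-of-duties rule from the list above, expressed as an ABAC decision over the request's attributes: the customer's presence and the recorded circumstance are environmental attributes, and dual control requires a second, distinct, authorized employee. This is an added example, not LastPass or NIST code; the role names and the request shape are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Roles allowed to open a box, and the circumstances under which a box may be
# opened without the customer present (constructed values for the example)
AUTHORIZED_ROLES = {"branch manager", "vault custodian"}
SPECIAL_CIRCUMSTANCES = {"court order", "bank closure", "account delinquency", "search warrant"}

@dataclass
class OpenBoxRequest:
    requester: str                          # user attributes
    requester_role: str
    customer_present: bool                  # environmental attributes
    circumstance: Optional[str] = None
    co_approver: Optional[str] = None       # second employee, if one signed off
    co_approver_role: Optional[str] = None

def decide_open_safe_deposit_box(req: OpenBoxRequest) -> Tuple[str, str]:
    """Return (decision, reason) so the PEP can log why a request was refused."""
    if req.requester_role not in AUTHORIZED_ROLES:
        return "Deny", "requester is not authorized to open boxes"
    if req.customer_present:
        return "Permit", "customer present"
    # Customer absent: only under a listed special circumstance ...
    if req.circumstance not in SPECIAL_CIRCUMSTANCES:
        return "Deny", "no qualifying special circumstance recorded"
    # ... and only with a second, distinct, authorized employee (dual control)
    if req.co_approver_role not in AUTHORIZED_ROLES:
        return "Deny", "a second authorized employee must approve"
    if req.co_approver == req.requester:
        return "Deny", "co-approver must be a different person than the requester"
    return "Permit", f"dual control under {req.circumstance}"

if __name__ == "__main__":
    req = OpenBoxRequest("ann", "branch manager", False, "court order", "raj", "vault custodian")
    print(decide_open_safe_deposit_box(req))  # ('Permit', 'dual control under court order')
```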

Aligning access control with organizational security goals 

NIST 800-162 suggests that organizations should define access control policies that reflect their security needs before implementing them with ABAC.  

The publication also highlights the benefits of centralized policy management in ABAC and how it helps organizations maintain consistent security policies across their entire business infrastructure.  

It notes that ABAC can align with evolving security needs better than other access control models like RBAC and DAC. 

Finally, NIST advocates for a multi-layered approach to security, combining ABAC authorization with other controls like user authentication, intrusion detection & response, and security configuration management. The latter is especially important as data breaches related to misconfigurations cost an average $4.14 million to remediate. 

How to Leverage ABAC for Organizational Security 

Benefits of ABAC in enhancing security posture 

ABAC enhances security by enabling precise, context-aware access control decisions. 

Take, for example, a financial institution that offers home, auto, and personal loans. It wants to ensure that loan decisions are made discreetly and appropriately. 

So, it might have an ABAC policy like this: Only loan officers with 10+ years of experience can approve jumbo mortgage loans and only during business hours from bank-approved devices. 

Mitigating insider threats with attribute-based policies 

By using detailed policies based on multiple attributes, ABAC helps mitigate insider threats. 

For example, the defense industry and its industrial base of 220,000 companies is a repository for highly sensitive state secrets. Thus, it’s an attractive target for malicious actors – both inside and outside the base.  

An ABAC framework that prioritizes Zero Trust allows the Department of Defense (DOD) to implement adaptive access policies based on critical attributes like clearance level and device security status. 

Enforcing least privilege and segregation of duties 

It's no secret that cloud adoption is fueling record innovation and growth. In 2024, worldwide spending on cloud computing architecture will top $1 trillion (about $3,100 per person in the US) for the first time. 

And according to Gartner, cloud computing will be the key driver of business innovation by 2027. 

However, great innovation comes with great risks. This is where ABAC comes in. 

But how do you implement ABAC in a cloud environment? 

The best way to do this is by implementing the NIST Zero Trust framework and the DOD’s 45 Zero Trust capabilities as described below. 

ABAC is particularly useful for enforcing Zero Trust principles like least privilege and segregation of duties, which are critical for a strong security posture. 

In particular, it supports risk-based access control, relying on timely, relevant, authoritative, and reliable attributes to make access decisions. This aligns with the Zero Trust focus on minimizing risk. 

Federal agencies and large enterprises are already using Zero Trust: in 2021, the White House issued an Executive Order to require all federal agencies to move towards Zero Trust infrastructure for all cloud-based services.  

This Zero Trust framework rests on seven tenets specified in NIST Special Publication 800-207. In addition, the DOD has identified 45 capabilities across these seven tenets to help implement Zero Trust across its entire IT infrastructure. The DOD plans to achieve Target Level Zero Trust by 2027 and Advanced Level Zero Trust by 2032. 

The capabilities include XDR (Extended Detection & Response), mobile device management (MDM), software-defined networking that enables dynamic provisioning and de-provisioning of network connections, identity federation, MFA (multi-factor authentication), and continuous monitoring. 

Continuous monitoring in particular helps identify unusual access patterns that may indicate insider threats. 

Challenges in Implementing ABAC 

Complexity of defining attribute-based policies 

Creating and managing attribute-based policies can be a complex process. It requires a thorough understanding of the basic principles of logical access control, your inventory of resources & their protection requirements, and the relationship between attributes.  

Without a proper understanding of the above, it will be difficult to create the proper ABAC policies for your organization, and the PDP may render a decision based on faulty logic. 

Integration with existing access control systems 

Integrating ABAC with your current access control systems can be another complex process.  

NIST suggests that a gradual implementation may be judicious. In addition, some ABAC solutions, like NC Protect, let you add ABAC capabilities to Microsoft 365, including its GCC High apps for secure government and defense-related collaboration. 

This ensures that only the right people can access the right information at the right time, in line with Zero Trust principles. 

Ensuring attribute accuracy and integrity 

The success of any ABAC implementation will depend on the accuracy and reliability of the attributes used to make access decisions.  

If you’ve never implemented ABAC before, your organization may currently rely on Natural Language Policies (NLPs) to make access control decisions.  

To implement ABAC, these NLPs must be translated into machine-enforceable ABAC policies. Remember that ABAC uses XACML, an XML-based language, so this won’t be a straightforward process.  

It will involve identifying all attribute combinations and their allowable operations and then converting them into a machine-enforceable format. 

Implementing ABAC With LastPass 

How LastPass supports ABAC implementation 

Enforcing identity-centric security allows you to protect data based on the identity of those accessing it. 

If you’ve implemented ABAC for this purpose, LastPass supports you by serving as an additional layer of security.  

With our seamless federated login, you and your employees can securely authenticate using existing credentials from an IdP (Identity Provider).  

This initial authentication establishes user identities and provides a set of attributes that can be shared with your ABAC system. 

As users interact with resources, your ABAC system will continually evaluate their attributes in real-time.  

If suspicious activity is detected, e.g. a user attempting an unauthorized high-risk action, your ABAC system will immediately revoke access and require re-authentication through our secure federated login platform. 

Integration steps and best practices 

To enjoy this level of increased security, you’ll want to configure LastPass to use federated login with your existing IdP.  

LastPass integrates with all major IdPs including Microsoft Active Directory, Azure AD, Okta, OneLogin, Google Workspace, and Ping Federate.  

You’ll want to map your existing attributes from your IdP to LastPass. Next, set up LastPass to insert these attributes into SAML assertions during the authentication process. 

Finally, configure your ABAC system to use these attributes from LastPass to monitor access when someone logs in.  

In short, you’re setting up LastPass to share attributes with your ABAC system. This helps the ABAC system make more informed decisions about who should have continued access to your resources. It’s like giving your bodyguard a live, up-to-the-minute list of who’s allowed to approach and interact with you. 
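The receiving side of the attribute hand-off described in the steps above: reading the user attributes out of a SAML assertion's AttributeStatement and mapping them to the attribute names the ABAC policies use. This is an added example, not LastPass or IdP code; the assertion, the attribute names and the name mapping are constructed assumptions, and the function fails closed when a required attribute is absent.

```python
import xml.etree.ElementTree as ET
from typing import Any, Dict

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion. A real one is signed: verify the signature, audience
# and validity window before trusting any attribute it carries.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="department"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="employmentStatus"><saml:AttributeValue>full-time</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>sales-reports</saml:AttributeValue>
      <saml:AttributeValue>playbooks</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed mapping from IdP attribute names to the names the ABAC policies use
ATTRIBUTE_MAP = {"department": "department", "employmentStatus": "employment", "groups": "groups"}
MULTI_VALUED = {"groups"}
REQUIRED = {"department", "employment"}   # policies cannot be evaluated without these

def extract_user_attributes(assertion_xml: str) -> Dict[str, Any]:
    """Map a (verified) assertion's AttributeStatement to ABAC user attributes.

    Fails closed: a missing required attribute raises instead of returning a
    partial attribute set that a policy might accidentally permit.
    """
    root = ET.fromstring(assertion_xml)   # parse XML from untrusted parties with defusedxml
    attrs: Dict[str, Any] = {"subject": root.findtext("saml:Subject/saml:NameID", namespaces=SAML)}
    for attribute in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML):
        idp_name = attribute.get("Name")
        if idp_name not in ATTRIBUTE_MAP:
            continue   # attributes no policy references are dropped, not stored
        values = [v.text or "" for v in attribute.findall("saml:AttributeValue", SAML)]
        if not values:
            continue   # an empty Attribute element carries nothing usable
        key = ATTRIBUTE_MAP[idp_name]
        attrs[key] = values if key in MULTI_VALUED else values[0]
    missing = REQUIRED - set(attrs)
    if missing:
        raise ValueError(f"assertion lacks required attributes: {sorted(missing)}")
    return attrs

if __name__ == "__main__":
    print(extract_user_attributes(SAMPLE_ASSERTION))
```

The returned dictionary is what the ABAC system's context handler would use as the user attributes for the session.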

Utilizing LastPass for secure cloud platform access 

As mentioned above, LastPass ensures that access to your cloud resources is managed according to your defined attributes.  

But here are two more powerful benefits:  

First, LastPass provides easy and safe access to your cloud resources with SSO (single sign-on), which means you only need one set of credentials to access resources across multiple platforms. And if you set up passwordless authentication with us, you won’t even need to remember any passwords.  

Second, LastPass offers FIDO2 phishing-resistant MFA, as recommended by CISA. So, don’t wait: enjoy secure cloud platform access by signing up for a free, no-obligation LastPass Business account today.