
In June 2024, UNC5537 (a threat actor group) used infostealer malware for a credential-based attack on 100 Snowflake customers. In all, about 165 businesses (and their customers) were potentially exposed. The common factor among these businesses? A lack of multi-factor authentication (MFA) and other types of access controls.
Below, we discuss what policy-based access controls are and how they could have helped prevent this devastating attack.
What Is Policy-Based Access Control (PBAC)?
Definition and explanation of PBAC
What is policy-based access control (PBAC)?
Policy-based access control (PBAC) is an authorization model that uses dynamic policies to manage access to resources. It's often confused with RBAC, which prompts many people to ask, “What’s the difference between PBAC and RBAC?”
PBAC’s cousin, role-based access control (RBAC), relies on static or predefined permissions. While RBAC focuses on the user, PBAC focuses on the resource.
RBAC asks, “What users do I have, and what can they do in my environment?”
Meanwhile, PBAC asks, "What resources do I have, and how may they be accessed?”
PBAC is more resilient than RBAC and an extension of ABAC (attribute-based access control). It uses a wide range of contextual factors like time, location, device, and user attributes to determine access rights.
This facilitates access control that’s more nuanced and adaptable to your business needs.
Key components and elements of PBAC
There are three key aspects of PBAC that make it relevant in the face of credential-based attacks like the Snowflake incident:
- Contextual, dynamic control. PBAC relies on contextual information to grant access. This means your users are verified based on who they are, what device they’re using, when they’re accessing a resource, and where they’re located during logins. The Snowflake breach was successful because there were no access controls in place to allow only logins from trusted locations.
- Scalability and flexibility. PBAC is flexible enough to be deployed across all business systems and to accommodate changes due to evolving threats. It’s highly modular (1), which means permissions can be added, removed, or replaced without affecting the entire system.
- Regulatory compliance. PBAC allows adjustments in line with industry regulations. For example, a clinic allows doctors and other healthcare professionals involved in a patient’s care to access PHI (protected health information). Thus, a “certified provider status” attribute can be added in compliance with the HIPAA Privacy Rule. This means your organization will be aligned with current laws and you’ll avoid costly non-compliance penalties.
Advantages and benefits of PBAC
PBAC allows precise control over access rights and dynamic adjustment of policies based on real-time data and the current threat landscape.
Just days after the worldwide CrowdStrike outage, threat actors deployed infostealer malware to perpetrate credential-based attacks on businesses already reeling from the incident.
PBAC would have helped tighten access rights to protect these vulnerable businesses.
In addition, PBAC is highly extensible, which means it has high levels of interoperability and customizability. It can be modified as needed, which means it can accommodate new policies, rules, and attributes to meet evolving security needs.
It can also be integrated with other identity and access management platforms to provide an extra layer of security against credential-based attacks.
How Does Policy-Based Access Control (PBAC) Work?
Overview of PBAC workflow and decision process
PBAC operates by evaluating access requests against policies at the time of access. When a user tries to access a resource, the PBAC system considers contextual factors, and grants or denies access based on those factors.
The PBAC workflow typically involves:
- Access request submission. This is where users request access to protected resources.
- Policy evaluation. The request is intercepted by the PEP (Policy Enforcement Point), which acts as a gatekeeper. Next, the PEP forwards the request to the PDP (Policy Decision Point) for evaluation. The PDP references the PBAC policies on file. The PDP may also query the PIP (Policy Information Point) if it needs additional attribute information.
- Access decision. Finally, the PDP decides to permit or deny access. It sends its decision back to the PEP.
- Enforcement of the decision. The PEP enforces the PDP’s decision.
- Visibility and analytics. All access attempts and decisions are logged to detect policy violations or anomalies.
This workflow supports a Zero Trust architecture that can protect your business from devastating credential-based attacks.
Role of policies and rules in PBAC
PBAC rules and policies incorporate multiple attributes and conditions to grant or deny access to resources.
Policies are based on:
- Subjects: users requesting access
- Actions: the actions that can be performed on resources
- Objects: the resources being accessed
- Context: the conditions under which access is granted
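To make the PEP/PDP/PIP workflow and the four policy elements concrete, here is a small Python decision point written as an added example for this article (not code from any PBAC product). The policy format, the users, and the network names are constructed; the one policy shown permits warehouse queries only from a trusted network with MFA, the kind of context condition that was missing in the Snowflake incident.

```python
from collections import namedtuple

# PIP: constructed attribute store the PDP queries for subject attributes.
PIP_USER_ATTRS = {
    "alice": {"role": "analyst", "mfa_enrolled": True},
    "bob": {"role": "analyst", "mfa_enrolled": False},
}

# Constructed policies (subject, action, object, context). Values that are
# sets mean "any of these"; scalars must match exactly. Default is deny.
POLICIES = [
    {"id": "analyst-read-warehouse", "effect": "permit",
     "subject": {"role": "analyst", "mfa_enrolled": True},
     "actions": {"read", "query"},
     "object": {"type": "warehouse"},
     "context": {"network": {"office", "corp-vpn"}, "mfa_used": True}},
]

Decision = namedtuple("Decision", "effect policy_id reason")

def matches(required: dict, actual: dict) -> bool:
    """Every required attribute must be present and match (set = any of)."""
    return all(actual.get(k) in v if isinstance(v, set) else actual.get(k) == v
               for k, v in required.items())

def decide(request: dict, policies=POLICIES, pip=PIP_USER_ATTRS) -> Decision:
    """PDP: enrich the subject from the PIP, then evaluate each policy."""
    subject = {"user": request["user"], **pip.get(request["user"], {})}
    reason = "no applicable policy (default deny)"
    for p in policies:
        if (request["action"] not in p["actions"]
                or not matches(p["object"], request["object"])
                or not matches(p["subject"], subject)):
            continue
        if not matches(p["context"], request["context"]):
            # Valid credentials but untrusted network or no MFA: the Snowflake pattern.
            reason = f"{p['id']}: context condition not met"
            continue
        return Decision(p["effect"], p["id"], "all conditions satisfied")
    return Decision("deny", None, reason)

AUDIT_LOG: list = []  # visibility & analytics: every decision is recorded

def enforce(request: dict) -> bool:
    """PEP: intercept the request, obtain the PDP decision, log and enforce it."""
    d = decide(request)
    AUDIT_LOG.append({"user": request["user"], "action": request["action"],
                      "network": request["context"].get("network"),
                      "effect": d.effect, "reason": d.reason})
    return d.effect == "permit"
```

The audit entries with a "context condition not met" reason are the ones a detection team would alert on: a correct password presented from an untrusted network without MFA.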
The role of policies and rules in PBAC is to allow for more granular control to reduce the risk of over-privileging users. For example, contextual evaluation ensures that access is only granted under certain conditions, such as time of day or completion of specific training or certifications.
PBAC rules also enable real-time evaluations, which prevents threat actors from using outdated permissions to carry out attacks.
Finally, PBAC supports the automation of access provisioning and deprovisioning. As compliance regulations change or employees leave their roles, access can be revoked automatically. This reduces administrative burdens and ensures a stronger security posture.
Policy enforcement and evaluation in PBAC
PBAC applies the relevant attributes and appropriate policies to make access decisions.
It supports dynamic attribute assessment, which means that changes in a user’s status, job code, or other attributes are immediately reflected in access decisions.
PBAC policies are also modular, allowing for independent evaluation of different access rules. This means changes in one policy won’t affect another.
Finally, PBAC systems evaluate permissions symmetrically. The same set of rules and policies is used to grant or deny access. Symmetric evaluation is consistent, ensuring that permissions are always aligned with current policies.
Why Is Policy-Based Access Control Important?
Enhancing security and risk management with PBAC
A key component of PBAC is its enforcement of Zero Trust through the principle of least privilege.
This ensures that users are granted only the minimum access necessary to perform their role functions, limiting potential damage from credential-based threats. According to the Cisco Talos Incident Response team, attackers primarily used compromised credentials to access valid accounts in Q1 2024.
By enforcing least privilege access, PBAC reduces the risk of such attacks.
Supporting compliance and regulatory requirements
Many industries must comply with strict regulations such as HIPAA, GDPR, and PCI-DSS. PBAC allows administrators to create policies that directly align with these regulatory requirements.
Primarily, PBAC’s auditing capabilities streamline your organization’s ability to demonstrate accountability and compliance in its data handling practices.
Scalability and flexibility of PBAC for growing organizations
PBAC promotes rapid updates and modifications without the need for complete system overhauls. This flexibility is valuable for businesses that want to expand into new markets or transition to a remote workforce.
For example, expansion into new territories or geographical regions is often accompanied by new regulations. PBAC ensures that access is granted according to local regulations and business requirements. It also supports the retention of key talent by ensuring that employees can access resources in diverse locations.
In the case of remote work, PBAC can dynamically adjust access rights based on changes in the user’s location, behavior, or device security posture.
PBAC Use Cases and Examples
Real-world scenarios showcasing PBAC in action
By now, you may be wondering, “What’s an example of PBAC?” or “What’s the purpose of PBAC?”
To understand PBAC in action, let’s consider two real-world scenarios.
Healthcare
Securing patient data is more critical than ever. Currently, 32.4 million patients in the United States have already been impacted by 275 data breaches, with the largest attacks suffered by the Kaiser Foundation Health Plan, Concentra Health Services, and INTEGRIS Health.
In a hospital, each department requires access to different types of patient data. Considering this, how can unauthorized users be prevented from breaking HIPAA laws?
This is where PBAC comes in. It ensures that only doctors and other healthcare professionals can access a patient’s full medical records. This includes diagnoses, treatment plans, lab results, and medication charts.
Thus, any access attempts that violate HIPAA or GDPR regulations will trigger alerts for investigation. This is likely how a member of staff at a London clinic was discovered accessing Princess Kate’s medical records after her abdominal surgery.
Government
A government agency like the Pentagon handles sensitive data related to national security.
PBAC ensures that only personnel with the appropriate clearance levels can access classified documents. Access to these documents can also be made conditional on the user’s location, need-to-know privileges, and possession of approved non-disclosure agreements.
Industry-specific use cases for PBAC
So, how does policy-based access control (PBAC) enhance data security?
Let's go back to our hospital. It wants to conduct a clinical trial to assess the potential benefits of semaglutide in the treatment of heart disease, Type II diabetes, and kidney disease.
PBAC policies can restrict access to clinical trial data based on a user’s role, the phase of the trial, and data sensitivity. Thus, only clinical trial sponsors (usually pharmaceutical companies or universities), researchers, the FDA, and participating healthcare providers can access proprietary drug data and patient information.
Patients or trial participants also have the right to their own clinical trial data. Ultimately, PBAC ensures compliance with HIPAA and GDPR rules on data privacy.
Next, a government agency like CISA (Cybersecurity and Infrastructure Security Agency) investigates Russian threat actors targeting critical infrastructure sectors in North America and Europe.
PBAC policies ensure that classified information can only be accessed according to clearance level, project involvement, and current assignment.
Success stories and case studies of PBAC implementation
In 2024, IBM is on track to leverage automation and generative AI to facilitate continuous compliance and stronger security postures for organizations.
It accomplishes this through dynamic PBAC policies that adapt to changes in user behavior and data sensitivity in multi-cloud environments.
Meanwhile, Microsoft’s new Azure Policy improvements make policy definitions more agile and adaptable. For example, users can now specify which policy definitions they’d like to be assessed against at the time of assignment.
Implementing Policy-Based Access Control (PBAC)
Best practices for PBAC implementation
So, how do you implement policy-based access control in an enterprise environment?
To implement PBAC successfully, consider these best practices:
- Use a centralized policy management system to streamline policy creation, deployment, and maintenance.
- Ensure PBAC policies are well-documented and understood by employees, vendors, and customers.
- Define clear attributes and how they factor into access decisions.
- Use LLMs (Large Language Models) to interpret natural language descriptions of access requirements and translate them into formal policies.
- Use LLMs to continually analyze access patterns to suggest policy updates. LLMs can also make more context-aware access decisions and be trained on regulatory standards to ensure PBAC policies remain compliant.
- Conduct regular reviews and incorporate user feedback to adapt to changing regulations, threat environment, and business goals.
- Cultivate a culture of security with comprehensive training on PBAC policies.
Considerations for integrating PBAC into existing systems
One of the first considerations would be a thorough assessment of your existing IT infrastructure to identify potential integration points.
PBAC integration with existing systems and other identity and access management (IAM) tools is critical to enterprise security.
However, merging all the above is daunting, and the prospect of digital sprawl must be considered. To that end, deploying a scalable LLM security solution that adds no “weight” to the infrastructure and combines all access controls may be a viable solution.
Common challenges and solutions in PBAC implementation
Although PBAC comes with many advantages, its implementation may be fraught with complexities. Below, we list four roadblocks and their solutions:
- Resistance to change. Many employees balk at new policies due to a sense of overwhelm or fear of the unknown. Solution. Provide adequate training and open forums to address concerns and instill confidence in PBAC adoption.
- Policy conflicts. Do your new PBAC policies contradict your current rules? Conflicting policies can lead to unintended permission denials. Solution. Implement regular audits for policy analysis and conflict detection.
- Administrative burdens. Successful large-scale implementations require extensive care and time. Solution. Automate provisioning and deprovisioning to simplify user lifecycle management (1).
- Complexity in auditing policy implementations. Implementing granular, comprehensive policies correctly can be a time-consuming process. Solution. Use Large Language Models (LLMs) to automate policy implementation and to check if the implemented access controls match the intended policy written in natural language.
As identity-based attacks proliferate, RBAC and ABAC are no longer enough. Here’s why: Although ABAC can factor in attributes for access control, its rules can’t be written in normal prose.
Instead, they must be written in eXtensible Access Control Markup Language (XACML), which makes it inaccessible to anyone without IT expertise. With PBAC, you can deploy changes yourself, as security threats arise.
PBAC policies can also dictate which users have access to password manager vaults, which provides an extra layer of security when it comes to sensitive login credentials.
So, don’t let your business become a victim: adopt PBAC and sign up for a free, no-obligation LastPass Business password vault today.