In a previous blog post we discussed how the Axiomatics Data Access Filter for Multiple Databases lets you define and enforce fine-grained, policy-based access control on data at the time it's inserted into the database. This ability is fundamental if you want to provide any guarantees on data quality. Obviously, guaranteeing data quality is a complex task that involves taking care of the many ways in which data can come to reside in the database. For instance, it’s not enough to control who inserts data into the database; you must also control who can modify it, and how.
Database access control is not only about controlling who can read the data, but also about making sure that the right people get to generate it. You may say that they are two sides of the same coin. It’s not only important to restrict how data is extracted from the database. You need to make sure that the data stored in the database comes from the right sources.
In 1668, when Thomas Hobbes wrote ‘knowledge is power’* for the first time ever, it is unlikely he was thinking of knowledge in terms of information. Nonetheless the aphorism has kept its weight in the Information Age. For us, knowledge means acquired information, and its power emanates from our ability to share or withhold information.
Information is carried by data, thus protecting who has access to data is crucial to businesses and organizations alike. At the same time, project-specific requirements, corporate rules, national laws and regulations, all contribute to a constantly changing universe of policies which demand increasingly finer controls over how data is manipulated.
While you can always implement access control policies for data stored in (relational) databases using stored procedures and views, it is a fine art to get the approach to work, scale up and comply with the ever-varying high-level requirements dictated by management, while maintaining policy visibility and keeping change costs on a leash.
“How can I protect the data stored in my database without having to disconnect it completely from the world?”
If this sounds familiar, then you probably own or are responsible for a piece of sensitive information. You cherish it and understand that it’s to your advantage to keep it safe. At the same time, you would like to share the information with people you trust (even from outside the organization) so that they may put it to good and profitable use.
That the information happens to be stored in a relational database is something you find very convenient: it is easy to connect to the database and query the information using SQL; anyone that has access can analyze it, write reports on it and even build applications with it.
But this is far from easy. Laws and regulations of various sorts put limits on how to share information. Business requirements change rapidly, so whoever was allowed to access the data yesterday may not be allowed to access it today. Concurrent regulations and/or business needs get combined into increasingly complex and dynamic policies. Also, the granularity of access has changed, from the database to the table to the row and finally to the cell level. To complicate matters even further, there is an ongoing explosion of data volumes. Changing the way we develop applications from now on can help, but we still need to take care of legacy applications, where retrofitting access policies may turn out to be close to impossible.
In the previous blog post we reviewed the concept of access review and discussed how well access control models deal with it. Also, at the end of that first part, we took note of the commonly-held concern that Attribute-Based Access Control (ABAC) complicates access reviews to the point that they become virtually impossible to do. If true, this is perhaps one of the most serious obstacles that could prevent wide adoption of the ABAC model.
Here we examine this issue further with the intention of showing that the concern above is founded on a way of thinking that need not apply to ABAC, and that by coming out of that frame of thought we can find ways to implement well-performing access reviews for ABAC.
We start by describing the standard mindset that stems from access control models prior to ABAC.
This is a two-part blog post on the difficulties of doing access reviews with Attribute-Based Access Control (ABAC) and how to work around them.
In this post we discuss what an access review is, what it is used for, and how it’s performed depending on the access control model, and we note that it’s hard to do an access review with ABAC.