Auditors use frameworks such as COBIT or ISO 27000, which emphasize two related aspects of information security: 1) Asset Management and 2) Access Control. The inventory of information assets and their classification is part of the former of these disciplines. User privileges and how they are assigned belong to the latter. Although the two are highly related, the corresponding procedures are in practice difficult to bring together. Attribute Based Access Control (ABAC) profoundly changes this.
Attribute Based Access Control (ABAC) binds maintenance of data classification and access control to one and the same procedure. User permissions are evaluated in real time based on policies. The policies in turn use attributes and metadata about sensitive information assets to define access control rules.
The effect: information security and auditing can be achieved faster, more easily, more transparently and with better quality.
A policy not only defines who should be granted access to what, where, when, why and how, but it also represents a data classification statement. Thus, the primary aim of Attribute Based Access Control (ABAC) is to make fine-grained authorization more efficient, but the switch to ABAC also provides new possibilities for information security managers and auditors.
- By reviewing policies which are maintained at a central point you do a preventive audit of user permissions. You can catch potential security and compliance breaches before any harm is
- The focus on policies which use attributes to define what information assets are sensitive means data classification and access control remain aligned at all times.
- When authorization is externalized from individual applications, security checks and audits can be made at the central point rather than having to be repeated for each single system.
- Since the system depends on explicit policy definitions, IT governance principles become transparent and easier to monitor.
- Rather than having to assess how system owners have interpreted corporate directives in their respective systems, you focus on assessing that the intentions of your management have been appropriately captured in the policies of the system.
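
The two ideas above, a policy that doubles as a data classification statement and a preventive review of the central policy set, shown as an added example that is not from the original page or from any ABAC product. All attribute names, classification levels and policies are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    classification: str   # asset attribute the rule applies to (the classification statement)
    required: dict = field(default_factory=dict)  # subject/context attributes that must match

# Constructed central policy set (hypothetical names and values).
POLICIES = [
    Policy("public-read", "public"),
    Policy("internal-staff", "internal", {"subject.employment": "employee"}),
    Policy("finance-confidential", "confidential",
           {"subject.employment": "employee",
            "subject.department": "finance",
            "context.network": "corporate"}),
]

def decide(subject, asset, context, policies=POLICIES):
    """Evaluate one request at access time. Default deny: an asset with no
    classification attribute, or no matching policy, is refused."""
    attrs = {f"subject.{k}": v for k, v in subject.items()}
    attrs.update({f"context.{k}": v for k, v in context.items()})
    for p in policies:
        if p.classification != asset.get("classification"):
            continue
        if all(attrs.get(k) == v for k, v in p.required.items()):
            return ("permit", p.name)
    return ("deny", None)

def audit(policies, scheme, sensitive):
    """Preventive review of the policy set itself, before any access occurs.
    scheme: classification levels defined by asset management.
    sensitive: levels that must never be granted without conditions."""
    findings = []
    covered = {p.classification for p in policies}
    for level in scheme:
        if level not in covered:
            findings.append(f"no policy covers classification '{level}'")
    for p in policies:
        if p.classification not in scheme:
            findings.append(f"policy '{p.name}' uses unknown classification '{p.classification}'")
        elif p.classification in sensitive and not p.required:
            findings.append(f"policy '{p.name}' permits '{p.classification}' assets unconditionally")
    return findings

if __name__ == "__main__":
    print(decide({"employment": "employee", "department": "finance"},
                 {"classification": "confidential"}, {"network": "corporate"}))
    print(audit(POLICIES, ["public", "internal", "confidential", "secret"],
                {"confidential", "secret"}))
```

Because `audit` reads only the policy set and the classification scheme, a drift between asset management and access control shows up as a finding without inspecting any individual application.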