If you are the owner of business processes that depend on staff members' ability to collaborate among themselves or with external parties such as customers or partners, you may have an urgent business case for Attribute Based Access Control (ABAC). Collaboration depends on information exchange, and when sensitive information is at stake, the ability to protect data from unauthorized access becomes a prerequisite.
The problem is that most IT services use outdated access control techniques. Continuing as in the past is asking for trouble. In fact, many of the spectacular data leakage and financial fraud incidents of recent years are the consequence of inadequate authorization techniques. It is time to rethink.
Modern cars built for high-speed highways come with disc brakes, airbags and other security features. Speeding on the Autobahn with old-fashioned drum brakes is a bad idea. By the same token, internet-era collaboration is not appropriately served with pre-internet authorization techniques. Nonetheless, that is what most IT systems still use.
For further details about the technical impacts of this shift, see why Attribute Based Access Control (ABAC) is replacing Role Based Access Control (RBAC).
Business Challenges Addressed:
To summarize, these are the main business challenges addressed by ABAC. The corresponding business objectives can be expressed in terms of hard or soft ROI.
| Business Challenges | Solution | Business Objectives |
|---|---|---|
| Collaboration requires sharing of sensitive data | Secure Collaboration | Gaining a competitive advantage & enabling new revenue streams through secure information sharing |
| Risks in financial transactions | Rapid and Secure Transactions | Reducing financial losses or damaged reputation through risk-aware controls |
| Regulatory compliance and IT governance | Effective Compliance and Governance | Remediation of audit findings and avoiding compliance breaches through consistent policy enforcement |
| Time-to-market for in-house development | Efficient Software Development | Improving quality and speeding up delivery of new online services by externalizing authorization from applications |
Policies and Attributes
To enable the shift towards dynamic and risk-aware authorization, solutions from Axiomatics use policies. The policy language reads like natural language and uses the attributes of your business in the definition of business rules.
Example – to control authorization in a purchase order workflow the policy uses the terminology of the business process:
“Some categories of requisitions require prior approval before the requisition can be submitted: Hazardous material is Restricted which applies to radioactive commodities, refrigeration, ethyl alcohol, lasers, etc. They require prior approval by a senior department manager. Capital Equipment are goods valued above $5,000 which require approval by the property management in the Controller’s Office. Vehicles must be approved by Risk Management …”.
The highlighted words in this real-world example (the commodity categories, the $5,000 value threshold and the approving roles) are used as attributes in the corresponding policy, which automates the approval workflow through real-time authorization. The attributes describe the subject, the action, the information asset or function, and the context in which access requests are made.
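To make the subject / action / resource / context split concrete, here is an added example of the purchase-order policy above expressed as a small attribute-based decision function. It is illustrative code written for this page, not Axiomatics' product or its policy language; the attribute names (`role`, `commodity`, `value_usd`, `category`, `approvals`) and the approver role identifiers are assumptions chosen for the example, while the categories and the $5,000 threshold come from the quoted policy text.

```python
"""Toy ABAC policy decision point for the purchase-order requisition example.

Each access request carries four attribute bags: subject, action, resource and
context. The policy is evaluated against those attributes only, so the
application never hard-codes who may submit what.
"""
from dataclasses import dataclass, field

# Commodity categories the quoted policy calls "Hazardous material" (constructed
# spelling of the categories named in the text).
HAZARDOUS = {"radioactive", "refrigeration", "ethyl alcohol", "laser"}
# "Capital Equipment are goods valued above $5,000" per the quoted policy.
CAPITAL_EQUIPMENT_THRESHOLD_USD = 5000


@dataclass
class Request:
    subject: dict                      # who is asking, e.g. {"role": "requester"}
    action: str                        # what they want to do, e.g. "submit"
    resource: dict                     # the requisition being acted on
    context: dict = field(default_factory=dict)  # e.g. approvals already recorded


def required_approvers(resource: dict) -> set:
    """Return the approver roles the policy demands for this requisition.

    Rules are additive: a radioactive vehicle costing $9,000 needs all three.
    """
    needed = set()
    if resource.get("commodity") in HAZARDOUS:
        needed.add("senior_department_manager")          # assumed role name
    if resource.get("value_usd", 0) > CAPITAL_EQUIPMENT_THRESHOLD_USD:
        needed.add("property_management")                # Controller's Office
    if resource.get("category") == "vehicle":
        needed.add("risk_management")
    return needed


def decide(req: Request) -> tuple:
    """Evaluate a request against the policy. Returns (decision, reason).

    Decisions mirror the usual ABAC vocabulary: Permit, Deny, NotApplicable.
    """
    if req.action != "submit" or req.resource.get("type") != "requisition":
        return ("NotApplicable", "policy only governs submitting requisitions")
    if req.subject.get("role") != "requester":
        return ("Deny", "only a requester may submit a requisition")
    # Context attribute: approvals already recorded, as a list of approver roles.
    granted = set(req.context.get("approvals", []))
    missing = required_approvers(req.resource) - granted
    if missing:
        return ("Deny", "missing prior approval from: " + ", ".join(sorted(missing)))
    return ("Permit", "all required prior approvals are present")


if __name__ == "__main__":
    # Constructed sample requests walking through the quoted rules.
    laser = {"type": "requisition", "commodity": "laser", "value_usd": 1200}
    print(decide(Request({"role": "requester"}, "submit", laser)))
    print(decide(Request({"role": "requester"}, "submit", laser,
                         {"approvals": ["senior_department_manager"]})))
    big_vehicle = {"type": "requisition", "category": "vehicle", "value_usd": 42000}
    print(decide(Request({"role": "requester"}, "submit", big_vehicle,
                         {"approvals": ["risk_management"]})))
```

Note that the application calling `decide` does not need to know the rules at all: changing the threshold or adding a new hazardous commodity is a policy change, not a code change in the purchasing system, which is the "externalizing authorization from applications" objective listed in the table above.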