2016 was a rough year not only for enterprises but also for federal agencies when it comes to cyberattacks. These attacks weren’t just occurring in the United States, but all around the globe.
In 2016, we saw the Department of Justice’s database breached by cybercriminals, releasing nearly 10,000 Department of Homeland Security employees’ information in one day, and then releasing data on 20,000 FBI employees the next day.
We saw a breach of the database for the Philippine Commission on Elections, which resulted in the loss of personal information on every single voter in the Philippines. In fact, the Pentagon alone reports getting 10 million attempts a day, the energy company BP says it suffers 50,000 attempts of cyber intrusion a day, and the state of Utah says it faces 20 million attempts a day.
Most recently, we saw the U.S. intelligence community report on attempted interference in the U.S. presidential election by hacking into major political party websites and email accounts.
Now that 2017 is here, IT teams are scrambling to ensure that critical and sensitive data are secure across enterprise, cloud, mobile devices and big data environments.
But with millions of hack attempts a day, combined with the increasing number of connected devices, it is crucial to enact the best security measures that exist.
Most organizations already have firewalls implemented, encrypted critical data assets, and monitor network activity as part of an overall cybersecurity plan, but there is another line of defense that can provide additional value: the use of attribute based access control (ABAC) to reduce the threat surface, thereby improving overall security as well as mitigating risks associated with breaches.
Attribute-based access control (ABAC)
ABAC enforces enterprisewide user access to data based on business and security policies that are built from attributes. Also known as fine-grained authorization, this kind of contextual access control helps federal agencies solve complex issues around insider threat, national security, compliance and privacy.
ABAC is a model for the authorization of access requests that can handle the complexity of today’s IT environment, where we’re seeing legacy role-based access control fail.
So how does it work?
An attribute is a piece of information that can be used to describe someone or something. Attributes can include roles within an organization, departments in an organization, position within an organization, and much more. An attribute is typically a key-value pair, meaning that attributes come in sets: an identifier (or key) and the value or values identified with it. The attribute identified as “role” could, for example, have values such as “research analyst,” “brigade commander,” “intelligence officer,” etc.
ABAC can employ user attributes, action attributes, context attributes (such as time, device, and location) and much more. The fact that we can use attributes that describe virtually anything makes ABAC multidimensional. However, attributes alone simply are not enough, we must also implement policies to provide meaning and logic to the attribute data.
Complex government agencies require complete control over who, when and how their most sensitive data is accessed to reduce the risk of insider threat and maintain compliance with security directives and privacy laws.
For example, if you work for the Department of Defense, and within that department, you work for the Army at the Pentagon. How do we implement your authorization requirements based on those attributes? Is that enough information to implement appropriate access controls? Probably not, that is why we need a mechanism that will allow us to accommodate a wide range of security scenarios.
In ABAC, we use a policy language called the eXtensible Access Control Markup Language (XACML). Using this language, we can combine attributes to implement our policy requirements. Access to data and other resources may be determined by whether the user is military, a civilian employee or a contractor. Of course military personnel have a branch of service and rank and personnel may hold security clearances of different types that could be active or expired. Many, many other attributes can be incorporated in any combination within access policies, with the intention of providing the right level of access to authorized users, in the most efficient manner.
Using XACML, policies can be written to satisfy extremely complex requirements. For this reason, some have dubbed ABAC “policy-based access control.” XACML policies help to make ABAC extremely flexible and expressive to both share and lock down access as conditions dictate.
The evolution of access controls
Access controls have evolved to meet the changing security challenges federal agencies face in the digital age. ABAC is quickly becoming the standard model for federal agencies confronted by the need for a robust and flexible solution to today’s increasingly complex security demands.
Unlike earlier access control models, ABAC provides a multidimensional system that through its use of attributes and policies prevents role explosion, increases scalability, eliminates segregation of duty conflicts, and externalizes authorization for ease of management and control. Additionally, it allows organizations to comply with an ever-growing body of regulations in an increasingly demanding regulatory environment.
Gerry Gebel is the vice president of business development at Axiomatics.