Channel: Anti-Fraud – Speaking of Security – The RSA Blog

“I’m more than just my job!”


In this hectic, modern world, too many people feel reduced to the sum of their professional responsibilities. In a small way, this feeling is driven by the methods IT currently uses to determine access to systems and applications. With ‘Role-based’ access control, you are literally no more than just your job! Essentially, your job is the sole arbiter of your access privileges.

We all cheer when we witness our wounded warrior heroes refuse to let their disabilities define them, and show their athletic or professional abilities in new-found ways. Analogously, applying our humanity to the binary world of technology, we can intuitively understand the benefit of a more dynamic form of access control. It is time to move our IT systems and applications to authenticate users based on a wide array of attributes: the users themselves, their hardware and software, and the local environment surrounding them.

Today, we’re witnessing a big step forward in this effort. The National Cybersecurity Center of Excellence (NCCoE) – part of the Federal government’s National Institute of Standards and Technology (NIST) – is releasing a draft NIST Cybersecurity Practice Guide SP 1800-3, demonstrating the use of Attribute Based Access Control (ABAC).

With this game-changing access security “building block” organizations can evolve their IT infrastructure away from the binary, less effective, and less secure role-based access methodology. If you’re not familiar with the National Cybersecurity Center of Excellence, it might be time to take a look. The NCCoE is an innovative forum where the public and private sectors collaborate to demonstrate practical solutions to real-world security problems facing businesses. RSA has been a proud partner of the NCCoE from shortly after its foundation.

How did we get here? The road to ABAC.

In the early days of computing, application owners could simply make an access control list called an ACL. This list specifically identified the sole users who were allowed access to their application. As you can imagine, this became impractical as the number of applications and users exploded. The industry then pivoted to where we are today – with an access determination based on an individual’s role.

Unfortunately, the IT world has only become more complex as we’ve absorbed disruptive IT evolution such as cloud-based applications, and users demanding access from devices of all kinds, including their mobile devices. In this environment, access control needed to become more contextual, and ABAC provides a good framework for this approach. In an ABAC system, attributes about the user, the object the user is accessing, and the environment in which access is being granted are all combined dynamically to make a risk-based access determination.

RSA is proud to be part of the NCCoE ABAC building block architecture.

RSA has been a pioneer in ABAC risk-based security for years. One example is our Adaptive Authentication offering. We are proud that the NCCoE included RSA Adaptive Authentication in the ABAC building block.* Their ABAC project utilizes our product to perform the initial authentication during which contextual data is collected. As summarized above, this data includes the user’s device profile, location, communications protocol, as well as any related fraudulent activity. This is not a ‘one-and-done’ approach: it also includes a running statistical model of the user’s behavior.

All of this data can be combined to accept, reject, or demand more proof of an individual’s claimed identity. RSA Adaptive Authentication is often used to determine when stronger authentication is necessary, by demanding a second factor such as RSA’s SecurID or an out-of-band password (like an SMS text message). In the ABAC building block, Adaptive Authentication passes the environmental attributes it collects to the Attribute Based Access Control machinery used on the back end.
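To make the two ideas in the post concrete (an ABAC decision that combines user, object and environment attributes, and an adaptive-authentication step that turns contextual signals into accept, reject, or step-up), here is an added example. It is not code from the RSA post, from RSA Adaptive Authentication, or from the NIST SP 1800-3 guide; every name, rule, weight and threshold in it (`risk_score`, `RISK_WEIGHTS`, `DENY_THRESHOLD`, `STEP_UP_THRESHOLD`, the sample user and contexts) is a constructed assumption used to illustrate the shape of the decision, and `rbac_decide` is included only to show what a role-only check cannot see.

```python
"""
Added example (not from the RSA post, RSA Adaptive Authentication, or
NIST SP 1800-3): a minimal attribute-based access decision that combines
subject, resource and environment attributes, plus a constructed risk
score standing in for an adaptive-authentication step, into
PERMIT / DENY / STEP_UP. All names, weights and sample data are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    STEP_UP = "step_up"  # ask for a second factor, then re-evaluate


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset  # the only thing a role-based check looks at
    clearance: int    # an additional subject attribute ABAC can use


@dataclass(frozen=True)
class Resource:
    name: str
    owner_role: str
    sensitivity: int  # 0 = public ... 3 = restricted


# Constructed weights for the contextual signals the post lists: device
# profile, location, protocol, fraud activity and a behavioural model.
RISK_WEIGHTS = {
    "unknown_device": 30,
    "foreign_location": 25,
    "insecure_protocol": 40,
    "fraud_flag": 60,
    "behaviour_anomaly": 20,
}
DENY_THRESHOLD = 60     # hypothetical: too risky even with a second factor
STEP_UP_THRESHOLD = 30  # hypothetical: grant only after stronger auth


def risk_score(env: dict) -> int:
    """Collapse environment attributes into one risk number (constructed)."""
    score = 0
    if not env.get("device_known", False):
        score += RISK_WEIGHTS["unknown_device"]
    if env.get("country") != env.get("home_country"):
        score += RISK_WEIGHTS["foreign_location"]
    if env.get("protocol") != "https":
        score += RISK_WEIGHTS["insecure_protocol"]
    if env.get("fraud_flag", False):
        score += RISK_WEIGHTS["fraud_flag"]
    if env.get("behaviour_deviation", 0.0) > 0.5:
        score += RISK_WEIGHTS["behaviour_anomaly"]
    return score


def rbac_decide(subject: Subject, resource: Resource) -> Decision:
    """Role-based check: the user is nothing but their role."""
    if resource.owner_role in subject.roles:
        return Decision.PERMIT
    return Decision.DENY


def abac_decide(subject: Subject, resource: Resource, env: dict) -> Decision:
    """Attribute-based check: subject, resource and environment evaluated together."""
    # Subject/resource attributes: role still matters, but so does clearance.
    if resource.owner_role not in subject.roles:
        return Decision.DENY
    if subject.clearance < resource.sensitivity:
        return Decision.DENY
    # Environment attributes, as an adaptive-authentication step would hand over.
    score = risk_score(env)
    if score >= DENY_THRESHOLD:
        return Decision.DENY
    if score >= STEP_UP_THRESHOLD and not env.get("mfa_done", False):
        return Decision.STEP_UP
    return Decision.PERMIT


# Constructed sample: same user, same role, same resource, different contexts.
ALICE = Subject("alice", frozenset({"analyst"}), clearance=2)
REPORT = Resource("quarterly-report", owner_role="analyst", sensitivity=2)
OFFICE = {"device_known": True, "country": "US", "home_country": "US",
          "protocol": "https", "fraud_flag": False, "behaviour_deviation": 0.1}
TRAVEL = {**OFFICE, "device_known": False, "country": "FR"}  # 55 points
FRAUD = {**OFFICE, "fraud_flag": True}                        # 60 points


if __name__ == "__main__":
    for label, env in (("office", OFFICE), ("travel", TRAVEL), ("fraud", FRAUD)):
        print(f"{label:7s} rbac={rbac_decide(ALICE, REPORT).value:7s} "
              f"abac={abac_decide(ALICE, REPORT, env).value}")
```

Run as a script, it prints one line per context: the role-only check permits all three because Alice's role never changes, while the attribute-based check permits the office session, asks for a second factor on the unknown device abroad, and refuses the session carrying a fraud flag. Once the second factor has been completed (`mfa_done` set), the travel session is re-evaluated and permitted, which is the step-up flow the post describes.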

Consider ABAC for your organization.

The ABAC approach offers a more comprehensive (and intuitively fairer) process than role-based systems. It is a closer approximation of how we as humans size up situations. The NCCoE’s ABAC effort is a big step toward encouraging organizations to update their access control paradigm. As IT security has moved from the back room to the boardroom (and now, even to the bedroom), we hope you and your company will consider embracing this powerful innovation.

* While the example solution uses RSA products, the NCCoE does not endorse these products in particular. The guide presents the characteristics and capabilities of those products, which an organization’s security experts can use to identify similar standards-based products that will fit within with their organization’s existing tools and infrastructure.

The post “I’m more than just my job!” appeared first on Speaking of Security - The RSA Blog and Podcast.
