
IDMWORKS Blog

Attribute Based Access Control (ABAC) – The Next Big Piece of the Puzzle


Identity Management is a very important part of today’s responsive IT environment. For about the last dozen years or so we have all been working diligently to connect each of our disparate systems and provision everything that we could get our connectors attached to. Identity Management continues to be a huge issue for many organizations. How does a large multi-national company maintain the tens of thousands of identities that access its systems each day? Or how does a medium-sized company with a lean-staffed IT department maintain its internal identities and also manage the B2B relationships and system accesses that come along with them?


But now that we’ve got identities provisioned and access granted to the key systems, what do we do with all of that great information we’ve been gathering about the users? We grant and/or deny access to services with it. As a result we moved into the realm of role-based access control. When a user had a change of role within an organization we reflected that in their digital identity. From there we might provision a change to a downstream system or application that changes their access to an application or other data source. This approach gave us a much more dynamic environment that reacted to the ever-changing roles within an organization, but it still had one big issue: the application’s security needed to be tightly integrated with the system of record, whether that be Active Directory, Oracle or some other authoritative system. This integration is very costly and time consuming, especially in today’s dynamic IT environment.

Through Identity Management we effectively made Identity as a Service (IDaaS) to be consumed by the disparate systems in the enterprise. Access management has accomplished the same thing for authentication. But authorization has remained largely the burden of the application itself. This is where Attribute Based Access Control (ABAC) and the XACML standard become part of the complete security picture. ABAC effectively takes the burden of authorization away from the application and provides it as a service within the organization to be consumed by any application or data source that needs protection. XACML makes this idea a reality by providing a standard by which the different components can effectively speak the same language for authorization services.

An ABAC deployment has several advantages, which include dynamic access to critical data based on an individual’s attributes instead of a preset ACL or provisioned access. Access is evaluated at the time of request and either granted or denied based on the requester’s attributes. This is a particular advantage in a federated environment, where the owner of the system may not own the identity that is requesting the resource. It is not the job of the authorization service to establish the identity; that is handled by the identity and authentication services. It is simply the job of the authorization service to determine whether the authenticated identity is granted access to the protected resource, based on a policy that is interpreted at the time of the request.

There are a number of components that make up an ABAC solution. These components include, but are not limited to, a Policy Decision Service (PDS), also known as a Policy Decision Point (PDP); a Policy Enforcement Point (PEP); and an Attribute Service (AS), also known as a Policy Information Point (PIP). When implemented according to standards, these components may be provided by a single vendor or chosen across multiple vendors based on best-in-class technology. There are a number of vendors that provide these services, including, but not limited to: Axiomatics, Bitkoo, Oracle, CA, Jericho Systems, Vordel, Cisco, Siemens, Epok, Layer 7, Quest, Pericore, NextLabs and IBM. Each of these vendors, and others, provides standards-based (XACML) solutions that allow application developers to concentrate on implementing the business logic of the application and allow the authorization to be handled externally.
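To make the request-time evaluation from the previous two paragraphs concrete, here is an added example (not vendor code or anything from the original post) of the PEP, PDP and PIP roles in plain Python. The subject ids, clearance levels, department names and the three-rule policy are all constructed assumptions; the point is that the application-side PEP holds no policy logic, the PDP is the only component that reads the policy, and attributes come from the authoritative PIP rather than from the caller.

```python
from dataclasses import dataclass
from typing import Callable

# Policy Information Point (PIP): the attribute service the PDP consults for
# attributes the request did not carry. Constructed sample data; a real PIP
# would query HR, a directory, or a federation partner.
PIP_STORE = {
    "alice@partner.example": {"clearance": "secret", "department": "finance"},
    "bob@corp.example": {"clearance": "public", "department": "engineering"},
}

def pip_lookup(subject_id: str) -> dict:
    return PIP_STORE.get(subject_id, {})

@dataclass
class Rule:
    effect: str                                    # "Permit" or "Deny"
    condition: Callable[[dict, dict, dict], bool]  # (subject, resource, action)

CLEARANCE_ORDER = {"public": 0, "internal": 1, "secret": 2}

# The policy, interpreted at request time rather than provisioned up front.
POLICY = [
    # Deny when the subject's clearance is below the resource classification
    # (an unknown subject has no clearance and therefore always hits this rule).
    Rule("Deny", lambda s, r, a: CLEARANCE_ORDER.get(s.get("clearance"), -1)
                                 < CLEARANCE_ORDER[r["classification"]]),
    Rule("Permit", lambda s, r, a: a["name"] == "read"),
    Rule("Permit", lambda s, r, a: a["name"] == "write"
                                   and s.get("department") == r["owner_department"]),
]

def pdp_decide(subject: dict, resource: dict, action: dict) -> str:
    """Policy Decision Point with deny-overrides combining: any matching Deny
    wins, otherwise a matching Permit, otherwise NotApplicable."""
    # Attributes from the authoritative PIP override anything the caller
    # asserted about itself, so a request cannot inflate its own clearance.
    enriched = {**subject, **pip_lookup(subject["id"])}
    decision = "NotApplicable"
    for rule in POLICY:
        if rule.condition(enriched, resource, action):
            if rule.effect == "Deny":
                return "Deny"
            decision = "Permit"
    return decision

def pep_enforce(subject_id: str, resource: dict, action: str) -> bool:
    """Policy Enforcement Point: the application-side hook. It holds no policy
    logic and treats anything other than an explicit Permit as a refusal."""
    return pdp_decide({"id": subject_id}, resource, {"name": action}) == "Permit"
```

Note that a NotApplicable decision is refused by the PEP just like a Deny; an enforcement point that only fails closed on an explicit Deny is a common integration mistake.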

While the level of integration with the application, and with the back-end systems and data sources, varies across the vendors, it is clear that a large step has been taken with ABAC and XACML toward Authorization as a Service. While there is still some work to be done (some of which is very clearly addressed in the XACML 3.0 specification), this is a solution that is ready for wide adoption. I think it can be confidently stated that Attribute Based Access Control is truly the next big piece of the puzzle for many service-hungry IT environments.

As always, questions, comments or concerns?  Feel free to reach out to us at IDMWorks.
