Dynamic Authorization: The Natural Evolution of Access Control
Access control has been around ever since there has been the need to protect valuable assets. Sentries were posted and moats were built. Still, history is littered with access breaches, many of which, such as the Trojan horse, have gone down in folklore.
By comparison, data access control is still in its infancy (although many of the major breaches are equally renowned). The growth of data – both the amount and the importance of it – has seen access control become a key security issue for individuals, organizations and public entities alike.
But how did we get to where we are today? The history of data access control can be summed up in three stages. First, we had access control lists (ACLs), an early form of digital access control that is still in use today, typically in content management systems. ACLs allow access to data based on user identity.
In the early '90s, when greater protection of data was required, Role-Based Access Control (RBAC) was developed. RBAC enabled administrators to allocate users to different roles or groups with specific access rights. This was great until organizations grew and the amount of data increased exponentially – so much that the number of roles required became unmanageable. The result was role explosion and segregation-of-duties failures.
Finally, a new form of access control evolved – in part from Axiomatics. It could handle the ever-increasing importance of data as well as the changing world of IT, connectivity and multi-device usage. This new school of thought revolved around attributes and was aptly named Attribute-Based Access Control (ABAC). ABAC provides relationship- and policy-based access to data. Multiple attributes, such as a user’s role and location, the time of day, the resource being accessed, the device in use, the purpose of use and the company policy, are all taken into account before access is granted or denied.
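The attribute evaluation described above, sketched as an added example that is not code from this article or from any Axiomatics product. The attribute names, the sample policy and the rule that every condition must hold are assumptions made for illustration; the role-only function is included to show what a decision looks like when context is ignored.

```python
from datetime import time

# Constructed policy: one resource type, and every condition must hold.
POLICIES = {
    "patient_record": {
        "role": lambda v: v in {"physician", "nurse"},
        "location": lambda v: v == "on_site",
        "time_of_day": lambda v: time(7, 0) <= v <= time(19, 0),
        "device": lambda v: v == "managed",
        "purpose": lambda v: v == "treatment",
    },
}

def rbac_decide(request):
    """Role-only decision, for contrast: location, time and device are ignored."""
    return "Permit" if request.get("role") in {"physician", "nurse"} else "Deny"

def abac_decide(request):
    """Return (decision, reasons); fail closed on unknown resources
    and on attributes the caller did not supply."""
    policy = POLICIES.get(request.get("resource"))
    if policy is None:
        return "Deny", ["no policy for resource"]
    reasons = []
    for attr, condition in policy.items():
        if attr not in request:
            reasons.append(f"missing attribute: {attr}")
        elif not condition(request[attr]):
            reasons.append(f"condition failed: {attr}")
    return ("Deny", reasons) if reasons else ("Permit", [])

# Constructed sample requests.
ON_SHIFT = {"resource": "patient_record", "role": "nurse", "location": "on_site",
            "time_of_day": time(9, 30), "device": "managed", "purpose": "treatment"}
OFF_SITE = dict(ON_SHIFT, location="remote", time_of_day=time(23, 30), device="personal")
NO_PURPOSE = {k: v for k, v in ON_SHIFT.items() if k != "purpose"}

if __name__ == "__main__":
    for name, req in [("on shift", ON_SHIFT), ("off site", OFF_SITE),
                      ("no purpose", NO_PURPOSE)]:
        print(f"{name:10} RBAC={rbac_decide(req):6} ABAC={abac_decide(req)}")
```

The same nurse role is permitted by the role-only check in all three requests, while the attribute-based decision denies the off-site request and the one with no stated purpose, and returns the reasons so the denial can be logged.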
Now we’ve got you hooked – and you’ll want to read more. Get the full story on the evolution of access control from a static to a dynamic ABAC model.
You may also want to watch our recent webinar on the basics of ABAC.