The Physics of Coarse- and Fine-grained Authorization
In his recent blog, Homan Farahmand of Gartner discussed the differences between coarse-grained and fine-grained authorization, likening them to the study of classical and quantum physics. As somebody who has been working with fine-grained authorization for the past ten years, I can relate to this comparison but from a slightly different angle. Back in the 1990s (and before), coarse-grained authorization models, such as RBAC, were the chosen (or should I say classic) method of managing access control at large enterprises and government agencies. Fine-grained authorization models, such as ABAC (Attribute Based Access Control) were a quantum leap away. There were a few mavericks out there practicing it, but these solutions were mainly developed in-house.
Today however, fine-grained authorization is a well-established method of managing access to your most sensitive data – and is quickly becoming the obvious choice. Which is why we are seeing more and more Fortune 1000 companies and federal agencies deploying ABAC solutions.
From my days on the IAM research team at the Burton Group (where Homan and I were colleagues) to my current role at Axiomatics, it’s been encouraging to witness the evolution and uptake of fine-grained authorization. Particularly as RBAC and ABAC were once considered opposing ways of safeguarding data, but are now accepted as the perfect partnership – RBAC for coarse grained protection of non-sensitive data, and ABAC for fine-grained protection of sensitive, mission-critical assets and data. In fact, the vast majority of ABAC deployments utilize roles as a primary attribute, further illustrating the close relationship between the two approaches.
You will still need to do the groundwork if you choose to shift to ABAC. With guidance from a firm like Axiomatics and the right tools to help, most organizations can identify the essential attributes and create the policies that are required for safeguarding sensitive, business critical data.
Just as there will always be a need for classic physics (go gravitational waves!) and quantum physics, so to, will there alway be a need to apply both coarse-grained and fine-grained authorization. Helping you get the balance right is where we can help at Axiomatics.
To see just how much we believe in the RBAC/ABAC partnership you can watch our latest webinar.