Attribute Based Access Control

An organization’s applications provide access to protected data, such as financial records, intellectual property, health records, and other sensitive information. Each application, or set of applications, must therefore enforce which users can access which resources.

However, as well as being difficult to manage, the legacy approach of embedding entitlement within applications has major security implications. After authenticating a user, applications rely on coarse-grained access control, which leaves resources vulnerable to unauthorized access and data breaches.

Authentication and Authorization
Security vulnerabilities include:
  • Insider threats
  • Increased attack surface
  • Privilege escalation
  • Data leakage
  • Overprivileged access
  • Inadequate compliance

Solution: ViewDS Access Sentinel

Access Sentinel is an authorization server that centralizes access control and strengthens security.

It provides a mechanism to impose policy-based authorization. An organization’s security policy, expressed in natural language as who should have access to what and when, is defined as rules using the next level of access control, attribute-based access control (ABAC).

ABAC goes beyond simply defining who has access to which resources by also considering the why, when and where of entitlement.

It controls access to resources according to various attributes or conditions, such as user roles, resource attributes, time of access, location, and more. Entitlement becomes a more precise and tailored mechanism, delivering a high level of security and flexibility.

This deeper level of fine-grained authorization:
  • mitigates security vulnerabilities by providing exact control over access rights
  • reduces the risk of unauthorized access and data breaches
  • ensures compliance with security and privacy regulations

Example of Attribute Based Access Control

ABAC Mitigates Vulnerabilities

The fine-grained authorization provided by Access Sentinel overcomes many potential security vulnerabilities.

Coarse-grained authorization can grant users more permissions than they actually need to perform their tasks. This can result in users having unnecessary access to sensitive resources, increasing the attack surface for potential exploitation.

With coarse-grained access control, insiders with legitimate access to certain resources might misuse their privileges for malicious reasons, leading to data leaks or unauthorized activity.

Without granular control over access, attackers might exploit vulnerabilities to escalate their privileges from low-level access to higher levels with more significant privileges, allowing them to access sensitive resources or to perform critical actions.

Fine-grained authorization delivers strict separation of duties, ensuring that certain critical actions require multiple approvals or are restricted to specific users. Without this, the risk of fraudulent activities or unauthorized access to resources increases.

Many regulatory frameworks (for example, GDPR, HIPAA, PCI DSS) require strict access-control and data-protection mechanisms. Without fine-grained authorization, it can be very challenging to comply with these regulations, exposing organizations to legal and financial consequences.

Coarse-grained authorization might not consider context, such as the user’s location, time of day, or the device being used. Fine-grained authorization enables more dynamic and context-aware access control, reducing the risk of unauthorized access based on changing circumstances.

Coarse-grained authorization can lead to rigid access-control policies, which make it very difficult to accommodate specific use cases or to adapt to evolving business needs.

With broader access permissions, the likelihood of attackers finding exploitable vulnerabilities within the system increases, potentially leading to a successful breach.

Access Sentinel’s XACML Framework

Access Sentinel uses a standardized framework – eXtensible Access Control Markup Language, or simply XACML – to deliver ABAC. The framework provides an architecture, a processing model and a markup language that extend access control to include attributes and resource metadata, such as a user’s identity data, their environment, and actions.

  1. The Policy Enforcement Point (PEP), a lightweight component external to each application, intercepts a user’s attempted access.
  2. The PEP asks the Policy Decision Point (PDP) to make an authorization decision.
  3. The PDP assesses the attribute-based access controls (stored as XACML in the PAP), which may also involve considering identity data (in the PIP) such as the user’s security level, job title, or location.
  4. The PDP makes its decision and tells the PEP to permit or deny access.

How does Attribute Based Access Control work

A unique feature of Access Sentinel is that the PDP, PAP and PIP constitute a single component. Consequently, as the XACML policy and identity data reside in a single repository, an admin user can manage the access controls and identity data from a single user interface.
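The following is an added illustration, not Access Sentinel code or an XACML implementation, of the PEP/PDP/PAP/PIP flow above and of the attribute-based rules described in the ABAC section: a request carries subject, resource, action and environment attributes, the PDP looks up the subject’s identity data in a PIP, evaluates an ordered policy (the PAP) under the deny-overrides combining algorithm, and the PEP fails closed unless it receives an explicit Permit. The user records, the policy rules and the hour/location values are constructed sample data.

```python
from dataclasses import dataclass

# PIP: identity attributes keyed by subject id (constructed sample data)
PIP = {
    "alice": {"role": "clinician", "clearance": 3, "department": "cardiology"},
    "carol": {"role": "clinician", "clearance": 2, "department": "cardiology"},
    "bob":   {"role": "billing",   "clearance": 1, "department": "finance"},
}

@dataclass
class Request:
    """An XACML-style request: attributes grouped by category."""
    subject: str
    resource: dict
    action: str
    environment: dict

def business_hours(env):
    # environment attribute "hour" is a constructed 24h integer; absent -> False
    return 8 <= env.get("hour", -1) < 18

# PAP: an ordered list of (effect, condition) rules; each condition sees the
# request plus the subject's PIP attributes (constructed sample policy)
POLICY = [
    # clinicians may read their own department's records, on-site, in business hours
    ("Permit", lambda r, s: r.action == "read"
        and r.resource.get("type") == "health_record"
        and s.get("role") == "clinician"
        and s.get("department") == r.resource.get("department")
        and r.environment.get("location") == "onsite"
        and business_hours(r.environment)),
    # records flagged sensitive require clearance 3, whatever the role
    ("Deny", lambda r, s: bool(r.resource.get("sensitive")) and s.get("clearance", 0) < 3),
]

def pdp_decide(req, policy=POLICY, pip=PIP):
    """PDP using deny-overrides: any applicable Deny wins, then any Permit;
    an unknown subject or no matching rule yields NotApplicable."""
    effects = [effect for effect, cond in policy if cond(req, pip.get(req.subject, {}))]
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def pep_allow(req):
    """PEP: only an explicit Permit lets the request through (fail closed)."""
    return pdp_decide(req) == "Permit"

def coarse_grained_allow(subject):
    """The legacy role-only check the page argues against, for comparison."""
    return PIP.get(subject, {}).get("role") == "clinician"
```

The contrast to look at is carol: a role-only check admits her to every clinician resource, while the ABAC policy denies her the sensitive record because the clearance attribute is evaluated per request.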