With the advent of a “work anywhere, anytime” environment, enterprises face a rapid expansion of diverse users alongside an influx of applications, devices, APIs and microservices. Additionally, the amount of data created and consumed by these users, devices and services continues to explode, creating extraordinary security and compliance challenges.
Formalized by NIST in 1992, role-based access control (RBAC) has long been a standard approach to managing access to critical assets and data, particularly for enterprises managing more than 500 employees. However, to ensure secure access, enterprises can no longer afford to define authorization policies based solely on a user’s role.
Axiomatics has identified four limitations to an RBAC-centric security approach and suggests enterprises evolve their RBAC model to an attribute-based access control (ABAC) model. ABAC is recognized by NIST as a model that can “improve information sharing within organizations and between organizations while maintaining control of that information,” and is at the core of modern security approaches, including zero trust.
Four RBAC limitations
- Role explosion
- Toxic combinations
- Management nightmares
- No context
ABAC is the future of access control
Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes of the subject, the resource and the request context, so a single ABAC policy or a small set of policies can cover all IAM principals. ABAC is helpful in environments that are growing rapidly and in situations where policy management has become cumbersome.
- ABAC adds context
- ABAC permissions scale with innovation
- ABAC requires fewer policies
- Using ABAC, teams can change and grow quickly
- Granular permissions are possible using ABAC
- Use employee attributes from your corporate directory with ABAC
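The policy structure described above, as an added example that is not part of the original post and not Axiomatics' product code: a small deny-overrides ABAC evaluator in Python. Every decision is computed from subject attributes (department, clearance), resource attributes (owner, classification) and request context (action, time of day, whether the device is managed), so one set of four policies covers combinations that an RBAC model would have to spell out as separate roles. The attribute names, the sample principals and resources, and the policies themselves are all constructed for illustration.

```python
"""Minimal attribute-based access control (ABAC) evaluator.

Added example; not code from the original page or from Axiomatics.
Attribute names, sample users/resources and the policy set are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, object]


@dataclass
class Request:
    subject: Attrs   # who is asking (e.g. from the corporate directory)
    resource: Attrs  # what is being accessed
    action: str      # e.g. "read" or "write"
    env: Attrs       # context: time of day, device posture, ...


@dataclass
class Policy:
    name: str
    effect: str                         # "permit" or "deny"
    condition: Callable[[Request], bool]


# Constructed policy set. Each rule is written once over attributes; no
# per-department or per-clearance role has to exist for it to apply.
POLICIES: List[Policy] = [
    Policy("same-department-read", "permit",
           lambda r: r.action == "read"
           and r.subject["department"] == r.resource["department"]
           and r.subject["clearance"] >= r.resource["classification"]),
    Policy("owner-full-access", "permit",
           lambda r: r.subject["id"] == r.resource["owner"]),
    # Context rules: these are the "no context" gap in pure RBAC.
    Policy("managed-device-for-confidential", "deny",
           lambda r: r.resource["classification"] >= 2
           and not r.env["device_managed"]),
    Policy("finance-business-hours", "deny",
           lambda r: r.resource["department"] == "finance"
           and not (8 <= r.env["hour"] < 18)),
]


def decide(policies: List[Policy], req: Request) -> Tuple[str, str]:
    """Deny-overrides combining: any applicable deny wins; otherwise the
    first applicable permit; otherwise deny by default. Returns
    (decision, name of the policy that decided it)."""
    permit_by: Optional[str] = None
    for p in policies:
        if p.condition(req):
            if p.effect == "deny":
                return ("deny", p.name)
            permit_by = permit_by or p.name
    return ("permit", permit_by) if permit_by else ("deny", "no applicable policy")


def rbac_roles_needed(*attribute_values: List[object]) -> int:
    """Roles a pure RBAC model would need to mirror one attribute rule over
    these independent attribute dimensions (one role per combination)."""
    n = 1
    for values in attribute_values:
        n *= len(values)
    return n


def sample_request(**overrides) -> Request:
    """Constructed sample: a finance analyst reading a colleague's finance
    report from a managed device during business hours. Keyword overrides
    change individual attributes."""
    base = dict(subject_id="alice", department="finance", clearance=2,
                action="read", resource_owner="bob",
                resource_department="finance", classification=2,
                hour=10, device_managed=True)
    base.update(overrides)
    return Request(
        subject={"id": base["subject_id"], "department": base["department"],
                 "clearance": base["clearance"]},
        resource={"owner": base["resource_owner"],
                  "department": base["resource_department"],
                  "classification": base["classification"]},
        action=base["action"],
        env={"hour": base["hour"], "device_managed": base["device_managed"]},
    )


if __name__ == "__main__":
    print("baseline:        ", decide(POLICIES, sample_request()))
    print("unmanaged device:", decide(POLICIES, sample_request(device_managed=False)))
    print("after hours:     ", decide(POLICIES, sample_request(hour=22)))
    print("other department:", decide(POLICIES, sample_request(
        subject_id="carol", department="engineering", clearance=3)))
    print("owner writes:    ", decide(POLICIES, sample_request(subject_id="bob", action="write")))
    print("RBAC roles for 3 departments x 3 clearances x 2 device states:",
          rbac_roles_needed(["finance", "engineering", "hr"], [1, 2, 3], [True, False]),
          "vs", len(POLICIES), "ABAC policies")
```

The deny-overrides combining rule is what keeps a "toxic combination" from slipping through: a context rule such as the unmanaged-device check blocks access even when a department rule would otherwise permit it, and adding a new department or clearance level changes no policy at all, only the directory attributes that feed the request.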
By evolving RBAC with ABAC, administrators can provide well-rounded access control that builds on RBAC while harnessing ABAC’s context to address today’s requirements and future needs.