
Chris Greenlee is the vice president of trusted products at Two Six Technologies, where he leverages collaboration and innovation to solve customer challenges and create solutions that elevate the company’s approach.
In Every Organization, People Wear Many Hats
When we go to work we tend to think in terms of roles – job titles and organization charts are part and parcel of working in a corporate environment. It’s a natural leap from this to implementing role-based access control. But efficiency often means people wear multiple hats and have responsibilities that cross role boundaries. If your security policies are written with roles in mind, they often can’t account for these very common situations – which means that granting someone the access they need to do their job often means granting them more access than they need. That runs counter to a basic premise of Zero Trust: the principle of Least Privilege, or “only give someone the minimum amount of access needed to do their job.”
Roles vs Attributes
The solution to this problem isn’t new, but it also isn’t widely adopted (for reasons I’ll discuss in a moment). Attribute Based Access Control (ABAC) changes the paradigm from “I get access because of my role” to “I get access because I need it.” In the Defense and Intelligence world this maps well to the concept of “need to know,” where you and the person next to you may need to know different things to perform the same job functions. This doesn’t mean you don’t have access to many of the same resources; it just might be that one HR professional needs access to health care information while another needs access to performance reviews.
But That Sounds Complicated
The most common objection to ABAC is that it leads to complexity and challenges managing the variety of attributes in your organization that determine what people can access. In a Role-Based Access Control (RBAC) world, you can usually identify a set of roles that work for your organization just by looking at job titles or organizational structure. In large organizations that still might seem daunting, but it’s nothing compared to the individual attributes you would need – or so the objection goes. But it’s important to remember that roles are nothing more than a logical grouping of permissions – they always were. There is nothing to prevent you from organizing attributes in the same way. This is nothing but a tooling problem: you need tools that make working with attributes straightforward.
Attributes Don’t Have to be Permissions
Another reason attributes seem complicated is that people often conflate attributes with permissions. In a modern enterprise, which realistically blends on-premise and cloud-based services, the number of technology-specific permissions identified by well-meaning engineers is mind-boggling. Don’t fall into the trap of mapping attributes to permissions one to one. If an HR user can see salary data, maybe that’s an attribute – but the individual permissions needed to let them see salary data in your HRM system, Payroll system, and so forth aren’t attributes. This is important to a successful ABAC implementation: your organizational access control policies and the attributes used to make decisions shouldn’t be derived from your tools (in most cases). Most software products on the market today claiming they support ABAC really support their own pre-defined attributes that govern operations internal to their products, not the attributes that matter to your business.
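As an added illustration (not part of the op-ed), the following Python sketch encodes the HR example above: a single RBAC role has to carry every permission any HR person might need, while attribute-based policies give Alice and Bob only the resource categories their need-to-know justifies, and the tool-specific permissions are derived from that business decision rather than defining it. All users, attributes, policies and permission names are constructed for the example.

```python
# Added example (not from the op-ed): a minimal ABAC evaluator showing how a single
# HR role over-grants while attributes give each person only what they need to know.
# Every user, attribute, policy and tool permission below is constructed.

# RBAC: one "hr" role has to carry every permission any HR person might ever need.
RBAC_ROLES = {"hr": {"hrm:read_salary", "payroll:read_salary",
                     "benefits:read_health", "hrm:read_reviews"}}

# ABAC subjects carry business attributes, not tool permissions.
USERS = {"alice": {"department": "HR", "need_to_know": {"health"}},
         "bob": {"department": "HR", "need_to_know": {"performance"}}}

# Policies group attributes the way roles group permissions: access to a resource
# category is allowed when the subject satisfies every required attribute.
POLICIES = {
    "health_records": {"department": "HR", "need_to_know": "health"},
    "performance_reviews": {"department": "HR", "need_to_know": "performance"},
    "salary_data": {"department": "HR", "need_to_know": "compensation"},
}

# Tool-specific permissions are derived from the business decision, not the reverse:
# one business-level grant may fan out to several systems (HRM, payroll, benefits).
TOOL_PERMISSIONS = {"health_records": {"benefits:read_health"},
                    "performance_reviews": {"hrm:read_reviews"},
                    "salary_data": {"hrm:read_salary", "payroll:read_salary"}}


def satisfies(subject, required):
    """True when the subject holds every required attribute value."""
    for attr, wanted in required.items():
        have = subject.get(attr)
        if isinstance(have, set):
            if wanted not in have:
                return False
        elif have != wanted:
            return False
    return True

def abac_resources(user):
    """Resource categories the user's attributes justify."""
    return {r for r, req in POLICIES.items() if satisfies(USERS[user], req)}

def abac_permissions(user):
    """Tool permissions provisioned from the ABAC decision."""
    return set().union(*(TOOL_PERMISSIONS[r] for r in abac_resources(user)))

def over_grant(user, role="hr"):
    """Permissions the role hands out beyond what the user's attributes justify."""
    return RBAC_ROLES[role] - abac_permissions(user)
```

Running over_grant for either user lists exactly the permissions the shared role hands out that their need-to-know does not justify.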
How Do You Eat an Elephant?
“One bite at a time,” says the proverb. In the transition to ABAC and least privilege you can’t expect every part of your organization to transform overnight. Choose your first bite carefully. Identify your most critical resources – databases, file shares, object storage, and so forth. Then catalog how you are controlling access to them. What tools do you use? How many different places are you capturing security policies, and what do they look like? Look for opportunities to simplify where it makes sense by solving for the minimal set of tools, policy implementations, and attributes needed to protect those resources. Then take the next bite.
October is National Cybersecurity Awareness Month. WashingtonExec is sharing OpEds from industry experts on critical cyber topics, and how GovCons and government can work together to secure critical missions.