Tip of the ABAC Iceberg? Guiding and Managing the Implementation of Attribute Based Access Control
Businesses demand information management that meets their needs. From an IT perspective, this means that stakeholders are demanding access to information services that reach far beyond the boundaries of the organisation. At the same time, they also expect the IT department to protect their high-value information assets and intellectual property.
How can you ensure that enabling remote and mobile access to your protected information services will not compromise your high-value information assets?
When implemented as part of a broader assured identity and information sharing capability, attribute-based access control (ABAC) enables fine-grained, mandatory, dynamic access control that supports the sharing of information within and between organisations. It sets the conditions under which access can be granted to data, a device, or a system, within any given context. For large enterprises, it provides the ability to consistently and dynamically allow, track and restrict access to information based on an entity’s attributes, such as organisation, role, citizenship, geographic location, device being used, security clearance, need-to-know, authorities, and time.
On its own, ABAC is not a ‘plug and play’ solution. It is the access technology through which the organisation’s information management ‘rules’ are implemented and enforced. To be effective, an access control solution needs to be part of the ICT enterprise architecture so that it aligns with the broader organisational context – its mission, objectives, and risk appetite – and works seamlessly with all information management systems and information workflows. ABAC can only benefit the business if the business can articulate what it needs to know, what it has, what it wants to secure/use/delete, who should have it, where they need it, when and via which kinds of devices.
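To illustrate how such rules become an enforceable decision, the following added example (not from the original paper) evaluates a request against several of the attributes listed above, denies by default when an attribute is missing, and records every decision so access can be tracked. The clearance levels, resource policy, subject and all names are constructed assumptions.

```python
from datetime import time

# Constructed clearance ordering and resource policy (assumptions, not from the page).
CLEARANCE = {"UNCLASSIFIED": 0, "PROTECTED": 1, "SECRET": 2}
RESOURCE = {
    "id": "design-spec",
    "classification": "PROTECTED",
    "organisations": {"acme", "partner-co"},
    "citizenships": {"AU", "NZ"},
    "need_to_know": "project-x",
    "managed_device_only": True,
    "hours": (time(7, 0), time(19, 0)),
}
REQUIRED = ("organisation", "citizenship", "clearance",
            "need_to_know", "device_managed", "local_time")


def decide(subject, resource, audit):
    """Permit only if every attribute rule passes; record the decision either way."""
    missing = [a for a in REQUIRED if a not in subject]
    if missing:
        # A missing attribute is a denial, never a skipped check.
        reasons = ["missing attribute: " + a for a in missing]
    else:
        start, end = resource["hours"]
        checks = {
            "organisation": subject["organisation"] in resource["organisations"],
            "citizenship": subject["citizenship"] in resource["citizenships"],
            # Unknown clearance labels rank below every classification.
            "clearance": CLEARANCE.get(subject["clearance"], -1)
                         >= CLEARANCE[resource["classification"]],
            "need_to_know": resource["need_to_know"] in subject["need_to_know"],
            "device": subject["device_managed"] or not resource["managed_device_only"],
            "time": start <= subject["local_time"] <= end,
        }
        reasons = ["failed rule: " + name for name, ok in checks.items() if not ok]
    permit = not reasons
    audit.append({"subject": subject.get("id"), "resource": resource["id"],
                  "permit": permit, "reasons": reasons})
    return permit


# Constructed sample subject: an employee on a managed laptop during business hours.
ALICE = {"id": "alice", "organisation": "acme", "citizenship": "AU",
         "clearance": "SECRET", "need_to_know": {"project-x"},
         "device_managed": True, "local_time": time(10, 30)}
```

The same subject is permitted or denied purely by context: changing only `device_managed` or `local_time` flips the result, and the audit entry names the rule that failed.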