Should we rely on trust to access and share sensitive information?
Trust by definition is someone in which confidence is placed. In IT terms a ‘trusted insider’ is anyone who has been given access to a business’s systems: past and current employees, contractors, partners, suppliers and other third parties. When it comes to data security, trust alone is not viable option to combat modern threats including hackers, malware, nation-state threats—even our ‘trusted insiders’. In order to protect sensitive and classified data, we need to ensure that it is accessed and shared securely and appropriately, while also protecting against misuse and theft. To do this effectively, we must re-think the traditional models of information protection and trust, and instead look to modern security paradigms such as attribute-based access control (ABAC).
Rethinking trust for information protection
Effective digital transformation brings the greatest value when data can be utilised in an effective way – meaning the right information, being used at the right time, in the right way, by the right entities, based on the sensitivity of the information.
When we share information with colleagues, partners, and suppliers we inherently assess the level of comfort we have in trusting they will handle the information appropriately. One it leaves our custody we can’t control or gain insight into whether or not:
- They knowingly share it with others that should not have access
- They accidentally share it with another party
- They misuse the information
- They take a copy of it for their own malicious purposes
This is just part of the challenge of sharing sensitive information between people, companies, government departments, and countries. Traditional security solutions don’t assess and prevent actions that trusted users take with information. They simply verify with or not the users should have access to the information. Then other solutions may be layered on to monitor behaviour of users. These solutions alert you to a potential problem after the fact – and are therefore ‘reactive’ and not preventative.
So how do we enable systems to enforce the rules and caveats that we need, to ensure trusted users only share information with those that should have access and have control over what users and information recipients can do with that information—proactively?
A new security model is needed to enable this. A model that allows information owners to easily set access and sharing conditions (policies) on the content, and dynamically control whether other users can edit their information, share it, or discover it through search.
Attribute-Based Access Control Provides a More Secure Information Protection and Sharing
Attribute-based access control (ABAC) provides a solution to the secure information sharing challenge. It defines an access control methodology where access rights are granted to users through the use of policies combining attributes together. The policies can use numerous characteristics or attributes including:
- User attributes: user name, role, organization, ID, and security clearance
- Environmental attributes: time of access, location of the data, and current organizational threat levels
- Resource attributes: creation date, resource owner, file name, and data sensitivity level
The ABAC methodology is designed to reduce risks due to unauthorized access, and control security and access on a more fine-grained basis. For example, instead of a user always being able to access sensitive information based on their security clearance, ABAC can place further limits on their access, such as only allowing it during certain times of day or only if they are in a certain country. This can reduce security issues and can also help with auditing processes later.
Unlike role-based access control (RBAC), which employs pre-defined roles that carry a specific set of privileges associated with them and to which subjects are assigned, the key difference with ABAC is the concept of policies that express a complex Boolean rule set that can evaluate many different attributes:
- Attribute values can be set-valued or atomic-valued
- Set-valued attributes contain more than one atomic value; and
- Atomic-valued attributes contain only one atomic value
Secure ABAC Driven Collaboration & Sharing with Kojensi
Kojensi is a highly secure and trusted platform for sharing sensitive and classified files and document collaboration. It employs ABAC policies to ensure only authorized users have access to information under the right conditions and controls what they can do with that information. Organisations no longer need to add layers of security as an afterthought, which slows productivity and complicates processes. With Kojensi, create, co-author and share documents in real-time, all in a secure and intuitive platform that empowers collaboration and is highly secure-by-design.
Explore this whitepaper to learn how the accredited Kojensi platform leverages the ABAC security model to empower users to securely collaborate on and share sensitive, classified and top secret information.