
Encryption on Steroids – Attribute Based Access Control (ABAC)

By Jim Sanford

How many data breaches need to occur before companies take real preventative action? While hotel chains, retail stores, and Facebook are likely to grab headlines, companies of all sizes, across all industries, face the same threats. If you work with intellectual property, handle sensitive materials, or are subject to regulatory compliance, you need to safeguard your digital assets.

Pernicious attacks don’t always come from the outside. According to JAMA Internal Medicine, 53 percent of the 1,138 instances of a data breach at medical facilities they analyzed originated from inside the organization. Overall, 15.1 million patient records were compromised in 2018, a near three-fold uptick from 2017.

Unprepared companies find themselves on newsfeeds for both negligence in combatting a breach and the resulting punishment levied by regulating bodies. Despite this, most companies trying to manage their data are using increasingly unreliable methods such as:

  • Putting up a firewall around the application. Despite amazing progress with firewalls and network security, a malicious attack or internal leak (whether intentional or inadvertent) will result in compromised data.
  • Using an Access Control List (ACL). Sadly, this static method of protecting who can touch data doesn’t work in today’s modern, dynamic, and globally distributed environment.
  • Applying Role-Based Access Control (RBAC). Using authentication schemes, location, network, risk, and individual characteristics can work for one-time access, but today’s environment is dynamic, making RBAC impossible to keep updated.

Chasing dynamic data with static security models will not support a fast-moving company. As more data becomes available for sharing across a variety of networks, these security measures are proving ineffective at stopping data breaches. Using a network, an ACL, or RBAC simply can’t stop malicious attacks or internal threats.

The paradigm is shifting to Attribute-Based Access Control (ABAC) to redefine data protection. ABAC has been developed to address the most stringent security requirements of the most important government entities on the planet. ABAC is the platform of choice for the US DoD, the UK MoD, and has quickly become a NIST standard.

At its basic level, ABAC uses an ‘IF/THEN/AND’ model to protect the data itself. This model is then applied to data via policy, checking attributes and applying the appropriate permissions (aka “digital rights”).

A Starbucks in Slovakia

Imagine a US State Department official carrying a laptop into a foreign country notorious for its ability to hack and steal data from the open web. This official heads into a Starbucks, opens his or her laptop, and connects to the public WiFi. This is one of the easiest ways for data to be compromised, but if this official’s data is encrypted via ABAC, data safety is assured regardless of how open the network may be. Regardless of the location, encrypted data is protected by an ABAC schema that guarantees appropriate access or denial of access.

ABAC puts the encryption and safety measures inside the data itself, ensuring that even if hacked or flat-out stolen (e.g. a thumb drive stuck into the side of a laptop), the encryption prevents the data from being compromised and utilized outside of its intended use.

Live inside the data itself

Attributes are the foundation of ABAC. Factors such as program, citizenship, location, clearance level, even time of day, can be used to protect the data. If the user violates any parameter, the ability to access is lost.

Continuing from the above example about an official opening his or her files in a Starbucks in Slovakia, the policy may allow this user to access the data based on multi-factor authentication, United States location, and clearance level. The fact that the official is trying to access the data in another country violates the policy, which then denies access to the data and reports the attempted use to the policy management system. All elements of the policy must be met. This official could copy/paste the information into a separate application or right into their personal email address, but the encryption inside the data itself prevents them from accessing it and protects the information.
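The ‘IF/THEN/AND’ policy model described above and the Slovakia scenario can be made concrete with a small policy evaluator. The following Python is an added illustration written for this article, not code from NextLabs or Siemens; the policy, the attribute names (mfa, country, clearance, local_time) and the subject records are all hypothetical. It shows the two properties the text relies on: every rule in the policy is ANDed, so a single violated or missing attribute denies access, and a denial produces a report for the policy management system rather than silently failing.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import time
from typing import Any, Callable

# Hypothetical clearance ordering so a rule can express "at least SECRET".
CLEARANCE_RANK = {"PUBLIC": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Rule:
    """One attribute condition. All rules in a policy are ANDed together."""
    attribute: str
    check: Callable[[Any], bool]
    description: str


@dataclass
class Decision:
    allowed: bool
    failed: list[str]  # descriptions of every violated rule, for the audit record


def evaluate(policy: list[Rule], subject: dict[str, Any]) -> Decision:
    """Evaluate every rule; a violated OR missing attribute denies access."""
    failed = []
    for rule in policy:
        value = subject.get(rule.attribute)
        if value is None or not rule.check(value):
            failed.append(rule.description)
    return Decision(allowed=not failed, failed=failed)


def within(start: time, end: time) -> Callable[[time], bool]:
    """Build a time-of-day check (start and end inclusive)."""
    return lambda t: start <= t <= end


# Hypothetical policy for the State Department official's documents.
STATE_DEPT_POLICY = [
    Rule("mfa", lambda v: v is True, "multi-factor authentication completed"),
    Rule("country", lambda v: v == "US", "request originates from the United States"),
    Rule("clearance",
         lambda v: CLEARANCE_RANK.get(v, -1) >= CLEARANCE_RANK["SECRET"],
         "clearance at least SECRET"),
    Rule("local_time", within(time(7, 0), time(19, 0)),
         "access during working hours (07:00-19:00)"),
]

# Stand-in for the policy management system's report channel.
AUDIT_LOG: list[dict[str, Any]] = []


def request_access(policy: list[Rule], subject: dict[str, Any], resource: str) -> Decision:
    """Decide access and report every denial with the rules that failed."""
    decision = evaluate(policy, subject)
    if not decision.allowed:
        AUDIT_LOG.append({
            "user": subject.get("user"),
            "resource": resource,
            "violations": list(decision.failed),
        })
    return decision


# Constructed sample subjects: the same official, at home and then abroad.
OFFICIAL_IN_US = {"user": "official", "mfa": True, "country": "US",
                  "clearance": "SECRET", "local_time": time(10, 30)}
OFFICIAL_IN_SLOVAKIA = {**OFFICIAL_IN_US, "country": "SK"}
# Same official after hours, with the clearance attribute absent from the request.
OFFICIAL_NO_CLEARANCE_LATE = {k: v for k, v in OFFICIAL_IN_US.items() if k != "clearance"}
OFFICIAL_NO_CLEARANCE_LATE["local_time"] = time(23, 0)

if __name__ == "__main__":
    for who, subj in [("US", OFFICIAL_IN_US), ("Slovakia", OFFICIAL_IN_SLOVAKIA),
                      ("no clearance, late", OFFICIAL_NO_CLEARANCE_LATE)]:
        d = request_access(STATE_DEPT_POLICY, subj, "briefing.docx")
        print(f"{who}: {'ALLOW' if d.allowed else 'DENY'} {d.failed}")
    print(AUDIT_LOG)
```

In a real ABAC-protected document the decision above would gate release of the decryption key, which is what makes a copy on a thumb drive or in a personal mailbox useless to its holder; this example models only the policy decision and the report, not the key management.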

Moving information around the globe on a second-by-second basis while maintaining control of the intellectual property or sensitive data is more important than ever. An ABAC system can be set up as a centrally located security measure, independent of people, geography, and network perimeter security, and provide a single data safety infrastructure around multiple applications. Users will have persistent rights management regardless of the application they use to access ABAC-encrypted data.

When the encryption lives inside the data and metadata itself, companies can take control of their data and prevent a breach from internal or external threats. The Department of Commerce has made this a mandatory practice and the adoption is spreading throughout several governmental and military agencies. There isn’t an industry that couldn’t benefit from implementing an ABAC solution, especially in a world where data is dynamic, information moves across the world in real time, and breaches can ruin company reputation and trust.

To learn more about securing your data with digital rights management, please visit our Teamcenter DRM site.


About the Author

Jim Sanford leads the sales and delivery of NextLabs products through Siemens in all markets and all customers. 


This article first appeared on the Siemens Digital Industries Software blog at https://blogs.sw.siemens.com/thought-leadership/2019/03/28/attribute-based-access-control-abac-encryption-on-steroids/