Attribute Based Access Control (ABAC) – Encryption on Steroids

How many more data breaches need to occur before companies take real preventative action? While hotel chains, retail stores and Facebook are likely to grab headlines, companies of all sizes that work with intellectual property, handle sensitive materials or are subject to regulation need to take action before their data is breached.

The attack doesn’t always come from the outside. According to JAMA Internal Medicine, 53 percent of the 1,138 instances of a data breach at medical facilities they analyzed originated from inside the organization. Overall, 15.1 million patient records were breached in 2018, a near three-fold uptick from 2017.

Companies then find themselves on newsfeeds for both negligence in combatting a breach and then the subsequent story of a multi-million dollar fine that a government plans to levy as punishment.

Most large companies trying to manage their data are using increasingly unreliable methods, such as:

  • Role-based access control (RBAC), which combines authentication schemes, location, network, risk and other factors, is well suited to one-time access decisions, but the data used today is dynamic, and RBAC role assignments cannot be kept up to date with it;

  • Access control lists, which are static and near impossible to manage across an extensive network, or;

  • Putting up a firewall around the application.

As more data becomes available for sharing across a variety of networks, these security measures are proving inadequate at stopping data breaches.

What if the biggest challenge was simply a lack of technological capability? In fact, attribute-based access control (ABAC) is such a technology: it didn’t exist four years ago, and it is redefining data protection.

It’s no wonder then that more and more companies, including every branch in the United States military, have started using ABAC. At its basic level, ABAC uses an ‘IF/THEN/AND’ model to protect the data itself rather than assigning data to a user who can take that information anywhere they please or give a hacker the ability to swipe the file.

A Starbucks in Slovakia

Imagine a state department official carrying a laptop into a foreign country notorious for its ability to hack and steal data from the open web. This state department official heads into a Starbucks, opens their laptop and connects to public Wi-Fi. It is hard to deny that this is one of the easiest ways for state secrets to be stolen, but if this official’s data is encrypted via ABAC, the theft can be prevented. Regardless of the location, anything that needs to be encrypted is encrypted.

ABAC puts the encryption and safety measures inside the data itself and ties decryption to the required attributes, so that, in essence, whether the file is stolen or opened in the wrong context, the encryption prevents the data from being exposed.

Living inside the data

These encryption attributes are the foundation of ABAC. Fundamental factors such as environment, citizenship, location, clearance level, even time of day, can be used to protect the data. If the user falls outside any single parameter, or even tries to open the data in a different application, access is lost.

Let’s continue with the state department official opening their files in a Starbucks in Slovakia. The ABAC policy may allow this user to access the data based on multiple authentication factors, a United States location and clearance level. The fact that the official is trying to access the data in another country means they cannot. All conditions of the policy must be met. Even if this official copies and pastes the information into a separate application or straight into their personal email, the encryption inside the data prevents them from accessing it.
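The walk-through above, as an added example that is not from the original post: a deny-by-default ABAC check in which every attribute condition must hold for the data to be decrypted. The specific rules, the clearance scale and the "approved-viewer" application name are constructed assumptions, as are the sample requests.

```python
"""Deny-by-default ABAC policy evaluation for the Starbucks-in-Slovakia scenario (added example)."""
from dataclasses import dataclass
from datetime import time


@dataclass
class Request:
    """Attributes presented at access time (constructed sample values)."""
    mfa_passed: bool      # multiple authentication factors completed
    country: str          # ISO country code of the requester's location
    clearance: int        # assumed scale: 1 = public ... 3 = secret
    application: str      # application trying to open the protected data
    local_time: time      # time of day at the requester's location


# The IF/THEN/AND model: IF every rule matches THEN allow, otherwise deny.
# Each entry is (human-readable condition, predicate over the request).
POLICY = [
    ("multiple authentication factors completed", lambda r: r.mfa_passed),
    ("request originates from the United States", lambda r: r.country == "US"),
    ("clearance level is at least 3", lambda r: r.clearance >= 3),
    ("data opened in the approved viewer", lambda r: r.application == "approved-viewer"),
    ("access within 07:00-19:00 local time", lambda r: time(7) <= r.local_time <= time(19)),
]


def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Return (allowed, failed_conditions). Any single failed condition denies access."""
    failed = [desc for desc, pred in POLICY if not pred(req)]
    return (not failed, failed)


# Constructed requests: the same official, first at the office, then abroad.
AT_OFFICE = Request(True, "US", 3, "approved-viewer", time(10, 30))
IN_SLOVAKIA = Request(True, "SK", 3, "approved-viewer", time(10, 30))
# Pasted into personal mail while still in the US: the application attribute fails.
PERSONAL_MAIL = Request(True, "US", 3, "personal-mail", time(10, 30))

if __name__ == "__main__":
    for label, req in [("office", AT_OFFICE), ("slovakia", IN_SLOVAKIA), ("mail", PERSONAL_MAIL)]:
        allowed, failed = evaluate(req)
        print(label, "ALLOW" if allowed else "DENY", failed)
```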

Even small companies often have multiple locations across various countries. Portability of data is crucial for sharing information, whether with a research facility or a manufacturer building the product. In what is commonly known as partnering for success, this system allows companies to move information around the globe on a second-by-second basis while maintaining control of their intellectual property or sensitive data.

As a centrally located security measure, ABAC can be set up independent of people, geography, network perimeter security and more, with a single data safety infrastructure around every application. Rights management is also persistent: ABAC-encrypted data stays protected, so opening it without the required attributes, even twenty years from now, will be impossible.

When you put the encryption inside the data and metadata itself, companies can seize control of their data and prevent a breach from internal or external threats. The Department of Commerce has made this a mandatory practice and the adoption is spreading throughout several governmental and military agencies.

There isn’t an industry that couldn’t benefit from implementing an ABAC solution, especially in a world where data is dynamic, information spreads across the world in real-time, and breaches can ruin company reputation and trust.

About the author

Alisa Coffey is part of the Global Marketing Team for Siemens Industry Software and works closely with Aerospace, Defense, Federal and Marine in the Americas. In previous roles, she’s led projects for the Automotive and Aerospace Verticals within Siemens Digital Factory, the Factory Automation Original Equipment Manufacturers (OEM) group, and Siemens Mexico. She is currently located in Atlanta, Georgia.