Authorization has experienced many approaches and models over the past few decades, with each new iteration striving to achieve less user friction while increasing security. These approaches fall under the umbrella of access control, involving identification, authentication and authorization. These controls are designed to protect resources from authorized access, while facilitating legitimate use.
There is a new type of access control emerging - but first, let’s take a stroll through the legacy models current security infrastructure has relied on over the years.
Often used to restrict unnecessary access and based on the principle of ‘least privilege’, RBAC has been a popular model since it's birth in 1990's. It is still in use today.
RBAC requires a system administrator to assign rights based on roles within an organization (rather than individuals). Each role is defined with a certain area and level of access based on three principles: role assignment, role authorization and permission authorization.
This means that individuals are only given access to what they need to do their job. Access can be defined based on several factors, such as authority, responsibility and job competency.
While popular, this approach runs into problems over time, with more roles than employees, employees with multiple roles, the cannibalization of roles and roles becoming obsolete or no longer relevant. Another limitation is that it is not an automatic process, it relies on manual input and constant maintenance, resulting in a high resource cost.
Attribute-based access control (ABAC) uses attributes (such as title, location, team, etc) rather than roles, to determine access. In this model, the system administrator sets approved characteristics to determine access.
This model allows for more granular access permissions than RBAC and proved popular in the 2010's.
While a step forward from RBAC, ABAC runs into challenges with the manual maintenance of a growing number of attributes and complexity that develops over time.
PBAC, often considered a form of ABAC, is a recent development and works by granting access to users based on the use of combined attributes that form policies.
Policies can consist of a variety of attributes, such as: name, organization, job title, security clearance, creation date, file type, location, time of day and sensitivity or threat level. Once these are combined to form policies, rules are established to evaluate who is requesting access, what they are requesting access to and the action determining access. PBAC gives administrators greater control than RBAC and can be high level or granular.
The effectiveness of the policy used in PBAC is entirely based on the quality of information provided as attributes and the combination.
At IndyKite, we see a significant opportunity around the use of knowledge to form the policies that govern access.
What if we applied machine learning and AI to the information? What if we used a flexible data structure to identify connections and patterns? What could this mean, not just for individual users but also for smart devices and IOT?
We’re calling it Knowledge Based Access Control (KBAC), where we employ knowledge harnessed by the underlying knowledge graph, to express relationships and context present in the real world, to create smarter, more adaptive and dynamic access control policies.
By interrogating the continuously changing context KBAC can unlock higher risk protection, better security, and uncover new insights for product creation or value realization.
Want to learn more? Check out the article, Knowledge forms the base of advanced authorization-as-a-service and register for our upcoming webinar on KBAC.