From RBAC to ABAC: The Evolution of Data Access Control

Parul Saxena

Parul Saxena

Senior editor

Parul Saxena

Chief editor

Last updated: June 23, 2021

The earliest data access control models didn’t give much power to administrators than the ability to tell certain users what they could and couldn’t do. Since they only had the simplest of tools to work with, administrators weren’t prepared to deal with the sort of problems that people run into thousands of times every day in the modern era. Problems have a tendency to mutate on a very fast basis now, which is why data access control tools are evolving so quickly. They have to in order to keep up with all of the kinds of problems that people see today. Over time, experts experimented with a number of different solutions.

Eventually, data scientists created the idea of multiple users with individual privileges so that people wouldn’t have to worry as much about information loss as well as prying eyes. Role-based access controls (RBAC) quickly took over the industry in every segment except home computing, where they’ve only made a major splash relatively recently. Many home users probably still aren’t exactly familiar with the idea of elevating permissions in order to manage administrative tasks, but this happens at least transparently on NT-based operating systems and is ubiquitous in the Unix world.

Computer industry insiders have since developed other methods of securing information. Attribute-Based Access Control (ABAC) schemes have quickly become popular, which has encouraged some people to take a new look at the way they’re locking down their data structures. Considering that one program has been in continuous use since 1971, it makes sense that experts would want to explore these new avenues.

Evolution of Data Access Control

1. Potential Replacements for RBAC Schemes

In a standard RBAC environment, each individual user’s account has a specialized role to play. One individual is an administrator, while another may exist as a maintainer who is able to approve tags and install certain types of hotfixes. The remaining individuals each have a more limited account that only gives them the ability to manipulate materials directly related to their own stored content and that which is publicly editable. This is of particular importance for firms that have migrated all of their material to a nebulous cloud database that everyone logs into.

Looking for Access Control Software? Check out SoftwareSuggest’s list of the best access control software solutions.

Attribute-based systems consider roles, but software that works along this paradigm would also monitor where a command came from. If a request came from a legitimate user running a web browser, it might pay attention to the user agent to see if that account could have been compromised. This approach also takes into consideration whether or not the resource attributes of the request make any sense. When they don’t seem like what someone would usually run, a security service may mark them questionable and refuse to carry out the orders.

Since all of these points could at least theoretically lead to a safer system, the debate over RBAC vs ABAC continues to rage on. Those who support more traditional solutions argue that ABAC approaches could cause undue stress for users who may have otherwise legitimate requests periodically denied because they don’t meet a predetermined series of attributes. On the other hand, an ABAC-focused approach could be much safer because it would prevent compromised accounts from executing arbitrary code.

There are certainly some drawbacks to working with the authorization engines that power most ABAC-style approaches, which has led to the creation of a new hybrid paradigm that takes the best of both worlds and melds it into a single technology.

2. The Rise of Entity Based Access Controls

Under an EBAC model, data scientists use a traditional RBAC engine that quickly determines whether or not a user is positioned in the right layer to make a request. They then instruct a machine-learning algorithm to make a request to an authorization engine, which checks whether or not the initial query seems valid or not.

This ensures that neither engine performs too slowly since they’re operating independently of one another. A properly constructed set of environment variables and ABAC-style filters can allow this style of governance to function as a firewall. Corporate networks that are protected by software-defined firewalls might see the most dramatic improvements from this kind of an installation. The rapid 18-19 percent growth of Python alone suggests that there’s a growing segment of the market that uses software-defined networking infrastructure.

3. Simpler Ways to Manage Access Controls

Small-to-medium sized businesses that use traditional network attached storage devices probably don’t have to worry as much about all of these advanced access control systems and might be able to prevent inadvertent data loss using a very simple technique like the manipulation of permissions. While those who use enterprise resource planning software may need ABAC or EBAC-focused applications, this may not be true of smaller firms.

Traditional Unix file system permissions date back to the earliest days of the operating system, and they’re now an integral part of GNU/Linux and all of the BSD-based platforms. That means you can take advantage of this on any network that runs everything from Ubuntu workstations to Macintosh laptops. It’s a simple way to develop your own RBAC protocol without installing special tools.

In this system, every storage object is classed as a file and each file is given an owner. Only users that match the ID number of the said owner are allowed total control over a particular file. All other users may manipulate the file based on their permissions assigned by three different metrics.

They can be granted read or write permissions as well as the ability to execute a file if it happens to be a program or a directory. Files don’t have to inherit the same permissions as the directories that they live in, so users can create public areas on a storage device that allows others to either read or write files as they wish. A creative software developer might be able to create a primitive form of ABAC data control tool using nothing more than these principles. Custom software development studios have been spearheading this kind of architecture for some time.

Another common technique is to use what is known as discrete access control lists. Due to their integration with various data structures, these have become common enough that they’re used on a variety of platforms. These normally consist of nothing but a list of users associated with different objects and what actions they’re permitted to take on said objects. If they’re not explicitly listed in a table of associations, then they’re not allowed to take any action at all.

This might seem like a rather strict solution, but it’s far simpler than developing an ABAC or EBAC-based solution. That being said, all of these tools should work well with any paradigm that’s based around traditional RBAC paradigms. In certain operating environments, users are added to a wheel-bit enabled group that allows them to gain root privileges when necessary. Users who aren’t part of this group won’t be able to manage data from an elevated point of view, thus reducing the risk of data loss even in situations where RBAC paradigms might seem a little too simplistic.

IS department staffers could put together some very interesting solutions using these tools.

4. Creating a Drop-off Area

Teachers who write their own courseware usually need to put together some way for students to hand in their digital paperwork. Healthcare providers who rely on cloud storage networks have to make sure that medical records can’t be tampered with after they’ve been written. In these cases, it might be best for IS personnel to create some designated area where people can send content without being able to edit it later on.

Regardless of what method they employ, it’s obvious that the needs for either ABAC or EBAC-based access limitations will continue to grow in nearly any industry that uses SaaS-based tools on a daily basis. The fact of the matter is that firms in pretty much every industry segment do now. SaaS tools are convenient and at least relatively simple to use, which makes them attractive to nearly any organization that has to manage data. Whether people want to section off a drop-off area or use complicated multi-user configurations that let them separate normal tasks from administrative ones, these tools should make it possible to do so. Considering that 55 percent of websites and 26 percent of all communications are done through some sort of SaaS platform, the need for these kinds of access controls will be growing.

Summing it Up

For the longest time, RBAC-based access controls were the only way to limit the flow of data, but computer scientists have rapidly brought major changes to the field. ABAC technology focuses not only on the roles that users play but also on the attributes given to their accounts. That can help stop abuses that are the result of compromised credentials or inside jobs. However, this technology does have drawbacks, so some organizations are using hybrid systems that take advantage of both approaches. While there’s continued debate over which technology is the most effective, it’s likely that both the RBAC and ABAC paradigms will continue to flourish for years to come.

Parul Saxena
Parul Saxena is a writer and editor with experience in various genres of writing in various industries. A content creator who loves to write on the latest technologies and their impact on businesses and everyday life.

Recent Posts

No posts found.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Captcha loading...