The Winning Formula for Effective Data Access Controls
Traditional access controls have focused primarily on a Role-Based Access Control (RBAC) model for securing sensitive assets. Organizations needed to predefine all potential functions and assign each user a certain level of security privileges, granting or denying access to data based entirely on their role. This rigid, one-size-fits-all method quickly becomes unwieldy and error-prone with significant security risks when deployed at scale.
The flipside of this, however, is an Attribute-Based Access Control (ABAC) model that allows for the use of fine-grained, centralized policies to govern whether a user can access the desired data. This new mindset allows organizations to share protected information, collaborate with confidence, and weave existing assets into an orchestrated security architecture.
Instead of rigid roles, ABAC leverages a wide variety of attributes as building blocks to construct meaningful policies. For example, a policy might dictate specific locations, approved devices, certain hours of the day, whitelisted IP addresses, security classifications, department membership, and many other contextual details. Access to the resource is denied if the circumstances fail any of the policy’s requirements.
In a time of increasing collaboration and sharing between enterprises and partners, dynamic and flexible access controls are a non-negotiable requirement for protecting critical assets.
The concept of “trust nothing and verify everything” has stood the test of time for a reason. And yet, authorization and access controls are frequently relegated to an afterthought when designing enterprise infrastructure. Implementing ABAC principles from the outset allows organizations to weave those powerful security benefits throughout all aspects of a Zero Trust architecture.
The NIST SP 800-162 document lays out requirements for ABAC access control mechanisms: “By evaluating each policy element against the available information, the access control mechanism often employs a Policy Decision Point (PDP) to render a decision, a Policy Enforcement Point (PEP) to enforce the decision, and some sort of context handler or workflow coordinator to manage the collection of attributes required for the decision.”
In the ABAC framework, attributes are generally grouped into four categories:
Subject — The user requesting access
Action — The operation being attempted
Object — The resource being accessed
Environment — Variables such as time, location, or other dynamic characteristics
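To make the PDP/PEP split and the four attribute categories concrete, here is an added example (not Fornetix code, and not part of the original article) of a minimal deny-by-default ABAC evaluator: each policy rule is a predicate over subject, action, object and environment, the PDP permits a request only when every rule holds, and the PEP gates access to the resource on that decision. The attribute names, the clearance ladder, the 08:00 to 18:00 window and the 10.0.0.0/8 allowlist are all constructed assumptions for the demonstration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample configuration (assumptions, not values from the article).
APPROVED_NETS = [ip_network("10.0.0.0/8")]          # allowlisted source addresses
CLEARANCE_RANK = {"unclassified": 0, "confidential": 1, "secret": 2}

# Each rule inspects one or more of the four ABAC attribute categories.
def rule_clearance(subject, action, obj, env):      # subject vs object
    return CLEARANCE_RANK[subject["clearance"]] >= CLEARANCE_RANK[obj["classification"]]

def rule_department(subject, action, obj, env):     # subject vs object
    return subject["department"] in obj["allowed_departments"]

def rule_action(subject, action, obj, env):         # action vs object
    return action in obj["permitted_actions"]

def rule_hours(subject, action, obj, env):          # environment: time of day
    return 8 <= env["hour"] < 18

def rule_device(subject, action, obj, env):         # environment: approved device
    return env["device_approved"]

def rule_network(subject, action, obj, env):        # environment: source address
    return any(ip_address(env["ip"]) in net for net in APPROVED_NETS)

POLICY = [rule_clearance, rule_department, rule_action,
          rule_hours, rule_device, rule_network]

def pdp_decide(subject, action, obj, env):
    """Policy Decision Point: permit only if every rule holds; otherwise
    deny and report which rules failed (useful for audit logging)."""
    failed = [r.__name__ for r in POLICY if not r(subject, action, obj, env)]
    return ("Permit" if not failed else "Deny", failed)

def pep_read(subject, obj, env):
    """Policy Enforcement Point: the only path to the object's payload."""
    decision, failed = pdp_decide(subject, "read", obj, env)
    if decision != "Permit":
        raise PermissionError("access denied: " + ", ".join(failed))
    return obj["payload"]

# Constructed sample request attributes.
SUBJECT = {"clearance": "secret", "department": "logistics"}
OBJECT = {"classification": "confidential", "allowed_departments": {"logistics"},
          "permitted_actions": {"read"}, "payload": "shipment manifest"}
ENV_OK = {"hour": 10, "device_approved": True, "ip": "10.1.2.3"}
ENV_OFF_HOURS_EXTERNAL = {"hour": 22, "device_approved": True, "ip": "192.0.2.7"}

if __name__ == "__main__":
    print(pdp_decide(SUBJECT, "read", OBJECT, ENV_OK))
    print(pdp_decide(SUBJECT, "read", OBJECT, ENV_OFF_HOURS_EXTERNAL))
```

Note that a single failing environment attribute is enough to deny a subject whose clearance and department would otherwise qualify, which is the "fail any of the policy's requirements" behaviour described above.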
Fornetix’s ABAC Trust Controller and ABAC Verification Point, part of the VaultCore ecosystem, are powerful policy orchestration tools enabling the flexible controls a true Zero Trust strategy requires.
The ABAC Trust Controller acts as a PDP within an attribute-based model evaluating all requests against the security policies currently in place. It quickly propagates policies that apply across multiple devices while still allowing granular policies at the node level.
The ABAC Verification Point acts as a PEP utilizing standards-based APIs to support enforcement of policy decisions across applications and services. Use cases include collaboration tools, databases, custom applications, messaging, PKI, and more.
Fornetix’s approach to ABAC, allowing you to put everything inside a FIPS 140-2 crypto boundary, is unique in the industry. This ensures the security benefits of ABAC while maintaining regulatory compliance.
Deploying a Zero Trust architecture in a federal/military environment gives data security great flexibility for onboarding partners, creating unified environments, collaborating securely, and enforcing policy. Here are two real-world use cases that are currently putting our technology into practice:
Secure Chat — Fornetix has developed chat services for information sharing in tactical environments using the industry-standard XMPP chat service. It leverages the ABAC Trust Controller to make decisions based on the user, the message, and the chat target. The ABAC Verification Point is embedded in the XMPP server, allowing secure API calls into the ABAC Trust Controller. Policy checks occur on every chat message. The policy decision and enforcement components are kept in the core trusted infrastructure. Chat clients do not require modification.
Air Force Materiel Command — With operations in a sensitive environment and distributed IT resources, the Air Force chose to deploy VxRail because of the simplified management and maintenance. The missing piece to support their encryption strategy was a hardware encryption key. Fornetix fit the bill with a solution built on a Dell R240. The bundle was sold by Epoch to the Air Force as a Dell OEM ASKU. The customer now has automated key management in addition to powerful access controls and policy tools that enable ABAC methods. It proved to be easy to sell, implement, and operate even at a dark site.