
Managing Role and Group Explosion with Dynamic Authorization

Globalization trends and greater diversity in the business world are pushing enterprises' access management requirements toward a more dynamic approach. This NextLabs white paper, “Managing Role and Group Explosion with Dynamic Authorization”, describes the current challenges companies face, why traditional Role-Based Access Control (RBAC) should be enhanced with Attribute-Based Access Control (ABAC), some best practices for implementing ABAC, and the NextLabs approach to addressing these challenges.

Below is an overview of the paper. For the full explainer, click the button below. 

Current Trends Driving Access Management Requirement

The trend toward a more data-centric approach to access management is prompted by both regulation and the changing business landscape.

  • Adopting Zero Trust: The National Institute of Standards and Technology (NIST) recommends (NIST 800-207) that organizations implement a Zero-Trust approach to their security. As the principle “Never Trust, Always Verify” suggests, users are no longer assumed to be trusted with access to a network or system. Instead, every access attempt is evaluated regardless of previous context, and users are given least-privilege access to data and applications. Adopting this approach helps enterprises evolve their security measures into a fine-grained system centered on protecting sensitive and valuable data rather than the network.
  • Globalization and Diversified Workforce: The globalization of trade relations, business processes, and the workforce requires enterprises to strike a delicate balance between effective business practices and data security. While communication and information sharing are key to successful international collaboration, they also pose challenges to securing sensitive data in cross-regional and cross-organizational practices. The diversification of the workforce further increases the data security challenge, as employees in various geographic locations need to access the organization’s data and resources from many environments: a wide range of device types, different locations, and many times of the day. These globalization trends therefore make it imperative for companies to develop a flexible and reliable access management system.
  • Industry Consolidation: Facing the precarious business environment, companies go through various consolidations such as mergers, acquisitions, and establishing joint ventures to address needs to grow revenues or withstand risks. In these organizational changes, the flow of data and personnel in the old and new organizations are increasingly complicated, making it a crucial issue to make sure that only the authorized user has access to sensitive business-critical data.
  • IT Consolidation: To increase work efficiency and reduce management overhead, companies with globally distributed operations tend to adopt wide-reaching systems instead of smaller separate systems. Because usage is spread across the day, certifications and system capacity can be fully utilized. While optimizing the IT system, it is crucial for enterprises to make sure that access management is in place.

Role and Group Explosion: How to Solve It

In traditional RBAC, each distinct combination of access rights is captured by a specific role, and users of a system are made members of every role that covers the access they require. RBAC approaches therefore demand an exponential number of roles or user groups, leading to role and group explosion. This intensifies the complexity of access management, especially when access control is implemented at a more granular level.

Integrating Attribute-Based Access Control (ABAC) with RBAC can greatly simplify the access management process and enhance the existing RBAC functions. ABAC is defined as “an access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, object, and environment conditions, and a set of policies that are specified in terms of those attributes and conditions.” The combination of attributes and environmental factors such as location and time of day allows for easy, fine-grained access control that is tailored to various business contexts and needs, and greatly reduces the number of role assignments. Applicable both on-premises and in hybrid cloud environments, combining ABAC with RBAC offers a future-ready identity and access management solution.
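The contrast above, as an added illustration that is not from the NextLabs paper or its products: a single ABAC policy written over subject, object and environment attributes, evaluated at request time, next to a count of the roles static RBAC would need to express the same combinations. All attribute names, values and the policy itself are constructed for this example.

```python
"""Minimal ABAC decision point versus RBAC role count (constructed example)."""
from itertools import product


def engineering_documents_policy(subject, obj, env):
    """One ABAC policy: a user may read a document when the user's
    department and region match the document's, the user's clearance
    is at least the document's classification, and the request comes
    from a managed device during business hours (environment)."""
    return (
        subject["department"] == obj["department"]
        and subject["region"] == obj["region"]
        and subject["clearance"] >= obj["classification"]
        and env["device_managed"]
        and 8 <= env["hour"] < 18
    )


# A handful of policies replaces a role per attribute combination.
POLICIES = [engineering_documents_policy]


def authorize(subject, obj, env):
    """Dynamic authorization: every policy is re-evaluated on each
    request against the attributes as they are right now, so a change
    in clearance, region or device posture takes effect immediately.
    Default-deny: access is granted only if some policy permits it."""
    return any(policy(subject, obj, env) for policy in POLICIES)


def rbac_roles_needed(departments, regions, clearances):
    """Under static RBAC each distinct (department, region, clearance)
    combination becomes its own role, so the count multiplies out."""
    return len(list(product(departments, regions, clearances)))


if __name__ == "__main__":
    alice = {"department": "engineering", "region": "EU", "clearance": 2}
    spec = {"department": "engineering", "region": "EU", "classification": 2}
    office = {"device_managed": True, "hour": 10}
    print("granted:", authorize(alice, spec, office))          # True
    night = {"device_managed": True, "hour": 23}
    print("granted:", authorize(alice, spec, night))           # False
    print("RBAC roles:", rbac_roles_needed(["engineering", "finance"],
                                           ["EU", "US", "APAC"], [1, 2, 3]))  # 18
```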

NextLabs' Zero-Trust Policy Platforms

A key component of implementing zero-trust security is evaluating every access at the time of the request. Incorporating dynamic authorization with ABAC not only ensures that policies are evaluated dynamically at every access attempt, but also automatically incorporates the latest changes into the evaluation and enforcement of policies. This both reduces the effort required to keep policies up to date and shortens the delay before any change takes effect.

Using Dynamic Authorization to Implement ABAC

NextLabs’ Zero-Trust policy platforms utilize dynamic authorization in the definition and enforcement of ABAC policies, which enables organizations to grant fine-grained access and entitlement to resources, allowing users access to only what they need, and granting them the entitlements to only do what they should be authorized to do once they have that access.  

In addition, the NextLabs suite also utilizes centralized management of policies that allows a few policies to replace an exponential number of roles and streamlines access management across all applications and systems. Centralized management makes it easy for policy administrators to add or update policies and quickly deploy them across the enterprise. The NextLabs Zero Trust Data-Centric Security suite includes: 

  • CloudAz, a unified policy platform that centralizes administration and utilizes the “never trust, always verify” principle, ensuring data is protected at any access point. 
  • Data Access Enforcer (DAE) helps enterprises protect data access from anywhere, by securing access and protecting critical data stored in databases and data lakes. 
  • SkyDRM ensures persistent protection of critical files and documents to protect data on the move and at rest.
  • Application Enforcer can be used to secure applications, enforce data security controls, and simplify role management.

Download the whitepaper to learn more about how ABAC and dynamic authorization address role explosion, enhance access management, and meet Zero-Trust principles.


NextLabs seeks to provide helpful resources and easy to digest information on data-centric security related topics. To discuss and share insights on this resource with peers in the data security field, join the NextLabs community.