By Gerry Gebel, Vice President of Business Development at Axiomatics

Modern access control technologies like dynamic authorization can ensure information isn’t exposed to unauthorized users within an organization.

Businesses and government agencies worldwide hold information that, if it fell into the wrong hands, could cause widespread financial or reputational damage. Take a moment to think about all the proprietary information and intellectual property (IP) companies like Apple, Tesla, Google and Amazon hold about their algorithms and future technologies. What if the wrong person uncovered that information? They could damage the future of any one of those companies. This was highlighted recently when a disgruntled Tesla employee was able to access the Tesla Manufacturing Operating System and change code to sabotage operations.

Now think about all the information the U.S. government holds, data that contains personally identifiable information (PII) on federal employees and U.S. citizens, proprietary or export-controlled data and other sensitive information related to national security. The range of risk to citizens or government employees ranges from a relatively insignificant inconvenience to matters of national security.  

Both businesses and federal agencies are already investing heavily to protect data from hacking and other external threats, but insider threat poses a more intimate, internal challenge that must be addressed. Insiders (staff, contractors, partners, and so on) have legitimate access to the organization’s IT systems. The insider threat or risk occurs when legitimate users leverage their access for reasons other than their official duties, such as for personal profit, sabotaging systems or business opportunities, or other malicious purposes.

Addressing insider threats requires a diligent strategy when it comes to access control. The approach must meet ever-evolving security challenges in the digital age and enforce enterprise or agency-wide access based on specific organizational policies, guidelines and regulations.

Modernizing access control capabilities

With so much sensitive data at stake, legacy access control mechanisms don’t hold up in the digital age.

Historically, the principle of least privilege was used as guidance for implementing access control strategies. That is, a user should only have access to the minimum level of functions, data or other resources to accomplish the task at hand. While the theory is a sound one, the mechanisms used to implement this principle are often too blunt to achieve the goal.

Approaches such as access control lists, group lists, roles or other profiles are typically too imprecise to implement least privilege in most scenarios. We have often heard of information security officers frustrated that they have to “over-provision” access to accomplish a business objective, but thereby compromising operational risk because too much data or functionality is granted to the user. This illustrates a scenario where insiders can use the excess access for nefarious purposes.

The idea of least privilege, however, seems a bit counterintuitive against the backdrop of the current digital age. When you consider the amount of data generated, stored and analyzed in the enterprise today, there is a strong desire to share more data with more people—to improve business processes, enhance customer service and experience, speed up R&D, reduce costs, monetize data resources, and so on. We want to share more data than ever, but there are still boundaries that must be enforced for all the usual reasons: privacy regulations, intellectual property protection, business controls and other compliance and legal reasons.

To deal with current challenges, government agencies and private sector organizations are now turning to a more modern approach to address complex access control requirements. Enterprises are moving toward authorization models that utilize centrally managed policies and contextual attributes, moving away from a static model that use constructs like group lists and roles, plus custom access logic. This approach is known as Attribute Based Access Control (ABAC). Applied dynamically at runtime, ABAC policies provide an approach approved by the National Institute of Standards and Technology (NIST) where they also characterize ABAC as the latest evolution in access control that has developed over the last four decades.

Solving complex access control challenges with dynamic authorization

By leveraging dynamic authorization delivered with ABAC, business and government agencies can implement a granular, policy-based approach to access control to help protect sensitive data while still securely sharing information with authorized users. Unlike role-based models, ABAC can employ user attributes, action attributes, context attributes (such as time, device and location), resource attributes (a record’s sensitivity), and much more.

By leveraging contextual attributes instead of solely roles, policies can be built to control access in a way that’s dynamic, scalable and centralized. This ensures that sensitive information does not become discovered by unauthorized users, even under the most complex access control scenarios. Let’s take a look at an example.

Dynamic authorization in action

Federal agencies hold some of the most sensitive and confidential information that can pose a risk to security across the globe. Dynamic authorization delivered with ABAC can play a pivotal role in thwarting the risk of insider threat at federal agencies.

An example in the federal sector is one from 2010, in which a low-level Army intelligence analyst, Private Manning, was given unfettered access to one of the US militaries’ classified computer networks while deployed in Iraq. Private Manning went on to leak thousands of classified documents to Wikileaks which made them public.

Scenarios in which employees are given unnecessary accesses (or not properly adjusted as their status as an employee or changes, or their role shifts) are responsible for some highly publicized unauthorized disclosures of sensitive information as well as large scale security breaches, such as those outlined in a post by ObserveIT.

ABAC addresses this problem because it is more granular in allowing access so that information exposure can be controlled more precisely instead of allowing broad system access. ABAC works by considering the context of the access control request. Context is defined by using subject, resource, and geographical attributes in analyzing digital policies to return an access control decision dynamically and at run-time. This allows for the creation of complicated policy algorithms that can consider the who, what, when, where, why, and how of an access request, instead of just focusing on the who and the what.

In addition to filtering data and simply allowing or denying access to data, it can also mask or redact data based on these same policies, which is also vital for maintaining data security. Data masking is essential because it protects critical information while also allowing it to be shared and used. It works by obscuring or completely redacting sensitive data items, such as IP from datasets that are being retrieved. Access control queries that return datasets that in any way violate policies are altered on the go to redact or mask sensitive information.

Modern access control techniques are critical to secure access to sensitive information, to guard proprietary information and help protect against national security threats. By leveraging dynamic authorization, business and federal agencies can reduce the risk of insider threat, while still ensuring that information is widely shared and disseminated to the right people.

About the Author

Gerry Gebel is the VP of Business Development at Axiomatics, and in this role he supports our sales, marketing and product teams by managing strategic partnerships and alliances. Prior to joining Axiomatics, Gerry was Vice President and Service Director for Burton Group’s identity management practice. He covered topics such as authorization, federation, identity and access governance, user provisioning and other IAM topics. Gerry also has more than 15 years of experience in the financial services industry, focusing on security architecture, middleware support, and mainframe systems.



Company Website: