Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Remote access security: What is ABAC and can it protect my network?

Expert Joerg Hirschmann illustrates the need to supplement role-based access control with attribute-based access control to boost enterprise security.

What is attribute-based access control and how does it improve enterprise security?

Internal corporate networks are a lot like bank vaults. The information contained within them can be highly valuable and a prime target for criminals. Many modern-day bank vaults require two separate keys possessed by two different individuals in order to be opened. The idea here is that if one of those individuals is compromised or if one of the keys is stolen, thieves still won't be able to get their hands on your valuables.

When it comes to remote access security best practices, the same approach is being taken at corporate networks. For a long time, role-based access control (RBAC) has been used to grant remote access to data stored on corporate servers. User roles, defined in a specific database, dictate what an employee can access remotely. This approach helps to reduce the risk of cyber-breaches when mobile endpoints or unsecured networks are used by employees to connect with corporate servers.

RBAC doesn't eliminate all risks entirely

Unfortunately, RBAC only reduces those risks. It does not eliminate them entirely. As such, further steps need to be taken to devise reliable remote access security. This is where "identity" comes into play. In the context of remote access, two concepts -- device identity class (DIC) and user identity class (UIC) -- comprise the idea of identity information. By introducing a relationship registry that connects DIC and UIC data, user and device information can be recognized, correlated and used to add another level of granular control over network security. The result: Attribute-based access control (ABAC) can now be added to your existing network security infrastructure. What this means is that users with pre-defined roles will be granted remote access to specific sections of the internal corporate network, according to their specific DIC/UIC combination in the relationship registry. If any of the role or identity criteria set by IT are not met, the user's access may be greatly restricted or denied entirely.

ABAC enables much more robust security framework

This is a much more robust security method that specifically addresses issues introduced by growing remote access and bring-your-own-device (BYOD) trends. Corporate networks are only as strong as their weakest links, and mobile endpoints like smartphones, tablets and laptops are just that. By weaving together RBAC, ABAC and more detailed DIC/UIC information, including device state and strength, connectivity and various acceptable data access behaviors, the access that one has to a network when using an assigned device and a secured connection could be very different than that same user attempting to gain access via an unknown device or connection. That's actually a very good thing, considering that a hacker could be commandeering the user identity of a company employee to penetrate your network.

This was last published in January 2014

Dig Deeper on Network Access Control