The Battle Royale between RBAC vs ABAC vs PBAC

At the start of the millennium, cybersecurity was significantly less complex. Recent working practices now demand complex data in huge amounts, ready to share across organisations and across borders, as part of routine day-to-day activity. Back then, data was often straightforward, and the information that was circulated was severely restricted (gone are the days of server rooms located in your office). Plus, there were less sophisticated threat actors who weren’t able to attack with the complexity and speed that we witness today. 

All of that is a thing of the past. Multi-cloud computing, SaaS applications, microservices, API gateways and more – all, especially since the pandemic, have moved more data online, which has widened the attack area for each business’ digital environment. Just as concerning, hackers are increasingly advancing in skills and funding, sometimes sponsored by hostile states, meaning there is never any downtime against threats.

This year alone, 61% of all breaches involved compromised credentials, whether they are stolen via social engineering or hacked using brute force. This is concerning, as exploiting pre-approved authorisation is the primary way that bad actors gain access to secure networks, and as data will be the foundation of a business, a single password dump that contains that company’s access codes could lead to their downfall. Therefore, more organisations are turning to identity management solutions to secure their systems. However, Role-Based Access Control (RBAC), and more recently Attribute-Based Access Control (ABAC), can no longer be relied on for comprehensive protection. Only Policy-Based Access Control (PBAC) can grant businesses the flexibility and transparency needed to keep their assets out of the hands of bad actors.

The downsides to RBAC and ABAC

Just like double denim, RBAC should have been left in the 90s. First invented in 1992, and then refined throughout the early 2000s, RBAC used to be viewed as the best tool in identity management and was widely utilised by many large, multi-national organisations. However, compared to modern standards, the technology was the digital equivalent of a rudimentary keycard. The employee simply inputs their username and password, and if their name is on the appropriate list, they are granted access. It is a blunt tool, insensible to the rapidly shifting facts on the ground—all it can do, essentially, is say “yes” or “no” based on permissions assigned days or months in advance. For obvious reasons, RBAC is more than ready for retirement. 

In later years, more organisations turned to ABAC. Compared to RBAC, ABAC is significantly more sophisticated, allowing organisations to implement fine-grained technology that focuses on a user’s attributes. This could include the resource they’re trying to access and the context in which an access request is made. If I had to recommend deploying either ABAC or RBAC, at a minimum, businesses should be choosing ABAC.

However, ABAC is also not without its flaws, as it is complex. When assigning rules, they must be written in eXtensible Access Control Markup Language (XACML), making ABAC almost completely inaccessible to those without an IT degree. This is especially problematic when time is of the essence during a cyber-attack – the longer it takes for an IT department to change permission and isolate the threat, the more sensitive data can be taken.

PBAC – the best of both worlds

PBAC helps to bridge the gap between RBAC and ABAC. It offers varying levels of access controls, depending on the sensitivity of content, making it much more flexible to the needs of the business. It also considers the context in which access requests are made – allowing managers greater oversight into what files are being accessed and can potentially prevent insider threats before they even occur. 

Yet, the main benefit to PBAC is its user-friendliness. Rather than needing to input commands in XACML, managers can use a Graphical User Interface (GUI) to code policies in plain language, which means complex policies can be written, revised, and put into practice without the need for extensive IT knowledge. This allows managers to be even more involved in the permissions process, which is especially important when teams are still working in hybrid settings and there needs to be flexibility is needed when accessing company resources. In addition, PBAC can interact at every level of the technology stack, from data lakes and warehouses, to APIs and beyond. 

Whilst it had humble beginnings, think of PBAC as the next chapter in identity management. If there’s a plan to improve your existing digital infrastructure going forward, choose the twenty-first-century identity access management solution – PBAC.