The more important you are to a business, the more keys you have. As you work your way up, you’re given access to more and more resources, from the filing cabinets to the front door. Most people want to see their keyring grow, but the truth is dealing with twenty different keys isn’t a privilege—it’s a headache.
Just like physical spaces, access to digital information has to be managed, but like that bloated keyring, no one wants to juggle dozens of logins and passwords. The solution is identity and access management (IAM), where IT determines which resources a given user should have access to, and manages it all centrally.
But which identity access control is right for your business? There are two popular and effective options: role-based access control (RBAC) and attribute-based access control (ABAC).
Role-based access control (RBAC) centers on small business
For years, RBAC has been IAM’s gold standard. This access control method delineates how a user can engage with digital infrastructure based on their position, privileges, and function within the organization. Every user is assigned a unique role, and that role comes with matching permissions and restrictions. Users can only perform operations or access data in the system if they have the required permissions. For instance, sales reps can access customer contact information, but can’t view the overall financial status of the company.
Roles are pre-programmed, and provisioning and deprovisioning are automatic. When a user moves from one role to another, their permissions automatically shift to accommodate the new position. This makes it incredibly easy to manage customers, partners, and outside contractors. However, each new role must be manually built, which can require a significant investment of time for large businesses.
For this reason, RBAC is best suited to small- and medium-sized businesses, with a manageable number of users and relatively simple workflows and hierarchy.
Go big with attribute-based access control (ABAC)
Gartner predicts that by 2020, 70% of organizations worldwide will have moved to the ABAC model. ABAC evolved from the RBAC model, but it takes a different approach to deciding who gets access: it evaluates a combination of attributes rather than roles. Those attributes are grouped into three categories: users, resources, and environmental factors. These can include things like name and organization (user), data creation date (resource), and location or time of access (environment). ABAC allows for Boolean logic (if, then), which makes much more sophisticated access rules possible.
While ABAC is suitable for organizations of every size, it is at its best with large enterprises. Security administrators need to define attributes manually and assign them to individual system components, but once finished, they can be copied and reused for similar components and user positions.
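The two models side by side, as an added example that is not part of the original article: an RBAC check that looks up a role's fixed permissions, and an ABAC check that evaluates Boolean rules over user, resource, and environment attributes. The role names, attribute names, and rules are assumptions chosen for illustration.

```python
from datetime import time

# RBAC: a role maps directly to a fixed permission set (constructed sample data).
ROLE_PERMISSIONS = {
    "sales_rep": {("customer_contacts", "read")},
    "finance_analyst": {("customer_contacts", "read"), ("financials", "read")},
}


def rbac_allows(role, resource_type, action):
    """Allow only if the role carries the permission; unknown roles get nothing."""
    return (resource_type, action) in ROLE_PERMISSIONS.get(role, set())


# ABAC: each rule is a Boolean condition over user (u), resource (r) and
# environment (e) attributes. Attribute names are hypothetical; every rule
# here governs read access only.
ABAC_RULES = [
    # Users may read customer contacts owned by their own organization,
    # but only from the office network.
    lambda u, r, e: (r["type"] == "customer_contacts"
                     and u["organization"] == r["owner_org"]
                     and e["location"] == "office"),
    # Finance staff may read financials during business hours only.
    lambda u, r, e: (r["type"] == "financials"
                     and u["department"] == "finance"
                     and time(8, 0) <= e["time"] <= time(18, 0)),
]


def abac_allows(user, resource, env):
    """Default deny: allow if any rule holds; a missing attribute never allows."""
    for rule in ABAC_RULES:
        try:
            if rule(user, resource, env):
                return True
        except KeyError:
            continue  # incomplete attributes must not widen access
    return False


if __name__ == "__main__":
    analyst = {"organization": "acme", "department": "finance"}
    ledger = {"type": "financials", "owner_org": "acme"}
    print(rbac_allows("finance_analyst", "financials", "read"))
    print(abac_allows(analyst, ledger, {"location": "office", "time": time(9, 0)}))
    print(abac_allows(analyst, ledger, {"location": "office", "time": time(22, 0)}))
```

The RBAC answer depends only on the role, while the same ABAC user gets a different answer for the same resource once the time of access changes.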
Making the right choice is a matter of scale
Implementing RBAC for large enterprises, with thousands of employees, vendors, and contractors, can be a nightmare. IT departments end up assigning and describing thousands of roles, leading to “role explosion” and undermining the value of the system.
For a more fine-grained access control model, ABAC is the right choice. Although it requires more time to implement (especially during configuration and deployment), it allows for granular control and makes for easier IAM for a large number of employees. However, those complex startup requirements mean that for smaller businesses, or those with fewer outside users, RBAC is still the better choice.
Knowing your business is key to understanding which model of identity and access management is right for you. Either way, protecting the data of your users is the number one priority, and IAM is the way to get there.