Most businesses today use Role-Based Access Control (RBAC) to assign access to the network and systems based on job title or defined role. But if an employee changes roles or leaves the company, an administrator must manually change access rights accordingly—perhaps within several systems. As organizations expand and contract, partner with external entities, and modernize systems, this method of managing user access becomes increasingly difficult and inefficient.
To help address this growing cybersecurity challenge and support the next generation of identity management, security engineers at the National Cybersecurity Center of Excellence developed a reference design for an Attribute-Based Access Control (ABAC) system. ABAC is an advanced method for managing access rights for people and systems connecting to networks and assets, offering greater efficiency, flexibility, scalability and security.
The example solution uses commercially available technologies to demonstrate a standards-based ABAC platform in which access rights to an organization’s network or assets are granted based on a user’s attributes, such as certifications, originating IP address, group, department, or employee status. Decisions on access are then made based on information that is available to systems across an organization, or among organizations, about a person, the action she wants to execute, and the resource she wants to access. ABAC enables the appropriate permissions and limitations for each user’s access request based on individual attributes and allows for the management of those permissions by multiple systems from a single platform, reducing administrative burden.
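A simplified policy decision point for the kind of attribute-based decision described above, added here as an illustration and not taken from the NCCoE reference design or the products it uses. The subject, action, resource and environment attributes, the rule names, the sample network and the policy are all constructed for this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable

# A request carries attributes about the subject (the person), the action and the
# resource, plus environment attributes such as the originating IP address.
@dataclass
class Request:
    subject: dict
    action: str
    resource: dict
    environment: dict = field(default_factory=dict)

# A rule is a named predicate over the whole request plus an effect. Rule names,
# attribute keys and the policy below are constructed for this example.
@dataclass
class Rule:
    name: str
    effect: str                      # "permit" or "deny"
    condition: Callable[[Request], bool]

CORPORATE_NET = ip_network("10.0.0.0/8")   # constructed sample network
POLICY = [
    # Deny overrides: anyone whose employee status is not active gets nothing.
    Rule("inactive-employee", "deny",
         lambda r: r.subject.get("employee_status") != "active"),
    # Restricted records may only be edited from inside the corporate network.
    Rule("restricted-edit-offsite", "deny",
         lambda r: r.resource.get("sensitivity") == "restricted"
         and r.action == "edit"
         and ip_address(r.environment.get("source_ip", "0.0.0.0")) not in CORPORATE_NET),
    # Finance staff may read finance records; editing also requires a certification.
    Rule("finance-read", "permit",
         lambda r: r.resource.get("owner_dept") == "finance"
         and r.subject.get("department") == "finance" and r.action == "read"),
    Rule("finance-edit-certified", "permit",
         lambda r: r.resource.get("owner_dept") == "finance"
         and r.subject.get("department") == "finance" and r.action == "edit"
         and "cpa" in r.subject.get("certifications", [])),
]

def decide(req: Request, policy=POLICY) -> tuple[str, str]:
    """Deny-overrides, default-deny combining: the first matching deny rule wins,
    otherwise the first matching permit, otherwise deny. Returns (effect, rule)."""
    for effect in ("deny", "permit"):
        for rule in policy:
            if rule.effect == effect and rule.condition(req):
                return effect, rule.name
    return "deny", "default-deny"
```

When the employee status attribute changes to anything other than active, every decision for that subject flips to deny without an administrator editing a role in any system, which is the contrast with RBAC drawn in the first paragraph.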
Enterprises can use some or all of the guide to implement an ABAC system using standards and industry best practices. Commercial, standards-based products, like the ones we used, are easily available and interoperable with commonly used information technology infrastructure and investments.
Read our two-page fact sheet for a brief overview. For archival purposes, the original draft of SP 1800-3 is available for download (PDF).