
The Comeback of Attribute Based Access Controls

ISO 27001 - the 2022 version. Security standards are now including privacy protection as a core part of new regulation updates. So what is changing, how big a part will Governance teams now play, and will this lead to some old frameworks reappearing?

How the risks of cloud adoption are mixing privacy and security standards on ABAC

I finally found a way to blend my love for Elvis with Data Access Management. How I've done that will become clear in a moment, so let me first start with an important update in the world of security standards. In the past month, ISO released the latest revision of its best-known security standard, ISO/IEC 27001:2022. ISO revisions are nothing remarkable, except that this time around ISO has extended the standard's scope to explicitly include privacy protection.

This fits within a broader industry trend of security standards folding privacy into their recommendations and requirements. The continuous stream of data breaches and privacy incidents making headline news has made it abundantly clear that privacy can no longer be treated as an isolated area: it depends on good information security.

The ISO/IEC changes for 2022

Cloud adoption has become the norm as companies of all sizes and industries come to rely on data as a competitive asset. The rate at which a business can respond to change is recognised as the difference between those that thrive and those that collapse, especially in uncertain times like these. Cloud computing gives organisations the agility to respond to change quickly, with flexible and scalable compute at relatively low cost. However, it also produces large volumes of cloud data, which, combined with stricter privacy regulation and security standards, results in tough and slow data access management workflows. Those workflows in turn limit how fast the organisation can respond to change. Because data access management built around traditional Access Control Lists and Role Based Access Controls tends to be a slow, manual process, organisations often end up choosing between secure data access and accelerated data innovation.

The blatant headlines on data breaches show how many companies consistently default to the risky side. 

In order to keep cloud data private and secure, we need to move towards a closer integration between privacy and security. Dynamic access controls that adapt to volume, variety and variance of cloud data are one of the ways to achieve this. This could mean the greatest comeback in history - since Elvis Presley’s ‘68 comeback special (when Raito raises its Series A, I’m covering this song. Suit and sideburns included…). 

In fact, a roughly 20-year-old framework might have the answers everyone is looking for. Standardised in the early 2000s through OASIS's XACML (eXtensible Access Control Markup Language), Attribute Based Access Control is not a new concept. ABAC is a logical access control model in which each request is permitted or denied by evaluating policies against the attributes of the subject (the user), the object (the data), the requested action and the environment (network, time, device). Because the decision is computed from attributes at request time rather than from a static list of grants, policies can be defined once and enforced dynamically as new data enters the cloud. An intellectually beautiful concept, it never really took off. Microsoft dabbled with it and decided to move away from it in 2009. Reasons ranged from too technical to too heavy. So is it time to go 'back to the future'? With rising cloud adoption, we are seeing security standards increasingly introduce ABAC, or similar concepts where access is determined by metadata.

This article lists some of the revisions and additions to the major security standards, as well as a new standard that introduces the concept of attribute based access controls. It is not a comprehensive survey of all privacy regulations and security standards. For instance, GDPR introduced the concept of purpose limitation, under which data can only be used for the specific purposes it was collected for, and HIPAA and HITRUST both explicitly require access controls, but none of them mention ABAC. However, in case I am missing something, please let us know.

International Organization for Standardization (ISO)

In addition to the update of the ISO/IEC 27001 standard, we recently saw an update of ISO/IEC 27002, which changed its title to "Information security, cybersecurity and privacy protection - Information security controls". This acknowledges the difference between information security and cybersecurity, while also formalising the synergy between privacy and security, and it comes after earlier initiatives in the same direction. In 2019, ISO released the first version of ISO/IEC 27701, which extends ISO/IEC 27001 and ISO/IEC 27002 with controls for PII and assists companies in establishing systems that support compliance with GDPR and other privacy regulations. 2015 saw the first version of ISO/IEC 27017, which extends ISO/IEC 27002 with information security controls specific to cloud services. Although there is no explicit mention of ABAC, you can see a clear move from access control at the perimeter to access control at the level of the data set, which at scale is hard to achieve without ABAC or similar attribute-driven controls. Some important clauses are:

  • Clause 8, Asset management, requires the organisation to keep an inventory of its information assets, or data sets, stored in the cloud (8.1.1). These data sets need to have owners (8.1.2) and be labelled (8.2.2).
  • Clause 9, Access control, requires that the organisation manages access at the level of the data set (9.4.1). It also refers to ISO/IEC 27040, which states that the organisation needs to employ access controls that guard against unauthorised access by other cloud service users (tenants) while granting appropriate privileges to the users who are permitted to access the data.

National Institute of Standards and Technology (NIST)

NIST, which publishes the security standards for US federal information systems, has been tightening the relationship between security and privacy since Revision 4 of NIST SP 800-53 in 2013. Revision 5, published in 2020, is particularly interesting because it introduces attribute-based access control as a control enhancement and adds security and privacy attributes to support least-privilege access management, which further tightens the relationship between privacy and security.

This comes after a 2019 update of the NIST Guide to ABAC, NIST SP 800-162 (Guide to Attribute Based Access Control (ABAC) Definition and Considerations).

Cloud Data Management Capabilities (CDMC) Framework 

In September 2021, a group of major financial firms, cloud providers and technology firms released the first version of the Cloud Data Management Capabilities (CDMC) Framework, which contains best practices for managing and controlling data in single, multi and hybrid cloud environments.

It is aimed at helping financial institutions protect their customers’ privacy against the dramatic rise of cybersecurity threats, and help them address the increased scrutiny of supervisors. 

Similar to ISO/IEC 27017, the framework requires that:

  • Datasets have owners who are responsible for cataloging their datasets and adding meta-data.
  • Datasets are sufficiently labeled, including a sensitivity classification
  • Access Controls migrate from application-centric entitlements to data-centric entitlements

The CDMC goes a step further than ISO/IEC 27017 by recommending that data access management is automated as much as possible based on the labels of the data sets, which closely resembles ABAC: the sensitivity classification and ownership metadata become the attributes on which access decisions are computed.
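To make the mechanism concrete, here is a small ABAC evaluator in Python that ties together the definition of ABAC given earlier (decisions computed from subject, object, action and environment attributes) and the CDMC idea of driving access automatically from data set labels. It is an added example, not Raito's code and not an implementation of XACML, NIST SP 800-53 or CDMC; the attribute names (classification, contains_pii, owner_domain, allowed_purposes, purpose, network, mfa), the two sample users and the three sample data sets are all constructed for illustration. It combines policies deny-overrides with a default deny, and treats an unlabelled data set as unreachable until its owner catalogues it.

```python
"""Minimal attribute-based access control (ABAC) evaluator.

Added example: attribute names, users and data sets below are
constructed assumptions, not taken from any standard or product.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]


@dataclass(frozen=True)
class Request:
    subject: Attrs      # who: department, roles, purpose, pii_training
    resource: Attrs     # what: labels the data owner put in the catalogue
    action: str         # read / write / export
    environment: Attrs  # context: network, mfa


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str  # "permit" or "deny"
    applies: Callable[[Request], bool]


def evaluate(policies: List[Policy], req: Request) -> Tuple[str, List[str]]:
    """Deny-overrides combining with default deny.

    Returns (decision, names of the policies that applied), so the
    applied list can be written to an audit log with the decision.
    """
    applied = [p for p in policies if p.applies(req)]
    if any(p.effect == "deny" for p in applied):
        return "deny", [p.name for p in applied]
    if any(p.effect == "permit" for p in applied):
        return "permit", [p.name for p in applied]
    return "deny", []  # nothing matched: fail closed, never open


POLICIES = [
    # An uncatalogued data set has no labels to reason about, so nobody
    # gets in until the owner classifies it (the labelling requirement).
    Policy("deny-unlabelled", "deny",
           lambda r: "classification" not in r.resource),
    # Purpose limitation: the stated purpose must be one the owner allowed.
    Policy("deny-purpose-mismatch", "deny",
           lambda r: r.resource.get("classification") != "public"
           and r.subject.get("purpose") not in r.resource.get("allowed_purposes", ())),
    # PII only from the corporate network, with MFA, by trained staff.
    Policy("deny-pii-untrusted-context", "deny",
           lambda r: bool(r.resource.get("contains_pii"))
           and not (r.environment.get("network") == "corp"
                    and r.environment.get("mfa")
                    and r.subject.get("pii_training"))),
    # Exporting confidential or restricted data is never auto-approved.
    Policy("deny-export-confidential", "deny",
           lambda r: r.action == "export"
           and r.resource.get("classification") in ("confidential", "restricted")),
    Policy("permit-public-read", "permit",
           lambda r: r.action == "read" and r.resource.get("classification") == "public"),
    # Staff of the owning domain may read and write their own data sets.
    Policy("permit-owning-domain", "permit",
           lambda r: r.action in ("read", "write")
           and r.subject.get("department") == r.resource.get("owner_domain")),
    # Analysts may read across domains; the deny rules above still apply.
    Policy("permit-analyst-read", "permit",
           lambda r: r.action == "read" and "analyst" in r.subject.get("roles", ())),
]

# Constructed sample catalogue: labels are the owner's responsibility.
DATASETS: Dict[str, Attrs] = {
    "customers_pii": {"classification": "confidential", "contains_pii": True,
                      "owner_domain": "marketing",
                      "allowed_purposes": ("campaign-analytics", "support")},
    "public_prices": {"classification": "public", "contains_pii": False,
                      "owner_domain": "sales"},
    "legacy_dump": {},  # never catalogued: no labels at all
}

# Constructed sample users.
USERS: Dict[str, Attrs] = {
    "alice": {"department": "marketing", "roles": ("analyst",), "pii_training": True},
    "bob": {"department": "finance", "roles": ("analyst",), "pii_training": False},
    "carol": {"department": "finance", "roles": (), "pii_training": True},
}


def decide(user: str, dataset: str, action: str, purpose: str,
           network: str = "corp", mfa: bool = True) -> Tuple[str, List[str]]:
    """Build the request from catalogue + user attributes and evaluate it."""
    req = Request(subject={**USERS[user], "purpose": purpose},
                  resource=DATASETS[dataset], action=action,
                  environment={"network": network, "mfa": mfa})
    return evaluate(POLICIES, req)


if __name__ == "__main__":
    for args in [("alice", "customers_pii", "read", "campaign-analytics"),
                 ("alice", "customers_pii", "read", "campaign-analytics", "public"),
                 ("bob", "customers_pii", "read", "support"),
                 ("bob", "public_prices", "read", "pricing-research"),
                 ("alice", "legacy_dump", "read", "campaign-analytics"),
                 ("carol", "customers_pii", "read", "support")]:
        print(args, "->", decide(*args))
```

Note that the data owner never approves individual requests here: maintaining accurate labels on the data set is what grants or withholds access, which is exactly the shift from application-centric to data-centric entitlements. The default-deny branch matters in practice: a request that matches no policy (carol, below) is refused rather than silently allowed, and the list of applied policy names gives the reviewer the reason.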

Being an initiative of the EDM Council, the CDMC is the odd one out: the EDM Council is not security focused, but concentrates on defining the core capabilities of data management programmes. Which brings me to what all this means for Data Governance.

The role of Data Governance

The Data Governance team will play an important role in the implementation and management of ABAC and other dynamic data access controls. Historically, privacy teams have been occupied with the legal aspects of data privacy, such as drafting privacy policies and performing DPIAs, while the information security team has been preoccupied with the technical aspects of information security, such as protecting against malware and system attacks. In the meantime, the Data Governance team has for quite a while been responsible for Data Security, defined as the planning, development and execution of security policies and procedures to provide proper authentication, authorisation, access and auditing of data and information assets. On top of that, the metadata that feeds the authorisation decisions made under ABAC and other dynamic access controls has always been the responsibility of the Data Governance team, so my best guess is that they will be held accountable for the success of these frameworks.

However, with the privacy and security teams becoming increasingly important stakeholders, we will have to update the data governance frameworks to support data governance teams. This will mean defining new processes, roles and responsibilities, SLAs and SLIs. It will also mean allocating more budget to Data Governance.

How Raito helps

Big enterprises and Big Tech understood early on the competitive advantage of dynamic access management as a way to respond to change, and have been rolling out these frameworks to further cement their position. It is Raito's mission to democratise these capabilities so that every company can respond to change in a fast, agile and secure way. We want to do this by investing in the three pillars of scalable data access management.

Observability

Raito provides a 360 degree view on data access & usage from the first moment you integrate Raito with your data source or BI tool. This helps you detect over-privileged users, unused data sets, and unused roles, from which you can incrementally improve your security posture at the dataset level.

Raito's observability dashboard: a 360-degree view of data sources and BI tools

Collaboration

Raito wants to enable the collaboration between the Data Governance Team who define ABAC policies together with the privacy and security team, the Data Owners who will use ABAC policies to automate the approvals of data access requests, and the data engineers who have to enforce the access controls.

Raito's access request workflow: outstanding access request messages

Automation

Raito wants to let its customers define ABAC policies that are consistently enforced across all data sources and BI tools. Further automation will be achieved through the policy recommender that will detect issues such as missing, obsolete and conflicting access controls and will make recommendations for remediation actions that will automatically be implemented upon approval.

Raito's policy view and access provider dashboard: policies enforced across all data sources and BI tools