How attribute-based access control facilitates zero-trust security


Today’s physical access control systems (PACS) are growing more out of touch with the evolving work landscape. New hybrid work models have removed the need for a traditional schedule of building access for employees. Organizations are also experiencing high turnover rates with a greater volume of resignations, new hires, and position backfills. At the same time, the dangers of physical security vulnerabilities are on the rise and have grown to include cyberthreats, with hackers bypassing digital controls and using direct physical access to a server or network to cause harm.


All of these changes put a strain on physical access control systems and the security operations teams that manage them. These evolving risks further expose the shortfalls in legacy physical access control systems, creating greater opportunities for threats to physically infiltrate a building and providing the false notion that a building is secure with an access control system present. To combat this challenge, smart organizations are now adopting a zero-trust approach to strengthen their physical security. Attribute-based access control (ABAC) can help to make this possible.

What is zero-trust?

The zero-trust security model functions under the premise of "trust nothing by default": access to one entrance should not include access to all entrances, and access at 9am on Monday should not translate to access at 2pm on Thursday. The concept of zero-trust security has long been used in the IT world to protect networks from threat actors operating inside or outside of an organization.

As applied to physical access, users must provide valid credentials each time they want to cross an entry point. Verification is conducted through authentication (proof of identity) and authorization (rights granted) functions. Under zero-trust, such verifications are performed continuously. Users’ credentials are checked for validity at every entry point and each time they request entry, even if they have been trusted at that point or others in the past.

What is attribute-based access control?

Attribute-Based Access Control (ABAC) is a means of granting access to a user within an access control system based on rules and policies that relate to characteristics or properties of each identity.


ABAC is a more secure alternative to traditional access control lists, wherein access rights are granted directly to a user, and role-based access control, wherein roles are assigned to users and access rights are granted to those pre-defined roles.

For example, let’s say John Smith is an IT System Administrator working at ACME.

  1. List-based access control: John Smith has access to the ACME Data Center.

  2. Role-based access control: John Smith is an IT System Administrator and IT System Administrators have access.

  3. Attribute-based access control: Access is granted to identities with these attributes:

    • Active employee
    • Part of the IT organization
    • Passed the ISO 27001 training
    • Has an approved access request by the CIO

    John Smith has all these attributes and therefore has access.

How attribute-based access control enables zero-trust security at scale

ABAC users are never assumed to have authority, upholding the very principle that defines zero-trust. Access levels and credentials are only activated once authentication and authorization checks have been performed successfully. Activations are similarly limited in time, as some attributes are constantly changing, requiring users to re-authenticate even if previous access was provided.

Physical access control systems that employ list-based access control and role-based access control traditionally operate in a silo, separated from other business systems and requiring frequent manual inputs. Manual inputs are an opportunity for human error, which can directly, but unknowingly, impact an organization’s zero-trust policy. On the other hand, ABAC connects with other business systems such as HR, learning management and IT systems to constantly gather changing attributes.
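As an added illustration (not code from this page or from RightCrowd), the following Python model runs the John Smith example through all three decision styles, with the ABAC policy re-evaluated on every request against attributes fed from HR, the learning management system and the approval workflow. The identity attributes, timestamps and the 30-day CIO approval window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RESOURCE = "ACME Data Center"

@dataclass
class Identity:
    """Attributes as the access system currently sees them, refreshed from other business systems."""
    name: str
    employment_status: str                       # fed from HR, e.g. "active" or "terminated"
    org_unit: str                                # fed from HR
    completed_training: set = field(default_factory=set)    # fed from the learning management system
    approvals: dict = field(default_factory=dict)           # (approver, resource) -> approval expiry

# 1. List-based: the right is attached to the person and changes only by manual edit.
DATA_CENTER_ACL = {"John Smith"}

# 2. Role-based: the right is attached to a role; role membership is also a manual assignment.
ROLE_OF = {"John Smith": "IT System Administrator"}
ROLE_RIGHTS = {"IT System Administrator": {RESOURCE}}

def acl_allows(identity: Identity, now: datetime) -> bool:
    return identity.name in DATA_CENTER_ACL

def rbac_allows(identity: Identity, now: datetime) -> bool:
    return RESOURCE in ROLE_RIGHTS.get(ROLE_OF.get(identity.name, ""), set())

# 3. Attribute-based: a policy over the current attributes, evaluated afresh on every request.
def abac_allows(identity: Identity, now: datetime) -> bool:
    approval_expiry = identity.approvals.get(("CIO", RESOURCE))
    return (identity.employment_status == "active"
            and identity.org_unit == "IT"
            and "ISO 27001" in identity.completed_training
            and approval_expiry is not None and now < approval_expiry)   # time-bounded activation

def decisions(identity: Identity, now: datetime) -> tuple:
    """Run all three models for one entry request; zero-trust means nothing is cached from last time."""
    return (acl_allows(identity, now), rbac_allows(identity, now), abac_allows(identity, now))

def termination_scenario() -> dict:
    """Constructed scenario: HR marks John terminated and nobody edits the access control system."""
    t0 = datetime(2024, 3, 4, 9, 0)                 # Monday 9am, constructed timestamp
    john = Identity("John Smith", "active", "IT", {"ISO 27001"},
                    {("CIO", RESOURCE): t0 + timedelta(days=30)})
    result = {"monday_9am": decisions(john, t0)}
    john.employment_status = "terminated"           # attribute refreshed from HR, no manual PACS change
    result["after_termination"] = decisions(john, t0 + timedelta(days=3, hours=5))  # Thursday 2pm
    john.employment_status = "active"               # rehired, but the CIO approval has lapsed
    result["after_approval_lapsed"] = decisions(john, t0 + timedelta(days=45))
    return result
```

Each tuple is (ACL, RBAC, ABAC); the siloed list and role models keep granting after the HR change and after the approval lapses, while the attribute policy denies on the very next request.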

By defining stricter, individualized access parameters and reducing manual inputs, you can make unauthorized facility penetration much more difficult. From a physical security and zero-trust perspective, that is a good thing.

Implementing attribute-based access control

RightCrowd Workforce Access allows your organization to easily implement attribute-based access control, ensuring every worker, visitor, and contractor has only the physical access they need to do their job.

Contact a RightCrowd security expert today to learn more.