RBAC vs. ABAC Models in the Issue of Data Access Control and Data Privacy

More than ever, people are concerned for their data privacy. This modern problem has ramifications for industries regarding data management, generating an important question: how do you responsibly leverage data in a world concerned about data privacy and safety? As risk and concern continues to increase surrounding data management, innovations towards legal and ethical management tools and standards intend to make way for establishing trust between company and data subjects.

DBTA hosted a webinar with Steve Touw, co-founder and CTO at Immuta, to discuss the issue of ethical data usage and how companies can navigate it.

The question is no longer how much data I can get, but how much data do I need?

Though previous decades’ top priorities were the quantity of data that could be mined, the modern issue now is concerned with data access and control. Breaking down the problem reveals two elements: rule complexity and user complexity.

When access control capabilities for data protection, or rules, are too coarse, the less usable data exists for the company. User complexity arises when expanding data use necessitates more user types, requiring more diverse roles and clearance levels; this creates a “house of cards” effect, where change is not so easily made to a pre-existing policy due to the exponential pyramid of increasing users and roles.

These issues are often caused by RBAC (Role-Based Access Control) models implemented into an organization’s data system. RBAC is a static system that requires pre-computed decisions regarding roles; any updates made to the policy must be manually input into the system to account for its existence, as well as removed when it no longer applies. With RBAC, there is no way to use Boolean logic due to its conflation with the role itself. In a company that experiences regular growth in its scale, RBAC systems quickly become unmanageable.

Touw poses ABAC (Attribute-Based Access Control) as the solution to the ethical data leverage problem. ABAC is a dynamic runtime decision system that decouples user metadata from the policy decision. Instead, ABAC employs a query-time decision to identify attributes at the moment of execution, rather than relying on pre-computed role configurations. In this way, ABAC systems become future-proof; policies can evolve due to ABAC’s assignment of attributes as opposed to roles.

”The key thing is you really need to think about your access control solutions holistically and not forget the management part of it,” said Touw.  “It goes well beyond the granularity of what your database vendor provides…that sets you up for failure if you’re not thinking about the management problems upfront.”

Immuta is able to provide ABAC systems to avoid issues of role explosion and embrace ethical data leverage in these steps:

  1. Discover and classify your data to centralize metadata, integrate any external metadata, and apply standard tagging
  2. Create and manage policies through author cross platform global policies, uniform row-, column-, and cell-level protection, as well as implementing easy to understand policies for any role
  3. Enforce and audit by transparent enforcement at query time, streamline data request workflows, restrict and log access based on purpose/intent, and through unified policy logs

ABAC systems simplify data intake and access control for any organization, and through Immuta, can be implemented into your pre-existing system.

An archived on-demand replay of this webinar is available here.