With the growth of the human population, digital information is also increasing exponentially. In 2007, 97 percent of assessment showed that approximately 93 percent of information was stored digitally, as opposed to less than 1% in 1986. With this much information stored digitally, there is an increasing need to share it and to allow access only to the appropriate individuals [1]. As the user populations of information systems have expanded, the challenge of controlling access to resources using security policies has grown. Access control is the process of proving authority to access specific resources, applications and systems.
Access to the data can be enforced through many access control models, e.g. Attribute-Based Access Control (ABAC), …
3. ABAC model Overview [3]
4 DIFFERENCE BETWEEN RBAC AND ABAC
Since the 1970s, RBAC has been considered the standard approach to access control. ABAC, however, is increasingly regarded as the prevailing mechanism for the future. Both RBAC and ABAC have their own weaknesses and benefits, so let's briefly discuss their differences on various aspects.
Role Structuring: RBAC trades off the initial effort of structuring roles for advantages in administration and user permission review, whereas ABAC reverses that trade-off: it is easier to set up and structure, but complicates the review of a user's associated permissions.
Compatibility: RBAC is outdated, expensive to implement, and unable to accommodate real-time environmental states as access control parameters, whereas ABAC is newer, simpler to implement, and accommodates real-time states as access control parameters.
Auditability: RBAC is inherently auditable. With RBAC assignments it is simple for business owners to check the access granted to any end user. This contrasts with ABAC, where the consequences of a rule are not easy to fully grasp. Potentially, an extremely large number of rules might need to be executed, and in exactly the same order in which the system applies them, to successfully determine access. As a result, it could be impossible to determine the risk exposure for any given employee position.
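The auditability contrast above, as an added example that is not part of the original essay: a toy RBAC model beside a toy ABAC model, with constructed users, roles, attributes and rules. It assumes a first-applicable combining algorithm for the ABAC rules, so that moving one rule changes which resources a subject can reach even though no rule was rewritten.

```python
from typing import Callable

# --- RBAC: static assignment tables, user -> roles -> permissions (constructed sample data) ---
ROLE_PERMS = {"doctor": {"read:chart", "write:chart"}, "nurse": {"read:chart"}}
USER_ROLES = {"alice": {"doctor"}, "bob": {"nurse"}}

def rbac_permissions(user: str) -> set[str]:
    """Reviewing RBAC access: a user's effective permissions follow from the two
    assignment tables alone, so an owner can check them without running any logic."""
    return set().union(*(ROLE_PERMS[r] for r in USER_ROLES.get(user, ())))

# --- ABAC: an ordered list of rules over subject, resource and environment attributes ---
# Each rule is (name, predicate, effect); effect is "permit" or "deny".
Rule = tuple[str, Callable[[dict, dict, dict], bool], str]

ABAC_RULES: list[Rule] = [
    ("deny-off-hours", lambda s, r, e: not 8 <= e["hour"] < 18, "deny"),
    ("clinician-own-ward", lambda s, r, e: s["dept"] == r["ward"], "permit"),
    ("emergency-override", lambda s, r, e: e["emergency"], "permit"),
]

def abac_decide(subject: dict, resource: dict, env: dict, rules: list[Rule] = ABAC_RULES) -> tuple[str, str]:
    """First-applicable combining (an assumption of this example): the first rule whose
    predicate matches decides, so the order of the rules is part of the policy."""
    for name, pred, effect in rules:
        if pred(subject, resource, env):
            return effect, name
    return "deny", "default"  # no rule matched: deny by default

def abac_exposure(subject: dict, resources: list[dict], envs: list[dict], rules: list[Rule] = ABAC_RULES) -> set[str]:
    """Reviewing ABAC access: to learn what a subject can reach, every resource must be
    evaluated under every environment state, in rule order; there is no table to read off."""
    return {r["id"] for r in resources for e in envs
            if abac_decide(subject, r, e, rules)[0] == "permit"}

# Constructed sample data for a review of one employee's exposure.
ALICE = {"id": "alice", "dept": "cardiology"}
CHARTS = [{"id": "chart-101", "ward": "cardiology"}, {"id": "chart-202", "ward": "oncology"}]
ENVS = [{"hour": 10, "emergency": False}, {"hour": 22, "emergency": True}]
# The same three rules with the override moved first: a reorder, not a rewrite.
REORDERED_RULES = [ABAC_RULES[2], ABAC_RULES[0], ABAC_RULES[1]]

if __name__ == "__main__":
    print("RBAC alice:", sorted(rbac_permissions("alice")))
    print("ABAC alice, rules as written:", sorted(abac_exposure(ALICE, CHARTS, ENVS)))
    print("ABAC alice, rules reordered: ", sorted(abac_exposure(ALICE, CHARTS, ENVS, REORDERED_RULES)))
```

With the rules as written, alice can reach only chart-101; with the override rule moved to the front she can also reach chart-202 during the emergency, which is the kind of consequence an auditor cannot read off a role table.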