Understanding Attribute Based Access Control (ABAC)

Captions
Hey folks, Andrew here at All Things IAM. So I'm gonna take a little bit of a different approach today and I'm using some PowerPoint slides to really drive the message of what ABAC is. I feel like it's just much easier to visually show everybody what ABAC is rather than you looking at a camera and seeing me talk about ABAC, because I don't think it really drives the message very well. So let's begin.

So RBAC is a common authorization method today that we use to get roles. We use the 80/20 rule or some other method, top-down or bottom-up analysis, to figure out what are those common accesses. The problem is, like I said earlier in my intro, what if we really need to dial down to particular areas of a location? And that's where we have ABAC, and we can use this to really say, hey, you know what, I want to be more specific in how I grant access to people and look at more different attributes, and that's kind of where ABAC comes into play.

So I'm gonna break this down into a couple of areas. The first thing about ABAC I'm talking about is what is ABAC, and then once I break that down, we're gonna talk about when is the best way to implement ABAC and how it works, like what's the engine that drives it. Then I'm going to talk about the pros and cons of ABAC, and finally just give you a quick summary of what's going on, because again you're going to have a lot of information at one time and summarizations are always great to really make sure you get the full picture, or at least the big highlights of it.

So let's talk about what is ABAC. So when you look at ABAC today, and this is the definition of ABAC, and I know it's long: it's an access control method where subjects' requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions. Yeah, I just read that whole definition for you, which is on the screen, but I really wanted to just drive that message because this came from NIST. But what I really, really want you to focus on is that highlighted word, attributes, and really what does that mean.

So when we look at attributes, what we're looking at is this. As defined by NIST, attributes are characteristics of a subject, an object, or environmental conditions. And you're thinking, well, what is that? Think of it as this: they could be a person, their job title, maybe what their clearance level is (and for those who aren't aware, it's really more for the federal government where you have clearance levels), what is their IP address, which is an environment condition. These and some other attributes are really what that means. Those are the makeup and models that really describe the individual or the bot or whatever that you want to take into account first before you really say yes or no about giving someone or something access to a location, an area, a file, and so on.

So let's break it down just a little bit more. So what's a subject? When you think of a subject I want you to think of it as a human user or this friendly guy here, a bot, or what we like to call a non-person entity or an NPE. People are very easy; you obviously know the attributes, like I said earlier: job title, name, first name, last name, date of birth, whatever you want to describe a person. Bots are interesting if you think about it, so bots can do human actions but automatically, and the easiest way for you to understand bots is when you go to a website and you get that little pop-up button, the live chat. You're not really talking to a live person, you're talking to a bot for the most part, and they'll ask you some common questions saying, hey, what's your order, for example, or how can I help you, and then based on your responses it drives you to the next set of questions to get you the answer you want. So it saves a lot of time for the most part. I know you and I have all been there where we even called, like, Verizon for example and you get a bot and it's just so frustrating and you're like "human, human, human," and that happens from time to time. But that's really what a bot is. So those are really what your subjects are when you look at the whole equation of ABAC.

So the next part of ABAC is objects, and you're like, what's an object? So when you think of an object you can think of a couple of things. You can think of a file, for example; you can think of a machine or a device; and the third thing is you can think of, like, a database, for example, or even some kind of form of database or the table itself. And there are some other parts that I haven't listed in here, such as an object could also be a network, even a program, like a software program, for example. These are what we like to call objects, and that really describes it.

So you have your subject, now you have your object, and then the other part I want to talk about is an operation. So when we think of an operation, it's very straightforward: it could be rights. So you have read rights, you have write rights, you have delete, for example. These are some common ones today: copy, execute, modify. These are all operations. So now we have a subject, we have an object, and now we have what's the operation that you're intending to do.

And then another part of ABAC is your policies. A policy is where you have a representation of rules or a relationship that makes the ABAC system really work, and it looks at those to say, what is the decision I am making based on some rules? It takes into account a couple of things. Number one, like I said earlier, it takes into account the subject: if it's a person, the various attributes that make a person or an NPE, for example. That's the first part a policy can take a look at. And then it looks at the object: what are you trying to get access to, what actions are you trying to get to? And that's really what that is. So the policy takes into account the subject and then the object, what you're trying to get access to, and based on those criteria of the attributes of the subject and the object you're trying to get access to, it's gonna put them together and make a decision. If you qualify, or you meet the criteria, then you get a positive decision and you're gonna get granted access to wherever you wanna get to. But if for some odd reason you don't meet that criteria, then your access gets denied. So pretty much think of a policy as your engine, or your decision maker, to make those decisions based on the attributes you're feeding it.

And then one last thing I want to talk about that I briefly talked over is environmental conditions. What is that? So environmental conditions could be a couple of things. Think about it: it could be time of day, where basically when you request your access, maybe within the policy there are rules saying, hey, only between these times or days can you request or get this access; if it doesn't fall within that range, then access is denied. Another environment condition is location: where are your requests from? Like, for example, your IP address. If I'm based out of, let's say, Maryland, for example, and all of a sudden I am there 10 minutes ago and then I get a request from, let's say, California 10 minutes later, you're like, wait a minute, that's weird, why should I do that? So in the policy you might have, you know, maybe a set of approved lists of locations or IP addresses saying that, hey, it must come from here, or maybe it must come from the United States, for example, and if it comes from another area or another country, deny. And then the third part is risk level. So how risky is the object that you're trying to access? Is it something that's low-level sensitive or something that's very top secret? And based on those conditions, when you request access, again, maybe you get it, maybe you don't, depending on the attributes that you're pushing to say, hey, policy, make a decision. So that's really, in a nutshell, all the different things they have there. So that's about what is ABAC.

Now let's talk about when do you want to use, or when you want to implement, ABAC. So we talked about RBAC and we talked about the common use cases of RBAC. Again, what you want to do is, you have all this different access: so you have your Office 365 access, Workday, some shared folder, VPN access. Today you realize that eighty percent of people have these accesses, so I'm gonna make it into a role, and you'll see here the role is assigned to a user, and that's great and that works. But what if within that shared folder I wanna only restrict different locations within that folder? With RBAC I can't do that. With RBAC I give you the whole folder. If there are some files or directories in that folder that are not really for your consumption, or you don't have the highest level of access, or your clearance level is low, I can't stop you from getting that file, I can't stop you from copying it, I can't stop you from saving it, deleting it, and sharing it. And that's a problem, and that's where RBAC really falls flat on its face. And that's where we talk about, if that's the issue, which I talked about again here, and I kind of jumped ahead of myself, is that right there, where I can't restrict there, this is where ABAC comes into play, saying, you know what, we have sensitive information, we have access that we really want to be more specific or restrictive on, and that's where we implement ABAC.

So I took this from NIST 800-162, and this is a great, easy, simple scenario that I want to really help drive how ABAC really works, the whole engine. So let's say our subject here, we'll call him Joe. Joe has access to a database, and when he requests access to the system, the ABAC system, or decision maker, will look at the policy, which is 2a, and say, hmm, well, I have these rules in play, Joe, let me make sure you qualify before I give you access to that database. So the access control policy, or the policy itself, will look at Joe's attributes and also the attributes of the object, which is the database that he's trying to access, and it looks at that and says, hey, here are the rules that I have in my policy. So within that policy maybe it says you can only get access Monday through Friday from the hours of 8 a.m. to 5 p.m. Eastern time, which is an environmental condition. Then also it says, you know what, anybody requesting access, okay, you have to have a particular set of clearance levels for you to get that access. So once we look at everything right there, then we make a decision. So we look at Joe again. So Joe, he meets your criteria, but maybe he has a low-level clearance, and then the policy itself says, okay, now I have a particular rule within my policy that says if you meet this criteria maybe I only give you read access, you know, and that's what Joe gets, is that read access. But Joe will not get the ability to copy, edit, or delete something, and those are the operations right there that the ABAC engine can really dictate and drive. Whereas in RBAC, for example, I give Joe a role, and Joe has access to this database here, he gets access to everything within the database, which is a problem, especially again if there are particular files, directories, or he shouldn't be able to delete, copy, or manipulate the database tables itself. And that right there is how the ABAC engine works. There are more complex scenarios out there in that NIST document, and I will link this in the description below, this actual artifact; it's a great read if you want to look into it. There are some other great diagrams, more figures like this one, that are really complex. I'm not going to bother to show that to you because I want to be very specific and just simply give you what ABAC really is.

So now that we understand when to use ABAC and the best approach, what are the pros and cons of ABAC? So when you look at ABAC, it's an advanced model, so there are particular things that it does great. And the first thing that ABAC does amazingly for you in terms of pros is it's fine-grained access control. It uses various amounts of data, or attributes, to say, hey, if you meet this criteria I'm gonna give you access. Whereas in RBAC it's coarse-grained, or it's more 80/20, where if you have access to a role then I'll give it to you, but I can't restrict you within that access of that system or the application itself. Whereas in ABAC it's fine-grained, so I can be very, very particular in what I want from you in terms of attributes before I grant you access, and then when I grant you that access, maybe I can restrict you a little further, saying you can only read and write but you can't delete or copy. That's the beauty of ABAC and fine-grained access control.

The second part: it's scalable. So when you look at it, you really are just updating policies if you want to extend this. If you have a huge organization, it's very easily scalable, versus RBAC where you're sitting there and you're just creating more and more roles, and that can be cumbersome. Whereas in ABAC you're just taking a couple of policies and maybe you're updating them. And I'm being very, you know, simple, high level, and there are more particulars and different scenarios as you expand or scale up, but I want to keep it simple here and tell you that it's much easier to scale enterprise-wide versus RBAC.

And then the last part, like I said earlier, is if you make a change. So let's talk about RBAC quickly. You make a change in RBAC, you're not changing something with a person, you're changing a role, and most of the time you're just creating more and more roles. So if something should change, for example saying, oh, I want to add X, Y, and Z application, or more particular things, or something changes, I'm just creating more and more roles, and that leads to role explosion, which happens far more often than not. Whereas here in ABAC you're taking the policy and you're just updating the policy. Maybe I have more rules, maybe I have more rules to simply dictate, maybe I put some more environment controls on there, all these different things, and you're not changing anything; all you're changing is the policy itself, but you're not recreating another policy. So it's not policy 1a, 1b; it's policy 1a, and then you're updating a rule or you're updating particular criteria within that policy itself, but the policy stays the same, or the policy name itself stays as is, which is nice because that just makes it much easier and it's easier to be managed from that standpoint. Three things that are pros.

But obviously there are some cons when it comes to ABAC that we should be talking about. So the first thing is the initial setup of ABAC is so time-consuming. It takes so much effort to get it going, and what I mean by that is you have to have the right resources to talk to, you identify the objects you want to do, you need to identify the policies that you want to really create, and that takes time. This is not an 8, 9, 10 week project; this is a years-and-years-on project that you have to take the time to understand what you're trying to really lock down, and even make considerations such as, hey, you know, what's the risk level. And to be very honest with you, you will not get everything all the time. There is no way; this does not have time, and there should be a time, or a line in the sand, where you're like, you know what, this is what we're gonna do in terms of locking things down; everything else will adjust accordingly. Which is convenient, because people are busy; it takes a lot of time, it takes effort, it takes money and resources to really get it set up. So it takes a lot of time, so that's one of the biggest cons there. So if you have leadership who wants instant results, it's not the case here for ABAC. It's gonna take some time, and once you get that initial setup, that's where you'll reap the rewards that come with ABAC.

The second thing I talked about earlier is you can't factor everything. It's just impossible, just so many nuances, especially if you're a huge organization. If you're a big organization and you're trying to do this, it is mind-numbing how much time you'd take to get that done; it's not possible, you won't get results. Leadership, as we all know here in the business world, they want results fast; it's almost, like, how Agile was born. But you cannot factor everything, so it's really a decision: what are we going to lock down, what's the standard? For example, privileged users: how much of that are we going to lock down? And then we go from there, and let's start with this initial baseline first, and then we progress as we mature as an organization and we get much, much better at ABAC; that's where we can go on to factoring everything else. But really, you just can't do it from the get-go. You have to be very specific or it's never going to launch; you can sit there in strategy hell forever.

And then the third part is, if you're a small business organization, ABAC really is not the right approach for you. It takes time and effort, and being a small business, I get the understanding that you want to really get up and go. I feel like RBAC is more the better approach for you when it comes to that, because ABAC has just so many nuances, and I bet you probably have a lot of big things that you're really managing because you're a small business. I'm not saying that stuff isn't true, but I really feel like ABAC is more for enterprise-level organizations versus small business organizations. That's a lot.

So let's talk about the summary. So what have we learned here about ABAC? So the first thing we learned about ABAC is that it's fine-grained access control, where you can be very specific in how you lock things down. Whereas in RBAC you're creating a role that could have eighty percent of people get this, so I'm gonna give it to them, and the twenty percent, I'll make it not requestable, or they're gonna request it themselves, but you just never know that you might get more access, and sometimes when you get that access to people you might be giving them access to everything, not particular databases or folders or directories, whereas in fine-grained access control, or in ABAC, you can do that. Also, you can use several factors. So we talked about objects, we talked about the subject, we talked about the policies, we talked about the environment controls: four things that you can take into account, in various different combinations, to make sure that you can grant access in terms of ABAC. And then, like I said earlier, it's better for enterprise organizations because it's scalable; you can take it and build upon it bigger and bigger and bigger with more policies, and that's really how it works. So ABAC in a nutshell is really better for bigger organizations, to be more specific in how you want to grant access to things. And that's it, there we have it.

And again, I didn't get into too much detail; I wanted to be very high level, because seriously this could be an hour-plus video and you don't want to hear me talk for an hour plus. Trust me, you'll, like, forget this guy, we're done. So I wanted to be very specific, make it quick and short, and talk to you really about the difference between ABAC and RBAC, and what really ABAC is from that show. So there you have it, that's ABAC in a nutshell, and I really hope you got a good idea of what ABAC is and how that works for you. And in future videos I'll talk more about different policies out there, different authorization methods: we have PBAC, we have DAC, discretionary access control, and we have a couple of other ones right there in the pipeline too. So thank you so much for your time, really appreciate it. If you liked everything that you heard today, leave me a comment down below; I read them all, I want to respond to every single one of them, because I love to make these videos and I want to make sure you're getting value from it. If you liked everything, again, subscribe, hit that like button, and you'll get notified for more videos. And as always, as I always tell everybody, stay curious, because you never know. I'll see you next time. Stay tuned. Oh man, it's been a day. [Music]
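The decision flow the video walks through (a subject's attributes, an object's attributes, an operation, environmental conditions such as time of day and location, and a policy that narrows a low-clearance subject to read-only) as an added worked example; this is not code from the video or from NIST SP 800-162. The attribute names, the clearance ladder, the rule set, the sample subject and database, and the fixed UTC-5 offset standing in for Eastern time are all assumptions made for this example.

```python
"""Toy ABAC policy decision point (added example; not from the video or NIST).

A subject requests an operation on an object; each policy rule inspects
subject attributes, object attributes and environmental conditions and
returns a denial reason or None. Deny-overrides: one failed rule denies.
Attribute names, the clearance scale, the rule set and the fixed UTC-5
"Eastern" offset are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed clearance ladder; a higher rank covers lower classifications.
CLEARANCE_RANK = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}
OPERATIONS = ("read", "write", "copy", "delete")
# Eastern Standard Time as a fixed offset; DST handling is out of scope here.
EASTERN = timezone(timedelta(hours=-5), "EST")


@dataclass
class Request:
    subject: dict    # attributes of the human user or non-person entity
    obj: dict        # attributes of the object (file, device, database ...)
    operation: str   # what the subject intends to do
    env: dict        # environmental conditions at request time


# Each rule returns None when satisfied, otherwise a reason for denial.
def rule_business_hours(req):
    """Environmental condition: Monday-Friday, 08:00-17:00 Eastern."""
    when = req.env["time"].astimezone(EASTERN)
    if when.weekday() > 4:              # Monday == 0 ... Sunday == 6
        return "outside business days"
    if not 8 <= when.hour < 17:
        return "outside business hours"
    return None


def rule_location(req):
    """Environmental condition: request must come from an approved country."""
    allowed = req.obj.get("allowed_countries", frozenset({"US"}))
    if req.env.get("country") not in allowed:
        return "request from unapproved location %r" % req.env.get("country")
    return None


def rule_clearance(req):
    """Subject attribute vs object attribute: clearance must cover classification."""
    have = CLEARANCE_RANK[req.subject["clearance"]]
    need = CLEARANCE_RANK[req.obj["classification"]]
    if have < need:
        return "clearance below object classification"
    return None


def rule_operation(req):
    """Below the object's full-access clearance the subject is limited to read."""
    have = CLEARANCE_RANK[req.subject["clearance"]]
    full = CLEARANCE_RANK[req.obj.get("full_access_clearance", "secret")]
    if have < full and req.operation != "read":
        return "clearance permits read only, not %s" % req.operation
    return None


POLICY = (rule_business_hours, rule_location, rule_clearance, rule_operation)


def decide(req):
    """Evaluate every rule; permit only if none objects.
    Returns (permit, reasons) so a denial can be logged and explained."""
    reasons = [r for r in (rule(req) for rule in POLICY) if r is not None]
    return (len(reasons) == 0, reasons)


def allowed_operations(subject, obj, env):
    """The set of operations the policy would permit under these conditions."""
    return {op for op in OPERATIONS if decide(Request(subject, obj, op, env))[0]}


# Constructed sample data for the scenario (not from the video or NIST).
JOE = {"name": "joe", "clearance": "confidential"}
HR_DB = {"type": "database", "classification": "confidential",
         "full_access_clearance": "secret", "allowed_countries": frozenset({"US"})}
TUESDAY_10AM = datetime(2022, 3, 8, 10, 0, tzinfo=EASTERN)
SUNDAY_10AM = datetime(2022, 3, 6, 10, 0, tzinfo=EASTERN)
CLOSING_TIME_UTC = datetime(2022, 3, 8, 22, 0, tzinfo=timezone.utc)  # 17:00 EST, just outside

if __name__ == "__main__":
    env = {"time": TUESDAY_10AM, "country": "US"}
    for op in OPERATIONS:
        print(op, decide(Request(JOE, HR_DB, op, env)))
    print("allowed now:", allowed_operations(JOE, HR_DB, env))
    print("on Sunday:", allowed_operations(JOE, HR_DB, {"time": SUNDAY_10AM, "country": "US"}))
```

Run as a script, it shows Joe getting read but not write, copy or delete during business hours, and nothing at all on a Sunday. The denial reasons are returned rather than only printed so the policy decision point can feed them to an audit log, which is where an analyst will look when a legitimate request is unexpectedly denied or when a request arrives from a location the object's policy does not allow.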
Info
Channel: All Things IAM
Views: 13,168
Keywords: ABAC, attribute based access control, access control, IAM, Identity and access, identity and access management, Authorization
Id: IbghSht_tpA
Length: 20min 27sec (1227 seconds)
Published: Sun Mar 06 2022