PBAC: Why Policy-Based Access Control is the Future of Identity Management

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Oren Ohayon Harel of PlainID argues why RBAC and ABAC are dead, and PBAC is the future of identity management.
Ten or fifteen years ago, cybersecurity was a (relatively) placid affair. There was, for one thing, simply less data circulating, and the data that was circulating did so within a fairly limited perimeter: servers were more often than not located on premises. Attackers, meanwhile, were less sophisticated than they are today and evolved at what now looks like an almost leisurely pace; keeping up with their tactics was not a 24/7 job.
All of that, we know, is now different. The rapid proliferation of multi-cloud computing, SaaS applications, microservices, API gateways, and more over the last decade, and especially in the years since the pandemic, has multiplied each business's attack surface, and attackers have evolved to meet the moment. The IDSA reports that identity-related security breaches have affected 70 percent of enterprises in just the last two years, a harrowing statistic in light of the fact that the cost of the average data breach is now estimated at $9.44 million.
Stolen or reused passwords are the primary way bad actors get into complex environments: because people reuse passwords across services, a single credential dump from a breach entirely unrelated to your company can yield working logins for your company, and an attacker who presents a valid username and password looks, to the authentication layer, exactly like the legitimate user. Given that fact, the standard identity management solutions that businesses have deployed over the years, primarily Role-Based Access Control (RBAC) and, more recently, Attribute-Based Access Control (ABAC), can no longer be relied on for comprehensive protection; what is needed is an authorization layer that can still say "no" after a successful login, based on the context of the request. Only Policy-Based Access Control (PBAC) can grant businesses the flexibility and transparency needed to keep their assets out of the hands of bad actors.
Why RBAC and ABAC No Longer Cut It When It Comes to Cybersecurity
RBAC was first formalized in 1992 and was steadily refined through the start of this century. For decades, it has been the gold standard in identity management, widely deployed by some of the biggest businesses in the country. It is a coarse-grained, static approach, the digital equivalent of a rudimentary keycard: once the employee has authenticated with a username and password, the system checks whether one of the roles assigned to that account carries the requested permission, and grants or denies access accordingly. It is a blunt tool, insensible to the rapidly shifting facts on the ground. All it can do, essentially, is say "yes" or "no" based on role assignments made days or months in advance; it has no way to ask whether this particular request, from this device, at this hour, looks like the legitimate user. For obvious reasons, then, RBAC is more than ready for retirement.
In recent years, ABAC has become a popular alternative, and with good reason. ABAC is a significantly more sophisticated, fine-grained technology, able to factor in attributes of the user, the resource, the action and the environment when making permission decisions. At a minimum, businesses should be deploying ABAC over RBAC. But ABAC comes with its own major problem: namely, its complexity. Its rules cannot be written in plain language; in practice they are expressed in a machine-readable policy language, most commonly eXtensible Access Control Markup Language (XACML), which makes ABAC far too complicated for anyone outside of the IT department to use properly. Given the speed at which business moves, not to mention the speed at which security incidents occur, this is a real problem: things slow down significantly if a manager has to wait for the right IT department member to change this or that permission.
Why Policy-Based Access Control (PBAC) is the Solution
PBAC is a lot like ABAC: it offers fine-grained access control (or coarse-grained, when desired); it factors in environmental and contextual factors like the time of day, the employee's location, the device in use, and the asset they are attempting to access; and it gives managers greater visibility into what people are accessing and when.
But it also comes with one key difference: it does not require users to encode policies in XACML. Instead, they can author policies in plain language through a Graphical User Interface (GUI), which means complex policies can be written, revised, and put into practice without extensive IT knowledge. Under the hood those policies still compile to rules that a decision engine evaluates on every request, so they deserve the same review, version control and testing as any other security control; what changes is who can write them. This allows managers to assert much more control over the permissions process, no small thing at a time when more people than ever are working remotely and much more flexibility is needed when it comes to accessing company resources. Because the decision is made centrally and enforced wherever the request lands, PBAC can also be applied across the current technology stack, from data lakes and warehouses to APIs, microservices, cloud infrastructure, and external and internal applications.
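To make the contrast between a role lookup and a policy decision concrete, here is a small policy evaluator added for this article; it is not PlainID's engine or any product's code. It models RBAC as a static role-to-permission table and PBAC as a set of allow/deny policies over the attributes of each request (time of day, country, device posture), combined deny-overrides, and it returns the names of the policies that fired so every decision can be explained. The role names, policy names, business-hours window, allowed-country list and both sample requests are constructed for illustration.

```python
"""Toy policy-based access control (PBAC) evaluator next to a plain RBAC check.

Added illustration for this article, not PlainID's engine or any real product.
Role names, policy names, the business-hours window, the allowed-country list
and the sample requests are all constructed for demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable

# --- RBAC: a static role -> permissions table, decided in advance -----------
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "finance-manager": {"report:read", "ledger:write"},
}


def rbac_allows(roles, permission: str) -> bool:
    """Classic RBAC: allowed iff any assigned role carries the permission.

    Nothing about the request itself (time, place, device) is consulted.
    """
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


# --- PBAC: policies evaluated against the attributes of each request --------
@dataclass(frozen=True)
class Request:
    subject: str
    roles: frozenset
    action: str           # e.g. "ledger:write"
    resource: str         # e.g. "ledger/q3"
    when: datetime        # local time of the request
    country: str          # country code derived from the client IP (assumed)
    device_managed: bool  # whether the device passed a posture check (assumed)


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                           # "allow" or "deny"
    condition: Callable[[Request], bool]  # policy "matches" when this is true


def business_hours(req: Request) -> bool:
    """Weekdays 08:00-18:00 local; a constructed window for the example."""
    return req.when.weekday() < 5 and time(8, 0) <= req.when.time() <= time(18, 0)


# The plain-language policies an admin would author in a GUI compile down to
# something like this list. Order only affects the order of reported reasons.
POLICIES = [
    Policy("deny-unmanaged-device", "deny",
           lambda r: not r.device_managed),
    Policy("deny-ledger-writes-out-of-hours", "deny",
           lambda r: r.action == "ledger:write" and not business_hours(r)),
    Policy("deny-outside-allowed-countries", "deny",
           lambda r: r.country not in {"US", "CA"}),
    Policy("allow-by-role", "allow",
           lambda r: rbac_allows(r.roles, r.action)),
]


def pbac_decide(req: Request, policies=POLICIES):
    """Deny-overrides combining: any matching deny wins, else any matching
    allow, else default deny. Returns (decision, names of policies that fired).
    """
    denies = [p.name for p in policies if p.effect == "deny" and p.condition(req)]
    if denies:
        return "deny", denies
    allows = [p.name for p in policies if p.effect == "allow" and p.condition(req)]
    if allows:
        return "allow", allows
    return "deny", ["default-deny"]


# Two constructed requests from the same account. The same valid password was
# accepted for both, so an RBAC-only system cannot tell them apart.
LEGIT_REQUEST = Request(
    subject="alice", roles=frozenset({"finance-manager"}),
    action="ledger:write", resource="ledger/q3",
    when=datetime(2024, 3, 5, 10, 30),   # Tuesday, mid-morning
    country="US", device_managed=True,
)
STOLEN_PASSWORD_REQUEST = Request(
    subject="alice", roles=frozenset({"finance-manager"}),
    action="ledger:write", resource="ledger/q3",
    when=datetime(2024, 3, 10, 3, 0),    # Sunday, 03:00
    country="RO", device_managed=False,
)


def compare():
    """RBAC verdict beside the PBAC verdict for each sample request."""
    return {
        "legit": (rbac_allows(LEGIT_REQUEST.roles, LEGIT_REQUEST.action),
                  pbac_decide(LEGIT_REQUEST)),
        "stolen": (rbac_allows(STOLEN_PASSWORD_REQUEST.roles,
                               STOLEN_PASSWORD_REQUEST.action),
                   pbac_decide(STOLEN_PASSWORD_REQUEST)),
    }


if __name__ == "__main__":
    for label, (rbac, (decision, reasons)) in compare().items():
        rbac_word = "allow" if rbac else "deny"
        print(f"{label:7} RBAC={rbac_word:6} PBAC={decision:6} because {reasons}")
```

Both requests carry the same account, the same role and the same accepted password, so rbac_allows says yes to both. The policy engine allows the weekday request but denies the Sunday request from an unmanaged device in a country outside the allow list, and it reports which policies produced that verdict; that per-decision explanation is the visibility the paragraph above refers to, and it is what makes a stolen password insufficient on its own.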
Think of PBAC as the next chapter in the identity management solution story, a story that began many decades ago when the US Department of Defense first employed logical access control, and which is still ongoing today. Really, it would not make any sense if our identity management solutions had not changed significantly in even just the last few years alone. After all, every other aspect of the digital sphere has grown more complex— so why wouldn’t our access management solutions, too?