The ongoing digital transformation became a massive driver of change and improvement for many different industries and the arrival of the COVID-19 pandemic slightly shifted the main focus of that process. Remote work and collaboration became more important than ever, and it gave birth to plenty of different ways to work better, smarter, and even faster than before.
At the same time, the rapid expansion of remote work across the world quickly exposed the fact that legacy security systems are not exactly suited for protecting data that is shared outside of the physical borders of an organization’s internal system. Many different people work with sensitive and/or classified information on a regular basis, and accessing such information remotely with only a legacy security system in place is a massive security risk.
The rise of remote work created a whole new vector for digital threats and criminals to abuse in order to gain access to sensitive or classified information, and that vector is called “insider threat”. An insider threat is a threat to an organization, represented by a potentially malicious activity that could be performed by different people that have access to the internal company network – be it current employees, former employees, business associates, and even cybercriminals using impersonation to gain access to restricted data.
There are plenty of different scenarios that could lead to a data breach of sorts when it comes to remote work – from the ever-present “human error” factor to cybercriminals and malicious employees. As such, a modern security system has to be capable of protecting not only from external threats but also from internal ones.
This kind of drastic change to the status quo means that a new solution is necessary to keep up with the changes in the industry, being capable of protecting company data no matter where it is located or where it is accessed from. The solution to this problem is called ABAC, or Attribute-Based Access Control.
Attribute-Based Access Control (ABAC) is a completely new approach to data security, it represents a data-centric approach to security based on dynamic policies to have constant control over what data can be accessed at any given point. ABAC access control creates policies based on a wealth of different attributes – including practically anything, from the current user location to the contents of the data that is accessed.
Mixing and matching different attributes is how ABAC can be used to dynamically modify access permissions of every file for every user in accordance with two important attribute categories – content and context. Content is the nature of the data that is getting accessed, including how sensitive it is and how many people should be able to access it in the first place. Context is every other parameter that is not connected with the data itself, it is used to determine whether the current context of a specific user accessing a specific file is safe and secure before deciding on providing access to that single data piece.
ABAC is a great way to ensure that a company’s data can only be accessed by the right people in the right circumstances. The main driving points of ABAC are attributes, and there are quite a lot of them that can be used to determine whether to allow or deny access. Here are five general categories of ABAC attributes:
Data – Metadata, Security level, Document type, Document classification, etc.
Device – Device name, Device class, MAC address, Device credentials
Location – Country, City, Street
Network – Network classification, Network credentials, Name of the network
User – User group, User security clearance, User nationality, User name, Organization name
Attribute-Based Access Control may seem like a complete overkill for smaller companies, but there are also plenty of industries and use cases that find ABAC to be the best possible way to safeguard their data, including:
Financial service organizations – better protection for client information, including compliance
Defense industry – protection of TOP SECRET information and granular control over who can access data necessary for critical Defense-related operations
Government facilities – facilitating inter-agency or even multinational collaboration with security and productivity in mind
Legal documentation – a necessary part of upholding important justice processes by protecting confidential information in the legal field
Critical infrastructure – better productivity and easier collaboration for massive infrastructure-related projects
Healthcare industry – both the regular health-related information about citizens and the security of healthcare-related developments and services
While general data security is an important task on its own, there is another factor that ABAC greatly helps with, and that is compliance. With more and more government-level regulations appearing on a regular basis, staying compliant with each and every one of them is not an easy task for a lot of companies – especially when it comes to some of the more global regulations or regulations that are not aimed at commercial companies.
The information handling in the defense industry is one such example, covered by three different regulations – CMMC, NIST 800-171, and NIST 800-53.
Cybersecurity Maturity Model Certification (CMMC) is a DoD program (U.S.) that targets Defense contractors specifically, making sure that all of them are properly protecting sensitive information.
NIST 800-171 is a special publication from the National Institute of Standards and Technology, and it covers a list of data protection requirements in regard to controlled unclassified information (CUI).
NIST 800-53 is a list of privacy and security controls that is applicable to every single U.S. federal information system with the only exception being everything that works with national security matters.
Not only these regulations are applicable to companies and contractors, it is also necessary for service companies to follow them, as well. This includes the tech giant Microsoft and its Microsoft 365 tool which is commonly used in many different iterations across the U.S. government structure. As such, the topic of Microsoft CMMC compliance (as well as the rest of the aforementioned regulations) is worth mentioning here.
This level of data sensitivity has a requirement of a Zero Trust approach to be taken for data access when it comes to potentially sensitive information – it is covered in CMMC and should be applicable to both Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). This allows for a much more granular approach to securing sensitive information without tampering with the overall speed and effectiveness of the system.
Of course, this kind of service is not available in Microsoft 365 package, meaning that an external solution is required – such as NC Protect, which is a versatile and effective data security solution that can offer a Zero Trust ABAC approach to Microsoft 365 data, Nutanix data, Dropbox data, and even files stored inside of a regular Windows installment.