Understanding Identity and Access Management (IAM) and Authorization Management

Written by Alon Nachmany and Shruti Kulkarni of the CSA IAM Working Group.

Introduction

Identity and Access Management (IAM) is a crucial aspect of cybersecurity that ensures that only authorized individuals have access to sensitive information and resources. Within IAM, authorization management plays a vital role in controlling access to resources based on users' roles and attributes. This blog explores the two commonly used authorization management models, Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), and the importance of having the right policies and procedures in place to ensure the security of sensitive information and resources.

Role-Based Access Control (RBAC)

RBAC is a model where access to resources is granted based on a user's role within an organization. For example, a user with the role of "admin" would have access to more resources and would have more privileges than a user with the role of "guest." RBAC is typically used in organizations where access to resources is determined by an individual's job function. It is a simple and straightforward model that is easy to implement and manage. It also helps in managing the relationship between a user and the resources the user is authorized to access.

As an illustration, developers need access to code repositories to carry out their job duties. Instead of granting each developer access to a repository and manage the access which becomes exponential as the number of developers and repositories increase, RBAC can help streamline the process as illustrated below:

RBAC

Role Names mapping

New joiners can be added to the Role Names mapping table. This reduces the overhead of managing access to each of the developers and leaves little scope for committing mistakes.

Attribute-Based Access Control (ABAC)

ABAC is a model where access to resources is granted based on a user's attributes, such as their location, clearance level, or department. With ABAC, access to resources can be fine-tuned to a granular level, allowing for more precise control over who has access to what. This model is more flexible than RBAC and allows for more granular control over access to resources.

As an illustration, in a soap manufacturing organization, only the designers of the soap formula have access to the physical facility that designs, builds, and tests the soap formula. As such, only the formula designers are granted access cards to the facility. Another illustration is the classic example of departments that work on highly classified deliverables, which if compromised may impact the health and safety of the general public. In such scenarios, users who have clearance to view deliverables are granted access to just view. They are not granted access to modify or write to the deliverables.

Centralized Management

Both RBAC and ABAC can be managed through a centralized place, such as a directory service or IAM platform. This central location allows for easy management of groups, attributes, best practices, and services. It also enables automation and delegation of access control, making it easier to manage and maintain a secure environment.

Policies and Procedures

However, it's essential to note that having a centralized place for authorization management is not enough. It's important to have the right policies and procedures in place to ensure the security of sensitive information and resources. This includes procedures for creating a user, granting access, revoking access, managing authentication factors, regular reviews and audits of access controls, as well as employee training on security best practices.

Conclusion

Authorization management is a vital aspect of IAM and cybersecurity, and both RBAC and ABAC models provide different means of controlling access to resources. Having a centralized place for management and automation of access controls can make it easier to maintain a secure environment, but it's important to have the right policies and procedures in place to ensure the security of sensitive information and resources. Organizations should carefully consider which model best fits their needs and implement the appropriate policies and procedures to ensure the security of their sensitive information and resources.

Key messages:

• Compromises may take place because access to resources may not be managed appropriately. Also in large organizations, access management may grow exponentially and become unmanageable in the absence of processes and procedures.
• To ensure that IAM and authorizations are managed efficiently and support cybersecurity, it is important to have tools in place. These tools are Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC).
• Having the right level of policies, processes, and procedures along with RBAC and ABAC will ensure that people have the right level of access to conduct their job duties and have little scope to expand on the granted privileges.