A short while ago, someone asked why ABAC has been so slow to adopt on https://security.stackexchange.com/. Here’s my take below.

Top 5 reasons ABAC has been slow to adapt

But ABAC is still worth it… Everyone’s talking about it. Should you do it? I’m biased so I’ll say yes. But don’t take my word for it. Look at NIST’s Guide to Attribute Based Access Control (ABAC) Definition and Considerations, Gartner’s research, as well as Kuppinger Cole and Group 451. So how can you speed up ABAC adoption?

Get Authentication Right First

There are many reasons why ABAC hasn’t picked up as quickly. This year (2023), at the European Identity Conference and Identiverse, vendors, attendees, and analysts alike all said that […]
Many of you will be familiar with Randall Munroe’s fantastic xkcd cartoon site. He’s even got a strip for what I’m going to talk about… Standards. I’d been a member and editor of the XACML Technical Committee for about a decade until I decided to move on to the world of Consumer Identity (CIAM) before returning a few months ago to my first love. In the time I was away, new standards emerged (Rego, Oso, Cedar, Zanzibar) and so it felt about time I hopped onto the standardization bandwagon again to promote and streamline authorization. Lo and Behold AuthZEN. My peers Atul Tulshibagwale (SGNL) and Omri Gazitt (Aserto) gave this excellent presentation on the goals of the AuthZEN WG at […]
Originally published on IDPro. For the first time ever, Identiverse headed to Vegas for its annual conference. It was a hit, as always, and judging by the agenda, some of the hot topics were passwordless authentication, AI, and last but definitely not least, authorization. My eyes were gleaming! We’re making authorization great again!

Much Ado about Authorization

I was delighted to see so much activity around authorization, both in the standards track, the vendor track, and the keynotes. On the floor, we had a slew of newer vendor booths tackling the authorization challenge, from Aserto to Indykite. All sources of inspiration. There was no shortage of authorization-related talks either:

As You Like It

One of the main challenges with ‘authorization’ […]
This morning, I woke up, got breakfast ready for my three-year-old, sat down at my desk and wondered: “what if Dr. Seuss had written about ABAC?” Don’t ask me why… Maybe because I’d been reading I Am Not Going to Get Up Today! to my kid the night before. Who knows? Oh, and if you’re wondering what ABAC is, it’s attribute-based access control. Fortunately, we live in a day and age where ChatGPT can pretty much fulfill our wildest dreams and so, without further ado, here’s what ChatGPT thinks Dr. Seuss would have said about ABAC:

In a world of data and access control so tight,
There’s a method that shines with a brilliant light.
ABAC, my dear friend, is its clever […]
Attribute-based access control is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes.