This document discusses the evolution of access control models from DAC to ABAC. It provides an overview of Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC). ABAC is described as a new model that controls access based on multiple attributes of subjects, objects, and the environment, allowing for more flexible and fine-grained access decisions. The document predicts that by 2020, 70% of businesses will use ABAC due to its scalability and ability to incorporate real-time context into authorization decisions.

1. ABAC AND THE
EVOLUTION OF
ACCESS CONTROL
MODEL
I-Security Seminar
ITS Surabaya, Sept
2014

2. Co Founder of BelajarMikrotik.Com
Founder of ForumMikrotik.Com
Trainer and Lecturer for Project Management and
Information Security Classes
ICT Manager of Services at PT. Bayan Resources Tbk
AKBAR AZWIR, MM, PMP,
CISSP

3. INFORMATION SECURITY
Informati
on
Security
Confidentiality
Availability
Integrity

4. AAA
Authenticati
on
To answer question “Who are you”
3 factor : Who you are, what you have
and what you are
Authorizatio
n
To answer question
“What can you access”
Accounting
To answer question
“What you have
accessed”

5. Let’s talk about Access Control

6. ACCESS
CONTROL
MECHANISM
“The logical
component that
serves to receive
the access
request from the
subject, to
decide, and to
enforce the
access decision.”

7. ACCESS
CONTROL
MODEL
“Framework that
dictates how
Subjects Access
Object.”
- CISSP AIO Exam Guide, 6th Edition

8. DAC MAC RBAC ABAC
ACCESS CONTROL
MODEL

9. DISCRETIONARY ACCESS
CONTROL (DAC)
ACL
• Decentralized
• Owner Discretion,
usually via
administrator
• Enforce through ACL
• Identity Based
• Permission rule
attached to the
Object

10. DISCRETIONARY ACCESS
CONTROL (DAC)
ACL
Folder Accounting Dept
Rudi
Accounting Manager
Agung, Logistic Staff
Johny, Accounting Staff
Subject Permission
Rudi Full
Control
Johny R W D C

11. DISCRETIONARY ACCESS
CONTROL (DAC)
Pros
•Easy to implement
•Great Flexibility
•Built-in in most
OS
Cons
• Doesn’t scale well
•Possibility of ACL
Explosion
•Prone for
mistakes

12. DAC MAC RBAC ABAC
ACCESS CONTROL
MODEL

13. MANDATORY ACCESS
CONTROL (MAC)
Subject with Clearance Object with Classification
• Centralized
• Access Control enforced with Clearance and
Classification
• Only Subject with Clearance the same or above
from Object Classification can Access the
Object

14. MANDATORY ACCESS
CONTROL (MAC)
Ken Watanabe, Intelligent Analysis
Clearance Level 2
Project Pegasus
Data Classification Top Secret
Clearance Level Classification
Level 5 Top Secret, Secret, Classified,
UnClassified
Level 4 Secret, Classified, UnClassified
Level 3 Classified, UnClassified
Level 2 UnClassified

15. MANDATORY ACCESS
CONTROL (MAC)
Pros
• Most Secure
• Easy to scale
Cons
• Not Flexible
• Limited user
functionality
• High admin overhead
• Expensive

16. DAC MAC RBAC ABAC
ACCESS CONTROL
MODEL

17. ROLE BASED ACCESS
CONTROL (RBAC)
ACL
Subject Assigned to Role Role Object with ACL for Role

18. ROLE BASED ACCESS
CONTROL (RBAC)
ACL
Accounting Manager
Accounting Staff
Andrew
Lucas
Lisa
Jim
Subject Permission
Accountin
Full
g Manager
Control
Accountin
g Staff
R W D C

19. ROLE BASED ACCESS
CONTROL (RBAC)
• Centralized and Decentralized at once
• Subject access permission are enforced
through Role membership
• Role permissions are enforced through
Object’s ACL
• Subject can be a member of more than one
role

20. ROLE BASED ACCESS
CONTROL (RBAC)
Pros
•Scalable to some degree
•Great for organizations
with high turn over
Cons
•Roles needs provisioning
and maintenance
•Possibility of Role
explosion
•Unable to accommodate
real-time context

21. DAC MAC RBAC ABAC
ACCESS CONTROL
MODEL

22. ATTRIBUTE BASED ACCESS
CONTROL (ABAC)
Subject with Attributes Object with Attributes
• Centralized
Environment
Conditions
• Access Control enforced by taking Subject Attributes,
Object Attributes, and Environment Context and
compare them to the Policy
• Policy written using human readable language that
easily understood, XACML (eXtensible Access Control
Markup Language)

23. ATTRIBUTE BASED ACCESS
CONTROL (ABAC)
User Dept X Folder Classified Dept X
Environment
Conditions
• Ex 1 : User can only access their Dept Folder
from their own Office location at Working Hour
only
• Ex 2 : Certain Folders can only be accessed
from Specific Workstations if the bandwidth
usage is low

24. ATTRIBUTE BASED ACCESS
CONTROL (ABAC)
PEP
PDP
PAP PIP Environment
Conditions
Attribute
Repository
Policy
Repository
PEP : Policy Enforcement Point
PDP : Policy Decision Point
PAP : Policy Administration Point
PIP : Policy Information Point

25. ATTRIBUTE BASED ACCESS
CONTROL (ABAC)
Pros
• Scalable
• Real time Context
aware
• Segregation of Duty,
different people can
manage different
Subject and Object
Attributes and Policy
Cons
• It’s new
• Requires socialization
and convincing
• Organization change
required to manage
Attributes

26. ATTRIBUTE BASED ACCESS
CONTROL (ABAC)
• ABAC is still in it’s early stage
• Gartner predicts that by 2020 70% of business
will use ABAC

27. ATTRIBUTE BASED ACCESS
CONTROL (ABAC)
• Microsoft Windows Server 2012 Claim Based
Access Control or Dynamic Access Control is
Microsoft implementation of ABAC
• Fedora 3.3 FESL (Fedora Security Layer) using
XACML to implement ABAC
• 3rd party auth service companies such as
Axiomatics and Avatier offer ABAC
implementation to OS and Applications and or
Databases

28. ATTRIBUTE BASED ACCESS
CONTROL (ABAC)
• Open source ABAC projects such as :
• http://abac.deterlab.net
• OpenAZ, http://www.openliberty.org

29. DAC SIMPLE
DEMONSTRATION
Finance
Marketing
ICT
Finance
Marketing
ICT
DC1, Jakarta FS1, Medan
User Attribute -
Department
Attribute – st (State)
Andi.Michael Finance Jakarta
Bayu. Achmad Finance Medan
Ken. Surahyo Marketing Jakartq
David.Lim Marketing Medan
Zeru.Halim Information
Technology
Jakarta

30. • The current information system ecosystem
require a flexible yet secure access control and
that’s what ABAC is trying to answer
• As Gartner predicts, by 2020, 70% of business
will use ABAC for authorization. Let’s familiarize
early
• There is still a lot of study required as there is
no standard implementation of ABAC, therefor
there is still a lot of involvement that we can
offer to the Information System world
CONCLUSION

31. Thank You
ABAC AND THE
EVOLUTION OF
ACCESS CONTROL
MODEL
I-Security Seminar
ITS Surabaya, Sept
2014
Q & A