Sqrrl Blog

Aug 21, 2013 1:11:00 PM

Attribute-Based Access Controls, Fine-Grained Security Controls, and Big Data

Summary: Sqrrl Enterprise is the only Big Data solution that brings together fine-grained access control labels on data (i.e., cell-level security) with fine-grained identity, resource and environmental attributes for access control decisions (i.e., Attribute-Based Access Control, or ABAC).

The National Institute of Standards and Technology (NIST) defines ABAC with the following:

"ABAC is a logical access control model that is distinguishable because it controls access to objects by evaluating rules against the attributes of the entities (subject and object), actions, and the environment relevant to a request. Attributes may be considered characteristics of anything that may be defined and to which a value may be assigned. In its most basic form, ABAC relies upon the evaluation of attributes of the subject, attributes of the object, environment conditions, and a formal relationship or access control rule defining the allowable operations for subject-object attribute and environment condition combinations."

ABAC takes Role-Based Access Control (RBAC) one step further by giving organizations much greater flexibility and granularity in defining how users can access data: a decision can depend on any attribute of the subject, the object or the environment, not only on the subject's role. It has been an exciting year for organizations interested in ABAC, as NIST released Draft Special Publication 800-162 ("Guide to Attribute Based Access Control (ABAC) Definition and Considerations") in April. This new SP lays out high-level guidance for architecting an ABAC-based system. ABAC is the way of the future for access control, and this NIST publication paves the way for mainstream adoption.

However, NIST's guidance on ABAC only addresses half of the fine-grained access control problem: it is fine-grained about the subject, but says little about how fine-grained the object side should be. This can be illustrated through an example use case that NIST provides:

"A subject is assigned a set of subject attributes upon employment (e.g., Nancy Smith is a Nurse Practitioner in the Cardiology Department). An object is assigned its object attributes upon creation (e.g., a folder with Medical Records of Heart Patients). Objects may receive their attributes either directly from the creator or as a result of automated scanning tools. The administrator or owner of an object creates an access control rule to govern the set of allowable operations (e.g., all Nurse Practitioners in the Cardiology Department can View the Medical Records of Heart Patients)."

In this example, an ABAC policy gives Nurse Practitioners in the Cardiology Department access to the medical records of heart patients. The subject attributes are relatively fine-grained (Nurse Practitioner, Cardiology Department). The object, however, is coarse: the entire medical record. A medical record contains many different kinds of information with differing privacy and security requirements (e.g., mental health information, doctor's notes, Personally Identifiable Information, test results), and a rule written against the record as a whole grants all of it or none of it.

For a more complete solution, ABAC needs to be married with fine-grained access controls on the data itself. Each piece of data within the medical record (mental health information, doctor's notes, Personally Identifiable Information, test results, etc.) should be tagged with its own access label that determines which subjects (as determined by their attributes) may see that individual piece of data.

In other words, it is sub-optimal to design an ABAC system with coarse data labels. ABAC should be teamed with fine-grained data labels (aka "Cell-Level Security"). Sqrrl Enterprise (powered by Apache Accumulo) is the only solution that delivers this union.


How does Sqrrl Enterprise accomplish this? We have paired Apache Accumulo, whose tablet servers filter every cell against the authorizations presented with a scan (akin to a Policy Enforcement Point for those versed in ABAC), with a Policy Engine that evaluates subject, resource and environmental attributes to decide which authorizations a request is granted (akin to a Policy Decision Point), and a Labeling Engine that applies an access control label to each individual piece of data as it is ingested.
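The following is an added illustration of how the two halves fit together; it is not Sqrrl Enterprise or Apache Accumulo code. It models the subject side (attributes evaluated by a policy function standing in for the Policy Decision Point) and the object side (one visibility label per field of a constructed heart-patient record, filtered by a scan function standing in for Accumulo's enforcement). The label grammar follows Accumulo's visibility-expression rules for unquoted tokens: labels joined by `&` (all required) or `|` (any suffices), grouping with parentheses, no mixing of `&` and `|` at one level without parentheses, and an empty expression meaning the cell is visible to everyone. The attribute names, label vocabulary, policy rules and sample record are all assumptions made for the example.

```python
"""Toy model of ABAC attributes feeding cell-level visibility labels.

Constructed illustration, not Sqrrl's or Apache Accumulo's own code.
The visibility grammar approximates Accumulo's ColumnVisibility rules
for unquoted tokens; attribute names, labels and policy are assumptions.
"""
import re

_TOKEN = re.compile(r"[A-Za-z0-9_\-:.]+")


class VisibilityError(ValueError):
    """Raised for a malformed label expression."""


def parse_visibility(expr):
    """Parse a label expression into a small AST.

    Returns None for an empty expression (public cell), a str for a single
    label, or (op, [terms]) where op is '&' or '|'.
    """
    expr = expr.strip()
    if not expr:
        return None
    pos = 0

    def parse_group():
        nonlocal pos
        terms, op = [], None
        while True:
            if pos >= len(expr):
                raise VisibilityError("unexpected end of expression")
            if expr[pos] == "(":
                pos += 1
                terms.append(parse_group())
                if pos >= len(expr) or expr[pos] != ")":
                    raise VisibilityError("missing ')'")
                pos += 1
            else:
                m = _TOKEN.match(expr, pos)
                if not m:
                    raise VisibilityError("bad character at offset %d" % pos)
                terms.append(m.group(0))
                pos = m.end()
            if pos >= len(expr) or expr[pos] == ")":
                break
            ch = expr[pos]
            if ch not in "&|":
                raise VisibilityError("expected '&' or '|' at offset %d" % pos)
            if op is None:
                op = ch
            elif op != ch:
                # Accumulo rejects A&B|C; the writer must parenthesize.
                raise VisibilityError("cannot mix '&' and '|' without parentheses")
            pos += 1
        return terms[0] if op is None else (op, terms)

    tree = parse_group()
    if pos != len(expr):
        raise VisibilityError("unbalanced ')' at offset %d" % pos)
    return tree


def visible(tree, auths):
    """True if the subject's authorization set satisfies the label tree."""
    if tree is None:
        return True
    if isinstance(tree, str):
        return tree in auths
    op, terms = tree
    results = (visible(t, auths) for t in terms)
    return all(results) if op == "&" else any(results)


def authorizations_for(subject, env):
    """Policy Decision Point stand-in (hypothetical rules).

    Turns subject and environment attributes into the authorization set
    a scan is allowed to present. Only the policy engine adds entries
    here; the data never changes.
    """
    auths = set()
    role, dept = subject.get("role"), subject.get("department")
    if role == "nurse_practitioner":
        auths.add("NP")
    if role == "physician":
        auths.add("PHYSICIAN")
    if dept:
        auths.add(dept.upper())
    # Environment condition: PII is only released on the hospital network.
    if env.get("network") == "hospital_lan":
        auths.add("PII")
    return frozenset(auths)


# Constructed sample record: one heart patient, one label per field.
RECORD = {
    "name":          ("Pat Doe",             "PII"),
    "diagnosis":     ("atrial fibrillation", "CARDIOLOGY&(NP|PHYSICIAN)"),
    "test_results":  ("ECG: irregular",      "CARDIOLOGY&(NP|PHYSICIAN)"),
    "doctor_notes":  ("consider ablation",   "CARDIOLOGY&PHYSICIAN"),
    "mental_health": ("anxiety, managed",    "PSYCHIATRY&(NP|PHYSICIAN)"),
    "visit_date":    ("2013-08-21",          ""),
}


def scan(record, auths):
    """Policy Enforcement Point stand-in: return only the cells whose
    label is satisfied, as a scan with those authorizations would."""
    return {field: value for field, (value, label) in record.items()
            if visible(parse_visibility(label), auths)}


if __name__ == "__main__":
    nancy = {"role": "nurse_practitioner", "department": "cardiology"}
    print(scan(RECORD, authorizations_for(nancy, {"network": "hospital_lan"})))
    print(scan(RECORD, authorizations_for(nancy, {"network": "internet"})))
```

With the nurse practitioner's attributes the scan returns the diagnosis, test results, visit date and (only from the hospital network) the patient's name, while the doctor's notes and the mental health field stay hidden even though all of them live in the same record. In a real Accumulo deployment the tablet server additionally checks that the authorizations presented with a scan are a subset of those granted to the user, so the policy engine's decision cannot be bypassed by a client asking for more.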

Contact us here if you are interested in seeing a demo and learning more.

Topics: Blog Post