Why Your Organization Needs Rule-Based Access Control

Widely used role-based security offers strong network protection. Lesser-known rule-based access control can provide even more resiliency.

Role-based access control allows network managers to personalize a user's access level based on the individual's role within the organization. Rule-based systems, on the other hand, grant access to individuals complying with a specific set of conditions. By establishing a pre-defined rule-based access control setting, an administrator might, for example, grant a person or team access to a specific network resource only during regular business day hours.
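The business-hours rule described above can be expressed as a small rule evaluator. This is an added example, not code from the article or from any product it mentions; the resource name, the fixed UTC-5 site clock, the lunchtime maintenance rule, and the deny-overrides and default-deny behavior are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# Constructed site clock: fixed UTC-5 offset (assumption; a real deployment
# would use a named zone so daylight-saving changes are handled).
SITE_TZ = timezone(timedelta(hours=-5))

@dataclass(frozen=True)
class Rule:
    resource: str      # resource the rule protects
    effect: str        # "allow" or "deny"
    days: frozenset    # weekdays the rule covers, Monday = 0
    start: time        # inclusive, site-local
    end: time          # exclusive, site-local

    def matches(self, resource, when):
        # Compare in site-local time so a UTC timestamp from a log or token
        # is judged against the same clock as the rule.
        local = when.astimezone(SITE_TZ)
        return (resource == self.resource
                and local.weekday() in self.days
                and self.start <= local.time() < self.end)

def decide(rules, resource, when):
    """Return "allow" or "deny". The requester's role is never consulted."""
    if when.tzinfo is None:      # timestamp without a zone: fail closed
        return "deny"
    hits = [r.effect for r in rules if r.matches(resource, when)]
    if "deny" in hits:           # an explicit deny overrides any allow
        return "deny"
    return "allow" if "allow" in hits else "deny"   # no match: default deny

WEEKDAYS = frozenset(range(5))   # Monday through Friday
RULES = [                        # constructed policy
    Rule("finance-share", "allow", WEEKDAYS, time(9), time(17)),
    # Hypothetical maintenance window: Wednesdays 12:00-13:00.
    Rule("finance-share", "deny", frozenset({2}), time(12), time(13)),
]

if __name__ == "__main__":
    monday_10am = datetime(2024, 3, 4, 10, 0, tzinfo=SITE_TZ)
    saturday_10am = datetime(2024, 3, 9, 10, 0, tzinfo=SITE_TZ)
    print(decide(RULES, "finance-share", monday_10am))    # allow
    print(decide(RULES, "finance-share", saturday_10am))  # deny
```

Because the decision depends only on the rules and the request context, changing who can reach the resource means editing the rule list, not reassigning roles.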

Rule-based access control, frequently abbreviated as RuBAC, is often described as an attribute-based control, since end users are given a specific level of system access based on pre-determined criteria, regardless of their role or position within the organization, explains Joe Dowling, Dell Technologies' vice president of cybersecurity, identity, and access management.

RuBAC can be used in a variety of scenarios other than network access control, such as file and directory access control, and application access control, says Alaa Negeda, senior solution architect and CTO at telecommunication service provider AlxTel. “It can also be used in conjunction with other security measures, such as firewalls, intrusion detection systems, and passwords.”

RuBAC settings are typically defined by how much control each user is granted to accommodate their specific role within the organization. “The ability to control access is based on discrete criteria, conditions, or constraints,” says Alexander Marquardt, global head of identity and access management for analytics software provider SAS. “It’s explicit and very granular, focusing on a single attribute or characteristic of a subject, object, or operating environment.”

Jay Silberkleit, CIO at freight and logistics services provider XPO, believes that RuBAC is the best choice for organizations looking for a network access method that offers maximum customization and flexibility. “Rules can be changed quickly without changing the overall definition of the organizational structure,” he notes.

Benefits of RuBAC

RuBAC's central benefit is granularity and clarity, Marquardt observes. “There's no ambiguity when looking at a rule, as it explicitly allows or disallows access to a particular object or execution of a specific operation.”

The lure of increased control and flexibility also draws many organizations to RuBAC. Rule-based access control is an ideal model for any enterprise that requires explicit rules that are relatively static, Marquardt says.

RuBAC also gives adopters virtually infinite user access flexibility with only a minimal amount of overhead. “A small set of rules can be adjusted to enable functionality for a large user base,” Silberkleit explains. The approach also allows multiple network access levels to be rolled out to a subset of users for testing or experimentation. “Having this fine-grained control over access helps keep companies agile and secure,” he states.

Read the rest of this article on InformationWeek.

About the Author(s)

John Edwards, Featured Contributor

Technology Journalist

A veteran technology journalist, John Edwards has written for a wide range of publications, including the New York Times, Washington Post, CFO Magazine, CIO Magazine, InformationWeek, Defense Systems, Defense News/C4ISR&N, IEEE Signal Processing Magazine, IEEE Computer, The Economist Intelligence Unit, Law Technology News, Network World, Computerworld and Robotics Business Review. He is also the author of several books on business-technology topics. A New York native, John now lives and works in Gilbert, Arizona.
