• United States



by No Analyst or Consultant

Governance-Based Access Control (GBAC): Improved information sharing, reduced risks

Jun 20, 20058 mins
CSO and CISOData and Information Security

By Tim Bouma

Never has it been easier to share information. Todays networked world has led to unprecedented information sharing from within and outside of organizational boundaries, enabling organizations of all typesgovernment agencies, private sector companies and non-profitsto enhance their value. The benefits of this activity have been far ranging, from the development of seamless service delivery to improved coordinated response capabilities against criminal activities and terrorist threats.

Yet information sharing also leads to precarious situations. For instance, according to the Computer Security Institute, data theft from external and internal sources grew at a rate of more than 650 percent between 2001 and 2004, demonstrating that the electronic transmission of information presents grave risks, including the misuse of confidential, personal, medical and financial information.

Recognizing both the value and risks of information sharing, legislatures around the world are increasingly requiring public- and private-sector organizations to comply with a host of new measures aimed at setting boundaries on when and how information should be collected, shared, managed and disposed of. Examples of some of these countries measures include:

  • AustraliaFederal Privacy Act
  • CanadaPersonal Information Protection of Electronic Documents Act (PIPEDA), Federal Privacy Act, National Archives Act, Access to Information Act
  • EuropeEuropean Data Protection Directive
  • United StatesSarbanes-Oxley Act, Gramm-Leach-Bliley Act, California Security Breach Notification Law, Fair Credit Reporting Act, Health Insurance Portability Accountability Act (HIPAA), Freedom of Information Act (FOIA), U.S. Patriot Act

While information sharing delivers numerous benefits, organizations have grown frustrated in finding the best approach to ensure that information is properly managed and protected. Traditional access control models no longer meet the broad and complex requirements of information sharing. As government regulations and customer and citizen demands continue to increase, organizations must find a way to implement a more sophisticated access control scheme. Government-Based Access Control (GBAC) is one viable solution that helps organizations facilitate robust information sharing while mitigating the inherent risks.

New challenges for access control

In the recent past, when information was kept strictly inside the organization, traditional approaches to access control worked extremely well. However, as organizations increasingly share information outside their boundaries, these traditional approaches are no longer adequate to address new requirements.

Todays most common access control models include the following:

  • Identity-Based Access Control – Permits access to data based on the users or owners of the data
  • Rules-Based Access Control – Permits access to data based on formally defined security levels assigned to information and clearance levels assigned to individuals and processes
  • Role-Based Access Control (RBAC) – Permits access to data based on an organizational role, such as a clerk or investigator, which has been assigned to an individual within the organization

These access control models operate on the following assumptions: 1) that only a single organization requires access to information, 2) information is accessed only by internal users of the organization, 3) and everyone is subject to or must be compliant with a single authority. However, as the world becomes increasingly interconnected and information sharing across organizational and jurisdictional boundaries increases, these assumptions no longer hold true. As such, a new approach to access control is required.

Faced with new responsibilities in sharing and safeguarding information, many organizations are paralyzed by fear and indecision. They dont understand the governance structure of their information or their responsibilities in sharing and protecting that information, and they worry about legal exposure, misusing data, losing control over their data and many other issues. As a result, valuable information remains locked in organizational silos and is difficultoften impossibleto share.

The evolution of access control

Today, information sharing can still be viewed as an access control problem, but there are new assumptions to consider:

  • Multiple organizations require access to information
  • Information may be accessed by, or shared with, external users
  • Everyone may be subject to compliance with multiple authorities and jurisdictions

A new model that effectively addresses these assumptions is now emergingGovernance-Based Access Control (GBAC).

Evolution of Access Control

As the illustration above depicts, GBAC is an innovative and evolutionary extension of the traditional access control models of the last 30 years. It addresses new assumptions for access control that simply did not exist when information was shared and stored in separate information silos for internal use only.

The fundamental premise of GBAC is simpleinformation assets must be managed based on their governing legislation. GBAC considers the larger issue of why information is being held in the first place, and takes into account that multiple authorities may be required to determine an access control or information sharing decision.

With GBAC, access permission rules can be specified and applied against any information asset, whether it is a single customer database record, an entire database collection or an individual document or e-mail. These rules can be rigorously enforced based on key governance questions:

  • Jurisdiction. What jurisdiction is originally, or ultimately, responsible for this information asset?
  • Collection authority. Under what specific legislative authority, regulation or governing policy was this information asset collected and used, including subsequent use?
  • Collection purpose. What was the reason, purpose or business process involved behind the collection of this information asset?
  • Security designation. What is the sensitivity of the information asset?
  • Disclosure authority. What is the authority that enables this information asset to be disclosed beyond its original authority and/or reason?
  • Disposition authority. What is the authority under which the information asset may be disposed?

Because each specific information asset can be tied back to its true and original purpose, GBAC provides a framework by which to classify an information asset to reflect its true and original purpose. It also provides a means to specify rules of governance irrespective of where information assets reside, whether on a system or within the organization.

The benefits of GBAC

Risk mitigation

GBAC solves the fundamental challenge that every organization is faced with today: How do you get the right information to the right people for the right purpose without disclosing the specific details of the information beforehand. By classifying information according to governance and specifying the right rules of governance, an organization can properly share an information asset without needing to know the intended recipients, the assets intended use or the specific contents of the asset.

By establishing explicit GBAC rules, an organization can mitigate its risks once it decides to share information beyond its boundaries. These rules in effect serve as a warning label, removing a major element of risk from the sharing organization by placing rules, conditions and responsibilities on the organization that benefits from this shared information.

Improved service delivery

GBAC also promotes better service delivery across an organization, even facilitating the development of a shared services delivery model. The concept behind this model is simplecitizens and customers can visit one locationwhether in person, online or via telephoneand view the entire organization as a single entity.

The privacy, security and compliance risks associated with information sharing can pose a formidable barrier to the implementation of a shared service delivery model, but GBAC mitigates those risks. With GBAC, an organization can share the required information between services to increase the overall integrity, efficiency and effectiveness and pave the way toward a shared service delivery model to satisfy customer and constituent demands.

Improved transparency and accountability

Finally, what may be regarded as the most important benefit of GBAC is how it can better enable transparency and accountability within and across organizations and jurisdictions. With GBAC in place, each access request is associated with a GBAC rule that evaluates whether an information asset can be accessed. This access request, along with its context, can be recorded in an audit log that details who made the request (the individual user who has been assigned a role) and what was requested (the information asset granted access via the GBAC rule).

If, for some reason, an audit or an investigation is required, the information contained within these logs may be used to determine who accessed the information and why and whether the request was done in accordance with the proper governance. This information may then be used to further an investigation or be collected as evidence. Thus, GBAC becomes a very powerful mechanism to drive transparency and accountability down to the level of each individual and to each information asset within an organization.

Moving forward

Implementing GBAC is not without its challenges. Big steps are ahead for organizations wishing to deploy GBAC. One of the biggest is simply taking the time to inventory what information holdings are in place and what legislative measures govern their use. But in the long run, GBAC will provide a sounder, simpler, more efficient and, ultimately, more cost-effective approach to managing access to information assets. When weighed against the potential costs and costs, implementing GBAC becomes a compelling value proposition for all organizations that share information.

Tim Bouma is an executive consultant with CGI, focusing on the areas of identity and access management, business transformation, knowledge management and collaboration. His research in the GBAC area is conducted through CGIs Technology Leadership Program. Most recently, Mr. Bouma worked with the Canadian federal government, providing solutions in the areas of identity management, service delivery design, business transformation and inter-jurisdictional access control.