What’s the ROI on attribute-based access control?

Aug 07, 2017 | 3 mins
Access Control, Authentication, Enterprise Applications

Despite the predicted growth of attribute-based access control (ABAC), misconceptions about it leave decision makers concerned about ROI

Technology is changing at a rapid rate, leaving business decision makers and security teams confused about which products they actually need. What's more, they want to know what the enterprise will gain from their investment.

As is the case with any other investment, a business wants to see some ROI, and security practitioners need to understand the benefits of each new product and how the product will help reduce risk.

While Gartner predicts that “by 2020, 70 percent of enterprises will use attribute-based access control (ABAC) to protect critical assets,” a lot of confusion still lingers around what exactly an organization can expect to get out of ABAC. 

Gerry Gebel, vice president of business development at Axiomatics, understands that while ABAC is likely to become more widely used as a security tool, that can’t happen if questions about ROI exist.

ABAC is a “next generation” authorization model that provides fine-grained, dynamic, context-aware and risk-intelligent access control, Gebel said. “ABAC is an authorization service that uses attributes as building blocks in a structured language to define and enforce access control.”

If added in with new digital transformation initiatives, ABAC can help enterprises deliver a more personal, convenient and trusted mobile experience to customers, employees and partners, while enabling secure access to applications and data in the cloud, Gebel added. 

Enterprises need to be able to adapt more quickly to changing regulatory and security requirements.

“ABAC delivers a transparent policy approach, instead of managing controls that are hard-wired into business applications,” Gebel said.

Of course, those are the model's intended strengths. Prospective customers, though, question (as they should) what it will actually deliver to their enterprise.

4 misconceptions around attribute-based access control (ABAC)

Gebel shared four of the greatest misconceptions around ABAC, along with his view of the truth in each case, so that readers can weigh the differing opinions and decision makers can reach their own conclusion, which probably lies somewhere in the middle.

  • Misconception 1: Some security practitioners believe using ABAC will hinder system performance. Truth: This is false. At most, said Gebel, ABAC adds a minuscule amount of latency (single-digit milliseconds).
  • Misconception 2: ABAC requires a customer to consolidate their authentication. Truth: This is again false. ABAC is a complement to authentication and can be added even if you already use multiple login credentials.
  • Misconception 3: My developers can just write their own access control when building an API. Truth: Not really. Maintaining logic built into an application is exponentially more costly and inefficient. In addition to the up-front developer cost when creating the application, the ongoing costs for making changes in the future can be quite significant.
  • Misconception 4: Roles and group lists are all I need for access control in our custom-built applications. Truth: Not necessarily. ABAC frees up your development team to focus on key initiatives and eliminates the need to write many extra lines of code to deal with complex access requirements. In addition, your application may not have all the needed context available to properly make authorization decisions.
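To make misconceptions 3 and 4 concrete, here is an added illustration (not code from the article or from Axiomatics) of a minimal attribute-based policy decision point. The rule names, attribute keys and the sample subjects and records are all constructed for the example; it contrasts a hard-coded role check with a policy that also uses resource and environment attributes, such as whether the request comes from a managed device, which is exactly the context a role list alone cannot express.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]
# A condition receives subject, resource and environment attributes plus the action.
Condition = Callable[[Attrs, Attrs, Attrs, str], bool]


@dataclass
class Rule:
    """One ABAC rule: a name, an effect ("permit"/"deny") and its condition."""
    name: str
    effect: str
    condition: Condition


def decide(rules: List[Rule], subject: Attrs, resource: Attrs,
           env: Attrs, action: str) -> str:
    """Deny-overrides combining: a matching deny wins over any permit,
    and a request that matches no rule at all is denied by default."""
    matched = [r for r in rules if r.condition(subject, resource, env, action)]
    if any(r.effect == "deny" for r in matched):
        return "deny"
    if any(r.effect == "permit" for r in matched):
        return "permit"
    return "deny"


# Constructed policy for the example; attribute names are hypothetical.
POLICY: List[Rule] = [
    Rule("read-own-or-department-records", "permit",
         lambda s, r, e, a: a == "read" and (
             s["id"] == r["owner"] or s["department"] == r["department"])),
    Rule("managers-approve-within-department", "permit",
         lambda s, r, e, a: a == "approve" and s["role"] == "manager"
         and s["department"] == r["department"]),
    # Environment context: confidential data never leaves managed devices.
    Rule("confidential-requires-managed-device", "deny",
         lambda s, r, e, a: r["classification"] == "confidential"
         and not e["managed_device"]),
]


def rbac_only(subject: Attrs, action: str) -> bool:
    """The kind of role check a developer might hard-code in an application.
    It knows nothing about the record or the device making the request."""
    return action == "read" or subject["role"] == "manager"
```

Changing the device rule means editing one entry in POLICY rather than every application that handles confidential records.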

Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications, including The Parallax and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family, under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years' experience as a high school teacher of English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, the University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
