The Immediate Advantages of Attribute-Based Access Control

Written by David Worthington on December 22, 2021


Managing access control via Active Directory can be a perilous process for any IT administrator. It’s too easy to fall behind in user lifecycle management or mistakenly overprovision users, which is a caveat anyone who’s used nested groups understands. This legacy approach doesn’t make user-based determinations and demands administrative overhead. 

Attribute-based access control (ABAC), however, works differently: it provides an instant cross-check of users within a group to the apps and resources they need. ABAC is, by nature, a better match for today’s threat environment than legacy directory access controls, which is beneficial in an era when Zero Trust principles demand greater diligence. Nested groups had their time and place, but are no longer necessary (or even desirable) if your organization is living in a SaaS-based environment.

What is Attribute-based Access Control?

ABAC is a method of granting and managing user access to IT resources in environments that require more contextual awareness than simple user-centric parameters, such as an assigned role, can provide. Cloud providers and identity and access management (IAM) solutions use it, and ABAC is all around us, bringing order to IAM chaos, which can include:

  • Safeguarding apps, databases, and file servers by taking attributes such as department, location, manager, time of day, and other helpful parameters into account when granting or denying access
  • Securing microservices/APIs so that sensitive transactions aren’t accidentally exposed
  • Efficiently achieving stringent regulatory compliance requirements
  • Controlling network firewalls dynamically by making policy decisions on a per-user basis

Older access control methods such as role-based access control (RBAC) would only consider whether an employee has the corresponding rights within a given system to access it. Active Directory (and even Azure Active Directory) maintains a posture similar to traditional RBAC, where group membership determines access rights. What’s more, groups can be nested within groups, which, left unmanaged, can violate Zero Trust principles because trust is intrinsic to the access control model itself.

That’s a stark contrast with ABAC, which would essentially provide a “firewall” of intelligent decision making to protect access to IT resources. It applies an “if/then” logic that determines the risk that’s presented by a user at a given time. For example, it could prevent access to an application deemed “high value” by an employee who is authorized to access it but is away on vacation and using unsecured public Wi-Fi at a coffee shop to do so.

The ability to apply these conditions to group membership drives IT efficiency and delivers more proactive security controls.
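The coffee-shop scenario above, written out as an added example (not JumpCloud code): a group-only check allows the request, while an attribute policy denies it and says why. The attribute names, sample users and rules are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: dict       # user attributes, e.g. department, on_leave
    resource: dict   # resource attributes, e.g. sensitivity
    context: dict    # environment attributes, e.g. network

def group_only_check(req, groups):
    """Legacy-style check: membership in the resource's group is sufficient."""
    return req.resource["required_group"] in groups.get(req.user["name"], set())

# Each rule is (description, predicate). Every rule must pass to allow access.
POLICY = [
    ("department matches resource owner",
     lambda r: r.user["department"] == r.resource["owner_department"]),
    ("high-value resources require a trusted network",
     lambda r: r.resource["sensitivity"] != "high"
     or r.context["network"] == "corporate"),
    ("high-value resources are blocked while the user is on leave",
     lambda r: r.resource["sensitivity"] != "high" or not r.user["on_leave"]),
]

def abac_decide(req, policy=POLICY):
    """Return (allowed, reason). A missing attribute denies by default."""
    for description, predicate in policy:
        try:
            if not predicate(req):
                return False, description
        except KeyError as missing:
            return False, f"missing attribute {missing}"
    return True, "all conditions met"

# Constructed sample data.
GROUPS = {"alice": {"finance-app-users"}}
PAYROLL = {"required_group": "finance-app-users",
           "owner_department": "finance", "sensitivity": "high"}
ALICE = {"name": "alice", "department": "finance", "on_leave": True}
AT_CAFE = Request(ALICE, PAYROLL, {"network": "public-wifi"})
AT_DESK = Request({**ALICE, "on_leave": False}, PAYROLL, {"network": "corporate"})

if __name__ == "__main__":
    print(group_only_check(AT_CAFE, GROUPS), abac_decide(AT_CAFE), abac_decide(AT_DESK))
```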

How JumpCloud Applies ABAC to Group Management

In general, ABAC applies business logic to group members by using attributes as conditions of group membership, which creates distinct advantages over legacy group management approaches. While the ABAC model typically performs dynamic mapping, JumpCloud® instead applies logic by suggesting appropriate membership to user groups, which admins ultimately have control over.

JumpCloud has taken the best of ABAC and applied it to the creation and maintenance of groups. That’s a necessity given JumpCloud manages access to many different types of endpoints across a variety of platforms. ABAC examines users’ attributes before granting users access to services, and the platform can even automatically suggest membership status and keep pace with changes such as a transfer to a different department or manager.

You can think of JumpCloud’s group management as something that defines conditions for membership and assists admins in governing access within and downstream of JumpCloud. Updates are suggested to be made live in production based upon attributes such as “department,” “title,” or any number of custom attributes, depending upon the application you’re managing access to. User attributes, such as a manager, populate the “if,” but conditional access attributes, such as geolocation, determine what happens next.

The platform can even designate certain permissions for a subset of users and provide elevated access so that specific applications remain off limits to other group members without any intervention by IT admins. These features automate the task of creating and maintaining groups and avoid overprovisioning, which is a concern within Active Directory (e.g., when groups age out, when users are only intended to be part-time members, or when nested group accidents inadvertently expose sensitive information throughout your organization).
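A sketch of the suggest-then-approve model described in this section, as an added example: it is not JumpCloud's implementation or API. The users, the membership rule and the function names are hypothetical; the point is that an attribute change produces a proposal, and membership only changes once an admin approves it.

```python
# Constructed sample data; attribute names, users and the rule are assumptions.
USERS = {
    "gina": {"department": "engineering", "title": "developer"},
    "hank": {"department": "sales", "title": "account exec"},  # transferred out
    "ivy": {"department": "engineering", "title": "developer"},
}
RULE = {"department": "engineering"}   # condition of group membership
CURRENT = {"gina", "hank"}             # membership before review

def matches(attrs, rule):
    """A user qualifies only if every attribute in the rule is present and equal."""
    return all(attrs.get(key) == value for key, value in rule.items())

def suggest(rule, current, users):
    """Compare the rule with current membership; changes are proposed, not applied."""
    eligible = {name for name, attrs in users.items() if matches(attrs, rule)}
    return {"add": sorted(eligible - current),
            "remove": sorted(current - eligible)}

def review(current, suggestions, approved):
    """Apply only the suggestions an admin approved and log every decision."""
    members, log = set(current), []
    for action in ("add", "remove"):
        for name in suggestions[action]:
            if (action, name) in approved:
                if action == "add":
                    members.add(name)
                else:
                    members.discard(name)
                log.append((action, name, "approved"))
            else:
                log.append((action, name, "pending"))
    return members, log

if __name__ == "__main__":
    proposals = suggest(RULE, CURRENT, USERS)
    print(proposals)
    print(review(CURRENT, proposals, approved={("remove", "hank")}))
```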

How ABAC Plays a Role In Enhancing Security and Compliance

Conditional access policies, which use parameters like device, network, and even geolocation to guard access to IT resources, add additional security provisions on top of ABAC, which benefit from the group maintenance our suggestions provide. ABAC works in tandem with conditional access so that attributes “decorate” users and distinctly map them to the appropriate group memberships to make suggestions for group management. 

JumpCloud also provides a method to audit access that has business rules and policy-driven decision making baked in. For example, when a user is determined to be in violation of a condition of group membership, their membership is updated to reflect that new rule (or whether an exception was made). Auditing and compliance weren’t the primary motivation behind how we designed group management, but the platform makes performing an audit much easier due to its Zero Trust architecture.

Groups are consistently looking at the user’s attributes to determine who should have access to a resource and remain a member. SCIM provisioning has made it even easier to synchronize and manage identities for web apps to automate account creation and deletions for a more complete approach to user lifecycle management.


Leaving the Nest

It’s been over two decades since Active Directory was introduced to solve the problem of managing users and devices within a network domain. Nested groups made access control easy to implement using a parent/child hierarchy, with inherited permissions for subgroups. Some IT admins find this model endearing; however, mistakes happen and an employee or group that erroneously becomes a member in one place could obtain potentially unauthorized access elsewhere. IT admins become the line of defense between security and overprovisioning and must actively audit groups and user lifecycles.
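The audit that paragraph leaves to IT admins can be partly automated. This added example (not from the original article) expands a nested group to its effective members and records the nesting path that grants each one access, so inherited-only access stands out. The directory contents are constructed, including a deliberate nesting cycle.

```python
from collections import deque

# Constructed directory: group -> direct members (users or other groups).
MEMBERS = {
    "payroll-admins": {"dana", "finance-team"},
    "finance-team": {"erin", "contractors"},
    "contractors": {"frank", "finance-team"},  # cycle back to finance-team
    "all-staff": {"dana", "erin"},
}

def effective_members(group, members=MEMBERS):
    """Map each user with effective access to the nesting path that grants it."""
    paths = {}
    seen = {group}                      # groups already expanded (breaks cycles)
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in sorted(members.get(current, ())):
            if member in members:       # member is itself a group
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
            else:
                # Breadth-first order means the first path found is the shortest.
                paths.setdefault(member, path)
    return paths

def inherited_only(group, members=MEMBERS):
    """Users who are not direct members and gain access only through nesting."""
    return {user: path
            for user, path in effective_members(group, members).items()
            if len(path) > 1}

if __name__ == "__main__":
    for user, path in inherited_only("payroll-admins").items():
        print(f"{user}: {' -> '.join(path)}")
```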

Even Microsoft recognizes the importance of ABAC and has implemented it within several products, but under its own proprietary terms. Active Directory, however, still uses nested groups and has extended the legacy feature to its Azure Active Directory IAM services on the web. Twenty years is a long time, and a lot has changed within the cybersecurity landscape as well as the traditional client/server environment. Microsoft’s IAM solutions maintain heavy dependence on outdated concepts such as nested groups that aren’t designed for modern SSO or for Zero Trust security models that secure remote work.

The ongoing challenges of enabling work from anywhere dictate a better methodology, such as ABAC. The time is now for small and medium-sized enterprises (SMEs) to move to a cloud directory that uses ABAC, conditional access, and an approach that can manage secure access to all IT resources.

Try JumpCloud

Zero Trust is inherent in how JumpCloud manages groups without the administrative overhead of nested groups. The drawbacks of Microsoft’s legacy may be a bit oversimplified, and a proven solution will have its defenders, but you don’t know what you’re missing until you try something new. JumpCloud is free for 10 users and 10 devices with complimentary 24×7 live chat support for the first ten days following your account’s creation. Birds must leave the “nest” before they can fly.

David Worthington

I'm the technical blogger for JumpCloud. JumpCloud certified, security analyst, a one-time tech journalist, and former IT director.
