Policy Based Access Control (PBAC) Explained

Sep 6, 2024
Adam Preis, Director, Product & Solution Marketing, Ping Identity

Traditional access control methods, such as role-based access control (RBAC) and attribute-based access control (ABAC), have built the foundation for securing systems and managing user access. 

 

However, they fail to provide the flexibility and enhanced security needed in today’s dynamic environment–especially for the financial services industry. As organizations navigate stringent compliance requirements and evolving security threats, they need a better alternative to make dynamic, context-aware access decisions–like policy-based access control (PBAC). 

 

Below, we’ll explore PBAC in further detail, how it compares to other models, and how it benefits the financial services industry.

What is PBAC?

Policy-based access control (PBAC) is a strategy to govern access to systems and resources based on the user’s role and an organization’s policies. 

 

Administrators establish such policies to define who can access what resources and in what circumstances. 

 

Thus, PBAC is a fine-grained authorization method that considers multiple attributes of a request when determining access privileges, rather than just one as coarse-grained methods do. These include:

  • Subject attributes: The user’s role or rank within an organization
  • Object attributes: The characteristics of the asset or resource the user is attempting to access
  • Action attributes: The user’s desired action (viewing, editing, etc.)
  • Contextual attributes: The time, date, and location of the access request

Once PBAC is implemented, access privileges are granted after assessing the attributes of the request against the organization’s policies using Boolean logic.

 

How the PBAC Market Has Evolved

Access control mechanisms have developed over time to help organizations enhance the security of their systems and networks. 

 

Role-based access control (RBAC) and attribute-based access control (ABAC), which we will discuss below, are predecessors to PBAC. While they offered unprecedented control and oversight at the time they were introduced, they lack the flexibility and sophistication to handle the complex threat environments that many organizations today face. 

 

Thus, PBAC emerged as a more granular and adaptable model, and is now reaching mass market adoption. It gives organizations finer access control based on the context of a request and multiple user attributes. Plus, policies can be written in plain language by administrators, requiring no coding expertise or intervention from IT, resulting in an even more nimble and responsive security framework. 

 

Benefits of PBAC

PBAC can offer organizations a variety of advantages over other, more traditional access control methods. Here are some of the main benefits PBAC provides: 

 

  • Flexibility and scalability: Rather than embedding access logic into individual systems and applications, it can be externalized to policies. It’s easier and more cost-effective to deploy updates across the environment without needing to update the code of each individual application or system.
  • Enhanced security: Organizations can enforce granular and complex policies that consider multiple user attributes rather than just one, helping to make systems more secure and less susceptible to fraud or unauthorized access.
  • More consistency: Policies are centrally managed and consistently reflected across all systems. This eliminates the risk that human oversight would create inconsistent or outdated access controls in certain applications.
  • Better auditability: Since policies are managed centrally, it’s easier to monitor and audit access trails, supporting regulatory compliance.


PBAC in Financial Services

Implementing PBAC can benefit a number of industries. However, the financial services industry, in particular, can take advantage of PBAC’s ability to control user access in complex environments. 

 

It allows organizations to consider the perceived risk, transaction type, user role, and other attributes when enforcing access controls. This way, they can enhance the security of sensitive financial data and transactions while still granting access to entitled users. 

 

Traditional authentication mechanisms are no longer enough to protect customer data and mission-critical infrastructure. Instead, fine-grained authorization, including PBAC, is the key to addressing the rapidly evolving threat landscape and ensuring compliance with industry regulations. 

 

Here are some of the specific segments of the financial services industry that are adopting PBAC: 

 

  • Banking: Banks can ensure customer accounts and transaction data are only accessible to individuals in the appropriate roles, during certain times, and using certain devices.
  • Insurance: Providers can limit access to policyholder data and claims processing systems based on the type or amount of claim being processed and the user’s location.
  • Wealth management: Firms can ensure only authorized advisors or financial planners are able to access client portfolios and initiate trades based on the user role, asset type, location, and other attributes of the request.
  • FinTech: Providers can restrict access to payment systems, digital wallets, and other financial data by verifying the user’s location and device, given the risk level of the transaction.

Comparing Access Control Models

To further illustrate the benefits of policy-based access control, let’s take a look at how this model addresses some of the vulnerabilities of other common authorization methods.

 

Role-Based Access Control (RBAC)

Role-based access control (RBAC), or non-discretionary access control, is a model that bases user access privileges on each individual’s assigned role in the organization. 

 

For instance, bank administrators might set predefined permissions for everyone with the role of “teller” to access account balances and process transactions. Those in the “investment manager” role could have permissions to execute trades and manage the client’s investment portfolio but not access basic account services. 

 

The goal is to only provide users with access to the systems and resources relevant to their role and nothing more, following the principle of least privilege. RBAC also makes it easier to onboard new employees, as they don’t have to set permissions for each new user individually. 

 

However, RBAC doesn’t consider more nuanced attributes, like the context of the request. For instance, if a teller attempts to access a customer’s account after hours from their personal computer to exploit their information, PBAC might deny the request based on set policies, whereas the static logic of RBAC could allow it.

 

Attribute-Based Access Control (ABAC)

Attribute-based access control (ABAC) dynamically governs user access based on user attributes or characteristics. Attributes might include the user type or role, the time, date, and location of the request, and file name and sensitivity, among other details. 

 

Rather than strictly binding access privileges to a user’s specific role in the organization, ABAC considers the context of the request and offers more granular control. 

 

With ABAC, organizations can create more unique and customizable permissions for each individual. Though it’s a bit more complicated to set up and manage than RBAC, it can offer more security and flexibility. 

 

But, as opposed to PBAC, ABAC policies aren’t managed centrally, making it a bit more tedious to update custom permissions and deploy policy changes. 

 

Relationship-Based Access Control (ReBAC)

Relationship-based access control (ReBAC) grants or denies user access based on the user’s relationship to a given asset, entity, or system. Thus, the specific context of the request, like the current time or location, isn’t the focus of this access model.

 

An easy way to see this in practice is to consider a file folder on your computer. Given the established hierarchies, if you are given access to a folder, you will also get access to every individual file and additional folders stored within it. 

 

ReBAC is a bit more advanced than RBAC, but still not as flexible or dynamic as ABAC or PBAC.

 

Policy Based Access Control (PBAC)

Again, PBAC is a much more adaptable and flexible model, offering more fine-grained control in an increasingly dynamic threat environment. 

 

Authorization is based on organizational policies, which can consider more user attributes and situational context compared to other models. 

 

Since policies are written in plain language, it’s easier for administrators to get an overview of who within the organization has access to what assets, providing better transparency and compliance with regulatory requirements. 

 

Thus, using the above example of the investment manager, under PBAC, access to client portfolios would be governed by additional attributes aside from their designated role, such as the time of day they’re attempting access or if they’re accessing the system from a secure network. 
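The teller and investment manager scenarios above, worked as an added example (constructed for this article, not Ping Identity code): a minimal policy decision point that evaluates the four attribute classes with Boolean logic and combines results deny-overrides, so a contextual deny (after hours, unmanaged device) wins over a role-based permit and an unmatched request falls back to deny. All policy names, roles, hours and attribute values are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List
# Constructed example, not Ping Identity code: a tiny policy decision point
# that evaluates a request's subject, object, action and context attributes
# against policies with Boolean logic. All names and values are illustrative.
@dataclass
class Request:
    subject: Dict[str, str]      # e.g. {"role": "teller"}
    obj: Dict[str, str]          # e.g. {"type": "account"}
    action: str                  # e.g. "view"
    context: Dict[str, object]   # e.g. {"hour": 23, "device": "personal", "network": "home"}

@dataclass
class Policy:
    name: str
    effect: str                  # "permit" or "deny"
    condition: Callable[[Request], bool]

def in_business_hours(req: Request) -> bool:
    return 8 <= int(req.context["hour"]) < 18

POLICIES: List[Policy] = [
    # Role-bound permits: what each role may do, and on which object type
    Policy("teller-account-access", "permit",
           lambda r: r.subject["role"] == "teller"
           and r.obj["type"] == "account" and r.action in {"view", "transact"}),
    Policy("manager-portfolio-access", "permit",
           lambda r: r.subject["role"] == "investment_manager"
           and r.obj["type"] == "portfolio" and r.action in {"view", "trade"}
           and r.context["network"] == "corporate"),
    # Contextual guardrail that applies to every role, whatever it permits
    Policy("after-hours-or-unmanaged-device", "deny",
           lambda r: not in_business_hours(r) or r.context["device"] != "managed"),
]

def decide(req: Request, policies: List[Policy] = POLICIES):
    """Deny-overrides combining: a matching deny always wins, a matching permit
    is required otherwise, and no match falls back to deny (least privilege)."""
    matched = [p for p in policies if p.condition(req)]
    denies = [p.name for p in matched if p.effect == "deny"]
    if denies:
        return "deny", denies
    permits = [p.name for p in matched if p.effect == "permit"]
    return ("permit", permits) if permits else ("deny", ["default-deny"])

def evaluate(role, obj_type, action, hour, device, network) -> str:
    # Effect ("permit"/"deny") for one request described by its attributes
    req = Request({"role": role}, {"type": obj_type}, action,
                  {"hour": hour, "device": device, "network": network})
    return decide(req)[0]
```

Under a static RBAC check the teller's role alone would pass; here the same role is denied after hours from a personal device, and the investment manager is denied basic account access and denied portfolio trades from outside the corporate network.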

Risks With PBAC

Though PBAC can offer enhanced security and more granular control over user access permissions, there are some potential roadblocks that organizations face when implementing it. 

 

The following are some of the common challenges with policy-based access controls: 

 

Complexity of Policy Creation and Management

Given that PBAC allows for such granular access controls, creating the policies to govern this model can be a complex task. Especially as the organization grows and access policies become more sophisticated, updating and managing them can become more resource-intensive. 

 

Integration with Existing Systems

Updating current systems that rely on other access control models is another challenge for organizations. For instance, the process of externalizing access control logic from apps and systems and centralizing management to one policy engine is a complex task that requires diligent planning and sufficient resources. 

 

Ensuring Policy Consistency and Enforcement

PBAC should help to ensure access control policies are consistent throughout the organization. However, if certain policies are conflicting or there are gaps in policy language, it can make the system vulnerable to unauthorized access. 

 

Balancing Flexibility with Security

Organizations can create highly granular and context-aware policies. However, there is a chance that policies become too restrictive. This can enhance the security of the system, but will make it difficult for users to access the systems or applications critical to their roles. 

Steps to Implement PBAC and Key Considerations

The following steps provide an overview of the process organizations will undergo to implement PBAC into their security framework: 

 

  1. Assess Current Framework
    Administrators should evaluate the organization’s current access control method to determine what’s working for them and where they could make improvements.

    Are there any gaps or system vulnerabilities under the current framework that need to be addressed? The answers to such questions can help to guide teams as they create access policies and implement the new framework.

  2. Externalize Authorization Logic
    Any access control logic currently embedded in individual applications or systems should be removed.

    Policy enforcement points (PEPs) should be implemented instead, which can communicate with an external policy engine to manage and enforce access control policies.

  3. Define Access Policies
    The next step is to establish clear and comprehensive policies outlining who has access to what resources and when.

    Administrators should engage with stakeholders to ensure policies align with business objectives and balance system security with usability.

  4. Implement Policy Enforcement
    Test out policies first to ensure the PEPs in the organization’s systems and applications are interacting properly with the policy engine to process access requests.

    Once you’ve seen that the policies work as intended and don’t accidentally block legitimate users’ access to necessary resources, roll out deployment across the organization.

  5. Train and Educate Staff
    Keep staff informed on any updates to policies. Especially notify them of any new policies that will impact their access to certain systems or resources.

    Advise them on how they can troubleshoot access issues and who they can contact if they’re having challenges. Overall, emphasize the importance of adhering to access policies to uphold system security and regulatory compliance.

  6. Monitor and Review
    Administrators should continuously monitor access control activities to see which users are accessing which resources.

    Regularly review and update policies to adapt them to changing organizational needs and regulatory standards.

Identity Verification and PBAC

PBAC is not a mechanism for verifying user identities. However, its effectiveness hinges on the contextual signals that identity verification provides. In other words, PBAC is of no use without proper user identity verification. 

 

Identity verification systems, like multi-factor authentication, will ensure that a user attempting access is who they claim to be. Then, the PBAC system will rely on this to drive access decisioning logic.

How PBAC Differs by Industry and Region

The basic principles of PBAC will remain the same no matter where it’s implemented. However, the regulatory requirements imposed in certain jurisdictions and industries can result in significant differences in how it’s deployed from case to case. 

 

For example, financial services companies in the United States are subject to regulations like the Sarbanes-Oxley Act (SOX) and the Gramm-Leach-Bliley Act (GLBA) regarding auditing guidelines and financial data security. So, PBAC models implemented in this industry must comply with these laws. 

 

Similarly, healthcare companies must achieve compliance with HIPAA guidelines to protect patient health information (PHI), and PBAC must align with these requirements. 

 

In addition, regional laws, like the California Consumer Privacy Act (CCPA), the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, and the General Data Protection Regulation (GDPR) in the European Union outline specific data privacy frameworks, which will impact PBAC requirements when implemented in these regions.

PBAC With Ping Identity

PBAC is the next evolution of access control models, providing organizations with fine-grained control and greater visibility over user access permissions. 

 

This dynamic approach ensures that organizations can mitigate security risks and streamline access control management. Plus, it’s agile and nimble, making it easier to change and deploy policy updates across the organization rather than updating the unique permissions for each user in every application or system they use. 

 

Forward-thinking organizations that want to enjoy these advantages can explore PBAC authorization solutions with Ping Identity.

 

Ping Identity was recently recognized by KuppingerCole as a market leader in policy-based access management, offering comprehensive authorization capabilities to enhance security, drive seamless experiences, and stay ahead of industry regulations. 

 

To learn more about our PBAC solutions and discuss your goals with a security expert, contact us today. 
