Beyond the Perimeter: Why RBAC Needs an Upgrade for Internal Security Threat

Mar 11th, 2024

The traditional approach to data security relies heavily on a perimeter defence strategy. Firewalls, intrusion detection systems, and access controls like Role-Based Access Control (RBAC) safeguard against external threats. However, in today’s digital landscape, the biggest security risks often come from within.

The principle of least privilege (PoLP) requires that a user or entity have access only to the specific data, resources and applications needed to complete their tasks. Attribute-Based Access Control (ABAC) principles extend RBAC to limit access to specific rows and attributes within applications or analytics environments.

Privileged Access Abuse: A Growing Threat

Consider the case of WikiLeaks founder Julian Assange. Edward Snowden, a former National Security Agency (NSA) contractor, possessed legitimate access credentials to NSA data. He exploited those privileges to download and leak classified information to WikiLeaks, exposing a massive security breach.

Closer to home, South Africa’s Absa Bank reported a data leak in 2020: an employee with authorized access stole and resold the personal information of selected customers. Back in 2017, an estate agency was responsible for one of the largest breaches reported to that date, when hackers accessed a database by masquerading as the database administrator. These incidents highlight a critical weakness: RBAC alone is insufficient to deter insider threats.

With a data breach costing South African companies an average of R46.5 million in 2023, more must be done.

The Solution: Extending RBAC with FGAC

RBAC’s Limitations in Mitigating Insider Threats

RBAC restricts network or system access based on a person’s or account’s role within an organization. While this user-centric approach prevents unauthorized access to systems, it does not limit access to specific data within those systems.

RBAC cannot account for the possibility of authorized users exceeding their privileges or acting maliciously. A privileged user (or impersonator) with legitimate access to vast amounts of data can still cause significant damage.

Attribute-Based Access Control (ABAC) and Fine-Grained Access Control (FGAC)

ABAC, an evolution of RBAC, addresses some of these shortcomings. It grants access based on attributes of the user, the data and the request context rather than on roles alone. FGAC, a term often used interchangeably with ABAC, emphasizes the fine-grained nature of that control.

Here’s how they enhance data security:

  1. Granularity:
    – ABAC protects data at a granular level. It defines access based on combinations of user and object attributes (e.g., ID Number, Credit Score, HIV Status).
    – FGAC takes this further, allowing precise control over data access: for example, allowing a salesperson to see only customers’ data within their own territory, or restricting access from a home computer.
  2. Dynamic Policies:
    – ABAC and FGAC require dynamic access management platforms. These platforms identify sensitive data and dynamically apply consistent policies across your data landscape.
    – Solutions like Pathlock and Satori excel in this domain.
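To make the difference between the two points above concrete, here is an added example (not Pathlock’s or Satori’s code) of a toy policy evaluator: an RBAC-only check that returns every row once the role passes, beside an RBAC + FGAC/ABAC check that filters rows by the salesperson’s territory and masks sensitive columns (ID Number, Credit Score, HIV Status) unless the user holds the matching clearance and is on a corporate device. All users, roles, customer rows and attribute names are constructed sample data.

```python
# Added example (not Pathlock's or Satori's code): a toy policy evaluator contrasting an
# RBAC-only check with RBAC + FGAC/ABAC. All users, rows and attribute names are constructed.
from dataclasses import dataclass

# RBAC: a role maps to coarse permissions on a whole system or table.
ROLE_PERMISSIONS = {"sales": {"customers:read"}, "analyst": {"customers:read"}}
# Sensitive columns tagged with the clearance needed to see them unmasked.
SENSITIVE_COLUMNS = {"id_number": "pii", "credit_score": "pii", "hiv_status": "health"}
CUSTOMERS = [  # constructed sample rows
    {"id": 1, "name": "Thabo M.", "territory": "Gauteng",
     "id_number": "8001015009087", "credit_score": 712, "hiv_status": "negative"},
    {"id": 2, "name": "Lerato K.", "territory": "Western Cape",
     "id_number": "9112230012083", "credit_score": 655, "hiv_status": "positive"},
]

@dataclass(frozen=True)
class Subject:
    user: str
    role: str
    territory: str         # user attribute driving row-level filtering
    clearances: frozenset  # e.g. {"pii"}; "health" is granted to almost nobody

@dataclass(frozen=True)
class Context:
    device: str            # environment attribute: "corporate" or "home"

def rbac_allows(subject: Subject, action: str) -> bool:
    """Classic RBAC: the role either holds the permission or it does not."""
    return action in ROLE_PERMISSIONS.get(subject.role, set())

def rbac_query(subject: Subject) -> list:
    """RBAC alone: once the role passes, every row and every column comes back."""
    return list(CUSTOMERS) if rbac_allows(subject, "customers:read") else []

def fgac_query(subject: Subject, ctx: Context) -> list:
    """RBAC gate, then territory row filter, then per-column masking by clearance and device."""
    if not rbac_allows(subject, "customers:read"):
        return []
    visible = []
    for row in CUSTOMERS:
        if row["territory"] != subject.territory:  # row-level: own territory only
            continue
        out = {}
        for col, val in row.items():
            tag = SENSITIVE_COLUMNS.get(col)
            # Unmask only on a corporate device and only with the matching clearance.
            ok = tag is None or (ctx.device == "corporate" and tag in subject.clearances)
            out[col] = val if ok else "***"
        visible.append(out)
    return visible
```

A salesperson with the "pii" clearance sees one row with credit score unmasked but HIV status masked on a corporate device; from a home device the same query still returns only that row, now with every sensitive column masked.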

Enter Pathlock and Satori: Enhanced Security Solutions

  • Pathlock: This solution focuses on “least privilege access” to enterprise applications such as SAP, Salesforce, Oracle, Coupa and many more. It grants users only the specific permissions required for their tasks, minimizing the potential for misuse. Pathlock continuously monitors user activity and detects anomalies that might indicate malicious intent.
  • Satori: This SaaS platform empowers data teams with auto-applied security and masking policies that offer controlled access to, and management of, sensitive data within analytics environments.

The Path Forward: A Layered Approach

RBAC remains a foundational security control. However, for robust internal data security, organizations must adopt a layered approach. This includes:

  • Implementing least privilege access principles in core enterprise applications and analytics environments.
  • Proactively managing risk with increased visibility into, and identification of, users’ data access.
  • Continuously monitoring user activity for suspicious behaviour.

By extending traditional RBAC with advanced solutions like Pathlock and Satori, organizations can significantly reduce the risk of insider threats and protect their valuable data.
