ABAC Seen Reducing Policy Burdens
January 26, 2023
Security leader Immuta touted its position in GigaOm’s report, “ABAC vs. RBAC:
The Advantage of Attribute-Based Access Control over Role-Based Access Control,”
which compares how 13 data security companies manage policies. The
findings suggest that using attribute-based access control (ABAC) with Immuta is
the most efficient, cost-effective, and manageable strategy. Immuta required
just eight policy changes to accomplish the same security objectives compared to
745 policy changes with legacy role-based access control (RBAC) used by other
data security platforms, representing a 92x improvement.
As organizations aim to simplify data security, they need simple, thorough, and
cost-effective approaches to managing the exponential growth of data policies.
But it has been difficult to quantify the benefits of ABAC, a
modern approach that permits or restricts data access based on assigned user,
object, action, and environmental attributes, versus RBAC, a legacy approach
that permits or restricts system access based solely on an individual’s role
within the organization.
In a detailed and repeatable study, GigaOm’s researchers found that when it
comes to ABAC versus RBAC, ABAC better streamlines and accelerates policy
management and enforcement for organizations' overall data use cases.
Key findings include:
- ABAC reduces policy burden by 93x versus RBAC, requiring just 8 policy
  changes where RBAC required 745.
- An ABAC approach can save organizations roughly $500,000 in time and opportunity
  costs, based on the time and effort required for ABAC versus RBAC models.
- Researchers evaluated standard RBAC as well as RBAC with column tagging (CT-RBAC),
  and found that while the latter is more dynamic and scalable, its limitations
  become clear as complexity grows.
- ABAC was the only approach that was able to resolve security requirements for
  advanced use cases, such as purpose-based restrictions and de-identification.
“Column-Tagging Role-Based Access Control adds some dynamic and scalability
advantages over traditional RBAC, but as the scenarios became more complex, we
saw the policy burden grow and become fragile. The difference between these
approaches and Object-Tagging Attribute-Based Access Control became clear. By
leveraging dynamic variables, nested attributes, global row-level policies, and
row-level security, OT-ABAC can be quickly implemented and updated compared to
the two role-based methods,” stated the report. “Using both conventional and
column-tagging RBAC as a data security mechanism creates a heavy
policy-management burden compared to OT-ABAC. Furthermore, OT-ABAC is shown here
to provide scalability, clarity, and evolvability in meeting a complex
enterprise’s data security and governance needs.”
The independent study scored vendors using a rubric that measured the number of
policies created and the number of policy modifications required for each.
GigaOm tested Immuta as the only CT-ABAC vendor, against the following RBAC
vendors: Apache Ranger, AWS Lake Formation, Alation, Informatica CDGC,
TrustLogix; and CT-RBAC vendors: Satori, Apache Ranger + Atlas, Privacera, ALTR,
Okera, Secupi, Collibra Protect. To conduct the study, GigaOm designed a
reproducible test that included a standardized, publicly available data set and
data security policy management scenarios based on real-world use cases.
“At the end of the day, an organization’s decision to take an ABAC or RBAC
approach to data security should be based on its own individual business and
technology demands. However, as we see data security laws and regulations become
more complex and a growing emphasis on sensitive-data driven analytics, RBAC
will become an increasingly antiquated model,” said Mo Plassnig, Chief Product
Officer of Immuta. “Static role-based access controls require new policies for
every change within a data environment, limiting their agility and scalability
when it comes to managing data security. The results of this study clearly show
that ABAC is the most efficient approach amongst these 13 vendors, and validates
the value of Immuta’s ABAC capabilities in achieving data security and access
control at scale.”