Attribute-based access controls in Cloud Pak for Data 4.5

By Yalon Gordon posted Wed July 13, 2022 01:53 PM

From its inception, IBM Cloud Pak for Data was conceived explicitly as a data platform for enterprises that care deeply about the security of their digital assets. For our most recent release (4.5), we have doubled down on this promise with a handful of features and best practices designed to make our clients’ environments bulletproof. One of the ways we hope to improve our clients’ security postures is by introducing a new paradigm — “Attribute Based Access Control” (ABAC) — for determining who can access which resources in Cloud Pak for Data.

Organizations using Cloud Pak for Data today manage their end users’ permissions within the platform by creating “roles” with specific sets of permissions and then assigning individual users to the role that is most appropriate to them. While this framework functionally allows organizations to protect their data and resources, it reaches its practical limits fairly quickly as an organization’s headcount grows. When you have thousands of end users working within an instance of Cloud Pak for Data, assigning and updating their roles becomes a massive task for cluster administrators. We believe that Attribute Based Access Control (ABAC) can address these challenges, reducing the manual effort required to administer Cloud Pak for Data while improving our clients’ security posture.

[Figure: Access control]

Rather than rely on the concept of preset roles to determine whether a user should have access to an asset in the platform, ABAC uses the characteristics (known as “attributes”) of a user’s profile to make these decisions. These decisions are guided in advance by rules which administrators can create. For example, once an administrator limits access to payroll data to people whose “department” attribute is “Human Resources,” that rule will be enforced universally within Cloud Pak for Data, eliminating the need to assign each person in HR a role that would provide the same access. Through this mechanism, ABAC improves upon Role Based Access Control (RBAC) by introducing dynamic scalability to access control.

ABAC’s dynamic scalability significantly reduces the burden of administering a Cloud Pak for Data cluster. ABAC is dynamic in that its rules are enforced in real time. For organizations, this means that if a user’s department (or any other attribute) changes, their permissions are automatically updated, ensuring a continuously strong security posture no matter what happens within the organization. Furthermore, ABAC rules enable cluster administration at massive scale by eliminating the need to constantly create, modify, and assign roles to users. Cluster admins can “set and forget” their access management rules with the knowledge that no matter how many users are onboarded to Cloud Pak for Data, they will be taken care of by ABAC.
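A minimal ABAC evaluator, added here as an illustration and not part of Cloud Pak for Data or this post: it applies the post’s payroll rule to SCIM-style user records (the SCIM enterprise extension’s `department` attribute is assumed as the attribute source, the rule format is invented, and the users are constructed) and shows that access follows the live attribute, so a department change revokes access without any role reassignment.

```python
from dataclasses import dataclass
from typing import Any

# Real SCIM 2.0 enterprise extension schema URN; holds "department" among others.
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


@dataclass(frozen=True)
class Rule:
    """Hypothetical rule shape: grant `resource` when `attribute` is in `allowed`."""
    resource: str
    attribute: str
    allowed: frozenset


def attribute_value(user: dict, name: str) -> Any:
    """Read a SCIM attribute: core attributes first, then the enterprise extension."""
    if name in user:
        return user[name]
    return user.get(ENTERPRISE_EXT, {}).get(name)


def is_allowed(user: dict, resource: str, rules: list[Rule]) -> bool:
    """Deny by default: inactive users, unknown resources and missing attributes all fail."""
    if not user.get("active", False):
        return False
    applicable = [r for r in rules if r.resource == resource]
    return any(attribute_value(user, r.attribute) in r.allowed for r in applicable)


def with_department(user: dict, department: str) -> dict:
    """Return a copy of the SCIM record as it would look after an LDAP/SCIM update."""
    ext = {**user.get(ENTERPRISE_EXT, {}), "department": department}
    return {**user, ENTERPRISE_EXT: ext}


# The rule from the article: payroll data only for department == "Human Resources".
RULES = [Rule("payroll-data", "department", frozenset({"Human Resources"}))]

# Constructed sample SCIM records (not real users).
ALICE = {"userName": "alice", "active": True,
         ENTERPRISE_EXT: {"department": "Human Resources"}}
BOB = {"userName": "bob", "active": True,
       ENTERPRISE_EXT: {"department": "Engineering"}}

if __name__ == "__main__":
    print(is_allowed(ALICE, "payroll-data", RULES))                  # True
    print(is_allowed(BOB, "payroll-data", RULES))                    # False
    print(is_allowed(with_department(ALICE, "Sales"), "payroll-data", RULES))  # False
```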

[Figure: New user group window]

Our first implementation of ABAC is just the tip of the iceberg when it comes to its potential to reshape access management in Cloud Pak for Data. Starting in Cloud Pak for Data 4.5.0, clients will be able to take advantage of the benefits of ABAC using SCIM attributes from their LDAP servers. As our clients begin to utilize the benefits of ABAC, we will work on extending the benefits our implementation of ABAC affords. We plan on supporting non-SCIM LDAP attributes soon, massively expanding the scope of ABAC use cases that Cloud Pak for Data can support. Further down the line, we see opportunities for more advanced rule-building capabilities and an increased granularity in terms of the kinds of assets one can create rules for.

Cloud Pak for Data has always been about security, and we consider our renewed focus on this aspect of the platform to be crucial for its continued success. ABAC is a great example of our efforts in this area and comes with the added benefit of significantly reducing the manual effort required to administer a large environment. We are excited to see our clients make use of it.

Subscribe and stay tuned for more on Cloud Pak for Data v4.5.