Security Think Tank: Pay attention to attribute-based system access permissions

One thing predicted for 2018 that did not happen

At the beginning of 2018, the EU’s General Data Protection Regulation (GDPR) was starting to become a reality for everyone, with rumblings over what it was and what it required hard to ignore. By May 2018, as the deadline approached, these had reached a crescendo, accompanied by a daily deluge of consent request emails.

Six months on, where do we find ourselves? There are rumours of massive fines, with Marriott being the latest in the firing line, but the reality is that much of the predicted apocalypse has not happened.

Much of the concern in the run-up to GDPR being law was down to the non-specific nature of information provided, along with scaremongering about consent requirements and unprecedented fines.  However, much like the oft-quoted Y2K bug, this simply hasn’t happened.

The lack of panic following 25 May is gratifying. GDPR was not introduced to hinder business; rather it was a reminder, albeit a sharp one, that organisations had a responsibility to the consumer to manage their data more responsibly. Far from being a revolution, GDPR is an evolution. The transparency, data minimisation, integrity and security of data processing that it demands are all principles of the 1988 Data Protection Act, which companies should already be abiding by.

While there is a school of thought that the full effect of GDPR will take 12 to 18 months to be realised, for the moment at least, it appears that most people have taken a pragmatic approach to meeting compliance, tailoring it to the nature of their business.

And for those requiring a silver lining, GDPR is an opportunity for organisations to develop their existing policies and procedures, cleanse data repositories and develop trust with their customers by demonstrating transparency with their data processing.

One thing that happened in 2018 that was not predicted

Expanding our sights outside the security arena, would a no-deal Brexit have been predicted this time last year? General consensus seems to be that it was initially bandied round as a negotiating tactic, but as the exit deadline rapidly approaches, it would appear that it may become reality.

One thing that should happen in 2019, but probably will not

In terms of what should happen in 2019, it would be nice to think that attribute-based system access permissions will be given the airtime it deserves.

Based on the school of security thought that wide system access is given to everyone, unless there is a reason not to, it makes the case that it’s time to upgrade the current approach of preordaining roles and authorisations. Instead, it gives people access, as long as they meet certain contextual requirements. 

Water company employees with handheld devices, for example, could be provided with the locations of all the meters in the region in which they are working, but not for those in the rest of the UK. This could be updated if they changed locations, meaning they would have access to the information they need to do their job, but nothing in excess of that.

The theory is behind regulatory requirements such as International Traffic in Arms Regulations (ITAR), which, among other restrictions, requires people to be on US soil to access specific and sensitive pieces of information. 

And this focus on context is applicable in many other situations. A company buying a particular item may not itself be sensitive information, but details of where orders are shipped to and stored may flag that a project is top secret, thereby changing the security level.

The security profession needs to continually assess what is possible and push boundaries in order that it innovates and evolves. Attribute-based system access permissions are a step on this ladder.