GigaOm Report Reveals Advantages of Modern Approach to Data Access Control

Data security leader Immuta announced its position in GigaOm’s report, "ABAC vs. RBAC: The Advantage of Attribute-Based Access Control over Role-Based Access Control," which compares how 13 data security companies manage policies. The findings suggest that using attribute-based access control (ABAC) with Immuta is the most efficient, cost-effective, and manageable strategy. Immuta required just eight policy changes to accomplish the same security objectives, compared to 745 policy changes with the legacy role-based access control (RBAC) used by other data security platforms, representing a 92x improvement.

As organizations aim to simplify data security, they need simple, thorough, and cost-effective approaches to managing the exponential growth of data policies. But it has been difficult to quantify the benefits of ABAC, a modern approach that permits or restricts data access based on assigned user, object, action, and environmental attributes, versus RBAC, a legacy approach that permits or restricts system access based solely on an individual’s role within the organization.

In a detailed and repeatable study, GigaOm’s researchers found that when it comes to ABAC versus RBAC, ABAC better streamlines and accelerates policy management and enforcement for organizations’ overall data use cases. Key findings include:

  • ABAC reduces policy burden by 93x versus RBAC, requiring just 8 policy changes where RBAC required 745.
  • An ABAC approach can save organizations roughly $500,000 in time and opportunity costs, based on the time and effort required for ABAC versus RBAC models.
  • Researchers evaluated standard RBAC as well as RBAC with column tagging (CT-RBAC), and found that while the latter is more dynamic and scalable, its limitations become clear as complexity grows.
  • ABAC was the only approach that was able to resolve security requirements for advanced use cases, such as purpose-based restrictions and de-identification.

“Column-Tagging Role-Based Access Control adds some dynamic and scalability advantages over traditional RBAC, but as the scenarios became more complex, we saw the policy burden grow and become fragile. The difference between these approaches and Object-Tagging Attribute-Based Access Control became clear. By leveraging dynamic variables, nested attributes, global row-level policies, and row-level security, OT-ABAC can be quickly implemented and updated compared to the two role-based methods,” stated the report. “Using both conventional and column-tagging RBAC as a data security mechanism creates a heavy policy-management burden compared to OT-ABAC. Furthermore, OT-ABAC is shown here to provide scalability, clarity, and evolvability in meeting a complex enterprise’s data security and governance needs.”

GigaOm’s independent study scored vendors using a rubric that measured the number of policies created and the number of policy modifications required for each. GigaOm tested Immuta as the only CT-ABAC vendor, against the following RBAC vendors: Apache Ranger, AWS Lake Formation, Alation, Informatica CDGC, TrustLogix; and CT-RBAC vendors: Satori, Apache Ranger + Atlas, Privacera, ALTR, Okera, Secupi, Collibra Protect. To conduct the study, GigaOm designed a reproducible test that included a standardized, publicly available data set and data security policy management scenarios based on real-world use cases.

“At the end of the day, an organization’s decision to take an ABAC or RBAC approach to data security should be based on its own individual business and technology demands. However, as we see data security laws and regulations become more complex and a growing emphasis on sensitive-data driven analytics, RBAC will become an increasingly antiquated model,” said Mo Plassnig, Chief Product Officer of Immuta. “Static role-based access controls require new policies for every change within a data environment, limiting their agility and scalability when it comes to managing data security. The results of this study clearly show that ABAC is the most efficient approach amongst these 13 vendors, and validate the value of Immuta’s ABAC capabilities in achieving data security and access control at scale.”


About Immuta

Immuta enables organizations to unlock value from their cloud data by protecting it and providing secure access. The Immuta Data Security Platform provides sensitive data discovery, security and access control, data activity monitoring, and has deep integrations with the leading cloud data platforms. Immuta is now trusted by Fortune 500 companies and government agencies around the world to secure their data. Founded in 2015, Immuta is headquartered in Boston, MA.