What is Policy Based Access Control (PBAC)?

July 1, 2020
Learn how Policy Based Access Control (PBAC) combines semantic security risk management with a dynamic policy framework to mitigate security threats. 

Organizations rely on a wide range of applications and operating systems to deliver value to their customers securely, efficiently, and effectively. In addition, businesses work across multiple environments (On-Premises and Cloud), support a broad range of devices (BYOD), and have adopted Agile processes to accelerate development. All of these components add complexity to the enterprise computing environment. The big challenge for business leaders is manageability. How can you possibly provide effective security controls in such a complex, change-rich environment? The answer is to use Policy Based Access Control (PBAC).

Digital transformation is driving the adoption of Cloud computing to support collaborative business processes that unlock new value streams. For these new operating models to work, they have to meet inter- and intra-enterprise security requirements. While most Cloud platforms offer their own security standards, no Cloud provider has a solution available today that allows businesses to ensure that applications comply with security needs at the business level, nor do they provide continuous evaluation of a user’s access to dynamically invoke security controls as needed.


IT leaders tend to think of security concerns in business terms. Policy Based Access Control combines semantic security risk management with a dynamic policy framework to mitigate security threats across modern service-oriented application architectures, whether they are On-Premises or deployed in the Cloud. PBAC solutions address the need to model security requirements, dynamically provision and configure security services, and link operational security events to vulnerabilities and impact assessments at the business level. The end goal is effective risk management because the likelihood of a successful attack increases as a user’s access increases.

Creating a Policy Based Access Control (PBAC) Model

Policy Based Access Control is the foundation of context-driven access control models, which are essential to developing viable, dynamic approaches to manage risk across inter-connected systems. Realizing the benefits of PBAC begins with comprehensive data modeling around users (by role/job function) and application privileges. This data model is not just a means of arriving at a PBAC design; it is the definitive specification of the data requirements to develop effective policies. It could be argued that the proliferation of access control models has come about because of the limitations in understanding application, system, and user data. PBAC provides a framework to manage user access in a single model type, meaning less time will be spent on disparate access management activities. This framework is consistent with organizational risk management objectives and is an example of how a data-oriented approach can support business agility without compromising usability or security.

Privilege separation is a fundamental concept in application and system design, where a program is divided into isolated functional components to minimize the risk in the event of a breach. If a hacker compromises one part of an application, they don’t get access to the full set of privileges available to backend systems and data. This approach provides some protection by separating components but is also a somewhat arbitrary exercise. In contrast, defining a Policy Based Access Control Model is much more precise, since we understand the user’s context within the organization and the policy-driven constraints of their access. Basing the boundaries of what a user can access on the most current data (e.g. user role, device, location) removes much of this ambiguity. Ambiguity decreases the ability to manage your security posture, while precision increases it. 
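The following is an added example, not code from the original article or from any PBAC product: a minimal policy decision function that denies by default and evaluates each request against the current role, device, and location. The role, privilege, and location names are hypothetical sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """One row of the data model: a role may use a privilege under constraints."""
    role: str
    privilege: str                 # application privilege
    managed_device_only: bool      # device constraint
    allowed_locations: frozenset   # location constraint

# Constructed sample data; role, privilege and location names are hypothetical.
POLICIES = [
    Policy("claims_adjuster", "claims:read", False, frozenset({"office", "vpn", "home"})),
    Policy("claims_adjuster", "claims:approve", True, frozenset({"office", "vpn"})),
    Policy("auditor", "claims:read", True, frozenset({"office"})),
]

def decide(role, privilege, device_managed, location, policies=POLICIES):
    """Return (decision, reason); deny unless a policy matches the role and
    privilege and its constraints hold for the current request context."""
    reason = "no policy grants this privilege to the role"
    for p in policies:
        if (p.role, p.privilege) != (role, privilege):
            continue
        if p.managed_device_only and not device_managed:
            reason = "policy requires a managed device"
        elif location not in p.allowed_locations:
            reason = f"location {location!r} is outside the policy"
        else:
            return ("permit", "policy constraints satisfied")
    return ("deny", reason)

def evaluate_session(role, privilege, contexts):
    """Re-evaluate every request against its current context instead of
    reusing the decision made at login."""
    return [decide(role, privilege, managed, loc)[0] for managed, loc in contexts]

if __name__ == "__main__":
    # Constructed session: same user and privilege, changing device and location.
    session = [(True, "office"), (True, "home"), (False, "vpn")]
    for ctx, result in zip(session, evaluate_session("claims_adjuster", "claims:approve", session)):
        print(ctx, "->", result)
```

The same user keeps the same role throughout the session, yet the decision changes as soon as the device or location falls outside the policy, and the returned reason gives an auditable record of why.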

Learn more about Policy Based Access Control in our on-demand webinar. Policy Based Access Control (PBAC) offers an advanced framework to centrally manage permissions and provide assurance for the enterprise in a scalable solution. The first step in maturing your IAM program is assessing your needs and identifying the scenarios where PBAC can help automate risk mitigation.
