RBAC, ABAC or somewhere in between
The aim of an effective IAM solution is to define and control what users can do with applications by providing multiple control mechanisms to ensure the right user has access to the right information (or organizational resources) at the right time. The three main high-level components of an Identity Management System are:
1.) Subjects, such as accounts.
2.) Resources, for example applications or groups.
3.) Policies, which define how the subjects should interact with the resources. Policies can be implemented in a number of ways.
One important method used to assist in achieving this is access control. Access control is a set of policies that facilitates users having the appropriate access to the required systems, resources, services and applications.
Traditionally, 4 classic access control models exist. These are described in order of prevalence, with the oldest model being detailed first.
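The subject / resource / policy split above can be made concrete with a small decision function. The following is an added example written for this page, not code from the original post or any IAM product; the subjects, resources, roles and department attributes are constructed sample data. It shows the same request evaluated under pure RBAC (role grants), pure ABAC (attribute conditions) and a hybrid "somewhere in between" model where a role must grant the action and the attribute conditions must also hold.

```python
"""Minimal subject / resource / policy model with RBAC, ABAC and a hybrid rule.

Added illustration; all names and sample data below are constructed,
not taken from any real IAM deployment.
"""
from datetime import time

# --- Subjects: accounts with roles (used by RBAC) and attributes (used by ABAC) ---
SUBJECTS = {
    "alice": {"roles": {"clinician"}, "attrs": {"department": "cardiology"}},
    "bob":   {"roles": {"billing"},   "attrs": {"department": "finance"}},
    "carol": {"roles": set(),         "attrs": {"department": "cardiology"}},
}

# --- Resources: applications or records, each with its own attributes ---
RESOURCES = {
    "patient-record-42": {"type": "patient_record", "attrs": {"department": "cardiology"}},
    "invoice-7":         {"type": "invoice",        "attrs": {"department": "finance"}},
}

# --- Policies ---
# RBAC grants: a role may perform an action on a resource type.
RBAC_GRANTS = {
    ("clinician", "read", "patient_record"),
    ("billing", "read", "invoice"),
}


# ABAC conditions: predicates over the subject, the resource and the request context.
def same_department(subject, resource, ctx):
    return subject["attrs"].get("department") == resource["attrs"].get("department")


def business_hours(subject, resource, ctx):
    return time(8, 0) <= ctx["now"] < time(18, 0)


# ABAC rules: (action, resource type, conditions that must all hold).
ABAC_RULES = [
    ("read", "patient_record", [same_department, business_hours]),
]


def rbac_permits(subject, action, resource):
    """True if any of the subject's roles is granted this action on this resource type."""
    return any((role, action, resource["type"]) in RBAC_GRANTS for role in subject["roles"])


def abac_permits(subject, action, resource, ctx):
    """True if an ABAC rule matches the action/type and every condition holds."""
    return any(
        act == action
        and rtype == resource["type"]
        and all(cond(subject, resource, ctx) for cond in conds)
        for act, rtype, conds in ABAC_RULES
    )


def decide(subject_id, action, resource_id, ctx, model="hybrid"):
    """Deny by default. An unknown subject or resource is a deny, never an exception."""
    subject = SUBJECTS.get(subject_id)
    resource = RESOURCES.get(resource_id)
    if subject is None or resource is None:
        return "deny"
    if model == "rbac":
        ok = rbac_permits(subject, action, resource)
    elif model == "abac":
        ok = abac_permits(subject, action, resource, ctx)
    else:
        # Hybrid: the role must grant the action AND the attribute conditions must hold.
        ok = rbac_permits(subject, action, resource) and abac_permits(subject, action, resource, ctx)
    return "permit" if ok else "deny"


if __name__ == "__main__":
    daytime = {"now": time(10, 0)}
    night = {"now": time(22, 0)}
    for model in ("rbac", "abac", "hybrid"):
        print(model, "alice/day:", decide("alice", "read", "patient-record-42", daytime, model),
              "alice/night:", decide("alice", "read", "patient-record-42", night, model),
              "carol/day:", decide("carol", "read", "patient-record-42", daytime, model))
```

The three models disagree on the edge cases, which is the practical point: RBAC lets alice read at night because her role never expires, ABAC lets carol (no role at all) read because her department matches, and only the hybrid denies both. The hybrid also denies bob's invoice read, since no ABAC rule covers invoices; a deployment that layers attribute conditions on top of roles must write a rule for every resource type or it silently locks everyone out.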
Rebalancing the scales – Consumer, The King?
Personal data can be described as any information relating to a person or consumer which can be used to identify that person directly or indirectly (in the context of GDPR consumers are also known as ‘data subjects’). It can be anything from a name, a photograph, a national identification number, a telephone number, an email address or medical records to a computer's IP address and social networking updates.
Regulations regarding the privacy and protection of this personal data have existed since 1984, with the Data Protection Act, followed by the 1995 Data Protection Directive. For their time, these policies were considered a benchmark of excellence in the area of data protection law. However, with the technological advancements and transformations of the 21st century, the initiation of the digital economy and the digital single market, and services such as eIDAS, regulation needs to evolve as well. A much more stringent and far-reaching regulation is therefore set to be enforced: the EU General Data Protection Regulation (GDPR).