The End of Role-based Security and the Rise of Attribute-based Security

Prof Bill Buchanan OBE FRSE
6 min read · Aug 23, 2024

The Internet is over five decades old, and still we have data breaches and cybersecurity compromises. One of the problems relates to the use of role-based security, so let’s look at an alternative: attribute-based encryption (ABE). We started with role-based security because it matched the operating system well, and we have since scaled it up to work at the corporate level. Unfortunately, the rights defined by the operating system do not map well onto the things defined within organisations. Our role-based approaches can be seen as a legacy of the past, where we found it easier to scale the roles than to secure our data properly.

The problem with role-based security

In cybersecurity, most of our systems are based on role-based security, which is often flawed: a simple scheme has a few roles, such as staff and student, and every person in the staff role gets the same rights, whether they need them or not. We then add other roles, such as Admin and Production, and then more roles on top of those. As we scale up to more and more roles, the whole thing becomes confusing to manage, and an adversary can just pick off a user with enough rights to achieve their mission.
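To make the scaling argument concrete, here is an added illustration (not code from the article or its author) that answers the same question, "may this user read this record?", once with a role check and once with an attribute-based policy. The attribute-based part is plain ABAC policy evaluation over subject, resource and request attributes, not the cryptographic attribute-based encryption the post names; all users, departments and records are constructed for the demo. The `reachable` helper shows the blast radius of one compromised account under each model: with roles, every staff member reaches every payroll record; with attributes, only their own department's, and only when the other predicates also hold.

```python
"""Role-based vs attribute-based access decisions (added illustration).

Constructed example: the users, departments and records are invented for
the demo. The attribute side is ABAC policy evaluation, not ABE.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

# ---- Role-based: a role is a fixed bundle of permissions ----------------------
# Every member of "staff" gets every staff permission, whether they need it or not.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "student": frozenset({"read:lecture-notes"}),
    "staff": frozenset({"read:lecture-notes", "read:exam-papers", "read:payroll"}),
    "admin": frozenset({"read:lecture-notes", "read:exam-papers",
                        "read:payroll", "write:payroll"}),
}

@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    attrs: Dict[str, object]   # e.g. department, clearance (used by the ABAC side)

@dataclass(frozen=True)
class Resource:
    name: str
    attrs: Dict[str, object]   # e.g. department, sensitivity

def rbac_allowed(user: User, action: str, resource: Resource) -> bool:
    """Role check: the resource is ignored entirely; only the role bundle matters."""
    return any(action in ROLE_PERMISSIONS.get(role, frozenset()) for role in user.roles)

# ---- Attribute-based: a policy is a list of predicates over subject, resource
#      and request context; every predicate must hold, unknown actions are denied ----
Rule = Callable[[User, Resource, Dict[str, object]], bool]

def same_department(user: User, res: Resource, ctx: Dict[str, object]) -> bool:
    return user.attrs.get("department") == res.attrs.get("department")

def clearance_at_least(level: int) -> Rule:
    def rule(user: User, res: Resource, ctx: Dict[str, object]) -> bool:
        return int(user.attrs.get("clearance", 0)) >= level
    return rule

def during_business_hours(user: User, res: Resource, ctx: Dict[str, object]) -> bool:
    return 8 <= int(ctx.get("hour", -1)) < 18

POLICIES: Dict[str, List[Rule]] = {
    "read:lecture-notes": [],                                  # any authenticated user
    "read:exam-papers": [same_department],
    "read:payroll": [same_department, clearance_at_least(2), during_business_hours],
    "write:payroll": [same_department, clearance_at_least(3), during_business_hours],
}

def abac_allowed(user: User, action: str, resource: Resource,
                 ctx: Dict[str, object]) -> bool:
    """Attribute check: default deny for unknown actions; all rules must pass."""
    rules = POLICIES.get(action)
    if rules is None:
        return False
    return all(rule(user, resource, ctx) for rule in rules)

def rbac_decide(user: User, action: str, res: Resource, ctx: Dict[str, object]) -> bool:
    """Adapter so both models can be plugged into reachable()."""
    return rbac_allowed(user, action, res)

# ---- Blast radius: what one account can reach under each model ---------------
def reachable(user: User, action: str, resources: List[Resource],
              ctx: Dict[str, object], decide) -> List[str]:
    return sorted(r.name for r in resources if decide(user, action, r, ctx))

# Constructed sample data (not from the article).
PAYROLL = [
    Resource("payroll-cs", {"department": "CS", "sensitivity": "high"}),
    Resource("payroll-law", {"department": "Law", "sensitivity": "high"}),
]
ALICE = User("alice", frozenset({"staff"}), {"department": "CS", "clearance": 2})
BOB = User("bob", frozenset({"staff"}), {"department": "Law", "clearance": 1})
OFFICE_HOURS = {"hour": 10}
NIGHT = {"hour": 2}

if __name__ == "__main__":
    for u in (ALICE, BOB):
        print(u.name, "RBAC:", reachable(u, "read:payroll", PAYROLL, OFFICE_HOURS, rbac_decide))
        print(u.name, "ABAC:", reachable(u, "read:payroll", PAYROLL, OFFICE_HOURS, abac_allowed))
```

Running it prints that both staff accounts reach both payroll records under the role check, while under the attribute policy Alice reaches only `payroll-cs` and Bob (clearance 1) reaches nothing. Expressing the same restriction with roles alone would need one role per department and clearance combination, which is exactly the role explosion the paragraph above describes.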
