BrainSync: ABAC, a stepping stone to Data-centric security featuring Luke Terry (CTO)

Introduction

In the first edition of BrainSync, a new series in which we discuss a variety of technical topics, we sat down with our CTO, Luke Terry, to discuss Attribute-Based Access Control, or ABAC for short.

In this interview we start with the basics, covering questions such as: What is ABAC? What are some of its benefits? How does it compare to other access control mechanisms? From there we move on to its strategic relevance, technical integration, strategic adoption and future thinking.

Interview with Luke Terry, MindLink CTO

What is attribute-based access control in plain English?

I like starting with the easy questions—it’s also the hardest to answer! But if we want to keep it simple: attribute-based access control, or ABAC, is about making access decisions based on characteristics of a person, what they’re doing, what they’re trying to access, and their environment. That’s really it. People make similar decisions in everyday life—ABAC just formalizes those real-world instincts into access control rules.

How would you describe the difference between role-based access control (RBAC) and ABAC?

They’re similar, but RBAC is really a limited version of ABAC. RBAC only considers a person’s role—it doesn’t care about their environment, what they’re trying to do, or what they’re trying to access. ABAC allows for all of those factors. In its purest form, RBAC looks only at the role to determine access, whereas ABAC lets you factor in many attributes.

Why is it important to look beyond someone’s role when deciding what they can access?

It comes down to granularity. Relying solely on a role ignores a lot of context—like whether someone is working from a secure office or from home. In mission-critical environments, that context can be vital. ABAC allows decisions to be made in real time and based on multiple factors. That flexibility supports dynamic operations and improves security.

How would you explain ABAC to someone who only understands RBAC?

I’d say that ABAC can model RBAC exactly—so it doesn’t replace it, it extends it. If you're used to RBAC and you've had to create dozens of roles just to handle small differences, ABAC simplifies that. For example, instead of 100 project lead roles, you’d have one role and a project attribute—fewer roles, more flexibility.
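As an added example (not MindLink's code and not part of the interview), the toy policy evaluator below puts the last few answers into working form: the "project lead" decision is written first as a role-only RBAC rule, then as a single ABAC rule in which one role plus a project attribute replaces a role per project, and clearance and the secure-office-versus-home context from the previous answer are added. All attribute names, values and the subject "Alice" are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

Attrs = dict[str, object]  # attribute bags for subject, resource and environment

@dataclass
class Rule:
    """One access rule: a name plus a predicate over (subject, resource, env)."""
    name: str
    condition: Callable[[Attrs, Attrs, Attrs], bool]

CLEARANCE_RANK = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}

# RBAC as a special case of ABAC: the predicate looks only at the role.
RBAC_PROJECT_LEAD = Rule("rbac-project-lead",
                         lambda s, r, e: s["role"] == "project_lead")

# ABAC: one "project_lead" role plus a project attribute replaces one role per
# project; clearance and location add the context RBAC cannot express.
ABAC_PROJECT_LEAD = Rule(
    "abac-project-lead",
    lambda s, r, e: (
        s["role"] == "project_lead"
        and r["project"] in s["projects"]
        and CLEARANCE_RANK[s["clearance"]] >= CLEARANCE_RANK[r["classification"]]
        and (r["classification"] == "UNCLASSIFIED" or e["location"] == "secure_office")
    ),
)

def decide(rules: list[Rule], subject: Attrs, resource: Attrs, env: Attrs) -> tuple[bool, str]:
    """Permit if any rule's predicate holds, otherwise deny by default."""
    for rule in rules:
        try:
            if rule.condition(subject, resource, env):
                return True, rule.name
        except KeyError:  # a missing attribute never grants access
            continue
    return False, "default-deny"

# Constructed scenario (not from the interview): a SECRET-cleared lead on ALPHA.
ALICE = {"role": "project_lead", "projects": {"ALPHA"}, "clearance": "SECRET"}
ALPHA_PLAN = {"project": "ALPHA", "classification": "SECRET"}
BRAVO_PLAN = {"project": "BRAVO", "classification": "SECRET"}

def compare(resource: Attrs, location: str) -> dict[str, bool]:
    """Same request evaluated under the RBAC-only rule and under the ABAC rule."""
    env = {"location": location}
    return {"rbac": decide([RBAC_PROJECT_LEAD], ALICE, resource, env)[0],
            "abac": decide([ABAC_PROJECT_LEAD], ALICE, resource, env)[0]}
```

The RBAC rule permits Alice everywhere and on every project, while the ABAC rule permits only her own project from a secure office; adding a second project means adding a value to her `projects` attribute, not a new role.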

How does ABAC improve flexibility in environments where roles and missions change frequently?

It allows you to define rules based on constraints, not just roles. When roles or missions change, you don’t need to rewrite access rules. You define them once, and they dynamically respond to attribute changes—like a new mission or location—without manual updates.

Why is ABAC particularly effective in joint operations?

There are three key benefits: granularity, dynamism, and interoperability. You can define access based on location, organization, clearance, and more. That’s critical when different agencies share systems. ABAC allows rules to adapt automatically, and even if organizations define attributes differently, ABAC can accommodate those differences in policy.

How does ABAC help prevent over-permissioning and insider threats?

It's about granularity again. In RBAC, an admin might have broad access to multiple systems. With ABAC, you can limit that access based on context—like their physical location or system attributes. That containment helps prevent lateral movement within systems, which is a common tactic in insider threats.

What are the consequences of relying only on RBAC in modern environments?

The biggest risk is accidental exposure of sensitive data. RBAC lacks the granularity to consider things like clearance or context. In mission-critical environments, that can be life-threatening. ABAC provides the control needed for safe compartmentalization of information.

How does ABAC enable zero trust principles?

Zero trust means "never trust, always verify." You need to make decisions based on who someone is and what they’re trying to access. That requires attributes—so ABAC is essential. Without it, you can’t implement zero trust effectively. It's the foundation.

Where in a typical system architecture is ABAC enforced?

Ideally, as close to the data as possible. But in reality, it's often at the API level, because not all apps or databases support ABAC. If you only enforce it at the front door, attackers might still get in through the back door. That’s why encryption and layered enforcement are important and DCS-enabled applications are where you really want to get to.

Doesn’t all that granularity make things complex?

It can, but you don’t need to implement everything at once. Start with data labeling, then layer in ABAC controls. You can build up gradually, focusing on the areas of greatest risk first.

What challenges come with shifting from RBAC to ABAC, and how can they be mitigated?

The biggest challenge is infrastructure. Older systems like Active Directory are RBAC-based. You need an identity management system that supports ABAC. Start by locking down RBAC systems and layering ABAC on top. It’s incremental but still improves your posture.

What types of attributes are typically used in ABAC?

It depends on the organization. For classified systems, clearance level, nationality, organization, and mission context are key. You take what you already consider when granting access—and turn those into formal attributes.

How does ABAC relate to policy as code or infrastructure as code?

They're often used together. Policy as code lets you manage access rules like software—track changes, review them, and ensure consistency. But it also means you need people who can understand and write those policies correctly, which introduces complexity.

Where do you see ABAC and data-centric security making the biggest impact in defense over the next five years?

Definitely in joint mission agility and secure data sharing. As ABAC and data-centric security evolve, you’ll see improved interoperability and trust between organizations. They’ll enable more flexible, yet secure, collaboration across coalitions.

How does ABAC support “need to know” vs. “need to share” in coalition environments?

It enables both. Traditional network-centric approaches created barriers. ABAC allows you to enforce security without those physical barriers, supporting both confidentiality and collaboration at the same time.

What advice would you give to IT program managers trying to move toward ABAC and zero trust?

Talk to experts. It's not something you can implement off the shelf. Start by building the foundations—identity management, data labeling, policy design—and then introduce ABAC controls gradually. Prove value incrementally and scale from there.

Are there policy, cultural, or capability shifts needed for ABAC to succeed at scale?

Yes. Users need to get into the habit of labeling data, and organizations need systems that support it. Automating where possible helps, but it’s also a cultural shift. People need to trust and use the compliant systems instead of shadow IT. That’s when the security benefits really materialize.

How does this shift change information sharing across classified and coalition networks?

You move from network-centric to data-centric. Every system can become a coalition system because access is now enforced through ABAC. In theory, it removes the need for segregated networks. In practice, data sovereignty and other challenges remain, but the barriers to sharing are lowered.

What would you say to someone who dismisses ABAC as “just another access model”?

It is another access model—but it’s the only one capable of supporting zero trust and data-centric security. It’s more expressive, more flexible, and more secure. It can model RBAC exactly, so you don’t lose anything—but you gain everything.

Closing thoughts

As this conversation makes clear, ABAC isn’t just a new access control model—it’s a fundamental shift in how we think about security in dynamic, high-stakes environments. Where RBAC falls short, ABAC provides the precision, flexibility, and contextual awareness needed for modern defense and government operations.

For programme managers and military leaders navigating complex coalitions, missions, and evolving threats, ABAC offers a scalable path to achieving zero trust and data-centric security. But it’s not a turnkey solution—it requires cultural change, technical groundwork, and strategic alignment. As our CTO emphasized, the journey starts with smart foundations: clear identity, data classification, and strong policy governance.

In an era where collaboration is essential but compromise is not an option, ABAC is no longer a luxury—it’s mission-critical.
