ESP Journal of Engineering & Technology Advancements
© 2025 by ESP JETA
Volume 5 Issue 3
Year of Publication: 2025
Authors: Sunnykumar Kamani
DOI: 10.56472/25832646/JETA-V5I3P119
Sunnykumar Kamani, 2025. "A Dynamic, Attribute-Based Access Control (ABAC) Model for Microservices and Cloud-Native Applications Integrated with Traditional IGA", ESP Journal of Engineering & Technology Advancements 5(3): 145-150.
The rapid adoption of cloud-native architectures, defined by loosely coupled components (microservices), has fundamentally changed enterprise IT landscapes. These dynamic, distributed systems require an equally dynamic and granular access control mechanism, which traditional approaches cannot provide. Although traditional Identity Governance and Administration (IGA) systems are very good at managing static roles, they do not support the contextual, real-time decisions needed in modern applications. This paper presents an architectural model that unifies IGA with Attribute-Based Access Control (ABAC) by redefining the IGA system as the central Policy Administration Point (PAP) of a federated, enterprise-wide ABAC system. In this model the IGA platform is repositioned as the source of authority responsible for defining, managing, and disseminating all attribute-based policies to distributed Policy Decision Points (PDPs) within cloud environments. This framework overcomes the disadvantages of Role-Based Access Control (RBAC), such as "role explosion," and reduces the administrative burden of ABAC by eliminating "policy sprawl." The proposed model allows for continuous authorization, making compliance easy while offering a scalable, resilient security posture for hybrid, cloud-native application environments that aligns directly with modern security paradigms like Zero Trust.
Keywords: ABAC, Policy Administration Point (PAP), microservices security, cloud-native security, hybrid policy models, continuous authorization, Identity Governance and Administration (IGA), Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Information Point (PIP).
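An added example, not code from the paper, of the flow the abstract describes: the IGA platform acting as PAP publishes a versioned policy bundle, and a local PDP loads it only if it is authentic and newer, then decides requests from subject, resource, action and environment attributes with deny by default. The bundle format, the HMAC signing with a shared demo key, the rule schema and the names `pap_publish`, `PDP` and `RULES` are all assumptions made for illustration.

```python
import hashlib, hmac, json

# Constructed demo key; an assumption standing in for real asymmetric bundle signing.
BUNDLE_KEY = b"demo-only-key"

# Constructed policy set, as the IGA platform (PAP) might author it.
RULES = [
    {"effect": "permit", "when": {"subject.department": "finance",
                                  "resource.classification": ["internal", "confidential"],
                                  "action.id": "read",
                                  "env.device_compliant": True}},
    {"effect": "deny", "when": {"subject.status": "suspended"}},
]

def pap_publish(version, rules, key=BUNDLE_KEY):
    """PAP side: serialize the policy set and sign it for distribution to PDPs."""
    body = json.dumps({"version": version, "rules": rules}, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

class PDP:
    """Local decision point: loads only authentic, newer bundles; denies by default."""
    def __init__(self, key=BUNDLE_KEY):
        self.key, self.version, self.rules = key, 0, []

    def load(self, bundle):
        expected = hmac.new(self.key, bundle["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, bundle["sig"]):
            return False                  # tampered or unsigned bundle
        policy = json.loads(bundle["body"])
        if policy["version"] <= self.version:
            return False                  # stale bundle: refuse rollback
        self.version, self.rules = policy["version"], policy["rules"]
        return True

    def decide(self, request):
        """request maps 'subject', 'resource', 'action', 'env' to attribute dicts."""
        permitted = False
        for rule in self.rules:
            if all(self._match(request, p, want) for p, want in rule["when"].items()):
                if rule["effect"] == "deny":
                    return "deny"         # deny overrides any permit
                permitted = True
        return "permit" if permitted else "deny"

    @staticmethod
    def _match(request, path, want):
        category, attr = path.split(".", 1)
        have = request.get(category, {}).get(attr)   # missing attribute -> None
        return have in want if isinstance(want, list) else have == want
```

Because a permit rule only matches when every listed attribute is present and equal, a request that arrives without environment context falls through to the default deny.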