Authorization is an essential part of any modern enterprise’s identity and access management (IAM) solution. Acting as an organizational gatekeeper, it is the process that determines which employees can access which company data and, crucially, where the boundaries lie.
A variety of approaches are used across the security ecosystem in an attempt to deliver effective authorization. These include role-based access control (RBAC), which permits or denies access to resources based solely on a user’s job title and function. For example, access to a specific network might be made available only to users with “administrator” in their title.
While RBAC is the current industry-standard access control model, its coarse-grained approach, in which access is defined only by job title and function, is limiting. Access rights are fixed per user and don’t allow for temporary access or reassignment of roles, and any change made to a role affects every user who holds it.
Another widely used option is attribute-based access control (ABAC). This is a fine-grained access control solution where access rights are granted to users through set policies that evaluate assigned attributes. Here, attributes are descriptions of users, objects and environmental factors used to create policies that apply access limitations to a network, its data and files.
This approach is also not without its challenges, however. For instance, policies can’t be written in plain language and instead must be created using the eXtensible Access Control Markup Language (XACML). This is an old standard that can be extremely complicated to understand and maintain. Coding complex policies is time-consuming and error-prone, and it offers limited visibility into the impact rule changes may have on other policies.
Historically, RBAC and ABAC have been widely accepted approaches to creating and managing access control (AuthZ) policies. They were most suitable in an era when digital user journeys for employees and consumers were less sophisticated and less functionally rich than today. Like most legacy technology methods, they still have their merits and appropriate use depending on required assurance levels and requirements.
The challenge is that, in general, both RBAC and ABAC have less flexibility with respect to creating, managing and governing authorization policies. They also require advanced user administration skill sets, which results in greater friction with respect to creating and implementing AuthZ policies.
Ultimately, this limits, and in some cases restricts, how effective and well-optimized the authorization policy can be. The downstream impact can become profound with respect to user experience, risk mitigation and potentially data privacy.
Dynamic Authorization and the Rise of Zero-Trust
Moreover, the industry and regulatory context for enterprise authorization is also changing. Last year’s cybersecurity executive order, for instance, added to the momentum building behind the adoption of zero-trust architecture (ZTA) where the objective is to significantly improve cybersecurity resilience and help prevent the increasingly damaging attacks and breaches seen in recent years.
As a result, real-time dynamic AuthZ, coupled with central policy management and powered by policy-based access control (PBAC), has become a prerequisite for ZTA. PBAC is an authorization approach that draws on both attributes and roles to determine access rights. It is designed to go beyond even ABAC to meet the fast, constantly changing, remote access needs of organizations that are also increasingly reliant on cloud-based applications.
PBAC takes the best characteristics of ABAC and RBAC and makes them much more accessible. Like ABAC, PBAC is also capable of supporting both roles and attributes, so access can be determined by values such as ‘who’ (role), ‘what’ (resource or asset) and ‘when’ (time of day). What’s more, the most advanced PBAC providers go even further, enabling policies to be coded in plain language and, as a result, are not reliant on XACML.
From finance, retail and insurance, to health care and the public sector, PBAC is being applied to a variety of mission-critical use cases. Take banking, where organizations can implement PBAC to create policies that state, for instance, “Branch managers can access the client basic profile, bank accounts and card data of clients that belong to the same line of business (LoB) and same branch as themselves.” Because the GUI-based PBAC approach expresses policy in plain language, its users don’t need to reference specific LoBs or bank profiles: each detail is presented through a simple visual representation.
In health care environments, for instance, organizations typically handle extremely sensitive client information and need to protect doctor-patient confidentiality at all times. In particular, access to patient medical files requires adherence to strict rules, often on a need-to-know basis. In this context, a PBAC policy can specify that “a doctor can view all medical records of a patient within his specialty.” In addition, the most effective PBAC solutions can then add layers of policies including other authorized users, from specific locations, during specific times.
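The following is an added example, not code from the article or from any PBAC product. It puts the contrast drawn above into working form: a role-only (RBAC) lookup table that cannot express “same branch as themselves”, beside a small deny-by-default policy decision point whose rules combine the ‘who’ (role), the ‘what’ (resource attributes) and the ‘when’/‘where’ (request context), evaluating the banking and health-care policies quoted above. The subject and resource attributes, the “on site, working hours” layer on the doctor policy, the attribute names and the sample users are all constructed for the illustration.

```python
"""Toy policy decision point: role-only RBAC checks versus PBAC rules that
combine role, resource attributes and request context. Added illustration;
all attribute names, roles and sample data are constructed."""
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Subject:
    user_id: str
    role: str                 # the 'who'
    attrs: Dict[str, str]     # e.g. lob, branch, specialty (assumed attribute names)


@dataclass
class Resource:
    kind: str                 # the 'what': client_profile, card_data, medical_record ...
    attrs: Dict[str, str]     # owning lob/branch, patient's specialty, ...


@dataclass
class Context:
    now: time                 # the 'when'
    location: str             # request origin (assumed environmental attribute)


# --- RBAC: the role and the resource type are the only inputs ---------------
RBAC_TABLE: Dict[str, Set[str]] = {
    "client_profile": {"branch_manager"},
    "bank_account": {"branch_manager"},
    "card_data": {"branch_manager"},
    "medical_record": {"doctor"},
}


def rbac_allows(subject: Subject, resource: Resource) -> bool:
    """Coarse-grained: any branch manager sees any branch's clients, because
    'same branch' cannot be stated in terms of role alone."""
    return subject.role in RBAC_TABLE.get(resource.kind, set())


# --- PBAC: named policies over role + attributes + context ------------------
Rule = Callable[[Subject, Resource, Context], bool]


@dataclass
class Policy:
    name: str
    rule: Rule


BANKING_RESOURCES = {"client_profile", "bank_account", "card_data"}


def branch_manager_same_lob_and_branch(s: Subject, r: Resource, c: Context) -> bool:
    # "Branch managers can access ... clients that belong to the same LoB and same branch"
    return (s.role == "branch_manager"
            and r.kind in BANKING_RESOURCES
            and s.attrs.get("lob") == r.attrs.get("lob")
            and s.attrs.get("branch") == r.attrs.get("branch"))


def doctor_within_specialty(s: Subject, r: Resource, c: Context) -> bool:
    # "A doctor can view all medical records of a patient within his specialty",
    # plus two assumed extra layers: on site and during working hours.
    return (s.role == "doctor"
            and r.kind == "medical_record"
            and s.attrs.get("specialty") == r.attrs.get("specialty")
            and c.location == "hospital"
            and time(8, 0) <= c.now < time(18, 0))


POLICIES: List[Policy] = [
    Policy("branch managers: same LoB and branch", branch_manager_same_lob_and_branch),
    Policy("doctors: records within specialty, on site, working hours", doctor_within_specialty),
]


def pbac_decide(subject: Subject, resource: Resource, ctx: Context) -> Tuple[bool, str]:
    """Deny by default; the first matching policy grants, and its name is
    returned with the decision so the outcome can be audited."""
    for policy in POLICIES:
        if policy.rule(subject, resource, ctx):
            return True, policy.name
    return False, "no policy matched (default deny)"


# --- Constructed sample data -------------------------------------------------
MGR_A = Subject("mgr-a", "branch_manager", {"lob": "retail", "branch": "north"})
MGR_B = Subject("mgr-b", "branch_manager", {"lob": "retail", "branch": "south"})
CLIENT_NORTH = Resource("card_data", {"lob": "retail", "branch": "north"})
DR_CARDIO = Subject("dr-c", "doctor", {"specialty": "cardiology"})
CARDIO_RECORD = Resource("medical_record", {"specialty": "cardiology"})
ONCO_RECORD = Resource("medical_record", {"specialty": "oncology"})
DAY_ONSITE = Context(time(10, 30), "hospital")
NIGHT_REMOTE = Context(time(2, 15), "home")

if __name__ == "__main__":
    for who, what, ctx in [(MGR_A, CLIENT_NORTH, DAY_ONSITE), (MGR_B, CLIENT_NORTH, DAY_ONSITE),
                           (DR_CARDIO, CARDIO_RECORD, DAY_ONSITE), (DR_CARDIO, ONCO_RECORD, DAY_ONSITE),
                           (DR_CARDIO, CARDIO_RECORD, NIGHT_REMOTE)]:
        print(who.user_id, what.kind, "RBAC:", rbac_allows(who, what), "PBAC:", pbac_decide(who, what, ctx))
```

Running the block shows the difference in granularity: RBAC grants both branch managers access to the north-branch card data, while the PBAC rule admits only the manager whose LoB and branch attributes match the resource; the doctor is granted a cardiology record on site during the day and refused an oncology record, or the same cardiology record at night from home. Returning the matching policy’s name with each decision is what gives central policy management the visibility into rule changes that the article notes XACML-based ABAC lacks.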
Given the current volume, sophistication and impact of cybersecurity incidents, authorization is under intense scrutiny as a vital component of any effective approach to minimizing risk. As such, organizations that apply these more advanced technologies to meet both security and business objectives will be ideally positioned to succeed.