PlainID Identity Security Posture Management Blog

How Do You Authorize: The Old Static Way or the New Dynamic Way?

Written by Gal Helemski | Sep 7, 2016 10:26:15 AM

This is the second of a four-part series that looks at the changes in approach to authorization and IAM that businesses need to make if they want to remain flexible and nimble, allowing employees to quickly and simply access key data without curtailing security.

Authorization (AuthZ) is the core of organizational security, which also means it is central to productivity: AuthZ determines what a digital identity can do within each and every application.

Employees need access to data and applications anytime and while on the go, but for security reasons, they can’t have that access at all times. So, when should that decision be made? When is the right time to decide if access is permitted or denied?

Traditional AuthZ – Once upon a time…

It’s common for authorization decisions to be triggered by HR events, for example when onboarding a new employee, changing an employee’s role or terminating employment.

When a new employee joins an organization, they are likely to receive the same AuthZ as a co-worker, gain additional permissions over time, and that is the end of it. Authorizations aren’t changed, or even reviewed, as other factors change.

Is that enough? Of course it’s not enough.

The expectations of core security within organizations today are higher. Authorization needs to be smarter and to take more factors into account, such as where the employee is accessing from, whether their role has changed, or whether the parameters of the project have changed. A decision that was made a year ago, or even an hour ago, may no longer be relevant. When access to the most valuable assets of the organization is at stake, the decision needs to be made now!

Classic AuthZ methods have limited functionality. They rely on repository-defined groups or roles that provide a link between users and resources. Those authorization decisions are preconfigured and cannot change in real time. Giving a user authorization to view and use a certain suite of files and applications means that unless the administrator manually revokes authorization, the user will be able to use them forever.

Smarten-up your AuthZ

Dynamic AuthZ means access decisions that are made in real time. When the user requests access to data, tries to manipulate data, or attempts to use an application, Dynamic AuthZ can consider which factors make those actions a potential risk. For example, the time of access, the location, the worker’s employment or vacation status, and the security status of the system are all determining factors that bound a user’s ability to take certain actions.

What could this look like? Authorized users may modify research data until that data is approved; after approval the data can only be viewed. Or, say that access to IT resources in a production environment is normally limited, but when an incident requires specific attention, access is granted to the authorized user. Dynamic AuthZ can be used both to enable access and to prevent it, based on what is happening in real time, who the user is, and where they are accessing from. It lets you make smart decisions about how data and resources are made available for use.
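The two scenarios above (research data editable only until approval, production access only while an incident is open), together with the subject and environment checks from the previous paragraph, as a small request-time policy decision point. This is an added illustration in Python, not PlainID’s product or code; the attribute names, roles, location set and sample requests are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class AccessRequest:
    user: str
    action: str                                          # "view" or "edit"
    resource: str
    user_attrs: dict = field(default_factory=dict)       # role, status, on_vacation
    resource_attrs: dict = field(default_factory=dict)   # kind, approved
    env: dict = field(default_factory=dict)              # location, incident_open

def check_subject(req):
    """Global rules evaluated first (employment status, vacation, location); None if none denies."""
    if req.user_attrs.get("status") != "active":
        return "deny: employment status is not active"
    if req.user_attrs.get("on_vacation"):
        return "deny: user is on vacation"
    if req.env.get("location") not in {"office", "vpn"}:
        return "deny: access from an unapproved location"

def check_resource(req):
    """Resource rules for the two scenarios in the text; evaluated at request time, not at onboarding."""
    kind, role = req.resource_attrs.get("kind"), req.user_attrs.get("role")
    if kind == "research_data" and role == "researcher":
        if req.action == "view":
            return "permit: researchers may view research data"
        if req.action == "edit" and not req.resource_attrs.get("approved"):
            return "permit: edits are allowed until the data is approved"
        return "deny: research data is read-only after approval"
    if kind == "production" and role == "oncall_engineer":
        if req.env.get("incident_open"):
            return "permit: an open incident grants on-call access to production"
        return "deny: production access is limited outside an incident"
    return "deny: no policy grants this role access to this resource"

def authorize(req):
    """Decide now, for this request; returns (permitted, reason) so the reason can be logged for audit."""
    reason = check_subject(req) or check_resource(req)
    return reason.startswith("permit"), reason

# Constructed sample requests (not real users, data or systems); e.g. authorize(SAMPLES["edit_draft"]).
RESEARCHER = {"role": "researcher", "status": "active"}
ONCALL = {"role": "oncall_engineer", "status": "active"}
SAMPLES = {
    "edit_draft": AccessRequest("alice", "edit", "study-42", RESEARCHER, {"kind": "research_data", "approved": False}, {"location": "office"}),
    "edit_approved": AccessRequest("alice", "edit", "study-42", RESEARCHER, {"kind": "research_data", "approved": True}, {"location": "office"}),
    "prod_quiet": AccessRequest("bob", "edit", "prod-db", ONCALL, {"kind": "production"}, {"location": "vpn", "incident_open": False}),
    "prod_incident": AccessRequest("bob", "edit", "prod-db", ONCALL, {"kind": "production"}, {"location": "vpn", "incident_open": True}),
    "on_vacation": AccessRequest("alice", "view", "study-42", {**RESEARCHER, "on_vacation": True}, {"kind": "research_data"}, {"location": "office"}),
}
```

Because every decision is recomputed per request from current attributes, the same user and resource can yield a different answer an hour later without any administrator touching a group or role.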

Dynamic AuthZ: Connect with the ‘here and now’ to protect your assets

PlainID isn’t big on the static approach. We recognize its limitations. We understand businesses need to control and fine-tune access in real time so we take the dynamic approach to AuthZ.

PlainID lets you influence access decisions in real time based on user attributes, environmental attributes and events. AuthZ should be smarter, and PlainID’s platform is how we make it so!

Speaking of real time, you won’t have to wait forever for the third part of this series that looks at the changing IAM landscape. See you soon!