It's time for Runtime Authorization

Gal Helemski
July 10, 2017

In today’s digitally-dominated business world, information is a highly valued asset and increasingly needed by both human and non-human entities. But as organizations adopt new technologies, the traditional boundaries disappear and the networks of identities, devices, resources and data increase in both scale and complexity, as does authorization management.

Who can access what, when and how has become an even greater challenge than before, and is now recognized as the largest issue in technology audit, insider threats, cyber risk and compliance adherence. The most common method to handle this complexity is based on admin-time authorization. But as the demand for better control increases, it's time to get to know, and adopt - runtime authorization.

The Case for Runtime Authorization

Identity and access management (IAM) programs often task the administrator with designing and implementing authorization controls. These admin-time authorizations take place when a user’s account is created or managed. The abilities of the user to operate within the application, to access data and resources, is predetermined. The application you are currently accessing might have gotten your access rights yesterday, a month ago or ten years ago.    

In addition, admin-time authorization is typically based on predefined roles. This can be problematic when people shift roles as their already assigned roles no longer match their new responsibilities and entitlements.

Runtime authorization is different: decisions are made only when needed and when the user is actually accessing an application and/or data. Shifting the decision to runtime, when as much information as possible about the user and their current actions is available, is advantageous, for example - what are the user’s current assignments, where is he operating from, and what is he requesting access to, etc.

Externalizing Authorization

An externalized authorization solution, enhances the advantages of runtime authorization. It offers flexibility, centralized control and advanced security for access control decisions. The aim of an externalized authorization solution is to provide the administration of access policies, to act as a decision point to provide policy based decisions, and to offer an enforcement point for these decisions.

Using an externalized authorization solution, authorization policies can be modified without application downtime or the need for code changes. This means companies can respond quicker to changing business or regulatory requirements. In addition, externalized authorization allows for managing access authorizations for multiple systems from a single platform. This allows for consistent enforcement of policies across the organization without having to rely on individual system administrators.

Room for Improvement

The demand for externalized authorization solutions, the functionality and flexibility they offer is rapidly growing. A key element is how decisions are being composed: Can the business owner take control, or at least be more involved? How flexible can the decisions be? Is there a limitation on the factors relevant for the decision?

Performance and scalability is another major consideration, i.e. how can the solution address increasing challenges? Graph-based technology is being used more and more to tackle these obstacles. It can address both the flexibility required in access decisions and the mandatory support for high performance.

Runtime Authorization Maturity

In “Improving Runtime Authorization Maturity,” Gartner analyst Homan Farahmand says that more business users are deploying external runtime authorization solutions to solve compliance and risk issues. The report explains in detail the way runtime authorization operates and how it's integrated into different scenarios, such as portal access, API access, application access, structured and unstructured data access, and federated access patterns.

Our key takeaways from the report are:

  • Runtime authorizations should be evaluated as part of the organization's overall authorization management and control strategy, based on the maturity level of what is already in place, and the enterprises’ long term vision.  
  • Cloud based solutions are also important to look at, as both a management solution and as a way to better control access to the cloud resources.
  • Evaluation of runtime authorization should also take into account emerging technologies that offer advanced abilities to module policies, based on graph technology.   

The PlainID Option

Of course, there’s no need to go it alone. PlainID offers an easy-to-use platform that enables access to be determined dynamically and in real time, based on user attributes, environmental attributes and events.  Our solution is based on graph technology that is uniquely packaged together with the policy runtime services (PRS), and is offered in the cloud or on-premise.

Request a Demo


*Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Most Popular Posts