The 3 Pillars of Authorization

Gal Helemski
October 4, 2018

When dealing with today’s distributed IT environments, current Identity and Access Management (IAM) models are not flexible enough to support the depth of granularity needed when managing access controls. The accelerated shift to cloud-based services has resulted in the proliferation of identities and their associated challenges. This is why the need for enterprises of all sizes to adopt externalized authorization management (EAM) solutions is greater than ever. EAM solutions are, by definition, agile and give both business leaders and IAM professionals a centralized platform to manage authorization.

You wouldn’t build your own Authentication solution, like an Okta, and the same line of thinking goes for an Authorization Solution.

We believe in a 3-pillar approach to authorization that supports the complete architecture of authorization thereby ensuring all corporate digital identities can only access resources to which they have permission, when they have permission.

Pillar #1 Administration

Authorization supports business decisions that enable the business operations. Administration is the ability to control and understand those business decisions, and therefore is the most important aspect of authorization (not how the decision is made, or how it is delivered). An authorization decision, is a business decision, and therefore administration of Authorization must include these capabilities:  

  1. Clarity – A clear understanding of the access decisions (policies), expressed in a way that is understandable by someone who is not tech oriented.

  2. Validation & Testing – Ability to ensure that the policy grants or denies access as expected and to check that the results of any new policy match expectations.

  3. Analysis – Be able to see why specific permissions or privileges are granted or denied. Analysis goes beyond the “why” and supports the ability to fine-tune policies, based on usage and possibly other parameters, such as risk. This helps the administrator understand what is needed to support business initiatives, and address any risk factors that might be involved with those decisions.

  4. Visibility – Assess the impact of any access decision on identities and any applications or resources to which a policy might grant or deny access.  Each access control policy should have a range which must be understood by the policy administrator.

  5. Governance - the ability to approve, certify and recertify access requests. In overseeing the process of authorizing user access, IGA (identity governance and administration) ensures the execution of protocols and business standards.

Pillar #2 Decision

With the policies in place, authorization decisions for the business must be made dynamically in real-time, based on current identity attributes, the resources being requested, and the current environmental attributes. This is the magic of the PBAC model. The underlying technology architecture must be advanced enough to support the following capabilities in the decision process:

  • Flexible Data Module - Ability to support and respond in a variety of authorization standards and languages, even a home-grown one, to any level of granularity depending on the policy.

  • Smart Decisions - Dynamic, context-aware access decisions can be made on changing identity, resource and environment attributes, rather than just static predetermined decisions.

  • Graph Database - the underlying technology must be sufficiently advanced to be both flexible and scalable. The graph database provides both the flexibility required by the authorization data model and the performance to support the run-time decisions.

Pillar #3 Enforcement

Just like this Gartner blog states, the ability to support and implement fine-grained authorizations across enterprise environments is critical. Enforcement of access decisions must be able to go beyond coarse-grained models and support fine-grained access control policies. Using a variety of authorization standards, like XACML, OAuth and UMA, decisions made are based on any amount of attribute values at runtime.

However, because enforcement of authorization is not yet standardized, it's important to have a solution flexible enough to support both what your organization currently has, and what may be required in the future.  

What this Means for your IAM Strategy

With the increased requirements for data privacy, including GDPR regulations, any authorization management solution must offer built in administration, decision, and enforcement capabilities. A PBAC approach to authorization is built with business leaders in mind, allowing them to oversee access controls, ensuring their businesses can adapt to any regulation. Given the pivotal role that authorization plays in your overall identity management strategy, it is critical to ensure that your IAM toolbox includes an authorization solution that supports all of the capabilities described above.

Most popular posts