PlainID Identity Security Posture Management Blog

The 3 Pillars of Powerful Dynamic Authorization

Written by Oren Harel | Oct 11, 2021 7:33:25 PM

In our last blog post, we discussed what is dynamic authorization and why it is essential for security resilience.

As a quick recap, authorization is the process of taking us to the last mile of access control by granting (or revoking) users various types of permissions to a resource once their identity has been authenticated. 

Taking this one step further dynamic authorization entails granting authorization and access to resources, including application resources, data assets, and any other asset dynamically and in real time.

The questions dynamic authorization answers


And the engine that drives dynamic authorization is policy-based access control (PBAC), where rulesets define the connection between user attributes (such as role), resource attributes, and environmental data, which are evaluated in real time to grant the right level of permissions and privileges. 


Policy-based Access Control Model


In today’s post we’ll be covering the three pillars of maximizing the strategic security benefits of dynamic authorization.

Pillar #1: reliable data sources 

At the heart of effective and powerful dynamic authorization is the ability to gather information from reliable data sources in real time, so we can accurately determine what a user can or cannot access and what they can or cannot do once they access an application, system, service, data, or any other asset. 

Such information includes:

  • User level attributes 
  • The location and system from which the user is authenticating 
  • The number of authentication factors being used
  • What the user is trying to access, and any meta data associated with it
  • Time and day

The more accurate and up to date the data is, which supports the access decision, the more reliable the authorization will be. 

Among an organization’s reliable data sources are:

  • Active Directory (AD), for data relating to user object attributes such as the user’s name, department, and group membership, among others.
  • LDAP, for user attributes, such as job title, certification level, location, and more.
  • SQL, for data resources and their associated metadata.
  • Identity and access management (IAM), for user related data and entitlements.
  • A data catalogue that contains the organization’s data assets and metadata that can support access decisions.
  • Virtual tokens created by the IDP, which typically contain basic information about the user.
  • Risk-based authentication systems for the risk profile associated with the activity.

 

 

--------------------------------

 

The need for dynamic authorization in a medical R&D organization

Let’s see how this plays out in a medical research organization. Namely, this organization manages several drug development projects every year, where the duration of each project takes place over the course of several years, and comprises multiple phases, including research, development, clinical trials, and production.

There are numerous employees and suppliers who are on the project team, each of which accesses different information on an ongoing basis. 

But not each individual can access the same information, due to privacy and other regulatory restrictions.

As such, it is necessary to make sure that when someone attempts to access medical or research records, that they can do so based strictly on their pre-approved access level, the record’s confidentiality level, as well as who the individual is, where they are located at any given time, when they are attempting access, and more. 

And these authorization decisions need to be made dynamically and in real time.

In addition, it is necessary to have fine-grained access control, to make sure that those who should be accessing only research data are not accessing personal medical records, for example, and that only the non-confidential parts of the records in question are being accessed.

--------------------------------

The need for real-time decisioning and dynamic authorization can be found across every industry. As an additional example, in the highly regulated banking sector, it is critical to make sure that the branch manager can access all the accounts managed by their branch. The fintech vendor, however, who is behind the financial services app, should only be able to access information that the account holder has approved, and as based on the level of access that has been granted in real time. 

As such, the access decision should be connected to which account (i.e., the asset) someone is attempting to access as well as to its attributes. So we can see that the more details we have, the more granular and accurate we can be, and the more effective we can be in executing the kind of robust authorization that prevents the loss and damage of a breach.

 

Pillar #2: visualization & control

Now that we know what are the reliable data sources from which we should aggregate information, the next step is to determine how we can manage this seemingly complex business of dynamic authorization in a way that is as simple and efficient as possible.

Efficiency is mandatory since the parameters that drive authorization decisions change all the time, requiring real-time agility. 

And the two key enablers of real-time agility, when it comes to dynamic authorization, are visibility and control.

Because decisions need to be made/changed on-the-fly whenever there is an access attempt, we need to be able to visualize and simulate user access on an ongoing basis so we can predict what would be the outcome and implications if they access a particular app or system.

“Organisations are developing fast and their business processes are continuously changing, causing additional pressure on the organisations’ control and governance systems.” (KPMG) 

As we saw in our healthcare services example, the security organization must not only be able to visualize and simulate scenarios that are driven by user data, but to also be able to run scenarios that connect this data to asset attributes

It’s not just a matter of asking – “who can access this asset?” It’s also about what in this asset can they access? Can they access it today? Can they change it in any way? 

Pillar #3: centralized management with distributed enforcement

“But as the policy complexity increases and the target objects become more sophisticated, you need more advanced policy management and enforcement mechanisms.” 

(Gartner, Hype Cycle for Application Security, 2021, July 2021, by Analyst(s): Joerg Fritsch).


The third pillar of powerful dynamic authorization is centralized management with distributed enforcement.

Namely, since there are countless apps and platforms in the enterprise, each with their own rules, organizations need a way to be able to customize enforcement with these rules in their highly distributed environments. This is the only way to achieve accurate and effective authorization.

And, they need to be able to centralize management, for the sake of efficiency and the confidence that access is kept under tight control.

   

In conclusion, the importance of effective dynamic authorization to bolstering the organization’s security posture cannot be understated. And the key to powerful dynamic authorization is the ability to rely on reliable data sources, together with visualization and control, and centralized management with distributed enforcement.


To see how you can achieve powerful dynamic authorization, we invite you to book a demo.