20 December 2021
As the technology landscape moves further towards a fully cloud-based system, a modernized approach to access control has emerged. We know that trying to “provision for everything,” where access is granted too easily and too often, is no longer working. The focus has shifted from expensive and high-risk manual processing of access permissions to lower cost and less risky automated processes and to reducing risk exposure even further through a zero-trust architecture.
Typical homegrown identity and access management solutions (IAM) for large enterprises often adopt the provision for everything approach. The creation of hundreds of thousands of provisions results in an explosion of entitlements. Management becomes incredibly complex with all these entitlements then having to be certified, a legal and financial requirement in the banking world. Giving away too much risks creating over privileged users. By forgetting to later remove that high level of access granted, there is a danger of segregation-of-duties violations and conflicts of interest.
We see a growing need in the marketplace for a new approach to access control that is capable of managing both coarse-grained and fine-grained authorizations, and limits access wherever possible. A dynamic IAM solution can grant access based on the lowest clearance level needed, with attributes being changed when they are no longer relevant. Focusing on policies reduces the entitlement provisioning footprint as access no longer needs to be individually certified, only the policies themselves. An access management solution based on zero trust can reduce risk by limiting access.
We found that the capabilities in the architecture of vendor solutions in what they can protect is far greater than most homegrown solutions. With the ability to seamlessly integrate applications, microservices and API databases, IAM solutions are more efficient and modernized. Whether it be a role-based, attribute-based or policy-based access control solution, it should be supported both on premises and in the cloud. Vendor solutions provide better visibility, an easier to use product and more automated processes.
We launched an extensive pilot to benchmark products and evaluate different build vs buy IAM solutions through use cases and web applications. We started with 6 solutions, quickly eliminated 3 based on criteria such as how well they would apply to a specific vertical and whether it was the right time in the industry for that specific solution, then started the extensive bake-off. The benchmarks used for the bake off focused on what features the company wanted and what they needed to protect with their policies. Use cases were built internally, a web application was built, hooked up to the products and benchmarked for 4-5 months. Metrics and measurements were taken for comparison which provided a mountain of data via this proof of concept. For example, if we take the issue of fine-grained vs coarse-grained authorizations for a trading desk, where traders need access to specific books and accounts, this requires provisioning access in and out all day long. The access management solution needs to connect seamlessly with the trading application and focus on efficiency, so the key comparison metrics here would be critical response time and pay load.
The healthcare industry could also benefit greatly from a more streamlined, centralized access management solution. Currently, when we consider the average physician who works for a large conglomerate hospital, they often operate out of 2-3 locations for patients in multiple departments. Reliant on legacy systems, entry generally requires a different physical badge for access to be granted at each location. Multiple separate identities are provisioned to one single person by creating several personas and logins. Removing that person’s DNA from the system would require terminating each of those separate identities. The adoption of PlainID’s PBAC approach, combining coarse-grained access rights with fine-grained controls such as geo-location, would eliminate the need for multiple personas per user. For example, once badged in at the parking garage, dynamic authorization would be applied, granting the access credentials needed only for that specific location.
Authorization is a strategic issue and ultimately requires business logic. Choosing an access management solution requires us to first understand the business problem, whether it be strategic, auditing or a regulatory driver. The developers, app owners and management should then be brought together as the key players and influencers involved in access decisions. Creating a bridge between IT and business ensures the business problem is addressed with respect to the entitlement model but within the boundaries of the application.
* Guest Blogger Tom Malta is the Head of Identity and Access Management, Navy Federal Credit Union