
What Is Dynamic Authorization and Why Is It So Critical for Security Resilience

Oren Harel
September 9, 2021

“Security teams should brace for an unsettling and unprecedented year, as we’re on pace to see 40 billion records compromised by the end of 2021.” (threatpost.com)

The security mandate has never been more acute. In 2020, the volume of records that were compromised by breaches increased by 141% to 37 billion. And the damage that is caused by each breach is also growing. According to a 2021 research report from IBM, the average cost of a single data breach rose from $3.86 million to $4.24 million last year, the highest noted during the 17-year history of the report.

At the heart of these breaches is a cyberattack involving unauthorized access to networks, applications, and systems, through which cybercriminals steal data from the organization. Such data can include intellectual property and financial records, as well as sensitive, confidential, or personal customer and user information.

To regulate who can view and access various resources, and ultimately to mitigate the risk of financial and reputational damage, organizations rely on access control solutions. The services these solutions typically provide include centralized authentication, single sign-on (SSO), and session management.

While most organizations today seem relatively adept at the authentication part of access control, especially with the growing proliferation of multifactor authentication, the number of attacks is still rising.

Being good at authentication is important. But, as the numbers show us, authentication alone does not get the job of security done. Resilience cannot be assured by authentication alone.


Why great authentication is not enough

In the access control mix, the goal of authentication, also known as AuthN, is to verify the identity of a user attempting to access data, a network, a system, or a device.

The factors that are most widely used for authentication are:

  • User IDs and passwords, the most common and most basic factor.
  • Two-factor and multifactor authentication, which require two or more factors, such as a biometric factor or a possession factor (e.g., a security token).
  • One-time PINs, which provide one-time access.
  • Biometrics, which grant access based on an eye or fingerprint scan.

While authentication can validate that users are indeed who they say they are, this is just the first step to securing access.

This is where authorization comes in. Following the AuthN nomenclature, authorization is also referred to as AuthZ. It is the process that takes us the last mile of access control by granting (or revoking) a user’s permission to a resource once their identity has been validated.

Once the identity is validated, AuthZ determines whether the user may or may not access certain data or perform certain actions, based on pre-defined controls such as whether they have permission to create, read, edit, or delete a file, execute a program, or retrieve or update information in a database.

As we can see, an environment cannot be truly secure without authorization. When users can prove who they are, we are not yet secure. Only when we know what they can do and prevent them from doing what they can’t and shouldn’t, can we complete the last mile of access control.



The authorization challenge

“But inconsistent or weak authorization protocols can create security holes that need to be identified and plugged as quickly as possible.” (CSOonline)

As we have seen, effective access control must comprise both robust authentication and robust authorization.

When crafting the authorization strategy, it is critical to consider what kind of method will be applied. The typical AuthZ go-to is role-based access control (RBAC). This approach regulates access to applications, services, and data based on organizational functions, or ‘roles,’ such as executive, engineer, finance, and so on. As such, RBAC is not driven by the identity of individual users but by their roles.

With RBAC, users are granted access only to the information necessary for them to carry out their duties effectively. Permissions are granted based on parameters such as responsibility, competency, and authority, and may be limited to specific tasks such as viewing, creating, or modifying a file.

At first glance, the RBAC approach may seem to offer some benefits, such as reduced administrative work and operational efficiency. Seemingly, you define roles, and you’re ready to go.

But unfortunately, this is not the case. Today’s digital enterprise is driven by complex, highly distributed environments with hundreds of applications, many systems, hybrid legacy and cloudified, microservices-driven infrastructures, and hundreds, sometimes even thousands, of roles that are continually changing, with each change requiring the creation of a new access scenario.

It becomes impossible to keep track of ever-evolving assets, to know which user is receiving access to which resources, and to gain the requisite visibility into access risks.

Ultimately, RBAC is a static authorization methodology attempting to control access in a dynamic business and IT environment.

As such, the role-based, static approach no longer suffices.


PBAC-driven dynamic authorization and how it helps to overcome the challenge

The key to overcoming the challenge is the implementation of dynamic authorization, where authorization and access to resources, including the network, applications, data, and any other asset, is granted dynamically, in real time.

And what makes dynamic authorization possible is replacing role-based access control with policy-based access control (PBAC). With this method, roles are combined with policies composed of logical rules that evaluate in real time the level of permissions and privileges that should be granted.

So, as opposed to RBAC, which is driven purely by roles and is therefore neither a real-time nor a dynamic approach, PBAC provides the necessary framework for evaluating what a user can or cannot access based on what can be known about them at any given point in time, including:

  • User-level attributes, such as their current certification level, role and responsibilities, whether they may access confidential and personally identifiable information (PII), and what they are accessing at any given moment.
  • The location the user is authenticating from, including whether it is an internal or an external system.
  • The number of authentication factors in use: single-, two-, or multifactor authentication.
  • The credentials being provided, whether basic, a certificate, a token, or other.
  • The time of day and day of the week at which the user is authenticating.


Role-based access control vs. policy-based access control

  • RBAC statically assigns rules based on the user’s attribute values at the time the role was assigned; PBAC dynamically assigns rules based on the user’s attribute values at any given point in time.
  • RBAC ignores the context of sessions; PBAC considers session context in the evaluation.
  • RBAC cannot identify and enforce access patterns in a unified policy; PBAC identifies and enforces access patterns in a unified policy.
  • RBAC doesn’t combine real-time session information in the evaluation of access control decisions; PBAC combines real-time session information in the evaluation of access control decisions.
  • RBAC performs request-response authorization; PBAC supports continuous authorization.
  • RBAC can’t utilize changing variables when granting access permissions; with PBAC, changes do impact whether access is granted in real time.
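To make the attribute list and the RBAC vs. PBAC comparison above concrete, here is an added example (not code from this post or from any vendor product) of a toy policy decision point. The `RequestContext` fields, the `ledger` resource, the `finance` role and the policy rules are all constructed for illustration; the point is that the same request that a static role check permits is re-evaluated rule by rule against live session attributes.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class RequestContext:  # constructed access request: the post's attributes plus the target
    user: str
    roles: set
    certification_level: int
    network: str        # "internal" or "external"
    auth_factors: int   # 1 = single factor, 2 or more = MFA
    credential: str     # "basic", "certificate" or "token"
    at: str             # ISO 8601 timestamp of the request, e.g. "2021-09-07T10:30"
    resource: str
    action: str

# Static RBAC: the decision depends only on role membership fixed at assignment time.
RBAC_PERMISSIONS = {"finance": {("ledger", "read"), ("ledger", "edit")}}

def rbac_allows(ctx):
    return any((ctx.resource, ctx.action) in RBAC_PERMISSIONS.get(r, set()) for r in ctx.roles)

# PBAC: the role is one input among several; every rule of the applicable policy
# is re-evaluated against the live request context on each decision.
def business_hours(ctx):
    t = datetime.fromisoformat(ctx.at)
    return t.weekday() < 5 and 8 <= t.hour < 18
def trusted_channel(ctx):
    return ctx.network == "internal" or ctx.credential == "certificate"

POLICIES = {
    "ledger-edit": {
        "applies": lambda ctx: (ctx.resource, ctx.action) == ("ledger", "edit"),
        "rules": [("finance role", lambda ctx: "finance" in ctx.roles),
                  ("certification >= 2", lambda ctx: ctx.certification_level >= 2),
                  ("MFA", lambda ctx: ctx.auth_factors >= 2),
                  ("trusted channel", trusted_channel),
                  ("business hours", business_hours)],
    },
    "ledger-read": {
        "applies": lambda ctx: (ctx.resource, ctx.action) == ("ledger", "read"),
        "rules": [("finance role", lambda ctx: "finance" in ctx.roles)],
    },
}

def pbac_decide(ctx):
    """Return (allowed, reason); deny by default when no policy applies."""
    for name, policy in POLICIES.items():
        if policy["applies"](ctx):
            failed = [label for label, rule in policy["rules"] if not rule(ctx)]
            if failed:
                return False, f"{name}: denied by " + ", ".join(failed)
            return True, f"{name}: permit"
    return False, "no applicable policy"
```

The reason string names every failed rule, which is what a reviewer wants in the decision log when a finance user is denied at 02:15 on a Saturday from an external network.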


Ultimately, with PBAC, hundreds and even thousands of roles can be replaced by just a few policies. These policies are managed centrally by the organization for every application and system, through a single pane of glass.

With centralized management, security professionals can easily add or update policies as needed, as well as quickly deploy them.

And since these policies are managed externally, outside the protected application, Gartner calls this approach “Externalized Authorization Management.”

“Externalized authorization management (EAM) provides runtime controls — including policy management, policy enforcement, and decision modeling — for fine-grained authorization to infrastructure, applications, services, transactions and data. EAM is also sometimes referred to as “dynamic authorization.” EAM solutions usually offer a centralized policy server and can implement multiple authorization methodologies, including attribute-based/role-based access control (ABAC/RBAC).” 

(Gartner, Hype Cycle for Application Security, 2021, July 2021, by Analyst(s): Joerg Fritsch).


How to do dynamic authorization right

Today’s organizations need to manage countless access rules that are distributed across multiple repositories, directories, and on the application level. Moreover, roles and assets are constantly changing.

This makes it very difficult to manage and enforce authorization in real time unless you have dynamic authorization capabilities in place.

So, what can the security organization do to make sure it does dynamic authorization right? Stay tuned, we’ll be discussing all the best practices in our next post.

And, in the meantime, to get immediate answers to your authorization questions, we invite you to request a demo.
