The goal of risk management is improvement. If it fails to propel necessary change the effort is in vain. IT infrastructures are complex and diverse. Identified risks will often impact multiple systems. Risk treatment is difficult since existing technologies usually lack suitable "hooks" for efficient risk mitigation. This is why extensible authorization makes a difference. It manages access controls via policies from a central point. Extending policies to evaluate risk factors at run-time, means building risk intelligence. Continuous policy maintenance thus provides suitable risk management "hooks" for all the managed applications.    

Access control as an integral part of risk management

Information security management has its focus on the confidentiality, integrity and availability of information. All of these aspects relate to access control. If unauthorized access can not be prevented, confidentiality and integrity is at stake. If authorized access cannot be provided, availability is at stake.

When new risks are identified, you will therefore typically need to update your access control models. If the technology used does not easily allow change, risk mitigation will be delayed and costly.

eXtensible authorization from Axiomatics uses centrally maintained policies that enforce access control across multiple applications and systems. Furthermore, the policies use a rich and expressive language in which practically any risk situation can be captured.

The extensible authorization model therefore becomes an integral part of the risk management process. Output from risk analysis serves as immediate input for policy management and risk treatment. This simplifies management, minimizes gaps and reduces costs for risk mitigation.