
It’s time to take a holistic approach to cybersecurity by rethinking policies

Solving cybersecurity threats shouldn’t be seen as discrete. Rather it is important to take a holistic approach to achieve the overall result of cybersecurity.

Trying to solve cybersecurity threats shouldn’t be treated as a set of discrete problems. Most often, enterprises pick a point solution like a firewall that solves only one specific issue within the overall problem. Instead, it is important to take a holistic view of which products an organization combines to achieve the overall result of cybersecurity.

Let’s take a deeper dive into this topic.

Let’s rethink how we approach policies

Organizations can rethink their approach to cybersecurity by writing down simple policies in plain English. This makes the security goals easier to state and helps clarify what should or shouldn’t happen in a given scenario. To do this, you want to move away from the role-based access control (RBAC) mindset, where one considers only artificial roles and groups rather than the full set of available attributes; in particular, do not turn this into a role engineering exercise.

When goals and configuration are written as policies in simple English, it makes it easier to digest the policies into actionable items and helps professionals understand all the tools available to them in the cybersecurity and identity and access management (IAM) realms. Some of the tools may be user directories, identity management products, authorization products and so forth.

But at the end of the day, it is a matter of maintaining a higher-level policy before digesting or translating it into different parts. The high level policies are the ones that the C-levels care about and establish. The high level policies are the ones the business will be measured against. These are the same policies that will be used in a disaster recovery plan. What matters is being able to digest the policies into actionable configuration in your cybersecurity products.

Clear requirements naturally lead to strong policies

When looking at your overall cybersecurity strategy, it is important to identify how components work together and what they achieve. Does your authorization solution allow for policy as a means of configuration? If so, let’s look at the policy lifecycle: there is a stage that identifies what the policy is and which other policies it may apply to. This helps identify who is responsible for each part of the policy and how the different parts will be implemented in different tools.

Creating a clear policy is only one part of the lifecycle. The other part is reporting back on the policy once it has been implemented. For example if a part of the policy has to do with API authorization, how do you report back that the API gateway and authorization engine have been configured correctly? And how do you keep track of configuration maintained on the API gateway and PDP?

If we take a policy-based approach and adopt an externalized authorization architecture, we gain the opportunity to collect rich audit logs that act as a trail of all the access that was granted or denied. It then becomes extremely easy to prove that the technical policies comply with the original high-level policies.
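The following is an added example, not code from the original post or from any product, showing what the paragraphs above describe in miniature: an externalized policy decision point that evaluates attribute-based rules (not roles), tags every decision with the plain-English, high-level policy it implements, and reports back on which policies drove decisions. The rule texts, attribute names and log format are constructed for illustration.

```python
"""Minimal externalized PDP with a compliance-oriented audit trail.
Rules are attribute-based conditions, each tied to a high-level policy id."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Rule:
    policy_id: str                     # id of the C-level, plain-English policy
    text: str                          # the policy as written in plain English
    applies: Callable[[dict], bool]    # attribute condition (constructed)
    effect: str                        # "Permit" or "Deny"


# Constructed rules: attributes of subject, resource and device, no artificial roles.
RULES: List[Rule] = [
    Rule("HR-01", "Managers may view records of employees in their own department",
         lambda a: a.get("action") == "view"
         and a.get("subject.department") == a.get("resource.department")
         and bool(a.get("subject.is_manager")), "Permit"),
    Rule("SEC-02", "Nobody may access payroll data from an unmanaged device",
         lambda a: a.get("resource.type") == "payroll"
         and not a.get("device.managed", False), "Deny"),
]


@dataclass
class PDP:
    audit_log: List[dict] = field(default_factory=list)

    def decide(self, attrs: dict) -> str:
        """Deny-overrides combining: any matching Deny wins; otherwise a matching
        Permit; with no applicable rule the default is Deny."""
        decision, matched = "Deny", []
        for rule in RULES:
            if rule.applies(attrs):
                matched.append(rule.policy_id)
                if rule.effect == "Deny":
                    decision = "Deny"
                    break
                decision = "Permit"
        # Every decision is logged with the high-level policies that produced it.
        self.audit_log.append({"subject": attrs.get("subject.id"), "action": attrs.get("action"),
                               "resource": attrs.get("resource.id"), "decision": decision,
                               "policies": matched})
        return decision


def policy_report(log: List[dict]) -> Dict[str, int]:
    """Reporting back: how often each high-level policy drove a decision."""
    counts: Dict[str, int] = {}
    for entry in log:
        for pid in entry["policies"]:
            counts[pid] = counts.get(pid, 0) + 1
    return counts
```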

Gain more knowledge on rethinking policies

Ready to start rethinking how your organization does policies? Download our State of Authorization: Playbook Edition, which looks at creating policies and each step of the policy lifecycle.


About the author

As Chief Technology Officer, David has experience leading the design and development of Salesforce’s identity offering including customer identity and access management (CIAM). He is a founding member of IDPro, a co-author of the OASIS XACML standard, and an expert on standard-based authorization as part of an overall IAM implementation.