Playbook drilldown: Deployment methodology
I know that’s an area where we get a lot of questions, so I wanted to take a deeper dive into the methodology around deploying an authorization solution.
When enterprises first come to us to talk about authorization, they often don’t know where to start. But the organization knows it needs authorization, either in general or for a specific application that is coming to fruition, which is a step in the right direction.
We’ve pulled together a few questions we often ask that identify the core priorities for a policy-driven authorization deployment and/or the ‘low-hanging fruit’ that will give your organization some quick successes as you embark on this endeavor.
1) Are there any new applications that are coming onboard?
Building authorization takes time and effort from developers and isn’t usually part of their core competency.
On average, this takes about four to six weeks of development effort and delays the launch of a new application. Not only does it delay software releases, the resulting authorization code is usually difficult to manage over time and isolated from how other applications manage authorization.
Working with an authorization vendor instead speeds up the time-to-market of new applications while increasing security and performance.
2) Are there attribute-based access control (ABAC) policies within existing applications?
When existing applications each run their own authorization policies, those policies are siloed, which makes it difficult to manage them and to keep them consistent across applications. Some of these applications may be running role-based access control, while others may already be taking advantage of attribute-based access control.
Shifting away from a siloed or isolated approach to authorization can help organizations with auditing, provisioning, and continuous risk evaluation.
Organizations can make this shift by bringing all of those separate ABAC policies into one centralized solution. This gives the organization more control over how access to information is handled for internal and external users.
3) Where are your high-value assets stored and can you define who has access to this data?
This question may not apply to every organization, but many companies have lower-level, day-to-day data that people work on as well as high-value assets which, in the wrong hands, could be disastrous.
In this case, the organization should prioritize which applications get integrated into the authorization solution first. They will want to consider:
- Where are those high-value asset applications or data sets stored?
- How are they controlled right now?
Most often, companies use a coarse-grained approach. This type of access control grants or denies access to a resource based on a single factor, such as a role or an entitlement.
However, the company could benefit from a fine-grained approach to better protect its assets. A fine-grained approach grants or denies access to critical assets, such as resources and data, based on multiple conditions and/or multiple entitlements evaluated against a single data resource.
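The following is an added illustration, not code from the original post or from any vendor product, of the two ideas above: a single centralized policy decision point that every application can call (the alternative to siloed, per-application policies), and the difference between a coarse-grained check that looks at one factor (the caller's role) and a fine-grained ABAC check that requires several subject, resource and environment attributes to line up for a restricted resource. The attribute names (`role`, `department`, `clearance`, `classification`, `owner_dept`, `mfa`) and the sample requests are constructed for the example; the decision also reports which policies matched, which is what an auditor or provisioning review would want to see.

```python
"""Added example: a minimal centralized policy decision point (PDP) comparing a
coarse-grained role check with a fine-grained attribute-based check.
All attribute names and sample requests below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Request:
    subject: Dict[str, object]                          # who is asking (role, department, clearance)
    resource: Dict[str, object]                         # what they want (classification, owner_dept)
    action: str                                         # e.g. "read"
    environment: Dict[str, object] = field(default_factory=dict)  # context, e.g. mfa


Condition = Callable[[Request], bool]


@dataclass
class Policy:
    name: str
    effect: str                 # "permit" or "deny"
    conditions: List[Condition]

    def matches(self, req: Request) -> bool:
        # A policy applies only when every one of its conditions holds.
        return all(cond(req) for cond in self.conditions)


@dataclass
class Decision:
    effect: str                 # final "permit" / "deny"
    matched: List[str]          # names of applicable policies, kept for the audit trail


class PolicyDecisionPoint:
    """One place all applications ask; deny-overrides, default deny."""

    def __init__(self, policies: List[Policy]):
        self.policies = policies

    def decide(self, req: Request) -> Decision:
        applicable = [p for p in self.policies if p.matches(req)]
        names = [p.name for p in applicable]
        if any(p.effect == "deny" for p in applicable):
            return Decision("deny", names)
        if any(p.effect == "permit" for p in applicable):
            return Decision("permit", names)
        return Decision("deny", names)      # nothing applied: default deny


# Ordering of classification / clearance levels (constructed for the example).
LEVEL = {"public": 0, "internal": 1, "restricted": 2}


def has_role(role: str) -> Condition:
    return lambda r: r.subject.get("role") == role


def action_is(action: str) -> Condition:
    return lambda r: r.action == action


def clearance_covers_classification(r: Request) -> bool:
    # Unknown clearance ranks below everything; unknown classification above everything.
    return LEVEL.get(r.subject.get("clearance"), -1) >= LEVEL.get(r.resource.get("classification"), 99)


def same_department(r: Request) -> bool:
    return r.subject.get("department") == r.resource.get("owner_dept")


def mfa_present(r: Request) -> bool:
    return bool(r.environment.get("mfa"))


def not_restricted(r: Request) -> bool:
    return r.resource.get("classification") != "restricted"


# Coarse-grained: a single factor (role) decides; the resource is never inspected.
COARSE_PDP = PolicyDecisionPoint([
    Policy("analysts-may-read", "permit", [has_role("analyst"), action_is("read")]),
])

# Fine-grained: the same role still reads ordinary data, but restricted data
# additionally needs sufficient clearance, the owning department, and MFA.
FINE_PDP = PolicyDecisionPoint([
    Policy("analysts-read-nonrestricted", "permit",
           [has_role("analyst"), action_is("read"), not_restricted]),
    Policy("analysts-read-restricted", "permit",
           [has_role("analyst"), action_is("read"),
            clearance_covers_classification, same_department, mfa_present]),
])


def compare(req: Request) -> Dict[str, str]:
    """Return the coarse and fine decisions side by side for one request."""
    return {"coarse": COARSE_PDP.decide(req).effect, "fine": FINE_PDP.decide(req).effect}


# Constructed sample requests.
ANALYST = {"role": "analyst", "department": "finance", "clearance": "restricted"}
INTERNAL_DOC = Request(ANALYST, {"classification": "internal", "owner_dept": "finance"}, "read")
RESTRICTED_NO_MFA = Request(ANALYST, {"classification": "restricted", "owner_dept": "finance"}, "read", {"mfa": False})
RESTRICTED_MFA = Request(ANALYST, {"classification": "restricted", "owner_dept": "finance"}, "read", {"mfa": True})
OTHER_DEPT = Request({**ANALYST, "department": "marketing"},
                     {"classification": "restricted", "owner_dept": "finance"}, "read", {"mfa": True})

if __name__ == "__main__":
    for label, req in [("internal doc", INTERNAL_DOC), ("restricted, no MFA", RESTRICTED_NO_MFA),
                       ("restricted, MFA", RESTRICTED_MFA), ("restricted, other dept", OTHER_DEPT)]:
        print(f"{label:24s} {compare(req)}  matched={FINE_PDP.decide(req).matched}")
```

The coarse PDP permits all four requests because the caller holds the analyst role; the fine-grained PDP permits the internal document and the fully qualified restricted read, and denies the restricted reads that lack MFA or come from a different department. Because every application calls the same PDP, changing the restricted-data rule is a single policy edit rather than a code change in each application.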
Take the next step
Download a copy of our State of Authorization: Playbook Edition to use as a reference guide. It is a helpful resource if you want to get the lay of the land so you can feel more informed and confident as you embark on your authorization project.
Want to get into more detail about your specific project? Our team of solutions experts is ready to help you take a pragmatic look at what a rollout would look like for your situation.