As security and identity teams set goals for a Zero Trust strategy, they quickly realize architectures promoting custom authorization development for every application are neither scalable or secure.
This led to the emergence of an externalized authorization architecture that has gained significant traction, enabling enterprises to decouple business applications from authorization policies. This means instead of hard coding individual authorization rules per application, authorization is expressed as configuration through a centralized policy service.
This ensures policies are created based on a modern policy framework, leveraging an attribute-based access control (ABAC) strategy, while also offering application development teams out-of-the-box editors and policy-as-code solutions for creating authorization policies.
Author policies through a web-based tool or “as code” using the Abbreviated Language for Authorization (ALFA), which is beneficial for your development and DevOps teams.
At the core of an attribute-based access control (ABAC) policy is the connection to attributes, also referred to as Policy Information Points (PIPs). Attributes may be served from other vendors in the identity (e.g. user, roles) or security (e.g. risk, classification) ecosystem or even be custom attributes from an organization’s internal database.
Axiomatics provides a number of out-of-the-box connectors (e.g. HTTP/Rest, LDAP), making integrations with attributes both seamless and extendable.
After policies are created from the PAP, policies are deployed to the Policy Decision Point (PDP).
The PDP is an authorization service that uses policies and attribute data (PIP) to make decisions about whether an attempted resource access should be permitted or denied. The PDP is provided as a REST/JSON-based microservice built with cloud-native principles.
Enforcement is done in the architecture by Policy Enforcement Points (PEP), which by their nature must be environment-specific as it is their job to intercept attempts to access a resource.
This means the enforcement point must be relatively tightly coupled to the resource it is protecting.
Depending on the application and subsequent resource type targeted, the externalized authorization architecture will vary (e.g. microservices sidecar PDP) and is adaptable, ensuring it meets modern deployment models driven by DevSecOps.
There is security and operational value you realized when you take the steps to externalization authorization from your applications.
This brief video explains the basics of the request flow when leveraging an Externalized Authorization model to enforce your policies.
Meet with our experts to see why businesses worldwide choose Axiomatics for their access control needs.Contact us