Externalized Architecture: Confidently scale authorization policies

A modern approach to authorization and access control by centralizing your policy service using our dynamic authorization solution.

Deliver policies across the full application stack, from front-end to database

As security and identity teams set goals for a Zero Trust strategy, they quickly realize that architectures which require custom authorization development for every application are neither scalable nor secure: each application carries its own copy of the access rules, and each copy must be audited and changed separately.

This led to the emergence of an externalized authorization architecture, which has gained significant traction by letting enterprises decouple business applications from authorization policies. Instead of hard-coding individual authorization rules in each application, authorization is expressed as configuration managed through a centralized policy service and consulted by the application at runtime.

Policies are then written in a modern policy framework built on an attribute-based access control (ABAC) strategy, and application development teams get out-of-the-box editors and policy-as-code tooling for creating them.

Axiomatics externalized architecture policy workflow chart

Runtime authorization intelligent architecture

Policy Administration Point (PAP)

Author policies through a web-based tool or “as code” using the Abbreviated Language for Authorization (ALFA), which is beneficial for your development and DevOps teams.

Policy Information Points (PIP)

At the core of an attribute-based access control (ABAC) policy is its dependence on attributes, and the sources that supply them are referred to as Policy Information Points (PIPs). Attributes may be served by other vendors in the identity ecosystem (e.g. user, roles) or the security ecosystem (e.g. risk, classification), or they may be custom attributes drawn from an organization’s internal database.

Axiomatics provides a number of out-of-the-box connectors (e.g. HTTP/REST, LDAP), making attribute integrations both seamless and extensible.

Policy Decision Point (PDP)

After policies are authored in the PAP, they are deployed to the Policy Decision Point (PDP).

The PDP is an authorization service that uses policies and attribute data (PIP) to make decisions about whether an attempted resource access should be permitted or denied. The PDP is provided as a REST/JSON-based microservice built with cloud-native principles.

Policy Enforcement Point (PEP)

Enforcement is performed by Policy Enforcement Points (PEPs), which are by nature environment-specific: their job is to intercept attempts to access a resource, so a PEP must be relatively tightly coupled to the resource it protects. The PEP never evaluates policy itself; it asks the PDP and acts on the answer, treating anything other than an explicit permit as a denial.

Authorization decisions are externalized from applications and support microservices architectures

Depending on the application and subsequent resource type targeted, the externalized authorization architecture will vary (e.g. microservices sidecar PDP) and is adaptable, ensuring it meets modern deployment models driven by DevSecOps.

Axiomatics externalized authorization workflow
  1. View record #123
  2. Can Alice view record #123
  3. Evaluate policies
  4. Retrieve additional attributes as needed
  5. Permit, Alice can view record #123
  6. View record #123
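The six-step flow above, as an added example that is not part of the original page and not Axiomatics' product code or API. It models the three runtime components as small Python classes: a PIP that serves attributes from constructed sample stores, a PDP that evaluates policy rules with deny-overrides combining, and a PEP that wraps the record resource and fails closed on anything but an explicit Permit. The users, records, rule names and the "classification"/"clearance" attributes are assumptions chosen for the example.

```python
"""Illustration of the PEP -> PDP -> PIP request flow (example code written
for this page; not Axiomatics' product, policy language or API)."""
from dataclasses import dataclass
from typing import Callable

# --- Policy Information Points: attribute sources queried on demand ---------
# Constructed stand-ins for an identity store and an application database.
USERS = {
    "alice": {"department": "claims", "clearance": 2},
    "bob":   {"department": "sales",  "clearance": 1},
}
RECORDS = {
    "123": {"owner": "alice", "department": "claims", "classification": 2},
    "456": {"owner": "carol", "department": "legal",  "classification": 3},
    "789": {"owner": "alice", "department": "legal",  "classification": 3},
}


class PIP:
    """One attribute source per category; adding a source means adding a connector."""

    def __init__(self, sources: dict[str, dict]):
        self.sources = sources

    def attributes(self, category: str, key: str) -> dict:
        # An unknown subject or resource yields no attributes. Rules that need
        # them then fail to evaluate, which the PDP reports as Indeterminate.
        return dict(self.sources[category].get(key, {}))


# --- Policy: configuration the PAP would author, kept out of the application --
@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                                   # "Permit" or "Deny"
    condition: Callable[[dict, dict, str], bool]  # (subject, resource, action)


VIEW_RECORDS = [
    Rule("owner-may-view", "Permit",
         lambda s, r, a: a == "view" and r["owner"] == s["id"]),
    Rule("department-clearance", "Permit",
         lambda s, r, a: a == "view" and r["department"] == s["department"]
         and s["clearance"] >= r["classification"]),
    # Restricted records are off-limits outside legal, even to their owner.
    Rule("restricted-outside-legal", "Deny",
         lambda s, r, a: r["classification"] >= 3 and s["department"] != "legal"),
]


class PDP:
    """Evaluates rules against PIP attributes with deny-overrides combining:
    Deny > Indeterminate > Permit > NotApplicable."""

    def __init__(self, rules: list[Rule], pip: PIP):
        self.rules, self.pip = rules, pip

    def decide(self, subject_id: str, action: str, resource_id: str) -> str:
        # Step 4 of the flow: fetch attributes for the subject and resource.
        subject = {"id": subject_id, **self.pip.attributes("subject", subject_id)}
        resource = {"id": resource_id, **self.pip.attributes("resource", resource_id)}
        outcomes = set()
        for rule in self.rules:                      # step 3: evaluate policies
            try:
                if rule.condition(subject, resource, action):
                    outcomes.add(rule.effect)
            except (KeyError, TypeError):
                outcomes.add("Indeterminate")        # missing attribute: never permit
        for verdict in ("Deny", "Indeterminate", "Permit"):
            if verdict in outcomes:
                return verdict
        return "NotApplicable"


class PEP:
    """Environment-specific: sits in front of the record store and asks the PDP
    before serving anything (steps 2 and 5/6 of the flow)."""

    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def view_record(self, user: str, record_id: str) -> dict:
        decision = self.pdp.decide(user, "view", record_id)
        if decision != "Permit":                     # fail closed on every other answer
            raise PermissionError(f"{decision}: {user} may not view record #{record_id}")
        return RECORDS[record_id]


def build_pep() -> PEP:
    """Wire the three components together for the sample stores above."""
    return PEP(PDP(VIEW_RECORDS, PIP({"subject": USERS, "resource": RECORDS})))


if __name__ == "__main__":
    pep = build_pep()
    print(pep.view_record("alice", "123"))          # step 1: "View record #123"
```

Note that the application code in `PEP.view_record` contains no access rule at all; changing who may see restricted records means editing `VIEW_RECORDS` (the PAP's job) and redeploying it to the PDP, not touching the application. The Indeterminate path matters in practice: if a PIP is unreachable or returns nothing, the safe behaviour is to deny, not to let a rule silently evaluate as a permit.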

How our externalized authorization approach works for applications

There is security and operational value to be realized when you take the steps to externalize authorization from your applications.

This brief video explains the basics of the request flow when leveraging an Externalized Authorization model to enforce your policies.

Learn more about how Axiomatics delivers the authorization approach that works for your enterprise

KuppingerCole Market Compass Report: Policy Based Access Management

We are pleased to be featured in this report and believe this research validates our view of the authorization space and the value we bring to customers.

Learn more

A practical guide to implementing Orchestrated Authorization in three phases of growth

Get started implementing a targeted growth model & enable identity teams to deliver against specific outcomes prior to wider implementation.

Learn more

The Role of Orchestrated Authorization in a Cloud-native Environment

Learn how Orchestrated Authorization addresses the needs of the large enterprise, bringing flexibility to authorization deployment.

Learn more

Modernize your authorization strategy with a trusted leader

Meet with our experts to see why businesses worldwide choose Axiomatics for their access control needs.

Contact us