You want to modernize access control so you can implement a Zero Trust security strategy. You’re not alone.
Many organizations wonder how to build policies that not only reflect the right access controls but are also repeatable and scalable.
Policies are the heart of any strong cybersecurity infrastructure. Solid access controls ensure that the right data or processes are accessed at the right time by the right people.
A Zero Trust strategy demands that access controls are continuously verified. How do you balance building repeatable and scalable access controls that are flexible enough to fit the “never trust, always validate” rule of Zero Trust?
You need to inform the tools you are using with the right information and models to be successful.
An Orchestrated Authorization model is the foundation for building policy that continuously validates permissions for each user based on a set of attributes defining who, what, when, where, why and how.
Orchestrated Authorization combines the needs of policy translation, policy visualization, integrations, and policy modeling into one coordinated, repeatable and scalable model that supports any organization's complex and demanding requirements.
Policy modeling, one pillar of the Orchestrated Authorization strategy, takes you through five critical steps that are essential to building, deploying and maintaining policies that provide the fundamental shift needed to modernize access controls.
The definition of maturity varies based on every organization’s history with authorization. Within one organization, several different business units or departments could be at varying stages of maturity. It is important to understand these differences and how that impacts desired outcomes.
Collect the authorization requirements in natural language from the business source so application owners can ensure policies are translated into formal authorization language.
Define what attributes will inform the policies as well as the controls. While many organizations have adopted policies inspired by role-based access control (RBAC), modern authorization requires identifying attributes that let policies continuously inspect access and bring the right level of context to the policy decision.
Once attributes are defined, the team can begin to model policies, which are often wire-framed across a subject, action and object model. Axiomatics offers organizations the ability to author policies using its policy editor, a visual web interface, or alternatively "as code" using the Abbreviated Language for Authorization (ALFA).
A key part of policy modeling is outlining the capabilities for testing, access reviews and visualization, so that policies align with compliance and risk-mitigation requirements for each domain and application.
A policy must be dynamic to function as the framework for deployment across data platforms by centralizing attribute-based permission information.
Orchestrated Authorization translates business logic from natural language into policies that can then be authored in a formal authorization language that reflects a Zero Trust framework. Basically, the business user defines what type of access is needed, when and why. This natural language is then translated into the domain specific format that policies need.
A policy based on Orchestrated Authorization mitigates cybersecurity risks and leads to operational efficiency with the collaboration of business leaders and policy developers. It combines the business requirements of business leaders with the depth and power of authorization-specific development language which provides the best of both worlds.
If the organization is looking to truly deploy a Zero Trust strategy, then ensuring they are identifying attributes that enable policies to reflect the continuous deep inspection of access is critical. Modeling Zero Trust policies after the Kipling method brings the right level of context to the policy decision: who, what, when, where, why and how. These attributes will serve as the framework for the deployment of policies across domains and applications.
People asking this question are typically looking for ways to improve access controls. RBAC, ABAC and PBAC refer to different methods used to grant access to information, processes, or systems.
Role-based access control (RBAC) grants access based on a user's role, which has led to another term in the industry: Role Explosion. Essentially, for every permutation of access you need to create a new role, and this can become unwieldy for a large organization to manage.
Attribute-based access control (ABAC) refers to attribute-based access controls. If you looked at the "coarse-grained vs. fine-grained" question above, ABAC falls neatly into the fine-grained category. In fact, it is super fine-grained. ABAC draws on a multitude of attributes available from identity sources within the organization to evaluate the most complex and specific access control policies. The number of attributes that can be used in defining a policy is limited only by the identity sources available within the company. ABAC-based policy modeling maximizes the ability to be fine-grained, thus mitigating risk exposure for an organization.
Policy-based access control (PBAC) refers to policy-based access controls and combines roles and attributes together. It is a middle-of-the-road option that sits between fine-grained and coarse-grained access offerings.
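As an added example (not code from this post or from Axiomatics), the subject/action/object model described earlier, evaluated in Python over the who/what/when/where/why/how attributes, with a helper that counts the roles an RBAC model would need to express the same combinations. The hospital scenario, attribute names and rules are constructed for illustration.

```python
from datetime import time
from itertools import product

# Each rule is (target predicate over the request, effect). A request carries the
# Kipling attributes as subject / action / resource / environment dictionaries.
# This policy is constructed for illustration; it is not an Axiomatics policy.
POLICY = [
    # who + what: clinicians may read records belonging to their own department
    (lambda r: r["action"] == "read"
               and r["subject"]["role"] == "clinician"
               and r["subject"]["department"] == r["resource"]["department"], "permit"),
    # when: writes are refused outside 08:00-18:00
    (lambda r: r["action"] == "write"
               and not time(8) <= r["env"]["time"] < time(18), "deny"),
    # where: high-sensitivity records are only reachable from the corporate network
    (lambda r: r["resource"]["sensitivity"] == "high"
               and r["env"]["network"] != "corp", "deny"),
    # why + how: an emergency purpose plus MFA permits a read across departments
    (lambda r: r["action"] == "read"
               and r["env"]["purpose"] == "emergency"
               and r["env"]["auth_strength"] == "mfa", "permit"),
]

def make_request(role, dept, action, res_dept, sensitivity, hour, network,
                 purpose="treatment", auth_strength="password"):
    """Build a request from the who/what/when/where/why/how attributes."""
    return {"subject": {"role": role, "department": dept},
            "action": action,
            "resource": {"department": res_dept, "sensitivity": sensitivity},
            "env": {"time": time(hour), "network": network,
                    "purpose": purpose, "auth_strength": auth_strength}}

def evaluate(policy, request):
    """Deny-overrides combining: a matching deny wins, then a matching permit,
    and a request that no rule targets falls through to the default deny."""
    effects = {effect for target, effect in policy if target(request)}
    if "deny" in effects:
        return "deny"
    return "permit" if "permit" in effects else "deny"

def rbac_roles_needed(*dimensions):
    """Distinct roles an RBAC model needs to express every combination of the
    given attribute values, i.e. the role explosion the attribute rules avoid."""
    return len(list(product(*dimensions)))
```

Four attribute rules cover every combination of role, department, sensitivity, time and network here, whereas `rbac_roles_needed` shows the role count growing multiplicatively with each new attribute dimension.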