Policy Modeling: Build repeatable, scalable, and auditable access controls

Modernizing access control to achieve a Zero Trust strategy, built upon the flexibility and scalability of Orchestrated Authorization.

How we do it

You want to modernize access control so you can implement a Zero Trust security strategy. You’re not alone.

Many organizations wonder how to build policies that not only reflect the right access controls but are also repeatable and scalable.

Policies are the heart of any strong cybersecurity infrastructure. Solid access controls ensure that the right data or processes are accessed at the right time by the right people.

A Zero Trust strategy demands that access controls are continuously verified. How do you balance building repeatable and scalable access controls that are flexible enough to fit the “never trust, always validate” rule of Zero Trust?


Preparing your organization to better predict, prevent, and respond to evolving cybersecurity risks requires more than authorization management software

You need to inform the tools you are using with the right information and models to be successful.

An Orchestrated Authorization model is the foundation for building policy that continuously validates permissions for each user based on a set of attributes defining who, what, when, where, why and how.

Orchestrated Authorization combines the needs of policy translation, policy visualization, integrations, and policy modeling into one coordinated, repeatable and scalable model that supports any organization's complex and demanding requirements.

Policy modeling, as one pillar of the Orchestrated Authorization strategy, takes you through five critical steps that are essential to building, deploying and maintaining policies, and that deliver the fundamental shift needed to modernize access controls.

Policy modeling requires collaboration between different teams


Axiomatics’ approach to policy modeling guides you through five essential steps to achieve a scalable, repeatable access control outcome

Identify authorization maturity

The definition of maturity varies based on every organization’s history with authorization. Within one organization, several different business units or departments could be at varying stages of maturity. It is important to understand these differences and how that impacts desired outcomes.

Requirements gathering

Collect the authorization requirements in natural language from the business source so application owners can ensure policies are translated into formal authorization language.

Identify attributes

Define which attributes will inform the policies as well as the controls. While many organizations have adopted role-based access control (RBAC) policies, modern authorization requires identifying attributes that enable policies to continuously inspect access and bring the right level of context to the policy decision.

Author policies in formal language

Once attributes are defined, the team can begin to model policies, which are often wire-framed across a subject, action and object model. Axiomatics offers organizations the ability to author policies using its policy editor, a visual web interface, or alternatively “as code” using the Abbreviated Language for Authorization (ALFA).

Test policies and deploy

A key part of policy modeling is outlining the capabilities for testing, access reviews and visualization, so that each domain and application can be aligned to its compliance and risk mitigation requirements.

Learn more about how Axiomatics delivers the authorization approach that works for your enterprise

A Practical Guide to Policy Modeling

This practical guide will go through the five steps Axiomatics recommends when developing policies.


Key Considerations: Why maturity is integral to driving authorization strategies forward

Learn what your organization should review to understand how maturity plays a role in driving the shift to a dynamic authorization strategy.


The Role of Orchestrated Authorization in a Cloud-native Environment

Learn how Orchestrated Authorization addresses the needs of the large enterprise, bringing flexibility to authorization deployment.


Frequently asked questions

Why must a policy be dynamic?

A policy must be dynamic to function as the framework for deployment across data platforms, centralizing attribute-based permission information.

How does Orchestrated Authorization help business stakeholders?

Orchestrated Authorization translates business logic from natural language into policies that can then be authored in a formal authorization language that reflects a Zero Trust framework. Basically, the business user defines what type of access is needed, when and why. This natural language is then translated into the domain specific format that policies need.

How is a policy built on the Orchestrated Authorization model different than any other model?

A policy based on Orchestrated Authorization mitigates cybersecurity risks and leads to operational efficiency through the collaboration of business leaders and policy developers. It combines the business requirements of business leaders with the depth and power of an authorization-specific development language, providing the best of both worlds.

Why should policy modellers use the Kipling Method?

If the organization is looking to truly deploy a Zero Trust strategy, then ensuring they are identifying attributes that enable policies to reflect the continuous deep inspection of access is critical. Modeling Zero Trust policies after the Kipling method brings the right level of context to the policy decision: who, what, when, where, why and how. These attributes will serve as the framework for the deployment of policies across domains and applications.

What is the difference between RBAC vs ABAC vs PBAC?

People asking this question are typically looking for ways to improve access controls. These terms refer to different methods used to grant access to information, processes, or systems.

Role-based access control (RBAC) grants access based on a user’s role. This has led to another term in the industry, Role Explosion: essentially, for every permutation of access you need to create a new role, which can become unmanageable for a large organization.

Attribute-based access control (ABAC) refers to attribute-based access controls. If you looked at the “coarse-grained vs. fine-grained” question above, ABAC falls neatly into the fine-grained category; in fact, it is extremely fine-grained. ABAC draws on a multitude of attributes available from identity sources within the organization to evaluate the most complex and specific access control policies. The number of attributes that can be used in defining a policy is limited only by the identity sources available within the company. ABAC-based policy modeling maximizes the ability to be fine-grained, thus mitigating risk exposure for an organization.

Policy-based access control (PBAC) refers to policy-based access controls and combines roles and attributes together. It is a middle-of-the-road option that sits between fine-grained and coarse-grained access offerings.
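The five modeling steps and the ABAC discussion above, carried through as an added ALFA example (this is illustrative code written for this page, not Axiomatics’ own policy; the namespace, attribute ids, the “hospital” requirement and its values are constructed). It shows how one attribute-driven rule covers every department-and-shift combination that RBAC would need a separate role for.

```alfa
// Step 2, requirement in natural language (constructed): "Clinicians may view
// medical records of patients in their own department, during working hours,
// from the hospital network. Nobody else may view records."
namespace example.records {

    // Step 3: attributes answering who, what, which object, where and when.
    // Ids are constructed placeholders; real ones come from your identity sources.
    attribute role         { id = "urn:example:subject:role"         type = string category = subjectCat }
    attribute department   { id = "urn:example:subject:department"   type = string category = subjectCat }
    attribute actionId     { id = "urn:example:action:action-id"     type = string category = actionCat }
    attribute resourceType { id = "urn:example:resource:type"        type = string category = resourceCat }
    attribute recordDept   { id = "urn:example:resource:department"  type = string category = resourceCat }
    attribute network      { id = "urn:example:environment:network"  type = string category = environmentCat }
    attribute currentTime  { id = "urn:example:environment:time"     type = time   category = environmentCat }

    // Step 4: the policy, framed as subject / action / object.
    policy medicalRecords {
        // Scope: only medical records. Other resources are NotApplicable here
        // and fall through to whatever policy set this policy lives in.
        target clause resourceType == "medical-record"
        apply firstApplicable

        rule clinicianOwnDepartment {
            target clause role == "clinician" and actionId == "view"
            // One rule for all departments and shifts: the context travels in
            // attributes instead of in a role per department x shift (role explosion).
            condition department == recordDept
                  and network == "hospital-lan"
                  and currentTime >= "08:00:00":time
                  and currentTime <= "18:00:00":time
            permit
        }

        // Explicit final deny so every decision on records is Permit or Deny,
        // which is what access reviews and audit trails (step 5) expect.
        rule everythingElse {
            deny
        }
    }
}
```

For step 5, the same attribute set doubles as the test matrix: each case is a combination of role, department, network and time, and the expected decision for each is written down before the policy is deployed.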

