Confidently scale authorization policies across your organization with externalized architecture
A modern approach to authorization and access control by centralizing your policy service using our dynamic authorization solution.
Deliver policies across the full application stack
from front-end to database
As security and identity teams set goals for a Zero Trust strategy, they quickly realize architectures promoting custom authorization development for every application are neither scalable or secure.
This led to the emergence of an externalized authorization architecture that has gained significant traction, enabling enterprises to decouple business applications from authorization policies. This means instead of hard coding individual authorization rules per application, authorization is expressed as configuration through a centralized policy service.
This ensures policies are created based on a modern policy framework, leveraging an attribute-based access control (ABAC) strategy, while also offering application development teams out-of-the-box editors and policy-as-code solutions for creating authorization policies.
Runtime authorization intelligent architecture
Policy Administration Point (PAP)
Author policies through a web-based tool or “as code” using the Abbreviated Language for Authorization (ALFA), which is beneficial for your development and DevOps teams.
Policy Information Points (PIP)
At the core of an attribute-based access control (ABAC) policy is the connection to attributes, also referred to as Policy Information Points (PIPs). Attributes may be served from other vendors in the identity (e.g. user, roles) or security (e.g. risk, classification) ecosystem or even be custom attributes from an organization’s internal database.
Axiomatics provides a number of out-of-the-box connectors (e.g. HTTP/Rest, LDAP), making integrations with attributes both seamless and extendable.
Policy Decision Point (PDP)
After policies are created from the PAP, policies are deployed to the Policy Decision Point (PDP).
The PDP is an authorization service that uses policies and attribute data (PIP) to make decisions about whether an attempted resource access should be permitted or denied. The PDP is provided as a REST/JSON-based microservice built with cloud-native principles.
Policy Enforcement Point (PEP)
Enforcement is done in the architecture by Policy Enforcement Points (PEP), which by their nature must be environment-specific as it is their job to intercept attempts to access a resource.
This means the enforcement point must be relatively tightly coupled to the resource it is protecting.
Authorization decisions are externalized from
applications and support microservices architectures
Depending on the application and subsequent resource type targeted, the externalized authorization architecture will vary (e.g. microservices sidecar PDP) and is adaptable, ensuring it meets modern deployment models driven by DevSecOps.
- View record #123
- Can Alice view record #123
- Evaluate policies
- Retrieve additional attributes as needed
- Permit, Alice can view record #123
- View record #123
How our externalized authorization approach works for applications
There is security and operational value you realized when you take the steps to externalization authorization from your applications.
This brief video explains the basics of the request flow when leveraging an Externalized Authorization model to enforce your policies.
Let's show you a demo and take the next leap in your authorization journey
Meet with us and see how our award-winning solution can help you meet today's access control and Zero Trust needs.
Request a demo