Connecting ABAC to identity governance and administration to extend access control capabilities

Enterprises need an approach to improve synergies between existing IAM technologies.

facial recognition - biometric security identification - binary face

As applications, data and infrastructure continue moving into the cloud, the need for authorization of users to have the right access at the right time increases as well. The new enterprise is a hybrid of cloud and on-premise deployments all requiring a vetted, comprehensive and scalable access control model.

Within this changing climate, IT teams are overloaded with provisioning and deprovisioning, permissions management and pressure to easily audit and report on compliance. Access control automation is needed - and the access control solution needs to scale as the business grows.

As a first line of defense to effectively and efficiently control access to applications and data, organizations are turning toward identity governance and administration (IGA) to support both enterprise security and regulatory compliance. By leveraging IGA tools, access control is managed at administration time by automating the user provisioning and de-provisioning process.

The next line of defense is the run-time authorization service, which ideally uses an attribute and policy-based approach to enforce access rules on APIs, microservice and data services. Let’s explore how these two technologies can work in concert to uncover hidden value for enterprise customers.

Securing access to information with identity governance and administration

IGA uses a risk-based approach that streamlines the orchestration of user identity management and access control. The core functionality determines who has access to what data and/or workloads, what this access allows (what type of data, infrastructure or business functions), and makes usage/activity and policy-based risk decisions that are passed along with access decisions.

Similar to other identity and access management (IAM) technologies, IGA allows organizations to define, review, enforce and examine IAM policies, but it goes one step further. It also allows organizations to comply with regulatory mandates to simplify the auditing process for user access rights to support regulatory compliance reporting.

The common phrase that “Identity is the New Perimeter” is at the core of IGA. We’re seeing more hybrid IT scenarios as enterprises migrate assets and workloads to the cloud, and the user’s identity can be used to ensure access control is scalable, flexible and most of all, elastic.

IGA can help organizations solve a wide variety of challenges such as detecting unnecessary access rights that have been granted, the protection of valuable customer data and automation of critical IAM workloads. However, IGA relies on administrative time access control, meaning it focuses on the identity of the user and their role within the organization. At runtime, access control must be the domain of an Attribute Based Access Control (ABAC) system - which is both dynamic and externalized.

Implementing runtime access rules with Attribute Based Access Control

Also known as dynamic authorization, ABAC is a policy-based approach to ensure all users can only access and manage data they are authorized to see under the right circumstances based on business rules and regulatory compliance; it can also take into consideration unique policies of each business unit. Attributes are to create the access control policies that help define explicit scenarios in which access should be granted or denied - attributes themselves provide information about who, what, when, where, why, and most important, how. This provides the dimension of context which ensures the most accurate access control in even the most complex use cases.

This model is also unique in that it is standards-based, using a rich policy language (eXtensible Access Control Markup Language - XACML) to log different policies and rules. This framework enables explicit policies allowing for many distinct inputs into an access control decision, providing an extensive set of possible combinations of those variables to reflect a broad set of possible rules, policies or restrictions on access. ABAC is externalized from the IT layers it protects (applications, data stores, APIs) so the code is decoupled from the security logic that is maintained, externalizing the management and visibility into a single view, and allowing policies to be written once, and deployed enterprise-wide. This is all done at runtime and when combined with IGA, it provides the level of service required by organizations in today’s digital environment.

Combining IAM technologies to uncover hidden value and create comprehensive access control

Deriving the most value from IAM components like IGA and ABAC is the most beneficial when organizations take advantage of valuable synergies between the two technologies. Since IGA helps manage access control at administration, it sets the access control baseline for risk-based identity management and coarse-grained access control to support regulatory compliance and automation needs. ABAC can then consume that information and combine it with attributes to make dynamic runtime decisions that are fine-grained.

When these technologies are deployed in concert, organizations enhance their access control model to better serve their customers and realize a plethora of benefits including:

  • An enhanced access control model to minimize the risk of a breach and enhance the customer experience.
  • Improved visibility and transparency of the access control model to easily streamline access control decisions across the entire enterprise.
  • Simplified coordination of functions between IGA and ABAC technologies to make enterprise systems more efficient to deploy and manage.

IGA should be every organizations backbone to their identity management and access control model to help support regulatory compliance and IT security. However, IGA alone isn’t enough for more complicated access control use cases. The combination of administrative access control with IGA and runtime access control with ABAC is a powerful way to ensure precise user access control and the protection of critical assets and workloads even under the most complex access control circumstances.

Copyright © 2018 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.