What is
Authorization?

Identity and Access Management
(IAM) comprises four areas of
network technology:

Authentication

Ensures that only valid
users enter a system

Authorization

Ensures that authenticated
users access only what they
are supposed to

User Management

Provides provisioning and
related services

Directory Services

Maps access rights properly
to all applications

Authorization is an essential part of an enterprise’s IAM solution
As a company’s “gatekeeper” Authorization is the process that determines which employees can access which company data. Advanced, fine-grained authorization solutions can apply policies to further limit authorization by factors such as time of day or user location.

Authorization is often confused with authentication, but they play very different roles in corporate and organizational networks. Authentication is verifying that someone is whom they claim to be. This is usually done by supplying a username and password. Authorization is about determining what data or resources (software, files, etc.) an authenticated user can access.

Consider the case of a salesperson and a programmer. Authentication is used to confirm that each is a valid user and that each is whom they claim to be. Authorization is used to ensure that the programmer can see all of the company’s development files, while the salesperson can see only their business files, and that neither can see the other’s files.

Authorization solutions vary with company size and hierarchy, as well with other factors such as privacy or security issues Today’s solutions for large companies base Authorization
on one of the following:

Users work
responsibilities (roles)

Conditions such as a users location
or the Owe of day when the request
is made (attributes)

Rules based on a
combination of the above

Authorization has become more complex in the past few years due to the advent of the cloud and mobility. Some of these complexities include:

  • Removing the distinction between “internal” and “external” data and resources that was so basic to previous IAM concepts, especially in the area of Authorization
  • The surge in the number and variety of wireless devices has made dynamic, fine-grained Authorization essential for enterprises and SaaS businesses
  • SaaS and partner apps that do not synchronize often enough do not catch changes in status changes that should affect access rights

The Fundamentals
of Authorization

Authorization is about determining which
users can access which data or
resources. To do that effectively, good solutions support the following:

Administration

Decision Making

Enforcement

Administration

Administration is about planning and controlling business decisions. “Administration” is usually associated with logistics and efficiency, but Authorization itself is a business decision since it determines who has access to a company’s data and other intellectual property.

To support effective administration, an Authorization platform must include:

Network visibility
Seeing an users and resources is the first step in setting access management policy

 

Analysis of the solution’s decisions
Understanding why the platform allows or denies access will help fine-tune it

A testing environment
Supports checking and refining the solution

Governance
Ensures that Authorization decisions are certified and recertified in accordance with general IAM principles and

Decision Making

Authorization software must support the policies a company has in mind. For example, a company wants to create a rule that marketing personnel can access certain files only during office hours. Therefore, the company needs a solution that supports using time of day as input for an Authorization decision.

To support effective decision making, an Authorization platform must include:

Flexible Data Module
Ability to support a variety of Authorization standards and languages with the desired granularity

Graph Database
An interface that enables a user to create and modify policies in real-time without writing any code

Enforcement

Enforcement in this context means the ability to implement Authorization policies across an entire enterprise. This means active access governance by management to coordinate the efforts of all units that are responsible for Authorization to “ensure compliance in a consistent, efficient and effective manner: in the words of the Identity Management Institute. Otherwise, access policies may inadvertently vary between units of the enterprise, which could weaken security or interfere with cooperation between members of different units.

Ideally, all Authorization rules or policies should be written in standard languages such as eXtensible Access Control Markup Language (XACML) and Open Authorization (OAuth)

 

Flexible Data Module
Ability to support a variety of Authorization standards and languages with the desired granularity

Smart Decisions
Dynamic, context-aware access decisions give more options than ones based on static roles or policies that cannot vary with circumstances

Graph Database
An interface that enables a user to create and modify policies in real-time without writing any code

Access Control
Lists (ACLs)

Role-Based Access
Control (RBAC)

Attribute-Based Access
Control (ABAC)

Access Control Lists (ACLs)     

Access Control Lists (ACLs) are the oldest approach to Authorization. With ACLs, an administrator matches users to resources on a one-to-one basis.

Because only one characteristic, username, is used in Authorization decisions, ACLs provide coarse-grained Authorization.

Pros

  • ACLs offer the most precise matching of users to resources

Cons

  • Extremely cumbersome and mistake-prone
  • Every change (adding or removing a user, adding a resource, etc) requires manual adjustments

Example of Limitations

  • In a hospital, ACLs are used to give cardiology nurses access
    to the records specific patients. If these nurses are now added to the ICU, they will need access to the records of all ICU patients. Manually changing

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) involves creating roles, assigning them permission sets, and then assigning users to the roles. This approach is much more efficient than ACLs: assigning a user a role automatically gives them the correct access rights for all resources. Likewise, adding or removing a resource to a role ensures that the change is effective for all users with that role.

Because only one characteristic, role, is used in Authorization decisions, RBAC provides coarse-grained Authorization. eristic, role, is used in Authorization decisions, RBAC provides coarse-grained Authorization.

Pros

  • More efficient than ACES
  • Precise enough for companies with
    clearly defined roles that never vary with the circumstances

Cons

  • Static — a user’s access rights cannot vary with the circumstances
  • Maintaining roles takes time
  • Maintenance cost: Whenever a new resource is added to a network every role must be updated to include it.
  • RBAC solutions often suffer from ‘role explosion”, the creation of many roles that vary by only one or two permissions out of dozens
  • Maintenance cost: Whenever a new resource is added to a network every role must be updated to include it. Likewise, creating new roles is time-intensive, as is managing users.
  • prevents a user from legitimately accessing files that were not associated with their role when it was defined

Example of Limitations

  • In companies that permit users to have more than one role, users often acquire more permissions as they switch positions. This is called ‘access creep’ and increases a company’s risk.

Attribute-Based Access Control (ABAC)

Attribute-Based Access Control (ABAC) does not use roles. Instead, it uses multiple characteristics or attributes, such as a user’s location or the time of day to determine whether or not to allow access to a resource. For example, an ABAC solution might grant an employee access to a sensitive document during work hours, but not at 2 AM.

Because it can base Authorization decisions on multiple factors, including time of day, ABAC is a “fine-grained” access management solution that works at run-time.

Pros

Cons

  • Greater flexibility of Authorization logic leads to greater software complexity
  • Fairly difficult to implement without using an External Access Management (EAM) solution

Example of Limitations

Beyond ACLs, RBAC, and ABAC

Despite the strengths of these Authorization methods, we can see that they have important limitations. Because it can base Authorization decisions on multiple factors, including time of day, ABAC is a “fine-grained” access management solution that works at run-time.

  • None support creating universal policies when needed. Although using attributes has many advantages, including the ability to create fine-grained policies, ABAC lacks the means to create and enforce the kind of universal policies enterprises often need.
  • These methods involve complex code, so IT often ends up being in charge of Authorization. Authorization decisions should really be made by management, since they affect a company’s Intellectual Property. Therefore, an Authorization method must be found that enables management to design and control policies without writing code.
  • They all rely on specific implementations, such as XACML and don’t support setting policies in natural language.

All of these problems are solved by Policy-Based Access Control (PBAC) solutions, especially PlainID’s SmartAuthorization platform.

The PlainID Approach
to Authorization

PlainiD offers a better solution to Authorization using Policy-Based Access Control (PBAC).

PBAC is the cutting-edge approach to access management, offering a hybrid of RBAC and ABAC’s strongest features. Or as KuppingerCole put it, °PBAC can be considered the harmonization and standardization of the ABAC and RBAC models at an enterprise level:

PBAC uses attributes to support fine-grained Authorization but also supports creating universal policies when needed. Such policies are often needed for compliance issues. At the same time, PBAC supports the convenience of roles but uses them as a single attribute in policy statements. This allows granting roles different access rights depending on circumstances.

PBAC solves two of the most pressing Authorization issues: the advent of the cloud and mobility.

  • The rise of the cloud has practically obliterated the distinction between “inside” and “outside” that was no basic to previous IAM concepts, especially in the area of Authorization
  • The surge in the number and variety of wireless devices has made dynamic, fine-grained Authorization essential for enterprises and SaaS businesses

PBAC solves these problems by enabling businesses to net dynamic access-time policies according to the physical or logical location of the user and other factors.

PBAC also makes compliance with regulations such as GRC and GDPR easier by segregating data access, controlling access creep, and even preventing authorized users from accessing data in a risky manner.

Because PBAC supports both roles and attributes, it is relatively easy to switch to it from either RBAC or ABAC. ere are a few tips that will make your transition easier:

1.Gather the “building blocks” for your policies:

The data and definitions you are currently using as input for Authorization decisions are the “building blocks° of policies. These typically include:

  • User identities/attributes
  • Roles (names and brief descriptions of them; no need for detailed permission sets
  • Other attributes that you want to use as criteria, such as location, time of day, etc.
  • Entities whose data you want to protect (folders, individual files) or that you want to limit access to (networks, applications, etc.)

Note to RBAC users:

In both this step and the next, keep an eye out for roles you can consolidate by
using other attributes to distinguish between them instead of needing separate

2. Identify existing policies and create new ones:

PBAC supports XACML, 0Auth, and other protocols and languages.

Note to ABAC users:

It is often possible to consolidate existing ABAC rules into a smaller set of policies.

3.Test and verify your policies

How PlainID’s Smart Authorization
Platform Solves Common IAM Issues

IAM managers have been facing increasing problems in the past few years. Some of these problems are caused by changes in technology and their effects on Authorization. Others are related to the way Authorization has been implemented in the field.

PlainID’s Smart Authorization platform solves both these of challenges. In the previous section, we discussed how PBAC solves problems related to the cloud and to mobility. Here we discuss how Smart Authorization solves the implementation issues.

One of the most common phenomena in RBAC systems is “role explosion”. Role explosion occurs when a company creates very specific roles to cover every possible net of permissions needed. As network resources grow, not only do existing roles get more complicated, but new ones get added.

PlainID recently solved this and other problems for a client we’ll call “Company A. Company A began with over 1,000 individual roles. The IT team managing them was overwhelmed to say the least.

As it does with all clients, PlainID used PBAC’s policy creating features and its use of attributes to reduce the number of roles significantly. By using attributes such as location and the time of access requests as input PlainiD was able to make each basic role more flexible. For example, for an American client, instead of having 50 roles for insurance salespeople to access the forms relevant to their state, PlainID could create one role called “salesperson° and use another attribute, “state” to link salespeople with their state.

PlainiD made the process simpler by first making the entire system visible. This made it much easier to best match users to data. By the time PlainID’s Smart Authorization platform went live, Company A had approximately 50 roles instead of 1000!

The result was a net of flexible, dynamic, fine-grained Authorization policies that could be altered in run-time, if needed. By making access management simpler, Smart Authorization saved the company thousands of dollars in IT costs, while freeing up days, if not months, of the team’s time. Moreover, using Smart Authorization enabled management to take over access management decision-making.

In the past, this area was no complex that it was run by IT. But Authorization is really a business decision: determining who has access to which data is one of the most important decisions a company will make. Smart Authorization enables you to net access management policies via an easy-to-use user interface without writing a single line of code.

Smart Authorization’s support of management includes approval and audit functions. You can configure the software to require a manager’s approval before implementing any change of policy. The platform’s record-keeping abilities enable you to perform audits and generate reports of their findings.

PlainID’s Smart Authorization platform is the ideal Authorization solution for enterprises and SaaS providers. Its PBAC-based solution offers fine-grained access management that is both extremely flexible and easy to use. It is designed to integrate with any environment, support all manner of access points, and safeguard your data in all scenarios, including B2B usage.

Smart Authorization is ready for today’s challenges — and tomorrow’s.

Taking the Next Step

Ready to find out more? Click the button below to
schedule a demo with a member of the
PlainID team, or Check out the PlainID Summary Brief.