We live in a dynamic world which requires organizations to be more responsive. Typically, information and application access policies are hard-coded into the application, so any policy change needs many months of coding effort, which no longer fits the speed of business today.
Externalized Authorization Management moves access control decisions out of the application to a central decision point that is decoupled from it, separating policy management from the application lifecycle. The decision point interrogates an information point, typically a directory, to determine a user’s access rights against a centrally managed policy.
- Authorization and access rights to an organization’s network or assets are granted dynamically in real time based on user, data and environmental attributes, such as certifications, IP address, group, department, or employee status.
- Access decisions leverage these characteristics, or attributes, to define whether the user should be granted access to the application and at what level. The decision is based on the data the user wants to access and the action they want to perform.
- Externalized authorization allows for the management of permissions to multiple systems from a single platform, streamlining the access process and reducing administrative burden.
- Access control to file shares, network subnets, document repositories and applications can now be made in real time by a centrally managed decision point, using attributes in a user’s directory entry.
Centralization of Authorization
Many functions have been externalized over the last few years, such as authentication, data storage, and logging. When authorization is centralized (left of the diagram), an enterprise’s architecture tends to have external authentication as the top layer, which interacts with an external authorization module. Every application within the enterprise interacts with both layers on a per-transaction basis.
The right of the diagram shows a system overview of externalized authorization management in microservice and cloud environments.
The process flow of an externalized authorization setup is demonstrated below in a common enterprise security architecture based on standard components:
The components named in the model are:
Policy Administration Point (PAP): This is the point at which access authorization policies are managed.
Policy Enforcement Po
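As an added example (not code from the article), the components of this model wired together in Python: the PAP holds attribute-based rules outside any application, the PDP evaluates a request against them with attributes fetched from a PIP standing in for the directory, and the PEP in front of the application enforces the answer. PDP and PIP are the standard names for the decision point and information point the article refers to; the class names, the "payroll-db" resource, the 10.0.0.0/8 network and the directory entries are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Request:
    subject: str                                     # who (user id from the session)
    resource: str                                    # what (e.g. "payroll-db")
    action: str                                      # how (e.g. "read")
    environment: dict = field(default_factory=dict)  # context (e.g. client IP)

class PolicyInformationPoint:
    """PIP: the attribute source; an in-memory dict stands in for the directory."""
    def __init__(self, directory): self.directory = directory
    def attributes(self, subject): return self.directory.get(subject, {})

class PolicyAdministrationPoint:
    """PAP: policies are managed here, outside every application's code base."""
    def __init__(self): self.rules = []
    def add_rule(self, resource, action, condition): self.rules.append((resource, action, condition))
    def rules_for(self, resource, action):
        return [c for r, a, c in self.rules if (r, a) == (resource, action)]

class PolicyDecisionPoint:
    """PDP: evaluates a request against PAP rules with PIP attributes (deny-overrides)."""
    def __init__(self, pap, pip): self.pap, self.pip = pap, pip
    def decide(self, req):
        rules = self.pap.rules_for(req.resource, req.action)
        if not rules:
            return "DENY"                            # no applicable policy: default deny
        attrs = self.pip.attributes(req.subject)
        return "PERMIT" if all(c(attrs, req.environment) for c in rules) else "DENY"

class PolicyEnforcementPoint:
    """PEP: the only piece inside the app; it asks the PDP and blocks unless PERMIT."""
    def __init__(self, pdp): self.pdp = pdp
    def guard(self, req, operation):
        if self.pdp.decide(req) != "PERMIT":
            raise PermissionError(f"{req.subject}: {req.action} {req.resource} denied")
        return operation()

def build_demo():
    """Wire the four points together with constructed sample data."""
    directory = {"alice": {"department": "finance", "status": "active"},       # constructed
                 "bob": {"department": "engineering", "status": "active"},     # directory
                 "carol": {"department": "finance", "status": "terminated"}}   # entries
    pap, corp_net = PolicyAdministrationPoint(), ip_network("10.0.0.0/8")
    pap.add_rule("payroll-db", "read", lambda s, e: s.get("status") == "active")
    pap.add_rule("payroll-db", "read", lambda s, e: s.get("department") == "finance")
    pap.add_rule("payroll-db", "read", lambda s, e: ip_address(e.get("client_ip", "0.0.0.0")) in corp_net)
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap, PolicyInformationPoint(directory)))
```

A policy change, such as also requiring a certification attribute, is one more rule added in the PAP and touches no application code; an unknown user, a missing rule or an off-network client all fall through to the default deny.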