Dynamic authorization is a technology in which authorization and access rights to an enterprise’s network, applications, data, or other sensitive assets are granted dynamically in real time. In contrast to traditional or static authorization models, in which authorization is granted before resources are accessed and remains valid for subsequent access requests, dynamic authorization re-evaluates data access policies at the time of each access request and either grants or denies access and entitlements to the requested resource based on the evaluation result at that specific point in time. In addition to granting access, dynamic authorization can be used to implement the Zero-Trust Architecture (ZTA) principle of “Least Privileged Access”, providing only the minimum level of access the user needs at that specific time.
Dynamic authorization can be used to extend role-based access control (RBAC), where access is granted based on a user’s role, or to apply attribute-based access control (ABAC), in which access rights and entitlements to an organization’s resources are based on attributes of the user, the environment, and the data itself. Whether extending RBAC or applying ABAC, dynamic authorization can be used to implement a data-centric approach to an organization’s security, dynamically evaluating access and entitlement policies for every access request to protect specific resources at the specific time they need to be protected. This is the essence of the ZTA principle of “Never Trust, Always Verify”.
With traditional RBAC or list-based authorization systems, administrators need to constantly monitor and reassess changes in user status, reassign and revoke roles, or even monitor and reassign permissions on individual files or records. This is very resource-intensive; as organizations grow it does not scale well and can lead to role explosion.
With dynamic authorization systems driven by ABAC policies, in contrast, access to data is granted or denied in real time by policy according to variables such as the latest user status, data classifications, and environment information. A Dynamic Authorization Policy Engine, like the one at the core of the NextLabs platform, allows security administrators to define a small number of policies that are always up to date, because the variables used in a policy are evaluated at the time of the authorization request. Policies can be designed so that a few of them cover many different combinations of attributes.
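The following is an added example, not NextLabs code, of the request-time evaluation described above: a minimal policy decision point that fetches the subject's, resource's and environment's attributes on every call, applies deny-overrides with default-deny, and so reflects a user-status change immediately without any role or ACL being edited. The attribute stores, policy shapes and sample values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable

# Attribute sources consulted at decision time (constructed sample data, not a real directory).
USERS = {"alice": {"status": "active", "department": "finance", "clearance": 2}}
RESOURCES = {"q3-forecast.xlsx": {"classification": 2, "owner_dept": "finance"}}

def set_user_status(user_id: str, status: str) -> None:
    """Simulate an HR/IdP update; no roles or ACLs are touched, the next decision simply sees it."""
    USERS[user_id]["status"] = status

def environment(now_iso: str, network: str = "corporate") -> dict:
    """Environment attributes captured at request time (hypothetical shape)."""
    return {"now": datetime.fromisoformat(now_iso), "network": network}

@dataclass
class Policy:
    name: str
    effect: str                                    # "permit" or "deny"
    condition: Callable[[dict, dict, dict], bool]  # (user, resource, env) -> policy applies?

# A handful of attribute-driven policies that cover many user/resource combinations.
POLICIES = [
    Policy("inactive-user", "deny", lambda u, r, e: u["status"] != "active"),
    Policy("confidential-off-hours-or-offsite", "deny",
           lambda u, r, e: r["classification"] >= 2
           and (e["network"] != "corporate" or not time(8) <= e["now"].time() <= time(18))),
    Policy("department-and-clearance", "permit",
           lambda u, r, e: u["department"] == r["owner_dept"]
           and u["clearance"] >= r["classification"]),
]

def decide(user_id: str, resource_id: str, env: dict) -> tuple:
    """Policy decision point: fetch current attributes, evaluate every policy,
    apply deny-overrides, and default to deny when no permit applies (least privilege)."""
    user, resource = USERS.get(user_id), RESOURCES.get(resource_id)
    if user is None or resource is None:
        return ("deny", "unknown subject or resource")
    permits = []
    for p in POLICIES:
        if p.condition(user, resource, env):
            if p.effect == "deny":
                return ("deny", p.name)        # a matching deny ends evaluation
            permits.append(p.name)
    return ("permit", permits[0]) if permits else ("deny", "no applicable permit")
```

Calling `decide` twice with the same request before and after `set_user_status("alice", "suspended")` yields a permit and then a deny, which is the behaviour a static grant cannot provide without an administrator revoking something.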