We live in a dynamic world which requires organizations to be more responsive. Typically, information and application access policies are hard coded into the application. That necessitates many months of coding effort to make any policy changes, which no longer fits with the speed of business today.
Externalizing access control decisions to a central decision point, or Externalized Authorization Management, separates policy management from the application lifecycle. Externalized Authorization Management externalizes access control decisions to a decision point that is decoupled from the application. The system interrogates an information point, typically a directory, to determine a user’s access rights based on a centrally managed policy.
- Authorization and access rights to an organization’s network or assets are granted dynamically in real-time based on user, data and environmental attributes, such as certifications, IP address, group, department, or employee status.
- Decisions on access leverage these characteristics, or attributes, which help define whether they should be granted access to the application and at what level. The decision is based on the data they want to access and the action they want to perform.
- Externalized authorization allows for the management of permissions to multiple systems from a single platform, streamlining the access process and reducing administrative burden.
- Access control to file shares, network subnets, document repositories and applications can now be made in real time by a centrally managed decision point, using attributes in a user’s directory entry.
Centralization of Authorization
Many functionalities have been externalized over the last few years, such as authentication, storage of data, and logging. When centralizing authorization (left of diagram), an enterprise’s architecture tends to have external authentication as the top layer, which interacts with an external authorization module. All applications within an enterprise have interactions with both layers on a transactional basis.
On the right of the diagram, details a system overview of externalized authorization management in microservice and cloud environments.
The process flow of an externalized authorization setup is demonstrated below in a common enterprise security architecture based on standard components:
The components named in the model are:
Policy Administration Point (PAP): This is the point at which access authorization policies are managed.
Policy Enforcement Point (PEP): PEP intercepts user’s access request to a resource, then makes a decision request to the PDP to obtain the access decision (i.e., access to the resource is approved or rejected), and acts on the received decision.
Policy Decision Point (PDP): The PDP will compare the permissions requested in the XACML request against the mapping of the corresponding role as found in the request to the allowed permissions that can be fetched from PIP & PRP. Based on the findings, the PDP will either allow or deny the request.
Policy Information Point (PIP): A centralized attribute store that contains the information of the attribute values (i.e.: Subject, resource, or environmental attributes) referenced in the policy.
Policy Retrieval Point (PRP): A centralized storage of XACML access authorization policies, typically this is a database or filesystem.
Use Cases & Integration Patterns
These are common externalized authorization and use case patters [elaborate/setup]
- Portals and web applications- protect web applications, sites, pages, menus, menu items, regions, portlets, webparts, tables, hierarchical controls, graphs, fields, and buttons.
- Relational data- secure query access, mask data at the field-level, filter data at the row-level, and control CRUD operations at the table and database level.
- APIs and web services- secure access to external APIs, control access to data, grant permission to application functions and commands.
- Mobile applications- role-based and/or attribute-based access control
- Content management/ unstructured data- control access rights and usage of content & documents
- Spatial data- redact points of interest and details based on user device, user attributes, and geospatial functions.
- ABAC log analysis- rich ABAC policies and governance & compliance for any application without code changes and operational enforcement.
- Enterprise business & cloud apps- hybrid ABAC and RBAC, data segregation, masking, and data handling & secure control.
- Federated authorization- cross domain federated authorization with identity federations.
Benefits of Externalized Authorization
- Unified policy model and centrally managed access policies allow changes to policy without requiring code changes to each individual application.
- Externalize access control decisions with centralized policy resulting in consistent enforcement across the organization – not relying on individual system administrators.
- Single shared infrastructure with delegated administration shared across multiple application landscape, technology stacks, and cloud environments, to improve efficiency and reduce costs.
- Safeguard structured and unstructured data with centralized policies, to ensure secure collaboration inside and outside of the enterprise.
- Improve business management, enabling decisions to be made in real-time, increasing agility.
- Leverage attributes in the policy evaluation process enabling fine-grained authorization to increase control over data.
- Increase visibility and control over data by determining who, what, when, where, and why users should have access to information, while identifying anomalies and alerting on risky behavior.
- Monitor activities and data access across applications with centralized activity log, simplify audit and reporting to streamline compliance management.