As organizations adopt new technologies, traditional boundaries disappear and networks of identities, devices, resources, and data increase in complexity and scale, causing difficulties for authorization management.
Ensuring appropriate access for employees has become an increasingly difficult challenge and is now seen as one of the largest issues in technology audits, insider threat and cyber risk prevention, and compliance adherence. Previously, authorization was handled manually by administrators; however, this is inefficient and error-prone.
This creates a need for runtime authorization, where authorization decisions are made in real time when the user is accessing an application or data. Evaluating the decision at runtime, when more information about the user and their actions is available, allows more fine-grained decisions to be made. Because of this, runtime authorization has become a focal point for developing the next generation of identity-centric access controls. This includes both human and non-human use cases, which can support the high volume and velocity of access to modern apps, computing units, data objects, and underlying networks.
Runtime authorization systems require an architectural view of the end-to-end access path. This path spans from the authenticated subject to the target object, considering all tiers, intended actions, and computing environment requirements. Each authorization control in this path requires a set of policy management capabilities to define and maintain what policies should be enforced, while also supporting runtime services to evaluate and enforce the policies in real time.
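The split described above between policy definition and runtime evaluation and enforcement can be sketched as follows. This is an added example, not code from the original page; the attribute names, policy names, and the 1000-row threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Request:
    subject: dict   # identity attributes, human or workload
    action: str
    resource: dict  # attributes of the target object
    context: dict   # facts known only at access time

@dataclass(frozen=True)
class Policy:
    name: str
    effect: str  # "permit" or "deny"
    applies: Callable[[Request], bool]

# Policy management side: rules defined and maintained apart from the apps.
POLICIES = [
    Policy("deny-unmanaged-device", "deny",
           lambda r: r.resource.get("classification") == "confidential"
           and not r.context.get("device_managed", False)),
    Policy("deny-bulk-export-by-service", "deny",
           lambda r: r.subject.get("type") == "service" and r.action == "export"
           and r.context.get("rows_requested", 0) > 1000),
    Policy("permit-same-department", "permit",
           lambda r: r.action in {"read", "export"}
           and r.subject.get("department") is not None
           and r.subject.get("department") == r.resource.get("owner_department")),
]

def evaluate(request: Request, policies=POLICIES) -> tuple:
    """Decision point: any matching deny wins; no match is a deny."""
    matched = [p for p in policies if p.applies(request)]
    for effect in ("deny", "permit"):
        for p in matched:
            if p.effect == effect:
                return effect, p.name
    return "deny", "default-deny"

def enforce(request: Request, handler: Callable[[], str]) -> str:
    """Enforcement point: the handler runs only after a permit."""
    decision, reason = evaluate(request)
    if decision != "permit":
        raise PermissionError(f"{request.action} denied by {reason}")
    return handler()

# Constructed sample attributes (not from the page).
ANALYST = {"type": "human", "department": "finance"}
LEDGER = {"classification": "confidential", "owner_department": "finance"}
```

The same subject and resource produce different decisions depending on the context passed at access time, which a role assigned by an administrator in advance cannot express.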