Updated July 12, 2023
As organizations adopt new technologies, traditional boundaries disappear, and networks of identities, devices, resources, and data grow in complexity and scale, making authorization management increasingly difficult.
Ensuring appropriate access for employees has become an increasingly difficult challenge and is now seen as one of the largest issues in technology audits, insider threat and cyber risk prevention, and compliance adherence. Previously, authorization was handled manually by administrators; however, this is inefficient and error prone.
This creates a need for runtime authorization, where authorization decisions are made in real time as the user accesses an application or data. Evaluating the decision at runtime, when more information about the user and their actions is available, allows more fine-grained decisions to be made. Because of this, runtime authorization has become a focal point for developing the next generation of identity-centric access controls. This covers both human and non-human use cases, and it can support the high volume and velocity of access to modern apps, computing units, data objects, and underlying networks.
Runtime authorization systems require an architectural view of the end-to-end access path. This path spans from the authenticated subject to the target object, taking into account all tiers, intended actions, and computing environment requirements. Each authorization control in this path requires a set of policy management capabilities to define and maintain which policies should be enforced, along with runtime services to evaluate and enforce those policies in real time.
Externalizing Runtime Authorization
Externalizing authorization extends the advantages of runtime authorization and enables zero trust access. It offers increased flexibility, centralized control, and stronger security for access control decisions, and it gives administrators the ability to enforce consistent controls in real time across applications and data.
The process flow of externalized runtime authorization is demonstrated below in a common enterprise security architecture based on standard components:
The components named in the model are:
- Policy Administration Point (PAP): This is the point at which access authorization policies are managed.
- Policy Enforcement Point (PEP): The PEP intercepts a user’s access request to a resource, sends a decision request to the PDP to obtain the access decision (i.e., whether access to the resource is approved or rejected), and acts on the received decision.
- Policy Decision Point (PDP): The PDP compares the permissions requested in the XACML request against the permissions allowed for the role named in the request, which it fetches from the PIP and PRP. Based on the result, the PDP either allows or denies the request.
- Policy Information Point (PIP): A centralized attribute store holding the values of the attributes (e.g., subject, resource, or environmental attributes) referenced in the policy.
- Policy Retrieval Point (PRP): Centralized storage for XACML access authorization policies, typically a database or filesystem.
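The following is an added example, not code from the original article, that walks through the PEP → PDP → PIP/PRP flow described above in miniature. The attribute store, policy rules, subject names and resource paths are all constructed for illustration, and the rule format is a simplified stand-in for XACML rather than real XACML XML; the deny-overrides combining behaviour and the deny-by-default handling of a NotApplicable result are the points worth noting.

```python
from dataclasses import dataclass, field

# Constructed PIP: attribute store for subjects and resources (environment
# attributes arrive with the request, as they would at runtime).
PIP_ATTRIBUTES = {
    "subjects": {"alice": {"role": "analyst", "mfa": True},
                 "bob": {"role": "contractor", "mfa": False}},
    "resources": {"/reports/q3": {"classification": "confidential"},
                  "/public/faq": {"classification": "public"}},
}

@dataclass
class Rule:
    """One policy rule as a PAP would author it; absent keys are unconstrained."""
    effect: str                       # "Permit" or "Deny"
    subject: dict = field(default_factory=dict)
    resource: dict = field(default_factory=dict)
    actions: tuple = ("read",)
    environment: dict = field(default_factory=dict)

# Constructed PRP: the policy set the PDP retrieves at decision time.
PRP_POLICIES = [
    Rule("Deny", resource={"classification": "confidential"}, environment={"network": "external"}),
    Rule("Permit", subject={"role": "analyst", "mfa": True}, resource={"classification": "confidential"}),
    Rule("Permit", resource={"classification": "public"}, actions=("read",)),
]

def _matches(required: dict, actual: dict) -> bool:
    # Every attribute the rule names must be present with the required value.
    return all(actual.get(k) == v for k, v in required.items())

def pdp_decide(request: dict) -> str:
    """PDP: resolve subject/resource attributes via the PIP, evaluate the PRP rules
    with deny-overrides combining, and return Permit, Deny or NotApplicable."""
    subj = PIP_ATTRIBUTES["subjects"].get(request["subject"], {})
    res = PIP_ATTRIBUTES["resources"].get(request["resource"], {})
    env = request.get("environment", {})
    decision = "NotApplicable"
    for rule in PRP_POLICIES:
        if (request["action"] in rule.actions and _matches(rule.subject, subj)
                and _matches(rule.resource, res) and _matches(rule.environment, env)):
            if rule.effect == "Deny":
                return "Deny"          # deny-overrides: the first matching Deny is final
            decision = "Permit"
    return decision

def pep_enforce(subject: str, action: str, resource: str, environment: dict) -> bool:
    """PEP: intercept the access request, ask the PDP, and act only on an explicit Permit."""
    request = {"subject": subject, "action": action, "resource": resource, "environment": environment}
    return pdp_decide(request) == "Permit"   # NotApplicable is treated as a denial
```

Because the PDP consults the PIP and PRP at decision time, changing alice's `mfa` attribute or adding a rule in `PRP_POLICIES` alters the outcome on the next request without touching the PEP.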
To learn more about how externalized runtime authorization can enable ZTA, read our article on The Intersection of Zero Trust Architecture and Data-Centric Security.