Combining Federated Identity Management with Dynamic Authorization

Combining Federated Identity Management with Dynamic Authorization

By Cynthia S. Artin, Contributing Writer  |  November 06, 2018

The virtualization of nearly everything digital is pushing more and more applications, services, storage, and compute to the cloud, now including real time communications (voice, video, messaging, collaboration) and combinations of connected machines and humans.

Enterprises, governments, and individuals are operating in continuous contact, in an increasingly real time or near real time world of contextually rich working and living.

A desire for instant gratification by digital workers, including executives who travel globally and want to be able to access corporate data, services and applications from anywhere at any time on any device, is driving CIOs, IT and OT teams to rethink their security approaches; they need to enable productivity, but without putting sensitive data and confidential information at risk.

According to Grand View Research, the Identity and Access Management (IAM) market, which is tackling growing and more complicated challenges in this multi-cloud world will be worth over $22 Billion by 2025, representing a CAGR of over 12%.

“Spiraling adoption of cloud services and mobile devices and emergence of insider threats combined with strict compliance necessities are leading to increased spending on organization IT security, which is estimated to stoke the growth of the market,” their September 2018 report says.

Grand View also predicts that cloud will “be the most promising segment during the forecast period. Cloud is changing the way a business operates. It facilitates a different level of cost-benefit, flexibility, and efficiency to carry out business functions. Moreover, it also provides organizations an opportunity to transform their business models and gain a competitive edge over their competitors. Managing identities and accessing control for enterprise applications act as one of the prominent challenges faced by IT.”

Grand View’s press release on the report also states “Extending a company’s identity services into a/the cloud model is a notable requirement for use of on-demand computing services in the long run. Various cloud delivery models such as SaaS (News - Alert), PaaS, and IaaS call for service providers and IT departments to extend organization’s IAM processes, practices, and procedures to cloud services that are efficient and scalable for customers and providers. Utilizing more cloud-based services puts IT security function on the forefront of a company’s planning activities, which is likely to drive the market over the forecast period.”

Axiomatics’ Vice President of Business Development, Gerry Gebel, believes the future of IAM will include an increased focus on externalized dynamic authorization - also known as Attribute Based Access Control (ABAC). “Our customers across industries are working with a range of cloud service providers, and as they continue to move more and more to the cloud, they are confronted with new data and systems security challenges,” Gebel said. “In a more fluid and open world, including applications that depend on API calls, maintaining the protection of assets while also ensuring information is shared with the right people, at the right time, and under the right conditions has become more difficult.”

Gebel also noted that external cyberattacks and insider threat now comprise more than half of reported cybercrime. Enterprises and governments are on high alert, not wanting to stifle innovation and the growth of new digital services, but increasingly aware of new vulnerabilities that come with the exchange of data between systems, applications, and trading partners.  

“Dynamic authorization takes advantage of attribute values from subjects, resources, and the environment to make access control decisions based on digital policies that define how resources may be accessed,” Gebel said, “and as SaaS and cloud-based applications grow and organizations are more dependent on cloud infrastructure, an ABAC model offers centrally enforced policies across multiple cloud resources.”

Enterprises that implement an ABAC model using an externalized authorization management service within a cloud environment do so to improve security compliance, auditing, and monitoring by adopting externalized dynamic authorization, rather than relying on traditional and often multiple IAM approaches, which can become complicated and expensive as more systems are connected and more data is being exchanged in the cloud.

“There are significant benefits of centralized policy-driven access control,” Gebel said. “Dynamic authorization achieves this by transforming natural language access control policies into digital policies, and then enforcing those policies through an authorization engine, which contains a centralized policy management store.”

And while cloud offerings from AWS, Microsoft Azure, IBM (News - Alert) Cloud and other providers come with basic built-in security features that include identity and access management, Gebel says implementing dynamic authorization can extend security through more granularity by including the subject (e.g. identity), resource (e.g. metadata), and environment (e.g. geographic location) and the relationship between these values when performing an access control decision.

Gebel also sees dynamic authorization as a critical step towards increasingly intelligent cloud and automated or assisted network monitoring services. He cites as one example extending Amazon’s Lambda, S3, API Gateway (News - Alert) and CloudWatch by “adding software that can collect and track metrics on virtually every access control request and decision made in the cloud. Triggers and alerts can then be implemented as well to notify someone if too many access request denials are being issued within a given period,” Gebel said.

Gebel says organizations are adopting dynamic authorization while they are making their transition to the cloud, to get out in front of potential complexity and security vulnerabilities as part of the planning and “digital transformation” process.

“During the transition to a cloud environment, there is a mix of on-premise applications and cloud services, and while applications are moving to the cloud, a dynamic authorization service can apply policies and enforce decisions within both environments, while only having to manage policies in one location,” Gebel said. “This hybrid implementation can help to ease the transition of applications into the cloud as the authorization service already exists in the cloud. This saves time, eliminates repetitive re-coding, and shifts focus to the bigger picture of the cloud transition which becomes more programmable over time.”

Gebel says Privileged Access Management (PAM) and Privileged Task Automation (PTA) built for the cloud, vs. more traditional, premise-based systems, are ideal companions for ABAC-based IAM approaches.

“We’re becoming more federated, and in new ways,” Gebel said. “A decade or so ago, the term federated applied to single-sign-on, and a unified view of multiple systems. Today, federation is expanding as computing, infrastructure, cloud, services and applications are becoming more connected, driven to some extent by the growth of APIs.”

“We’re seeing big opportunities to integrate our dynamic authorization technology with PAM and PTA technologies in a growing security and access policy control ecosystem” Gebel said. “Once a PAM system, for example, authorizes a privileged user, ABAC kicks in with a rules engine and policy language that uses attributes and is optimized for more granular control and more comprehensive views as well as providing data for alerts and notifications in real time, which can help avert intentional security breaches, or accidental system downtime.”

Gebel also sees access control across the board as being critical to unlocking the full potential of the IoT. “We’re witnessing a new matrix of technology trends that intertwine machines and human beings, transmission networks, clouds, apps, services, containers, and of course massive data lakes. There will be no let-up in constant, contextual data sharing, and we’ve found that the key to ensuring connected systems, including IoT, will work securely is best served by strong but simplified architectures, for example API gateway calls out to Axiomatics for dynamic authorization.”

“Security of these APIs are being managed in one place, using our dynamic authorization technology, and even if policies are changing in real time, the system can report on it, certify it, and ensure compliance with the governance process,” Gebel said. He also pointed out that developers don’t have to worry as much about their applications when they “let the infrastructure take care of access, security and data integrity.”




Edited by Maurice Nagle