Access control is a key part of cyber security, but traditional approaches do not work well for modern business IT environments, which typically include a mix of applications on-prem and across multiple cloud environments.

Most modern companies struggle with access management for a variety of reasons: it is difficult to connect to the many disparate IT systems for which they need to provision access; role-based access management is challenging; static role-based entitlements are difficult to manage and typically require regular recertification processes; and traditional approaches focus on granting access to the resources an individual requires to perform their job function, but do not cover how those rights are actually used, which is needed to stop any abuse of entitlements.

In addition, coarse-grained authorization is no longer sufficient because modern applications and sensitive data assets in cloud-native, containerized and DevOps environments require fine-grained authorization capabilities that can also supply identity attributes and context variables.

A policy-based approach can address many of the pain points experienced by organizations today by enabling a centralized, consistent, dynamic, on-demand (just-in-time) way of managing access to IT resources.

Organizations can already start moving in this direction by adapting processes, and adopting existing policy-based access management products and services.

Even mature organizations with legacy, on-prem applications can start tapping into the policy-based approach to access management by switching to a unified-services approach.

A service-based approach means end users no longer need access to the infrastructure on which the application is running; they only need to access the exposed services. As a result, access to services is consistent regardless of whether the applications are on-prem, delivered via cloud infrastructure, or via cloud-native deployments.

Adopting a service-based approach means policy-based access control can enable organizations to enforce consistent entitlements across the whole IT environment, from legacy LoB applications to infrastructure as a service (IaaS), cloud-based apps, and multi-cloud deployments.

Although legacy dynamic access management environments are not able to service multiple APIs efficiently and typically do not support Cloud Native Computing Foundation (CNCF) protocols, some vendors have developed tools to address this challenge.

As a result, there is already a policy-based access management market that caters for both ends of the access control market from traditional PBAC environments, consisting of policy decision points servicing multiple enforcement points and adhering to the XACML framework on one end, to cloud-native environments servicing cloud container approaches and microservices platforms, typically adopting the Open Policy Agent (OPA) protocol and adhering to the CNCF framework, at the other end.
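The decision-point and enforcement-point split described above, as an added Python sketch that is not taken from KuppingerCole or any vendor product. All names (`Request`, `decide`, `enforce`, the two policies and the attribute keys) are hypothetical. It shows one central policy set combining identity attributes and context variables, a time-boxed just-in-time grant, and default deny when no rule matches or an attribute is missing.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Request:
    subject: dict   # identity attributes, e.g. department
    action: str
    resource: dict  # resource attributes, e.g. type
    context: dict   # context variables, e.g. device_managed, grant_expires

# Hypothetical central policies: each is a predicate over the whole request.
def finance_reads_invoices(r):
    return (r.action == "read" and r.resource["type"] == "invoice"
            and r.subject.get("department") == "finance"
            and r.context.get("device_managed") is True)

def jit_admin(r):
    # Just-in-time: admin actions only while a time-boxed approval is valid.
    expires = r.context.get("grant_expires")
    return (r.action == "admin" and expires is not None
            and datetime.now(timezone.utc) < expires)

POLICIES = [finance_reads_invoices, jit_admin]

def decide(request):
    """Policy decision point: the single place where decisions are made."""
    for rule in POLICIES:
        try:
            if rule(request):
                return ("Permit", rule.__name__)
        except KeyError:
            continue  # missing attribute: the rule does not apply
    return ("Deny", "default")  # nothing matched: default deny

def enforce(pep_name, request):
    """Policy enforcement point: asks the PDP and never decides locally."""
    decision, rule = decide(request)
    return {"pep": pep_name, "decision": decision, "rule": rule}

# Constructed sample request, not real data.
SAMPLE = Request({"department": "finance"}, "read",
                 {"type": "invoice"}, {"device_managed": True})

if __name__ == "__main__":
    for pep in ("on-prem-gateway", "cloud-api-gateway"):
        print(enforce(pep, SAMPLE))
```

Both enforcement points return the same decision for the same request because neither holds entitlements of its own; changing a rule in `POLICIES` changes behaviour everywhere at once.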

Mature organizations can ensure that they remain competitive against more agile startups by switching to policy-based access management solutions that can assist by building in agility with common policies across multiple environments.

And all organizations can and should begin preparing for a more flexible and effective access management approach to meet future needs by investigating and understanding the business benefits of policy-based access management and familiarizing themselves with existing solutions that can help them to start to move in that direction.

“Due to the rapid change that is occurring in cloud environments the PBAM sector covers a range of solutions. At one end of the continuum are the traditional dynamic access management offerings, at the other end are the cloud-native solutions.”

— Graham Williamson, Senior Analyst, KuppingerCole

Because we understand the importance of a flexible, agile and effective access management capability, and because we are committed to helping your business succeed, KuppingerCole has a great deal of content available in a variety of formats.


A good place to start learning more about how to future-proof your organization by switching to policy-based access controls is this recently published Market Compass on Policy Based Access Management. This report examines the business benefits of this approach, outlines a process for designing and deploying a PBAM environment, provides an overview of the segment of the access control market that employs policies to provide access decisions, and examines some of the vendors and products in this market.

Get some insights into policy-based access management in the context of DevOps by having a look at this leadership compass on Privileged Access Management for DevOps.


Traditional approaches to Access Governance are no longer fit for purpose due to the complexity of modern IT environments, increased security risk, and growing regulatory compliance requirements. Learn how a new risk-based and policy-based approach is needed to reduce the cost, effort, and complexity of overseeing and enforcing access entitlements, including access reviews and recertification in this advisory note entitled: Redefining Access Governance.


If you would prefer to hear our analysts talk about policy-based access management, listen to this analyst chat about the Market Compass on Policy-Based Access Management referenced above and this earlier analyst chat with the report’s author on Policy-based and Dynamic Authorization Management.

For a presentation on how organizations can rethink, redesign, and modernize their Identity and Access Management (IAM) architecture by implementing PBAC (Policy Based Access Control), have a look at this KC Live presentation on: Modernizing IAM - Implementing Policy Based Access Management & Governance.

Get some industry-based examples of how policy-based Customer Identity and Access Management (CIAM) can help meet the challenges of providing a more customer-centric approach by watching this presentation on: How Policy Based CIAM can Improve the Customer Journey.


Advances in both business requirements and technology (such as the growing use of micro-services) require a better way to control access. Discover how Policy-based access control (PBAC) combines identity attributes and context variables to enable sophisticated granting of access to corporate systems and protected resources based on centrally managed policies that ensure consistent access control decisions across the enterprise in this webinar entitled: Policy-Based Access Control – Consistent Across the Enterprise.

For a discussion on policy-based access control in the context of cloud-native applications, with a focus on the need for central authorization policy governance, the benefits of Open Policy Agent, and how to manage policy administration for a large environment, have a look at this webinar on Policy Based Access Control for Cloud-Native Applications.

The amount of sensitive information that’s stored across on-premises systems and cloud services is growing exponentially, and the task of managing secure access to this data by numerous third parties is quickly getting out of control. Learn how instead of managing access to individual systems with separate technology stacks, many companies are looking for more universal and future-proof alternatives in this webinar on: Policy-Based Access Management – A Reliable Foundation for Your Next-Generation Unified IAM.

Policy-based Access Control (PBAC) is an emerging model that seeks to help enterprises address the need to implement actionable access control schemes based on corporate policy and governance requirements. Find out how PBAC can help support specific governance objectives in this webinar entitled: Fine-Grained Policy-Based Access Control: Why & How?

Tech Investment 

And finally, organizations investing in technologies to support policy-based access management can have a look at some of the related technology solutions that we have evaluated: