Chinese philosopher Confucius is said to be the originator of the saying “the journey is the reward”. What does it mean? In its historic meaning, it says that by moving forward people will benefit, even while they might not reach perfection. Applied to projects, it means that continuous improvements, new understandings and small successes over time are the reward – not the ideal end-state.
In IT, a project might never reach its desired end-state, at least not at enterprise scale. One example is what is commonly referred to as Dynamic Authorization Management (as a discipline) or ABAC - Attribute-based Access Control - (as a theoretical concept). Organizations might succeed in a particular project on Dynamic Authorization Management, but they will rarely manage transforming their entire Identity and Access Management in such a way that every single authorization decision is made dynamically, using a central authorization system and relying on one or more attributes (i.e. attribute-based).
There is no doubt that Dynamic Authorization Management is the better way for authorizing access to information and systems, compared to statically assigned entitlements at the system-level or the lack of a valid, fine-grained authorization concept. Relying on centrally managed policies provides many benefits: consistency of authorization policies, always up-to-date policies, and reduced administrative efforts, to name just a few. Another important point is that Dynamic Authorization Management allows making authorization decisions in the context of the user, if integrated with versatile, risk- and context-based authentication.
While the discussion about RBAC (Role-based Access Control) versus ABAC (Attribute-based Access Control) is somewhat artificial and theoretical, moving towards Dynamic Authorization Management is a must for mature IAM/IAG infrastructures. There are too many advantages. Notably, Dynamic Authorization Management is not new. Some of today’s products came to the market back in the 1990’s. In mainframe infrastructures, Dynamic Authorization Management even dates back to the 1970’s.
However, there are four challenges:
- Existing applications
- Software architects and developers
- Providers of Commercial off-the-shelf (COTS) software
- Cloud Service Provider (CSPs) and standards bodies
Software architects and developers might be hard to convince to change the way they implement security (or what they believe is security). Despite the fact that IAM/IAG and software development commonly are separate siloes in IT organizations, this is the challenge that is easiest to solve. Explain the need and provide simple interfaces to the Dynamic Authorization Management system that make the developer’s life easier, not more complex, and you will succeed.
For providers of COTS software, things are more difficult. They rarely support standards such as XACML (Extensible Access Control Markup Language) to interface with Dynamic Authorization Management systems. Even while you might have a well-working gate from procurement to Information Security, that does not help unless the COTS software provides the required interfaces.
Things become even worse with the Cloud. There is just no adequate authorization standard for the Cloud yet. Given the fact that a very significant portion of Cloud services still lacks support for basic standards such as SAML (Security Assertion Markup Language), this is no surprise. This will change, but it will take a while.
There are some workarounds such as applying Dynamic Authorization Management at the level of XML Gateways, API Gateways, or Web Access Management solutions. However, there will remain many applications which just can’t be moved to Dynamic Authorization Management within a foreseeable period of time.
Despite these challenges, Dynamic Authorization Management is a must for every organization in maturing their IAM/IAG infrastructure and improving Information Security. Thus it is latest time for evaluating these concepts and starting to use them.
But even then, Dynamic Authorization Management must be considered as a long journey, where every single application on-boarded is considered a reward.