1 Introduction
Identity and Access Management (IAM) is a complex discipline, built from technologies and processes such as identity vetting, assurance, credential issuance, authentication, authorization, reconciliation, governance, and lifecycle management. Each of these components is necessary for a strong IAM infrastructure and for cybersecurity generally. In recent years, many conceptual and technical advances have been made in these areas. Authentication technologies, including multi-factor, risk-adaptive, and biometric authentication, have received the most fanfare and press. But once a user or device is authenticated, it still must be authorized.
Authentication is usually defined as the process of proving that a user, device, or now even an application is what it claims to be. Username/password authentication has been the norm for decades, but it is insecure and is increasingly being phased out where possible. Newer authenticators, such as USB security keys, smart cards, and mobile biometrics, are becoming more popular.
Authorization is the process of determining whether a user, device, or application should be allowed to perform an operation. Many factors influence access control decisions, including but not limited to:
- User attributes – group membership, roles, nationality, clearance, customer type/status, authentication strength
- Resource attributes – resource type, classification, sensitivity, file type, application type
- Environmental attributes – geo-location of requester, IP address, security posture of requesting device, user behavioral analysis, user history
- Action attributes – type of request: create, read, update, delete, etc.
OASIS XACML (eXtensible Access Control Markup Language) and IETF OAuth are two notable standards for access control. XACML defines an access control architecture, a policy language, and a request/decision/response protocol, all based on XML; XACML now also includes REST and JSON profiles for modern applications. OAuth uses the bearer-token approach for a decentralized, federated authorization model. OAuth 2.0 tends to be more widely used across the web and is extensible: OpenID Connect and User-Managed Access are built on OAuth 2.0.
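To make the four attribute categories and the XACML request/decision/response model concrete, here is an added example (not PlainID's code and not a real XACML engine): a minimal policy decision point that evaluates requests shaped like the XACML JSON profile, with one Deny rule on device posture and one Permit rule combining subject, resource, and action attributes. The policy structure and the shortened attribute identifiers are constructed for readability; real XACML attribute identifiers are URNs.

```python
# Added example: a tiny attribute-based policy decision point (PDP).
# Request shape follows the XACML JSON profile (Request -> category ->
# Attribute list); the policy format below is a simplified construction
# for this example, not the XACML policy language or any vendor's format.

# Constructed policies, evaluated with XACML's deny-overrides combining rule.
POLICIES = [
    {"id": "deny-unmanaged-device", "effect": "Deny",
     "match": {"Environment": {"device_posture": {"unmanaged"}}}},
    {"id": "analyst-read-confidential", "effect": "Permit",
     "match": {"AccessSubject": {"role": {"analyst"},
                                 "clearance": {"confidential", "secret"}},
               "Resource": {"classification": {"confidential"}},
               "Action": {"action-id": {"read"}}}},
]


def make_request(subject, resource, action, environment):
    """Build a XACML-JSON-shaped request from plain dicts (constructed input)."""
    def cat(attrs):
        return [{"Attribute": [{"AttributeId": k, "Value": v}
                               for k, v in attrs.items()]}]
    return {"Request": {"AccessSubject": cat(subject), "Resource": cat(resource),
                        "Action": cat(action), "Environment": cat(environment)}}


def _attrs(request, category):
    """Flatten one request category into {AttributeId: Value}; missing -> {}."""
    cat = request["Request"].get(category, [{}])[0]
    return {a["AttributeId"]: a["Value"] for a in cat.get("Attribute", [])}


def matches(policy, request):
    """A policy applies only if every required attribute holds an allowed value."""
    for category, wanted in policy["match"].items():
        have = _attrs(request, category)
        if any(have.get(attr_id) not in allowed for attr_id, allowed in wanted.items()):
            return False
    return True


def decide(request, policies=POLICIES):
    """Deny-overrides: any applicable Deny wins, then Permit, else NotApplicable."""
    effects = {p["effect"] for p in policies if matches(p, request)}
    decision = "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"
    return {"Response": [{"Decision": decision}]}


# Constructed sample: an analyst reading a confidential record from a managed device.
SAMPLE = make_request({"role": "analyst", "clearance": "confidential"},
                      {"classification": "confidential"},
                      {"action-id": "read"},
                      {"device_posture": "managed"})
```

Changing only the environment attribute to `unmanaged` flips the same request from Permit to Deny, which is the point of keeping such decisions in a shared PDP rather than in each application.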
Applications today are ever more complex, with dependencies on other applications and factors that must be considered before granting users access. Authentication is a necessary first step, but fine-grained authorization in accordance with specific policies is an increasingly common business requirement, especially in industries such as finance, health care, pharmaceutical, defense, aerospace, and insurance.
PlainID, headquartered in Israel, was founded in 2014. The company focuses on delivering fine-grained authorization functionality that scales for large enterprise applications. PlainID realizes that sometimes the same access control policies apply across many different applications and computing environments. To achieve economies of scale and better security, authorization in many cases should occur outside individual applications. The company is partnering with other technology vendors and has customers on several continents in the financial sector.