Digital technologies have transformed customer habits. With the increasing adoption of digital services and platforms, millions of people share their sensitive data with other organizations and entities. In many regions of the world, data regulation laws obligate organizations to provide secure user access to the customer data that is spread across different applications and directories. Access control is a key component of cybersecurity processes that enables organizations to manage who is authorized to access which data and resources. Organizations that fail to control user access can end up suffering from cyberattacks and/or violate regulatory compliance regulations. In order to mitigate risks and prevent cyberattacks, organizations must consider the right authorization concept that brings flexibility, adaptability, and observability to their business and IT environment.
Today, many organizations still use traditional Role-Based Access Control (RBAC) to grant access to applications and data based on a user's roles. However, IAM (Identity and Access Management) teams are required to manually change the access rights (via roles) in case of a job change, or if an employee leaves the company. In case of organizational changes, role models frequently require major updates, causing massive workloads. Furthermore, customer data use cases don’t tend to fit cleanly into roles; instead, access to customer data is managed by consents, entitlements and relationships which force organizations to look for access control solutions that extend beyond RBAC.
These traditional approaches for user access management are cumbersome to implement and inefficient, especially for large organizations working with dynamic organizations, a lot of change in human resources, plus the external entities to manage. Unlike roles, policies are easier to define, and they all have the same structure: Subject, Action, Resource, Context.
Addressing many pain points that organizations experience, PBAC (Policy-Based Access Control) enables administrators to have a greater control over access rights and edit permissions to a large number of users at once, coming into effect immediately and avoiding the lengthy and error-prone provisioning processes that are part of PBAC. Policies can be based on contextual controls and attributes, such as job title, file type, time of day, access location, and risk score. PBAC empowers IAM teams with flexibility to add fine-grained access control to resources and data based on policies.
PBAC allows organizations to enforce consistent entitlements across their IT environment from legacy applications and systems to IaaS (Infrastructure as a Service), cloud-based platforms, and multi-cloud deployments. An entitlement or authorization decision is provided to a Policy Enforcement Point (PEP), which can be the authentication system, API gateways, the applications themselves if they support such concepts, or integrated directly into company-owned and developed digital services. Modern applications are built on APIs, which provide a perfect hook to extend access control with PBAC capabilities without changing the application. Furthermore, organizations with legacy on-premise applications can, to a certain extent, adopt a policy-based approach to their access management systems.
A strong access management system is essential for embracing a Zero-Trust approach. PBAC contributes to this security paradigm by managing users’ access to systems and applications using predefined policies and contextual controls that are dynamically evaluated during the authentication or authorization. This aligns with one of the core principles of Zero-Trust, “Don’t trust. Verify!”.
This report looks at Ping Identity’s PingOne Authorize, which is one of the PBAC solutions in the market. Delivering capabilities like dynamic, policy-based authorization and API access management, PingOne Authorize allows organizations to centrally manage authorization, based on easy-to-create, fine-grained policies that are enforced at runtime.