Because of its value and sensitivity, customer identity data must be protected with strong access management. Key use cases include controlling how customer data is used and made available, both internally and externally, and managing the availability of organizational data across employee and partner workforces. Organizations that fail to manage access controls risk cyberattacks and regulatory violations. Authorization methods are constantly evolving to address changing business requirements and growing threats. PBAC (Policy-Based Access Control) enables organizations to adapt easily and continuously to changes in human resources, roles, and regulations by building on organization-wide policies. Recently made available as a SaaS offering, PingOne Authorize provides a policy-based access control mechanism that integrates deeply with the authentication capabilities of Ping Identity, adds API (Application Programming Interface) access management, and enables a broader range of externalized fine-grained authorization use cases.
Digital technologies have transformed customer habits. With the increasing adoption of digital services and platforms, millions of people share their sensitive data with other organizations and entities. In many regions of the world, data protection laws oblige organizations to provide secure user access to the customer data that is spread across different applications and directories. Access control is a key component of cybersecurity processes that enables organizations to manage who is authorized to access which data and resources. Organizations that fail to control user access can suffer cyberattacks and/or violate regulatory requirements. To mitigate risk and prevent cyberattacks, organizations must choose an authorization concept that brings flexibility, adaptability, and observability to their business and IT environment.
Today, many organizations still use traditional Role-Based Access Control (RBAC) to grant access to applications and data based on a user's roles. However, IAM (Identity and Access Management) teams are required to manually change the access rights (via roles) in case of a job change, or if an employee leaves the company. In case of organizational changes, role models frequently require major updates, causing massive workloads. Furthermore, customer data use cases don’t tend to fit cleanly into roles; instead, access to customer data is managed by consents, entitlements and relationships which force organizations to look for access control solutions that extend beyond RBAC.
These traditional approaches to user access management are cumbersome to implement and inefficient, especially for large organizations with dynamic structures, frequent changes in human resources, and many external entities to manage. Policies are easier to define than roles, and they all share the same structure: Subject, Action, Resource, Context.
Addressing many of these pain points, PBAC (Policy-Based Access Control) gives administrators greater control over access rights: a single policy change can edit the permissions of a large number of users at once, takes effect immediately, and avoids the lengthy and error-prone provisioning processes that come with RBAC. Policies can be based on contextual controls and attributes, such as job title, file type, time of day, access location, and risk score. PBAC gives IAM teams the flexibility to add fine-grained access control to resources and data based on policies.
PBAC allows organizations to enforce consistent entitlements across their IT environment, from legacy applications and systems to IaaS (Infrastructure as a Service), cloud-based platforms, and multi-cloud deployments. An entitlement or authorization decision is provided to a Policy Enforcement Point (PEP), which can be the authentication system, an API gateway, the applications themselves if they support such concepts, or an enforcement step integrated directly into company-owned and developed digital services. Modern applications are built on APIs, which provide a natural hook to extend access control with PBAC capabilities without changing the application. Furthermore, organizations with legacy on-premises applications can, to a certain extent, adopt a policy-based approach to their access management systems.
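The three paragraphs above describe the policy structure (Subject, Action, Resource, Context), contextual controls such as time of day and risk score, and the split between a decision point and a Policy Enforcement Point. The following is an added example written for this page, not PingOne Authorize or Ping Identity code: a small deny-overrides, default-deny policy evaluator plus a PEP wrapper. Every attribute name (department, job_title, hour, risk_score, location, consent_export), policy name and resource path is hypothetical and constructed for illustration.

```python
"""Minimal policy-based access control (PBAC) evaluator.

Added example, not PingOne Authorize or Ping Identity code. Policies have the
structure the text describes (Subject, Action, Resource, Context). The PDP
uses deny-overrides combining and denies when no permit policy applies; the
PEP wrapper refuses to run the protected operation on anything but a permit.
All attribute names, policy names and resource paths are hypothetical.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set

Attrs = Dict[str, Any]


class Indeterminate(Exception):
    """A condition referenced a context attribute the request did not supply."""


@dataclass
class Policy:
    name: str
    effect: str                          # "permit" or "deny"
    subject: Attrs                       # attribute constraints on the caller ({} = anyone)
    actions: Set[str]                    # e.g. {"read", "export"}
    resource_prefix: str                 # "customer/" matches "customer/42/profile"
    condition: Callable[[Attrs], bool] = lambda ctx: True   # contextual control


def _applies(p: Policy, subject: Attrs, action: str, resource: str, context: Attrs) -> bool:
    """Target match on subject, action and resource, then the contextual condition."""
    if not all(subject.get(k) == v for k, v in p.subject.items()):
        return False
    if action not in p.actions or not resource.startswith(p.resource_prefix):
        return False
    try:
        return bool(p.condition(context))
    except KeyError as missing:          # fail closed instead of silently skipping the policy
        raise Indeterminate(p.name, missing.args[0])


def evaluate(policies: List[Policy], subject: Attrs, action: str,
             resource: str, context: Attrs) -> dict:
    """Policy Decision Point: deny-overrides; no applicable permit means deny."""
    try:
        applicable = [p for p in policies if _applies(p, subject, action, resource, context)]
    except Indeterminate as e:
        return {"decision": "deny", "policy": e.args[0],
                "reason": f"indeterminate: missing context attribute {e.args[1]!r}"}
    for p in applicable:
        if p.effect == "deny":
            return {"decision": "deny", "policy": p.name, "reason": "deny policy applied"}
    for p in applicable:
        if p.effect == "permit":
            return {"decision": "permit", "policy": p.name, "reason": "permit policy applied"}
    return {"decision": "deny", "policy": None, "reason": "no applicable permit"}


def enforce(policies: List[Policy], subject: Attrs, action: str, resource: str,
            context: Attrs, handler: Callable[[], Any]) -> Any:
    """Policy Enforcement Point: ask the PDP before running the protected operation."""
    d = evaluate(policies, subject, action, resource, context)
    if d["decision"] != "permit":
        raise PermissionError(f"{action} {resource}: {d['reason']} ({d['policy']})")
    return handler()


# Hypothetical policies over constructed attributes (job title, time of day,
# access location, risk score, customer consent).
POLICIES = [
    Policy("support-read-customer", "permit", {"department": "support"}, {"read"}, "customer/",
           condition=lambda ctx: 8 <= ctx["hour"] < 20 and ctx["risk_score"] < 50),
    Policy("manager-export-customer", "permit", {"job_title": "support-manager"}, {"export"},
           "customer/", condition=lambda ctx: ctx["location"] == "corp-network"),
    Policy("high-risk-block", "deny", {}, {"read", "write", "export"}, "customer/",
           condition=lambda ctx: ctx["risk_score"] >= 80),
    Policy("consent-required-for-export", "deny", {}, {"export"}, "customer/",
           condition=lambda ctx: not ctx.get("consent_export", False)),
]

if __name__ == "__main__":
    agent = {"department": "support", "job_title": "support-agent"}
    ctx = {"hour": 10, "risk_score": 10, "location": "corp-network", "consent_export": True}
    print(evaluate(POLICIES, agent, "read", "customer/42/profile", ctx))
    print(evaluate(POLICIES, agent, "read", "customer/42/profile", dict(ctx, risk_score=85)))
    print(evaluate(POLICIES, dict(agent, job_title="support-manager"), "export",
                   "customer/42/profile", ctx))
```

Two design choices carry the security point of the passage: a missing context attribute makes the decision indeterminate and therefore a deny, rather than letting a permit policy quietly fall through, and a change to a subject attribute (the agent being promoted to support-manager) changes the outcome on the next request with no role re-provisioning.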
A strong access management system is essential for embracing a Zero Trust approach. PBAC contributes to this security paradigm by managing users' access to systems and applications using predefined policies and contextual controls that are dynamically evaluated during authentication or authorization. This aligns with a core principle of Zero Trust: "Don't trust. Verify!"
This report looks at Ping Identity’s PingOne Authorize, which is one of the PBAC solutions in the market. Delivering capabilities like dynamic, policy-based authorization and API access management, PingOne Authorize allows organizations to centrally manage authorization, based on easy-to-create, fine-grained policies that are enforced at runtime.
Full article is available for registered users with free trial access or paid subscription to the KuppingerCole research library.