1 Management Summary
This KuppingerCole Market Compass addresses the market segment for Dynamic Authorization Management (DAM). DAM is part of the Access Management market sector and focuses on access control via run-time evaluation of policies. These solutions externalize access control decisions to a policy-based authorization server.
Authorization (AuthZ) is the act of verifying a user’s entitlements that grant them access to a specific controlled resource. This is often performed within each application via its own internal store of user accounts and entitlements to specific functionality, but such an approach makes it difficult to manage and enforce access control policy enterprise-wide. A properly deployed dynamic authorization service addresses this: it enables enterprises with sensitive data to control access to protected resources more finely, across a variety of use cases.
One reason for pursuing a dynamic authorization environment is the ability to establish consistent access control policy across an organization. Many companies use role-based entitlements, often implemented via Microsoft Active Directory (AD) groups, which means a user’s access rights are based on AD group memberships that are typically managed locally. This arrangement makes it difficult to impose consistency on access control decisions across an enterprise.
With a dynamic authorization model, access control decisions are governed by centrally administered policies that are applied across multiple applications and protected resources. A policy change is therefore reflected in the access control decisions of every application that uses the authorization service, whereas in a static environment a policy change results in a re-assignment of user entitlements in an identity data store, which only takes effect once that store has been updated and re-read. Furthermore, in a dynamic authorization environment policies are evaluated in real time against current attributes: as soon as an attribute changes, policy decisions based on that attribute change with it, rather than waiting for a nightly update of identity attributes before the access control policy is correctly applied.
A dynamic authorization environment also facilitates the application of risk management to access control decisions. For instance, if access to an application outside business hours represents a greater risk, access policy can require a higher authentication assurance level when a user attempts to access the application in the evening. In this instance the authorization service returns a decision that requires the enforcing application to obtain an additional authentication factor from the user before a permit decision is rendered.
There are several desired characteristics of a dynamic authorization solution:
- Access control decisions are externalized. It is no longer necessary for access control logic to be coded into each application. Instead, when a user access request is received, the application sends a decision request to an external authorization service and receives a “permit” or “deny” in return, depending on the evaluation of the user’s request against the policies that have been established. The application still enforces the decision it receives; what it no longer owns is the decision logic.
- It is attribute based. Rather than relying on the more widespread role-based access control, a dynamic authorization service evaluates a user’s attributes, and also resource attributes, in real time, for example: ensuring a user is still on the board of directors when they access board meeting minutes. Context attributes can also be evaluated, e.g. permitting access only during business hours.
- Access control decisions are policy-based. Access control decisions in a dynamic authorization environment are determined via a set of policies, bringing consistency to access control decisions. With a central policy store the same policy can be used for multiple protected resources, so that granting access will no longer be dependent upon individual settings in isolated applications or databases.
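The three characteristics above, together with the step-up scenario described earlier, can be seen in a minimal policy decision point. The following is an added example written for this summary; it is not code from KuppingerCole or from any vendor in the Market Compass. The attribute names (“roles”, “classification”, “sensitivity”, “auth_level”), the rule names, the definition of business hours and the sample requests are all assumptions made for the illustration. The application (policy enforcement point) sends subject, resource, action and environment attributes to `decide()`, which evaluates one central policy set and returns a permit or deny together with any obligations the application must carry out, such as prompting for a second factor.

```python
"""Minimal attribute-based policy decision point (PDP).

Added example for this summary; not KuppingerCole's or any vendor's code.
Attribute names ("roles", "classification", "sensitivity", "auth_level"),
rule names and the sample requests are assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List


@dataclass
class Request:
    """What the application (policy enforcement point) sends to the PDP."""
    subject: dict       # user attributes, looked up at decision time
    resource: dict      # attributes of the protected resource
    action: str
    environment: dict   # context: request time, current authentication level


@dataclass
class Decision:
    effect: str                                           # "Permit" or "Deny"
    obligations: List[str] = field(default_factory=list)  # what the PEP must do
    matched: List[str] = field(default_factory=list)      # rules that fired


@dataclass
class Rule:
    name: str
    target: Callable[[Request], bool]     # does the rule apply to this request?
    condition: Callable[[Request], bool]  # if so, is its condition satisfied?
    effect: str                           # "Permit" or "Deny" when satisfied
    obligations: List[str] = field(default_factory=list)


def business_hours(when: datetime) -> bool:
    """Assumed definition: Monday to Friday, 08:00 to 17:59."""
    return when.weekday() < 5 and 8 <= when.hour < 18


def build_policy() -> List[Rule]:
    """One central policy set, reusable by every application that calls the PDP."""
    return [
        # Board minutes are readable only by someone who is a board member *now*;
        # the role is read from the subject attributes at decision time.
        Rule(
            name="board-minutes-for-board-members",
            target=lambda r: r.resource.get("classification") == "board-minutes",
            condition=lambda r: r.action == "read"
            and "board_member" in r.subject.get("roles", []),
            effect="Permit",
        ),
        # Risk rule: high-sensitivity data outside business hours needs a stronger
        # authentication level; until then the PDP denies and tells the PEP to step up.
        Rule(
            name="after-hours-high-sensitivity-needs-step-up",
            target=lambda r: r.resource.get("sensitivity") == "high"
            and not business_hours(r.environment["time"]),
            condition=lambda r: r.environment.get("auth_level", 0) < 2,
            effect="Deny",
            obligations=["require_step_up_authentication"],
        ),
    ]


def decide(policy: List[Rule], request: Request) -> Decision:
    """Deny-overrides combining with a closed default: no applicable Permit means Deny."""
    permits: List[str] = []
    denies: List[str] = []
    deny_obligations: List[str] = []
    permit_obligations: List[str] = []
    for rule in policy:
        if not rule.target(request) or not rule.condition(request):
            continue  # rule is not applicable to this request
        if rule.effect == "Deny":
            denies.append(rule.name)
            deny_obligations.extend(rule.obligations)
        else:
            permits.append(rule.name)
            permit_obligations.extend(rule.obligations)
    if denies:
        return Decision("Deny", deny_obligations, denies)
    if permits:
        return Decision("Permit", permit_obligations, permits)
    return Decision("Deny")  # nothing permitted it: closed by default


def scenarios() -> Dict[str, Decision]:
    """Constructed sample requests against the same resource and policy."""
    policy = build_policy()
    minutes = {"id": "minutes-2024-03", "classification": "board-minutes",
               "sensitivity": "high"}
    tue_10 = datetime(2024, 3, 12, 10, 0)   # a Tuesday, business hours
    tue_21 = datetime(2024, 3, 12, 21, 0)   # same day, after hours

    def req(roles, when, auth_level):
        return Request(subject={"id": "alice", "roles": roles}, resource=minutes,
                       action="read", environment={"time": when, "auth_level": auth_level})

    return {
        "board_member_daytime": decide(policy, req(["board_member"], tue_10, 1)),
        "board_member_evening_password_only": decide(policy, req(["board_member"], tue_21, 1)),
        "board_member_evening_after_mfa": decide(policy, req(["board_member"], tue_21, 2)),
        "left_the_board": decide(policy, req(["employee"], tue_10, 1)),
    }


if __name__ == "__main__":
    for name, d in scenarios().items():
        print(f"{name}: {d.effect} obligations={d.obligations} rules={d.matched}")
```

Two points are worth noting in the design. The “left_the_board” request is identical to the daytime request except for the subject’s current roles, and it is denied without any entitlement having been re-provisioned: the decision follows the attribute the moment it changes. The evening request is denied with an obligation rather than silently; the PDP never prompts the user itself, it is the enforcing application that acts on `require_step_up_authentication`, re-authenticates the user, and then submits a new request with a higher `auth_level`, which the same policy permits.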
Dynamic Authorization gives an enterprise the fine-grained control it needs over access to protected resources. All organizations should consider deploying DAM as part of their data-loss protection strategy.