Analyst Chat

Analyst Chat #124: Market Compass "Policy-Based Access Management"


Shortly before EIC, Graham Williamson and Matthias sat together virtually and discussed the recent publication of the Market Compass on "Policy Based Access Management". In this episode Graham gives a great introduction to this evolving market segment and talks about hybrid and cloud-native use cases. They also hint at several sessions on policy-based and cloud-native access control at EIC, so for those interested in learning even more about modern authorization, either the Market Compass itself or the EIC recordings are perfect starting points after listening to or watching this episode.

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm Lead Advisor and Senior Analyst with KuppingerCole Analysts. My guest today is Graham Williamson. He joins us from Australia, working with us for KuppingerCole in Asia-Pacific. Hi, Graham. Good to see you.

It's good to be here Matthias. Thank you.

We're talking today because you've just recently completed a research document, a Market Compass, about Policy Based Access Control. What was it exactly, and what was the market segment that you were looking at?

Okay. It was actually an update of a Policy Based Access Control document that I did a couple of years ago. We looked at a variety of names, and we decided on Policy Based Access Management because it's a bit more than just control. We need to actually manage our identities and manage our identities' access to the various resources that they should have. So it's PBAM, and it's a Market Compass. It looks at a number of vendors in the space and gives a write-up on each of them.

Right. So when you say it has changed from the first edition, which you did previously, to the most recent edition, what has changed? You say that the management component has been added. We see Policy Based Access Control and Management especially in the Zero Trust area. Has that been reflected in that market as well? Is it growing?

Absolutely. Absolutely. The biggest change is the move to cloud. Back two years ago, we focused on Policy Based Access Control, and this is having a policy based approach to our access control, as opposed to the rules based approach which most organizations use, to improve our cyber security. We worked to get to a policy based mechanism so that we have fine-grained access control to our resources and so that we can also have a consistent policy across the organization. So rather than individual applications putting together their own access control policy, we want a consistent one across the organization. Policy Based Access Control allows us to do that. A standard Policy Based Access Control system would have a decision point, the policy decision point. It would have a policy enforcement point at each resource. It would have a policy information point, which holds the identity and attribute information that we need in order to make access control decisions. And then it would have an administration point, which allows you to administer the lifecycle of the policies, the access control policies. The standard back two years ago was XACML, and we were very comfortable in that sort of environment. What really surprised me is what's happening now with increased cloud migration. If you look at the stepping stones, if you like, to a cloud deployment, many companies start with what is derogatorily called "lift and shift". You take your application from on premise and you put it in a VM on cloud infrastructure, but that's only the first step. What most organizations then realize is that if they move to a more cloud native process, which means I'm taking my application and designing it specifically for cloud deployment, I can reduce my costs and I can improve my agility. So we take our application, we divide it into its component parts, and we have these individual containers that are giving access to the specific functionality we need for our application.

That means that each container now needs access control. And very soon you find that a standard approach to Policy Based Access Control is found wanting, because now what we need is an agile approach. We need a microservices approach, where we have a service that is stripped down to its bare essentials and can be deployed at the point where the application is making the decision. We can't afford, in the cloud native environment, the latency of having a decision coming from a centralized decision point at some remote place. We've now got to put our policy decision functionality at the point at which the application container meets that decision. So it became very much... I learned an awful lot in doing the report, because I could see how we need to make those changes within the organization to accomplish the agility that the cloud native approach provides.

Right. But the beauty of policies lies in the fact that you can design one policy that should be applicable on premises and in the cloud. Do the solutions that you've looked at also make sure that there is centralized management, but the decision is made wherever it is required?

Absolutely. What the solutions do is provide that central place for the policies to be created, modified and, when they're no longer needed, removed, but the actual system now looks after the deployment. So the beauty of it is that the developer no longer needs to know "I now want to put that little solution for an API at that point in that particular cloud service"; the solution does that. All the developer needs to do is say, "Oh, OK, we're going to now add this component to our policy." So, for instance, say I have a policy that provides access to a text editor for my journalists. OK, well, now I want to add to that policy. Now I want to say, well, that's only Monday to Friday, OK, because we want to avoid any potential issues we might have on the weekend. So I'm now going to add a context variable to my policy, the policy that I'm designing. As soon as I've done that, I just have to press publish, and now the platform feeds that policy, or decision, to wherever it's needed within my cloud native environment. So it does provide that control, if you like, and the ability to manage deployments in a cloud native environment.

So that really sounds like a more modern approach to managing entitlements in general. If we look at the market, has it grown? Are there new players in the field? And what has happened when you look at the individual vendors?

The market's grown exponentially over the last two years. We have vendors that basically, you know, because there wasn't the cloud native requirement so many years ago, as that requirement has come up, and especially as it is being driven by the market, the market is saying we can't afford a monolithic cloud deployment because it costs too much and it doesn't scale. What we need to do now is move to a containerized or microservices environment in order to get the agility that we need in our deployments. As soon as you say that, the standard approach that we were quite happy with two years ago is found wanting. So we have no choice but to move into a situation where we are using a modern Policy Based Access Management solution.

Right. So, as I've mentioned already, this Market Compass has just been published. If anybody's interested, please go to our website, kuppingercole.com, and look for PBAM, as you said. The acronym should lead you to the right document. And there's EIC coming up. Will there be some sessions around that topic as well?

Absolutely. Yes. We are going to be addressing the whole cloud native topic, this one thread that follows cloud native deployments. And I would encourage people that are interested in this to attend, because it will introduce you to this whole migration that's happening, and it doesn't stop just at microservices. What we're seeing now is organizations saying, what's happening in our environment is that we now have multiple applications that need the same access control policy applied to them. So what we're doing is putting a service mesh in place. Any application working in that environment will now access the authentication services that are part of the service mesh.

Really interesting. So it's not only technology; it's really also making sure that the whole organization is prepared for dealing with this slightly modified approach to doing entitlements.

Well, can we just enter into a little bit of a philosophical discussion for a minute? It really means a significant change for your organization, because we're moving away from the environment that we were happy with, where, you know, some type of entitlement group was managing my policies for my applications, and that was fine. But as soon as we have developers doing this, and they are actually doing the development of the policy and deploying it, we have a different environment. And what I'm seeing is a sort of shift from a CIO type of IT organization managing this through to a CISO organization. The developers, they trust CISOs. So the CISO is setting the security requirements for my cloud environment, and they're much happier in that situation. So what we're doing is sort of leaving what we were all happy with in terms of our IT and IAM development and moving it into more of a cloud environment, where we have to change our operation. Obviously the people that do entitlements need to be there. The application owners should be part of those decisions. The developers, obviously, and the DevOps people, particularly the SecOps people, all need to be part of coming up with and making sure that we have a secure policy environment that satisfies the resources that we're protecting.

Right, and we should not ignore this one elephant in the room: regulators and audit. They are usually used to understanding what roles are, what recertification is, and what runtime access based on previously administered access means. Are the solutions capable of providing the same level of evidence? And are auditors happy with that as well?

Yes, we have exactly the same governance requirements as we've had before, and the solutions are all providing governance capability and audit capability. And you mentioned recertification. That sort of functionality is built into these systems as well. But it's a little bit different, because now we're dealing with multiple microservices, but it's basically making sure that the approvals that are required are part of that. And you can build those approvals in real time if you want. So if somebody is trying to access a particular resource, the policy can be told, no, we've got to get approval for that. So that can be done in real time if you wish. These controls are in place, and governance is very important when you come to a policy based access system.

Great. That really sounds interesting, and I'm sure that I will read your document. I highly recommend that our audience reads it. Thank you very much, Graham, for being my guest today. Please all head over to kuppingercole.com for the document, and I'm looking forward to talking to you very soon, especially about that very interesting topic.

Sounds good. Thanks, Matthias.

Thank you. Bye bye.