Analyst Chat #166: Trends and Predictions for 2023 - Policy-Based Access for the Enterprise

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm the director of the Practice IAM here at KuppingerCole Analysts. My guest today for the third episode around trends and predictions running up to EIC 2023 is again Martin Kuppinger. He is one of the founders of KuppingerCole and the Principal Analyst. Hi Martin. Good to see you.

Hi Matthias, a pleasure to be here again.

Great to have you. And the aim for this episode is that people really just only want to go, and at least based on this, want to go to EIC because they want to learn more about policy based access control and why this is really a thing. So at the end of this episode you want to go there at least only for PBAC. So what is your opinion, Martin, when it comes to policy based access control being a thing in 2023 and beyond and really gaining traction, especially also in the enterprise?

Yeah, I think this is an area where I have a bit mixed feelings. So let me start with a couple of points. So the first, we had this idea, this idea is not new. We had discussions about ABAC, attribute based access control, which is actually an old term for a lot of things which come back in policy based access control or policy based access management. So we had it in the past and it didn't succeed as expected, as a lot of people in the industry hoped. We have, on the other hand, a strong uptake in policy based access controls, actually in two areas and one is very established, we don't think much about. This is, I think, very cost creating then, when it comes to authentication. So at the level of access management systems. And the other is when we go to the developer space and approaches such as OPA, open policy agent are facing a very significant momentum here. So developers love to work against this, [...] control, why are policies, what is allowed or not, so they can control the authorizations here. And this is gaining very significantly momentum. And then we have the dessert part and that is, we have a lot of systems with static entitlements. And when I look at sort of the root cause of a lot of the challenges we are facing in identity and access management, this very complex creation of role models, all the burden of recertification and the technical connectivity to assist us with setting up connectors in IGA, then they all go back to we have legacy systems, we have still a lot of systems that don't support any policy based approach but work with static entitlements. And so, it will not be easy to move forward. But at the end, I think we need to do more in policy based access. And by the way, if you set up your IGA system right, a lot of that will be already policy based.

I think one aspect that is often underestimated when it comes to policy based access is the creation of birthrights. This is roles, but this is the assignment of roles based on well-defined policies. So that can also change over time. It's not only birth, it's only also growth. So the mover process is included in that as well.

I even do disagree here already. I would disagree. I am absolutely with you when it comes to birthright, and I’m with you when it comes to policies. But saying, this this roles, to my understanding is not correct.

It's access.

It may help in creating birthright policies to have roles. And I never will say that roles must go fully away when we think about policy based access control, they are, so to speak, one attribute But saying, this is about roles, I would definitely disagree with that because it's about, the key part is about policies, where you say, I have a policy that controls the entitlements that are assigned. They may come in form of roles, where a role factually is a combination of entitlements, but a role usually also is a bit bigger than just a set of entitlements in some way. You could say, okay, a role is nothing else than a set of entitlements, but usually there’s a broader context behind the role. And so I think we can work with different constructs here. At the end, the main point is, yes, it's about policies and if you set up your IGA system right, then 80 - 90% of their entitlements someone has, should come via birthright entitlements or in the mover process when you change the things, should come again in automatically.

Absolutely. I think that is a transition scenario that we can look at, keeping with still working entitlement models while moving towards policy based access and finally, hopefully getting rid of the transition phase with such large role concepts being involved. And I think when we talk about moving towards PBAC in the enterprise, we need to have these transition scenarios because roles are well understood, they are well understood when you are highly regulated, this is something that auditors can easily look at, they understand that. But nevertheless, what you described before is totally true. So there needs to be, as I said, a transition phase and a transition period to enable the enterprise for the employees towards PBAC.

But honestly, I talked to a couple of high ranked auditors in the past about this subject, and none of them said, we must have roles. What they want and... no regulation says, you need to have rules in place. There's nothing in any regulation that talks about roles and says you must do it that way. What they say is, you must enforce the least privilege principle and that can be done in different ways and auditors are open to that. So we shouldn't come to a point where we say, Okay, because the auditors have been asking for least privilege and they usually look for role concepts or so, and for some recertification, we do it exactly that way. I think this must not hinder an evolution. And yes, we can talk about governance, at the end, governance in policy based systems, and that that brings a new level, or a different level of complexity. So, currently, our level of complexity stems from the fact that we say, okay, we need to ensure that static entitlements, and that's what we are talking about here when it comes to recertification, it’s reviewing static entitlements and we shift to reviewing policies. So are the policies correct? So we need policy lifecycles, like we should have role life cycles in a well-designed system. So we should have usually an approval of rolls, we should have workflows, we should have a transition of responsibility, of ownership, as it is frequently called. And we need to have similar lifecycles for policies and the other point is that policies make their decisions at runtime based on attributes, and that means the data used in decision making also must be in a good state. So we need some sort of data governance here to ensure that decisions are made on correct data. This is the other level of complexity. I believe, we just recently talked in a podcast about this ownership or chain of custody thing. So about we need to also control data governance, we need to implement data governance properly, in the IGA context as well, and in conjunction with IGA. And this is definitely very important if we want to be successful with policy based controls. So clearly areas where we can use policies way simpler for authentication in access management systems, we already do this very frequently. We have the policies that say, okay, if you have a weak device, then you can do that, if you do a highly risky transaction, you need a [...] authentication, etc., are all well-established, bring in [...] and other factors here. For authorization, in modern systems with OPAs, straightforward and you develop it, and the developers of today of digital service, they love this idea. To work against something where you just say, authorize or not and get a response on that. We probably can extend some things, when you think about a future of 0Auth, which probably would be a separate task, but if you look at open banking, APIs have a bit of more fine grain approaches and scopes in 0Auth and we can move in that direction. The big challenge always will remain with the legacy systems. How do we handle the systems that still live with static entitlements or that still are newly created with concepts that are based on static entitlements? I think hopefully every developer of a commercial off-the-shelf software and a SaaS service gets away from that and moves to policy based access control at least as an option. I think it's truly one of the biggest challenges, that too many systems are built with outdated concepts, relying on static entitlements in place.

But as you said, the changes under way, there is no turning back from this evolution that we are currently looking at. The way is, how do we shape it, how do we shape the transition and how do we make sure that enterprises really make the right steps at the right time? And you said, we need to talk about this and we will talk about that at EIC and there will be tracks around policy based access control, about modernizing authentication and authorization processes, especially for the enterprise, for legacy systems as well. So this is a discussion that we will continue and we need to make sure that also our audience listening to this episode, but also maybe joining us digitally or in person in Berlin for the EIC, learn the right content, talk to the right people who do standardization, who make products, who do the implementation within enterprises, who support them in the strategy. That's us. And really make sure that they take the right steps. What would be your recommendations to look at, at EIC when it comes to policy based access control, where's the beef when it comes to talking policy based access?

So I believe that we have a few sessions here. I really would need to check for them. And, aside of that, I think it's really a matter of conversations, how can we make it work and how can we sort of overcome some of these challenges, and how can we specifically leverage the potential of policies? The charming point is, a policy always has the same construct. It's a subject, it is granted to take actions on certain objects under certain constraints. And these policies have always the same structure regardless of where you use them. So if we do it right, also from a management perspective, we can derive lower level policies. What does a high level policy mean concretely for our technology aspect? I think we can derive it and I think we need to talk a lot at EIC about, what is the potential of such policy based access approaches, because they can be a unifying element across all these different areas, from new digital services to authentication systems to handling authorization, and then we need to look also at zero trust network, or zero trust, not zero trust network only, but zero trust. Zero trust heavily builds on policies. If you look at a NIST concept for zero trust, the policies are at the core. And if we do it right, I strongly believe we can map the identity perspective of policies to a zero trust perspective. Policies come up with a more unified policy system, that so to speak, is the one, to rule them all.

Absolutely. And I think you're perfectly right. There will be lots of interesting sessions around policy based access. But talking to practitioners, maybe also talking to standardization people who make sure that what you just mentioned, the translation of a single policy towards different contexts and then reusing them once built and then reused in various contexts, that is really where the beauty will be, and that is where we should continue our discussion.

Yes. And the industry should be aware, so the vendors, the creators of software that they are lagging behind the demand. So when we look at what we get in from our customers, then the demand is higher than what the industry delivers. So it's time that the industry really rethinks and just to be clear, if you create something which is heavily relying on static entitlements still and doesn't allow at least alternatively for policy based access, then it's not a good software design anymore.

And then again, that is where also EIC really can show its strengths. Making your voice heard as an enterprise, as a standardization body, as a user of the systems at the end to make sure that we really need this functionality, make sure that there are standards, make sure that there are products that we can really use in our transition. Thank you very much, Martin, for joining me for this discussion, for highlighting the policy based access finally really being there, not going away. This is no longer XACML from five or ten years ago. This is here, this is there. And that needs to be well-established and it will start and it will continue at EIC. Thank you very much, Martin, and looking forward to another episode with you.

Thank you for having me here.