Attribute-based Access Control and Dynamic Authorization

The number of digital properties, identities and interaction points the typical enterprise must manage has exploded in recent years. As more and more customers rely on the internet to make purchases, manage financial transactions and exchange sensitive data—both for business and for personal convenience—the amount and types of customer data you must protect have also grown exponentially.

Your ability to support new digital initiatives and use cases is an urgent priority. But you must also be a good steward of the customer data being gathered, stored and used. This presents new challenges and risks.

As the pace of digitalization accelerates, customer data often ends up spread across different applications and directories. It’s also being accessed by more people and in more ways than ever. This puts both your data at risk of cybersecurity vulnerabilities, including internal threats, and your enterprise at risk of regulatory compliance violations.
 

Dynamic authorization can evaluate any data at your disposal, and make real-time decisions to authorize to data, high-risk actions. It can enforce authorization around APIs at data stores, APIs, or elsewhere with out heavy modifications to code.
 

It also inhibits your ability to be agile and responsive to shifting business priorities. When your customer data is spread across applications and directories, you can’t quickly or easily take the actions needed to support the pace of business growth.

None of these risks are acceptable given today’s growing cybersecurity threats, complex regulatory landscape and competitive business environment. Nor are they risks you need to take.

If you’ve been relying on authorization policies that are inflexible or were hastily assembled, or are managing customer data spread across different apps, you can minimize and even mitigate the risks with attribute-based access control (ABAC) and dynamic authorization.

Read on to gain a better understanding of:

• The challenges you must overcome to protect your customer data
• The risks of continuing to rely on role-based access control (RBAC)
• How ABAC and dynamic authorization help you increase security, compliance and agility

Highly publicized and brand-damaging data breaches are evidence of the challenges of securing customer data. With a growing number of employees and external partners requesting access to data, not to mention the rise in data protection regulations like GDPR, HIPAA, GLBA, CCPA, PSD2 and CDR, your ability to govern that access to sensitive data and decide when to authorize high-risk actions is both increasingly complex and even more critical to get right.

But it’s difficult to ensure security and regulatory compliance, let alone ensure a good customer experience, given the many apps involved and the number of people and processes required to make needed changes and updates.

Managing Policy Changes Across Applications is Risky and Time-Consuming

Let’s say there’s an update to a regulation that must be made or a new security initiative you must support. You’d first have to identify the authorization logic silos within the code of each app, the person or people who can modify this code, then convince them to prioritize making the needed changes.

Depending on how many apps are affected, this process alone could take weeks or months. Even if you’re successful in identifying all of the places where changes are needed and all of the individuals responsible for making them, you can never really be sure those changes were applied correctly or consistently across every app.

Responsibility for Policy Decisions Needs to Lie with Those Best Suited for the Job

Aside from the security and compliance risks, there are also many stakeholders who would like to have a say in data access policy decisions, as well as many different types of users accessing the data. Because the data is managed in disparate data silos, it’s typically managed by various teams throughout your organization.

These familiar business realities make updating, auditing and managing authorization tedious and slow at best. Additionally, it raises questions about who should hold responsibility for managing data access policies.

Customer data access and authorization decisions are driven by three key forces: data privacy regulations, enterprise security concerns and customer experience requirements. Specific business functions have accountability for these areas. So it only makes sense that ownership for individual rules and policies should be transferred back to their respective business functions.

Delegating Administration Shouldn’t Mean Relinquishing Control — And It Doesn’t Need To

But you can’t relinquish all control either. You need to maintain governance over data access, but it’s extremely challenging if not impossible to do so without a single source of truth about what authorized access entails. If only you could maintain centralized oversight while also delegating individual policy administration responsibilities to those best suited for the job. You can do both with attribute-based access control and dynamic authorization.

The National Institute of Standards and Technology (NIST) recognizes ABAC as a better alternative than role-based access control (RBAC) for enterprises who must accommodate diverse business cases while ensuring security and protecting against cyber threats. ABAC provides the flexibility to accommodate permissions for different users, environments and conditions, while centralizing control of permissions.

The Risks & Limitations of Role-Based Access Control

Many organizations still employ RBAC alongside LDAP user authentication systems to manage data access and authorization. As the name implies, RBAC enables access to resources or information based on user roles. These roles might be defined by job titles, departments, locations and/or specific duties and responsibilities.

RBAC can be a fine option for simple, static logic. For example, if you want to ensure only those employees in the marketing department and with management responsibilities have access to marketing tools, RBAC enables this control. Beyond that, however, RBAC falls short of providing the fine-grained data access governance and authorization you need to safeguard customer data in today’s complex digital business and IT environments.
 

No matter how well roles and group memberships are defined and managed, RBAC requires reliance on the applications themselves to make decisions on what a user can or cannot do. The approach is risky because it relies on the user’s role as the only context for access decisions. You could theoretically apply other contextual data, like geolocation, device or consent preferences to RBAC to address this vulnerability, but doing so is costly and time consuming.

ABAC: Modular, Flexible and Centrally Managed Access Control

ABAC solutions provide a much more flexible approach to authorization decisions, allowing additional information (aka attributes) to inform policy decisions. By moving beyond roles, ABAC allows the use of granular attributes, including contextual attributes, to authorize an individual’s access.

A key principle of ABAC is the abstraction of business logic from the applications that consume it. It’s no longer desirable to have hard-coded, static logic inside each of our applications and distributed and duplicated across our enterprise. Dynamic authorization recognizes that attributes alone are no longer enough, and context can help us make better access decisions.

Supercharge ABAC with Dynamic Authorization

Dynamic authorization is a specific type of ABAC that is more precise and fine-grained. It assembles the key data attributes that need to be considered at the time of the transaction and evaluates the validity of the access request in real time. This is in contrast to many ABAC solutions which can ingest any attribute but require outside logic to aggregate and send attributes to the solution.

While in both cases, the criteria for evaluating the validity of the transaction is captured in centralized policies, the addition of dynamic authorization helps ABAC solutions go the extra mile by creating user-friendly interfaces that make it quick and easy for business users to build and test policies by layering attributes and ultimately ensure the right people have access to the right resources under the right circumstances.

Having a centralized management solution that enables delegated access control has become a key enterprise requirement, providing policy-based, fine-grained and dynamic authorization for actions and data protection. You’re able to enhance security, quickly react to business changes and regulatory requirements and build the foundation upon which exceptional customer experiences are built.

With dynamic authorization, you can:

• Enforce customer data-sharing consent for regulatory compliance
• Protect data accessed through data stores and APIs
• Enable new digital business initiatives
• Centralize data access governance control
• Externalize policy administration to business users instead of developers
• Govern access to entire resources or individual attributes
• Provide delegated resource management

A fine-grained dynamic authorization solution gives you the ultimate in flexibility and customization. You can enable centralized authorization policies that evaluate identity attributes, entitlements, consents and additional contextual information to authorize critical actions and the retrieval of high-value data.

Companies across industries are using dynamic authorization to determine which data is exposed, to whom it’s exposed and how. You can rely on dynamic authorization to make better, more secure access decisions for your customers, employees and partners, as well as give your customers control and insight into how their data is being accessed. Here are just a few examples of dynamic authorization use cases.

Healthcare

Healthcare workers often share computer systems as they go from room-to-room treating patients and enter information at the nurses’ station. With a dynamic authorization solution, you can restrict sensitive data on these shared systems so it isn’t accessible to those who shouldn’t have access to it.

Telehealth became critical during the pandemic and will continue to grow in popularity. Dynamic authorization lets you restrict provider access to only the patient data and PHI needed for a particular appointment.

Manufacturing

There are often many internal and third parties who need access to certain portions of intellectual property, but don’t need access to everything. Dynamic authorization lets you govern what they can see using fine-grained controls vs. only role-based ones. For instance, you may have several contractors working on multiple projects. Though they share the “contractor” title, their access needs are different. Dynamic authorization lets you ensure they have access to everything they need, but nothing they don’t.

Higher Education

Dynamic authorization policies give you the ability to restrict access based on how a user is currently using the systems. For example, let’s say Jim Baker is both a faculty member and a student. You could create a policy that lets Jim access the grades and personal data of students in his classes, while restricting him from accessing that data for his classmates, even if he’s signed in as a faculty member.

Financial Services

As banks deliver services across the web and mobile, transactions must be dynamically assessed to prevent fraud, and dynamic authorization provides these capabilities. Depending on the activity and risk involved, dynamic authorization can assess whether a transaction should be permitted, denied or elevated to require multi-factor authentication. For example, you may not require customer MFA to check a bank balance, but you would require it to set up a new bill payment. You might also use dynamic authorization to restrict a loan officer to accessing only the customer information required to evaluate and approve a loan application, but nothing else about that customer.

Many financial services organizations are opening their APIs and customer data to third parties either because of regulations like Open Banking or to enable new business initiatives. But customer consent must be given before that data is shared. Dynamic authorization lets you give customers granular control over their data so you can meet the internal compliance or regulatory requirements, or even exceed them to deepen customer trust and create competitive advantage.

Across industries, dynamic authorization addresses the needs of several key stakeholders. From CROs to customers, dynamic authorization provides distinct advantages.

Chief Risk Officer

• Enable risk, and fraud teams to move faster by controlling the access that all digital application teams and channels have to customer data.
• Base logic on consent, attributes or any other data at your disposal, and update it in seconds with an easy-to-use drag-and-drop UI.
• Use all of the risk sensors needed to safeguard your transactions, whether those risk sensors sit in internal systems or on cloud-based services.

IT Leaders

• Centrally control access to critical data and actions across your enterprise.
• Delegate control to the business or others where appropriate; logic can be updated in seconds without requiring app teams to change code.
• Free the business from dependency on software release cycles.

Business Executives

• Increase agility to quickly launch applications, react to market changes and embark on new business initiatives, without sacrificing regulatory compliance or security.
• Free yourself from dependency on IT’s software update cycles.
• Make the changes needed to continually deliver exceptional customer experience while maintaining security and compliance.

Customers

• Deliver the type of convenient and frictionless customer experiences they expect.
• Provide them with full control of their data and preferences, including setting transaction limits, defining timeframes for consents to remain valid, managing permissions for third-party access and more.
   

The pace of change won’t slow down anytime soon. As organizations face increasing regulatory pressure, new security threats and growing competitive pressure, your ability to quickly respond and adapt to shifting business priorities is more critical than ever.

By making the switch to fine-grained and context-aware authorization models, you gain the capabilities needed to be increasingly agile without taking on additional risk. When you’re able to centralize data access governance and control while delegating policy administration to business users, you gain a whole new level of flexibility and confidence. You can:
 

• Improve security by protecting sensitive actions and data accessed through data stores and APIs
• Ensure compliance by streamlining management of data privacy and consent
• Increase agility by enabling new digital business initiatives
   

#3571 | 04.21 | v04