+

Dynamic Authorization: Separating the Fact from the Fiction

While it is predicted that “by 2020, 70% of enterprises will use Attribute-Based Access Control (ABAC) to protect critical assets” (Gartner), a lot of confusion still lingers around what exactly an organization can expect to get out of ABAC, or Dynamic Authorization.

A quick refresher:

Dynamic Authorization: Dynamic authorization is defined as a service that externalizes access control decisions to a decision point that interrogates an information point, typically a directory, to determine a user’s access rights based on a centrally-managed policy.

ABAC: Attribute Based Access Control, defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. The policies can use any type of attributes (user attributes, resource attributes, object, environment attributes etc.). Rules contain “IF, THEN” statements about who is making the request, the resource, and the action. For example: IF the requester is a manager, THEN allow read/write access to sensitive data.

Now that we’ve clarified the terms we’ll be using in this blog, let’s dive into some common misconceptions about Dynamic Authorization and ABAC.

  1. “Using Dynamic Authorization will strongly hinder my system performance.”

A major concern from development teams is the performance of their systems. It seems like every time you introduce someone new to ABAC, and launch into a conversation about “a centralized server”, the conversation quickly halts to, “Woah, is this going to slow things down?” In short, the answer is no. Axiomatics’ decision engine typically adds a minuscule amount of latency (single digit milliseconds). We also have established best practices for optimizing performance and scalability for the entire authorization infrastructure.

  1. Dynamic Authorization requires a customer to consolidate their authentication.”

Externalized Authorization is a compliment to authentication and can be added even if you are already using multiple login credentials. Further, Axiomatics can enforce the use of stronger authentication credentials when accessing critical or sensitive resources and transactions.

  1. My developers can just write their own access control code when building the application.”

Maintaining logic built into an application is exponentially more costly and inefficient. In addition to the up-front developer cost when creating the application, the ongoing costs for making changes in the future can be quite significant.

  1. “Roles and group lists are all I need for access control in our custom built applications.”

Dynamic Authorization frees up your development team to focus on key initiatives and eliminates the need to write many extra lines of code to deal with complex access requirements.

In addition, your application may not have all the needed context available to properly make authorization decisions – for example, the externalized authorization service can connect to almost any data source that provides additional user or resource context.

If you’d like to learn more about the key benefits of Dynamic Authorization, be sure to check out our new White Paper: Why Externalized Authorization? 

Related Articles

Meeting today’s dynamic authorization and access challenges: The Axiomatics story | Dynamically Speaking
Dynamically Speaking
For more than 15 years, Axiomatics has worked with companies worldwide to define and deliver solutions to the most complex authorization and access challenge. In...
Getting started with Zero Trust using dynamic authorization | Dynamically Speaking
Dynamically Speaking
Zero Trust. It’s everywhere. It’s a methodology that’s been around for years, and we are now seeing a significant uptick in the number of enterprises...
The case for dynamic authorization in banking and finance
Attribute Based Access Control (ABAC)
More than other organizations, banks, and financial institutions face the highest levels of scrutiny when it comes to how they protect critical assets and sensitive...