Dynamic Authorization: Separating the Fact from the Fiction

While it is predicted that “by 2020, 70% of enterprises will use Attribute-Based Access Control (ABAC) to protect critical assets” (Gartner), a lot of confusion still lingers around what exactly an organization can expect to get out of ABAC, or Dynamic Authorization.

A quick refresher:

Dynamic Authorization: Dynamic authorization is defined as a service that externalizes access control decisions to a decision point that interrogates an information point, typically a directory, to determine a user’s access rights based on a centrally-managed policy.

ABAC: Attribute Based Access Control, defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. The policies can use any type of attributes (user attributes, resource attributes, object, environment attributes etc.). Rules contain “IF, THEN” statements about who is making the request, the resource, and the action. For example: IF the requester is a manager, THEN allow read/write access to sensitive data.

Now that we’ve clarified the terms we’ll be using in this blog, let’s dive into some common misconceptions about Dynamic Authorization and ABAC.

  1. “Using Dynamic Authorization will strongly hinder my system performance.”

A major concern from development teams is the performance of their systems. It seems like every time you introduce someone new to ABAC, and launch into a conversation about “a centralized server”, the conversation quickly halts to, “Woah, is this going to slow things down?” In short, the answer is no. Axiomatics’ decision engine typically adds a minuscule amount of latency (single digit milliseconds). We also have established best practices for optimizing performance and scalability for the entire authorization infrastructure.

  1. Dynamic Authorization requires a customer to consolidate their authentication.”

Externalized Authorization is a compliment to authentication and can be added even if you are already using multiple login credentials. Further, Axiomatics can enforce the use of stronger authentication credentials when accessing critical or sensitive resources and transactions.

  1. My developers can just write their own access control code when building the application.”

Maintaining logic built into an application is exponentially more costly and inefficient. In addition to the up-front developer cost when creating the application, the ongoing costs for making changes in the future can be quite significant.

  1. “Roles and group lists are all I need for access control in our custom built applications.”

Dynamic Authorization frees up your development team to focus on key initiatives and eliminates the need to write many extra lines of code to deal with complex access requirements.

In addition, your application may not have all the needed context available to properly make authorization decisions – for example, the externalized authorization service can connect to almost any data source that provides additional user or resource context.

If you’d like to learn more about the key benefits of Dynamic Authorization, be sure to check out our new White Paper: Why Externalized Authorization? 

Other Blogs

3 keys to re-evaluate your authorization management
On May 27, I had the pleasure to join the KuppingerCole KCLive event with several industry peers in a panel discussion about  “Enabling the Future...
How OAuth is related to Attribute Based Access Control
What is Authorization? Authorization, also referred to as Access Control, is the process that follows authentication (which checks your identity and ensures that you are...
Modern Enterprise Authorization Management System
Gartner has an interesting article titled “Modernize Your Runtime Authorization” that highlights some aspects you need from a modern enterprise authorization systems. Over the years...