
Internal Considerations

Topics to reflect on internally when considering a new product or solution.

Architectural Considerations

Deployment

PBAM solutions can be deployed as SaaS (Software as a Service) or on-premises. Solutions in the market support various deployment models, depending in part on whether they are modern or established PBAM solutions. The adequate deployment model also depends on the use cases that must be supported, with SaaS deployments being the strategic approach.

Integrations and interoperability

The major inhibitor to widespread adoption of PBAM is integration into applications and services. While this is straightforward in modern application development, existing applications and services must either support standards such as XACML or provide APIs for integrating with PBAM services. While some types of services, such as API gateways, commonly support such integration, it is rarely found in COTS (Commercial Off-the-Shelf) applications, or even in SaaS services.

Pre-deployment Considerations

Where are PBAM approaches already in use?

While there are many use cases for policy-based access controls and many applications implement such approaches in a proprietary way, the strategic move towards PBAM requires a thorough analysis of where such approaches are already in use and whether they can be integrated into centralized PBAM concepts.

Which areas are ready for PBAM implementation?

Related to this, an analysis of whether and where PBAM could already be used is required. This also requires investigating potential workarounds and custom integrations, such as centrally managing attributes and custom policies via APIs. This analysis is also required for understanding the potential of a staged shift towards enterprise-wide PBAM.

Do you have a PBAM strategy and concept?

PBAM is a powerful concept, but also a complex one. It is already found in multiple areas of IT, and further support and evolution are expected. To avoid a sprawl of PBAM silos, a holistic approach is required. Organizations are well advised to develop a PBAM strategy and architecture first, with a focus on multi-speed deployment of PBAM based on the readiness of the various target environments for different use cases.

Do you have organizational alignment for PBAM?

With an enterprise PBAM approach spanning a wide range of use cases and impacting many different applications and systems, there needs to be organizational alignment for PBAM, specifically with respect to policy management and policy governance. While policy management is distributed, policy governance requires a centralized approach.

Do you have a Data Governance approach in place?

Policy decisions rely on both the policies and the information used in the decision process. This information is provided either as context to the request or derived from other systems, the PIPs (Policy Information Points). Data Governance is required for PIPs to ensure that reliable information is used in decision making.