1 Introduction
Whenever there is a conversation about the Digital Transformation and its effects on modern businesses, it inevitably leads to a discussion of security risks and the many scenarios in which cybercriminals can compromise corporate “crown jewels” – the sensitive information a company’s core business depends upon. However, many of those data breaches happen not because of a particularly sophisticated cyberattack, but because access to this information is managed weakly and inconsistently.
Access Management refers to technologies and processes that determine which users can access which resources (systems, applications or data sources). Authentication technologies (that is, means to validate whether a user is really who they claim to be) have evolved dramatically in recent years, going from passwords to biometrics, multi-factor, and risk-based solutions. However, authorization (the process of determining whether a user should be allowed to perform a specific operation or access particular data) has not enjoyed the same level of attention.
Unfortunately, many organizations still see authorization as a job for IT or, even worse, for the specific team behind a particular application or database. This leads to implementations that are largely inconsistent and disjointed, lack alignment with existing business processes, and are often too inflexible to adapt to constantly changing market requirements. On a strategic level, authorization becomes a hurdle for developers and users, inevitably leading to compromise decisions and security gaps.
As modern enterprise IT infrastructures become more complex and heterogeneous, distributed across multiple environments (on-prem, cloud, SaaS, mobile, etc.), the need for consistent, secure, compliant and, last but not least, convenient access management becomes even more apparent. In the end, every decision to grant or deny a user access to a resource is part of a business process and thus a decision for company management, not IT. Unfortunately, despite notable standardization efforts, including the eXtensible Access Control Markup Language (XACML) for fine-grained attribute-based access control and the OAuth 2.0 framework, popular for managing access to web applications and APIs, most applications do not share or integrate their security models.
This means that access control policies have to be defined on a per-application basis, and most businesses have never evolved past the simplest role-based coarse-grained access policies to their IT systems. On the other hand, existing enterprise-wide security policies, which are written in business, not IT terms, are usually difficult to consistently translate into technical measures.
PlainID is a privately held vendor of authorization solutions headquartered in Tel Aviv, Israel. Founded in 2014, the company has pioneered the concept of Policy-Based Access Control (PBAC), a modern approach that unifies static roles with dynamic attributes for more flexible and granular access control policies. KuppingerCole reviewed PlainID’s solution back in 2017, but major additions to the company’s authorization platform in 2019 warrant another look.
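To make the difference between the coarse-grained role-based policies described above and a policy-based model concrete, the following Python snippet is an added illustration written for this review; it is not PlainID’s code or data model. It evaluates the same request twice: once against a plain role-to-action table, and once against policies that combine the static role with dynamic subject, resource and environment attributes. The policy names, attribute keys (`department`, `classification`, `device_managed`, `hour`) and sample requests are constructed for the example; the deny-by-default, deny-overrides combination is borrowed from the XACML combining algorithm of that name.

```python
"""Minimal policy-based access control (PBAC) evaluator (constructed example)."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Set

Attrs = Dict[str, Any]
# A condition looks at (subject, resource, environment) attributes and says yes/no.
Condition = Callable[[Attrs, Attrs, Attrs], bool]


@dataclass
class Policy:
    name: str
    effect: str                 # "permit" or "deny"
    roles: Set[str]             # static part: subject must hold at least one of these roles
    actions: Set[str]           # actions this policy speaks about
    conditions: List[Condition] = field(default_factory=list)  # dynamic part: all must hold

    def applies(self, subject: Attrs, resource: Attrs, action: str, env: Attrs) -> bool:
        if action not in self.actions:
            return False
        if not self.roles & set(subject.get("roles", [])):
            return False
        return all(cond(subject, resource, env) for cond in self.conditions)


def rbac_decide(subject: Attrs, action: str, role_permissions: Dict[str, Set[str]]) -> str:
    """Coarse-grained RBAC: a role maps to a fixed set of actions; nothing else is considered."""
    for role in subject.get("roles", []):
        if action in role_permissions.get(role, set()):
            return "permit"
    return "deny"


def pbac_decide(policies: List[Policy], subject: Attrs, resource: Attrs,
                action: str, env: Attrs) -> Dict[str, str]:
    """Deny by default; deny-overrides: one applicable deny beats any number of permits."""
    applicable = [p for p in policies if p.applies(subject, resource, action, env)]
    if not applicable:
        return {"decision": "deny", "reason": "no applicable policy"}
    denies = [p.name for p in applicable if p.effect == "deny"]
    if denies:
        return {"decision": "deny", "reason": "deny-overrides: " + ", ".join(denies)}
    return {"decision": "permit", "reason": ", ".join(p.name for p in applicable)}


# --- constructed sample policies and requests (not from any real deployment) ---
POLICIES = [
    Policy(
        name="analysts-read-own-department-reports",
        effect="permit",
        roles={"analyst"},
        actions={"read"},
        conditions=[
            lambda s, r, e: s["department"] == r["owner_department"],  # same department
            lambda s, r, e: 8 <= e["hour"] < 19,                        # business hours only
        ],
    ),
    Policy(
        name="confidential-data-requires-managed-device",
        effect="deny",
        roles={"analyst", "manager"},
        actions={"read", "export"},
        conditions=[
            lambda s, r, e: r["classification"] == "confidential" and not e["device_managed"],
        ],
    ),
]

RBAC_TABLE = {"analyst": {"read"}, "manager": {"read", "export"}}

ANALYST = {"id": "u1", "roles": ["analyst"], "department": "finance"}
HR_ANALYST = {"id": "u2", "roles": ["analyst"], "department": "hr"}
REPORT = {"id": "q3-forecast", "owner_department": "finance", "classification": "confidential"}
OFFICE = {"hour": 10, "device_managed": True}    # managed laptop, working hours
CAFE = {"hour": 10, "device_managed": False}     # personal device, working hours
NIGHT = {"hour": 22, "device_managed": True}     # managed laptop, outside hours


if __name__ == "__main__":
    # The role table says "permit" in every case; the policies disagree once context is considered.
    for label, subj, env in [("office", ANALYST, OFFICE), ("cafe", ANALYST, CAFE),
                             ("night", ANALYST, NIGHT), ("hr-analyst", HR_ANALYST, OFFICE)]:
        print(label, "RBAC:", rbac_decide(subj, "read", RBAC_TABLE),
              "PBAC:", pbac_decide(POLICIES, subj, REPORT, "read", env))
```

The role table answers “permit” for every analyst reading any report, which is exactly the coarse-grained outcome the text describes. The policy evaluator returns “permit” only for the finance analyst on a managed device during business hours; the same user from an unmanaged device is denied by the deny-overrides rule, and an analyst from another department or a request outside hours is denied because no policy applies. Each decision also carries the name of the policy that produced it, which is what makes a policy-based decision explainable to the business owner who wrote the rule.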
Combining business-focused graphical tools for the creation and management of policies and workflows with a powerful run-time decision engine and a broad range of authorization interfaces, PlainID now aims to become the single source of truth for all entitlements, coarse- or fine-grained, managing secure access for all identities, systems, and applications across the enterprise.