1 Executive Summary

This Leadership Compass looks at Policy-based Access Management / Control (PBAM / PBAC) solutions that utilize policies for defining the access entitlements and that are enforcing these policies at the time of authorization. Notably, such systems also can support authentication decisions by integrating with authentication solutions. This Leadership Compasses uses the term PBAM. To better understand the fundamental principles this report is based on, please refer to KuppingerCole’s Research Methodology.

Policy-Based Access Management (PBAM) is closely related to the term ABAC (Attribute-Based Access Control). ABAC is frequently used to differentiate from Role-Based Access Control (RBAC). However, roles are just one type of attribute, thus the line between ABAC and RBAC is blurred, with RBAC solutions supporting dynamic role memberships based on attributes. The primary distinction is between policy-based authorization decisions and decisions that are based on static entitlements, also frequently referred to as standing privileges. In contrast to common understanding, real-time is not a differentiator, because authorization decisions in systems relying on static entitlements also are made in real-time, for instance when checking Access Control Lists (ACLs) vs. Kerberos tickets when a user is accessing files on a Windows file server.

However, there is a real-time aspect that plays a vital role for PBAM gaining attraction. This is about changes to entitlements becoming immediately effective. In the age of agile IT and DevOps (Development & Operations), the inherent limitations of access control approaches that are based on static entitlements increasingly become unacceptable:

• Applications that are developed following agile approaches such as SCRUM are changing rapidly. Static entitlements are not agile and they are difficult, if not impossible, to maintain for such applications.
• Agile development and modern software architectures favor microservice-based models where security in general and authorization in particular are services that can be consumed by the applications. This requires central authorization services that must be dynamic and flexible and thus policy based.
• Complex authorization decisions that take multiple attributes into account can’t be managed well via static entitlements. Policy-based approaches are better suited and also can easily adapt to new requirements such as privacy regulations or changing / added business policies.
• Static entitlements are hard to maintain and have an inherent tendency to get outdated. Complex, inefficient approaches such as recertification are needed. While this is doable at a just acceptable level and with significant effort in static IT environments, it fails in agile IT.
• The rate of change in the adoption and use of cloud services is a lot higher than it ever has been for on premises IT environments. Keeping up with that change requires flexibility in Access Management, which only can be achieved via policy-based approaches, but not based on static entitlements.

Policy-based approaches build on centrally managed policies that are consistent across systems and immediately enforced. When a policy changes, the authorization decisions are immediately based on the changed policy.

Another blurring line is between authentication and authorization. Both are parts of Access Management. Authentication commonly is policy-based, but only covers the initial or continual proof that a user can provide the proof of its identity. Authorization is what happens after authentication when a user accesses protected resources. It is a repeated process with high requirements on performance, scalability, and reliability. PBAM solutions thus must scale well to not become a bottleneck. This also involves the placement of PBAM components, where the policy enforcement commonly takes place very close to the application.

Organizations are well-advised first developing a PBAM strategy and blueprint. The foundation for that is identifying the current and future use cases for PBAM and assessing both the state of the infrastructure and the maturity of solutions in the market to define the PBAM roadmap.

While implementation of PBAM will follow a multi-speed approach, there are elements that must be defined early, for a gradual convergence into a consistent PBAM approach across use cases. Common across the use cases are the policy management and governance elements. Higher-level policies such as generic rules for employee vs. non-employee access or policies derived from regulations such as GDPR impact a range of lower-level policies and must be defined and managed consistently across use cases. We expect the trend to PBAM adoption to continue, driven by adoption in application-level PBAM use for modern, digital services and for managing Cloud infrastructure security.

1.1 Highlights

A policy-based access management system can offer significant benefits to corporations, provided the solution is designed and deployed to meet the organization’s specific requirements.

In developing requirements and deploying a solution for PBAC, the following should be considered:

• Access control decisions should be externalized. Applications that maintain static entitlements at the data level or in own databases to determine user access rights are difficult to integrate. While policies can be used to auto-generate and manage static entitlements, modern applications should rely on external access decision control.
• Policy management should be centralized. While administration points may be distributed for different use cases and while different business units will be in charge of policy definition, management, and governance, policy creation and management need to follow common corporate-wide policies.
• Support for all corporate infrastructure that hosts connected applications and resources, such as: on-premises, cloud, and cloud-native assets, is essential. Decision point deployments should be in close proximity to the connected applications and databases.
• Decision data should be as real-time as possible. For solutions that maintain their own information point data, a mechanism to maintain data quality and data governance is required.
• Data governance, in general, is required for information that is used for decision making. PBAM relies on the combination of policies and current data for making (authorization) decisions at run-time. Thus, both policies and data must be correct and well-governed.
• Support for corporate governance is required. Integration with monitoring and event management should be deployed and tools such as policy analytics should be provided.
• With increasing regulation by government and industry bodies, ensuring compliance requirements are met is essential.
• Overall Leaders are AWS, Ping Identity, PlainID, NextLabs, and Strata Identity.
• Product Leaders are PlainID, Strata Identity, AWS, Axiomatics, Aserto, Styra, NextLabs, Cloudentity, Ping Identity, and EmpowerID.
• Innovation Leaders are Strata Identity, PlainID, Styra, NextLabs, Ping Identity, Aserto, AWS, and Axiomatics.