Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts. My guest today is Graham Williamson. And this again is a long-distance podcast episode, because Graham is based in Brisbane, Australia. He is the director of the KuppingerCole branch headquartered in Singapore and an analyst in the areas of identity as a service, dynamic authorization control and privacy. And this leads us close to today's topic.
Hi Graham, how are you? I'm fine. Great to have you here again. Last week I talked with Martin Kuppinger about policies as a common language for defining access rights and for controlling access. Today we are going to dive deeper into that topic. We want to talk about policy-based access control, or the technical aspect of that. Looking forward to hearing more about that. First of all, Graham, maybe we start out with a short definition: what is PBAC?
Yes.
It's a technology whose time has come. I like to define it as fine-grained business logic which determines access control to protected resources at runtime. Now I know that's quite a mouthful, but the important points are: number one, it is fine-grained. So with policy-based access control we're able to actually use a variety of attributes, including context variables. So it gives us very fine-grained access control. And it is based on business logic.
So rather than, as in many role-based access systems, leaving it up to the IT department to do, with policy-based access control it is the business department, the lines of business, that determine what the logic should be. And then runtime is an important aspect of it. These access control requests are evaluated in real time. So as the user tries to connect to a resource, that's when the authentication occurs and the policy logic is evaluated.
Okay. Right.
So from what we talked about last week and what you just mentioned, I think that really makes this kind of access control, this authorization management, much more agile, and brings the definition point of a policy and its actual evaluation much closer together. So you can really change all the policies and the behavior of the authorization system more or less at runtime. Is that true?
Well,
Yes, agile is a very good adjective, because it suggests that we can make changes to those policies as business requirements change. And those policies will evaluate attributes as they change. So you're quite right, it gives us a very agile environment.
Right. So you have this required time to value for digital services. You can really adapt the authorization management to changing requirements, but also to new requirements.
It's not this defining a role, implementing it, assigning the role, and then waiting for it to become active, say, next week. So it's really something that is more agile. Yes. Right.
I think there are many aspects that you just mentioned. Also, evaluating context data and context attributes is really something that is gaining more and more importance, especially when we look at the changing threat landscape over time. I understand that you did quite some research in that area of policy-based access control and that we just recently published a Market Compass around that market area. What are the main results that you would like to point out here?
Okay. You're quite correct.
We've just released the Market Compass for the dynamic access management environment 2020, and we evaluated nine different products in that document. A couple of the things that I found exceedingly interesting: number one, the drivers, the main drivers for moving into a policy-based access control environment. The biggie is that you have common policy deployment across the enterprise.
So that means that you don't have these individual pockets of system administrators deciding who will access a system and under what circumstances. You have an overarching policy that the corporation puts in place that is going to make sure that there's consistency across the organization. And that significantly improves the GRC of the environment, that is, governance, risk and compliance. We can do governance a lot better because we now have a policy that's governing how that access happens.
We can do compliance a lot better because the feedback system will be able to actually identify access that various people have.
So although a standard system will say this user has access to this application, a PBAC system allows you to say this application is accessible by these users. And that improves the compliance capability we have. And of course, that then reduces risk. So consistency through a common policy environment is one of the main drivers. Another driver is the ability to accommodate diverse access control requirements.
So whereas in a standard role-based system you've got a static environment that is put in place to manage entitlements, in a policy-based system you can now incorporate these other attributes we talked about, for instance a context variable. If we don't want the finance system to be accessed in the evening, like if it's restricted just to daylight hours or business hours, we can do that quite easily with a policy-based system. So it gives us a much more diverse environment.
And the last important driver is the fact that you've got real time evaluation.
So as a variable changes, if somebody moves from one department to another department, the next time they try to access the system, the policy will realize that this person now is in another department and will apply the policy based on the new attribute. So it's a very real-time environment that we're dealing with here. So those were the main drivers we came up with.
I would like to also talk about the trends, because, as you mentioned, within KuppingerCole there is a greater realization that this agility, this ability to have a policy-based environment, is becoming more important as market trends change. So for instance, one of the main trends today is the migration to cloud.
Well, if you've got a cloud environment, that can be extremely complex, and to accommodate that within a role-based system can be quite difficult.
I remember I did a job once for a large university here in Australia, and they had eight synchronizations happening every night of their identity data to SaaS applications out on the internet.
You know, that's a horrendous vulnerability. If you're doing that sort of thing, with a policy-based system we can centralize our policies. We can have that SaaS application access our policy-based authentication system when an access is requested, or we can distribute the decision point for our policies to those SaaS applications.
And those decision points then are synchronized, and we're applying a common set of policies across our enterprise. Containerization is an important part of any cloud environment.
And again, a policy system enables us to make sure that those containers are accessing a common decision point when an access request is made. Multi-factor authentication is here to stay. Users accommodate that now; they expect it even when they are accessing cloud-based systems.
And again, a policy-based system makes that significantly easier to deploy. And lastly, I'd just like to mention artificial intelligence. That's another area where a policy-based system can very much assist the AI that's happening within the organization for a variety of things.
It could be for governance reports, it could be whatever. The fact that you've got a policy-based system there means the artificial intelligence system can use that information to come up with the responses that are required within that AI system. So if we look at all of these market trends, the policy-based access control system really is coming to the fore now. And I don't mind telling you that during the development of the dynamic authorization management Market Compass document that's recently been released, the market trend graph actually changed.
And although we had recognized that policy-based access control is in a mature environment, the trend graph now shows it actually increasing significantly over the next couple of years, simply because of the market trends that we were observing at the present time. So it was a very exciting time to be looking at policy-based access control systems.
Right. And dynamic authorization management as a concept has been around for quite a while, but it did not evolve as quickly as one could have expected.
And that was maybe also based on the fact that traditional applications, traditional on-premises applications, were not really willing to play nicely with such an externalized dynamic authorization management, which then moves the decision outside of the actual system. And if I understand it correctly from what you just described from the market trends, modern cloud-based, SaaS-based applications are much more likely to integrate nicely with such an infrastructure.
Yes, yes, you're quite right. And I like that: they haven't played nicely in the past. And I mean, there are multiple reasons for that. To a degree, you know, everybody felt very happy with the role-based approach, with AD groups, with the various technologies that are tried and true, and it takes a while for people to break out of that mold and take the blinkers off and start looking at other options. And that's happening now simply because of these market trends, right?
And as an analyst, I see role projects go horrendously wrong, because role explosion, management processes and role governance are really an issue here. And on the other hand, as you described it already, we see the efficiency and the agility of such a policy-based dynamic authorization management very clearly.
But when it comes to real life, does this business efficiency really play out in real-life environments? Do you have examples where this actually proves to be the more mature, the more efficient, the more agile approach?
Absolutely. There are many, many use cases that have clearly demonstrated that. One I was particularly involved in was an insurance company. And as you know, insurance companies deal with multiple insurance organizations that put policies in place for them.
So the main company will put a policy together, but then it is sold to clients through a variety of insurance brokers. Now in a system, if you establish access control to an insurance application like that, somebody's got to manage the entitlements. So you've got to know that John Smith is working for ABC insurance company and should therefore get access to the clients for ABC insurance company.
Now, if John Smith happens to move to another insurance broker, then the access needs to be changed, which means, number one, somebody has got to tell the insurance company that's happened. Number two, somebody within the insurance company has got to go make that change to make sure they now have the new entitlements.
And more importantly, they've revoked the old entitlements because it's very important that you don't allow somebody from one company to see the customers from another company.
You know, that's a basic requirement. With a policy-based system that now happens in the background, because all of a sudden John Smith is now working for XYZ broker, and the policy says tilt contacts as that client. And it will now give John access to the clients from XYZ insurance broker. So it happens automatically.
And in the background the policy-based system significantly improves the efficiency of that operation and reduces its cost.
From your experience, the changing role of the business, so that they are in the driver's seat when it comes to defining these policies: is this well accepted? And does this work out? Is this really a benefit also for the business?
Okay,
Good point. Yeah. There is an effort that must be put into developing the policies, and that will typically require a model that looks at the applications, the corporate applications, and identifies who needs access to them and the line of business. Now the actual business people need to determine that. So the process is to say, well, what are the policies, which lines of business manage the applications, then what compliance is needed? And this is particularly important for organizations that have a big regulatory environment; ensuring that they're applied is important.
And then at the top level, usually the HR department is heavily involved in this, and the CIO level, where we're raising the level of involvement within the company to higher management, who will say, yes, this is the policy that we need to apply across the organization. So it raises the importance of access control within the organization.
And that is good because it makes sure that upper management is aware of those policies, but that whole process takes some time obviously, and takes some effort, but the outcome is significant for the organization in that they better understand their business and they better understand the approaches that they need to apply for the compliance that they're responsible for. And it just raises the whole profile of access control within the organization.
Exactly. We at KuppingerCole really endorse thinking of IAM systems in terms of the concept of the Identity Fabric.
And as you just said, for more mature organizations that are trying to ramp up their IAM to make it more future-proof, to make it more ready for the digital business of the 2020s and beyond, at that point we are really recommending to consider thinking in policies for defining access, and for implementing that, increasingly using dynamic authorization management tools as part of an overarching Identity Fabric as an architecture infrastructure for that. And that really plays well together.
It is a shift in thinking of assigning access, of defining access, but getting away from large, complex role concepts, I think, is really also a good thing to do. And moving to more agile, faster and more efficient decision-making processes within the applications is really the way to move forward. You've mentioned the Market Compass already. So of course we would recommend our audience to go to the KuppingerCole website and have a look at the Market Compass.
Is there any other research, any other information around that, that you provide, that KuppingerCole provides, in the area of dynamic authorization management?
Yes. There are some really interesting webinars.
Right now one is on the site; it's called "Seamless Connectivity: Why You Need It and How to Get It Right". So that's in the webinar section of the website, and there's another one coming up that's also addressing this whole concept of policy-based access control.
So yeah, a lot of interest on the website right now, particularly within the webinars that we're putting out.
Great. So to sum it up, this policy-based dynamic authorization management is really a new approach, at least when it comes to the market trends and the reality out there when we are implementing the systems within IAM. It's really something to have a look at and to learn more about if there is interest in that. So for the audience, please head over to kuppingercole.com, find the Market Compass, and just register for the webinars.
They're free to have a look at afterwards. For the time being, thank you very much, Graham, for being my guest today and for telling us about your recent research around this area of policy-based access control. Any final words you want to add?
Just that policy-based access control is a technology whose time has come, and we recommend everybody takes a serious look at it to see how it might fit their environment. Right.
And we have a mature market there. So there is quite a variety of products and vendors to choose from.
And I think the Market Compass is the right starting point there. So thanks again,
Graham, for being my guest today. I'm looking forward to having another episode together with you around the globe very soon. Thanks again. Sounds good. Thank you. Thank you. Bye-bye.