How identity teams can start adopting centralized authorization, simply

New technology is making dynamic, centralized access security a viable option for enterprises

SGNL Team
April 30, 2024

In a recent post, we demonstrated how centralized authorization represents the most efficient access security approach. But that raises a big question: Why aren’t all access management solutions using it?

In this post, we’ll dive into the challenges identity teams face when adopting centralized authorization — and a new approach that eliminates these roadblocks.

Why centralized authorization struggles to gain adoption

To be completely transparent, existing access control solutions like ACLs, RBAC, and ABAC require radical changes to their architecture to achieve centralized authorization. While newer centralized solutions like ReBAC, PBAC, and NGAC* have emerged, they present their own obstacles, including:

  • Excessive response times: Since each access decision needs a call to an external service, the response time of such services can have a significant impact on the application performance. Minimizing the response time is critical to the success of a centralized access management solution.
  • Resiliency concerns: Receiving a response from the centralized service is essential, so the centralized service must provide a service level objective (SLO) that exceeds that of the application uptime requirement. Without a response from the access management service, the application won’t know whether or not to allow an incoming request.
  • Policy management complexity: As the central service will provide decisions for all applications, it needs a highly simplified way of managing policies across all applications. Merely aggregating policy management to one console but requiring administrators to actually manage each application separately can create loopholes that threat actors can easily exploit.
  • Delayed data availability: If a centralized access management service depends on data being fetched from outside data sources, the reliability and responsiveness of those data sources can severely impact the reliability and responsiveness of the access management service.
  • Asynchronous data currency: If the centralized access management service caches data from outside sources, how often is that data refreshed to reflect the latest state? If the original data changes, how does the data within the service get updated?

These factors stop many companies from pursuing centralized authorization. But a new approach can overcome these issues and greatly ease adoption of centralized authorization.

How enterprise-scale access management makes centralized access security feasible

A model of centralized access management that doesn’t suffer from the challenges described above is growing in popularity. We call this novel approach to access security an “enterprise-scale access management” platform. It offers a completely different and dynamic approach to access management as a whole.

As your team researches enterprise-scale access management vendors, look for these key criteria:

Continuous data ingestion to solve responsiveness and reliability concerns

Instead of relying directly on business systems at the time of a decision, enterprise-scale access management continuously ingests data from those systems into a central repository. This reduces decision latency and increases reliability. The graph database powering continuous data ingestion should answer >95% of queries within 100 ms, and should provide redundancy and a local fallback for resiliency against failures.
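The latency, resiliency and data-currency obstacles listed above, together with the continuous-ingestion design described in this section, as an added Python illustration that is not SGNL's code: a caller enforces the 100 ms budget against a simulated central decision point, falls back to its locally ingested snapshot on a timeout or outage, and fails closed when that snapshot is stale. The sample policy, the 5-minute staleness limit, and all users, roles and devices are assumptions constructed for the example.

```python
import time
from dataclasses import dataclass

LATENCY_BUDGET_S = 0.100    # page's target: >95% of queries answered within 100 ms
MAX_SNAPSHOT_AGE_S = 300.0  # assumption: locally held data older than this is stale


@dataclass
class Snapshot:
    """Local copy of continuously ingested data (constructed sample, not real records)."""
    user_roles: dict          # user -> set of roles from the system of record
    device_compliant: dict    # device id -> bool from the endpoint management system
    ingested_at: float        # unix time of the last successful ingestion


def evaluate(snap, user, action, asset, device):
    """One assumed policy, evaluated identically centrally and locally: support staff
    may read customer data from a compliant device; only admins may export it."""
    roles = snap.user_roles.get(user, set())
    if not snap.device_compliant.get(device, False):   # request context: device posture
        return False
    if asset.startswith("customer:"):
        if action == "read":
            return "support" in roles or "admin" in roles
        if action == "export":
            return "admin" in roles
    return False


class CentralPDP:
    """Simulated central decision point; latency_s/up let callers model slow or failed calls."""
    def __init__(self, snap, latency_s=0.0, up=True):
        self.snap, self.latency_s, self.up = snap, latency_s, up

    def decide(self, user, action, asset, device):
        if not self.up:
            raise ConnectionError("central authorization service unreachable")
        if self.latency_s > LATENCY_BUDGET_S:
            raise TimeoutError(f"no answer within {LATENCY_BUDGET_S * 1000:.0f} ms")
        return evaluate(self.snap, user, action, asset, device)


def authorize(pdp, local, user, action, asset, device, now=None):
    """Returns (allowed, source). Prefers the central decision; on timeout or outage
    falls back to the local snapshot, and denies outright if that snapshot is stale."""
    now = time.time() if now is None else now
    try:
        return pdp.decide(user, action, asset, device), "central"
    except (TimeoutError, ConnectionError):
        if now - local.ingested_at > MAX_SNAPSHOT_AGE_S:
            return False, "deny:stale-fallback"   # fail closed rather than guess
        return evaluate(local, user, action, asset, device), "local-fallback"


# Constructed sample data: two users, one compliant and one non-compliant device
SAMPLE = Snapshot(user_roles={"alice": {"support"}, "bob": {"admin"}},
                  device_compliant={"lap-1": True, "lap-2": False},
                  ingested_at=1_700_000_000.0)
```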

Streamlined access management operations

Administrators won’t need to take any operational steps to adjust user permissions. Enterprise-scale access management leverages established business processes and systems for access permission modifications already embedded in your normal systems of record (e.g., ITSM, CSM, CRM, etc.) or existing RBAC systems and directories.

Policy management simplification at scale

Complex policy administration shouldn’t be limited to a handful of technical employees. Enterprise-scale access management providers take a different approach to policy management by:

  • Focusing on assets (i.e., data) and not the applications
  • Enabling business leaders to codify, or at least sign off on, the policies directly in the access system
  • Maximizing reuse to leverage existing lower-level components in higher-level policies
  • Helping admins visualize how a policy impacts users — and hypothesize how changes will affect them

Contextual access to achieve business efficiency and hardened security

Enterprise-scale access management platforms continuously make decisions based on current conditions. This approach stops users from accumulating vast permissions over time, shrinking the potential blast radius.

At the same time, these platforms are always considering the context of the access request. For example, when a user is attempting to access a customer’s data, what exactly is the user trying to do? Is the device they’re using compliant with organizational policy?

Finally, enterprise-scale access management must apply access policies consistently across all systems and applications, eliminating exceptions that threat actors target.

To learn more, check out SGNL CTO Atul Tulshibagwale’s latest white paper that offers an in-depth look at preventing catastrophic identity breaches with centralized access security. Atul breaks down Google’s centralized access management system to show how it has scaled to trillions of access control lists and millions of authorization requests per second while maintaining <10 millisecond latency at the 95th percentile and availability of >99.999% over three years of production use. Download the white paper today.

Key access security terms

  • ACLs = access control lists
  • RBAC = role-based access control
  • ABAC = attribute-based access control
  • ReBAC = relationship-based access control
  • PBAC = policy-based access control
  • NGAC = next generation access control
