
What is Externalized Authorization Management?

We live in a dynamic world which requires organizations to be more responsive. Typically, information and application access policies are hard coded into the application. That necessitates many months of coding effort to make any policy changes, which no longer fits with the speed of business today.

Externalized Authorization Management moves access control decisions out of the application to a central decision point that is decoupled from the application lifecycle, so that policy management is separated from application code changes. The decision point interrogates an information point, typically a directory, to determine a user's access rights based on a centrally managed policy.

  • Authorization and access rights to an organization's network or assets are granted dynamically in real time based on user, data and environmental attributes, such as certifications, IP address, group, department, or employee status.
  • Access decisions leverage these characteristics, or attributes, to determine whether the user should be granted access to the application and at what level; the decision also depends on the data the user wants to access and the action they want to perform.
  • Externalized authorization allows permissions for multiple systems to be managed from a single platform, streamlining the access process and reducing administrative burden.
  • Access control decisions for file shares, network subnets, document repositories and applications can now be made in real time by a centrally managed decision point, using attributes in a user's directory entry.

Centralization of Authorization

Many functions have been externalized over the last few years, such as authentication, data storage, and logging. When authorization is centralized (left of the diagram), an enterprise's architecture tends to have external authentication as the top layer, which interacts with an external authorization module. All applications within the enterprise interact with both layers on a transactional basis.

The right of the diagram shows a system overview of externalized authorization management in microservice and cloud environments.

The process flow of an externalized authorization setup is demonstrated below in a common enterprise security architecture based on standard components:  

The components named in the model are:  

Policy Administration Point (PAP): The point at which access authorization policies are authored and managed.

Policy Enforcement Point (PEP): The PEP intercepts a user's access request to a resource, sends a decision request to the PDP to obtain the access decision (i.e., access to the resource is approved or rejected), and acts on the received decision.

Policy Decision Point (PDP): The PDP evaluates the XACML request by comparing the permissions requested against those allowed for the subject's role (as identified in the request), using attribute values fetched from the PIP and policies fetched from the PRP. Based on the findings, the PDP either permits or denies the request.

Policy Information Point (PIP): A centralized attribute store holding the attribute values (i.e., subject, resource, or environmental attributes) referenced in the policy.

Policy Retrieval Point (PRP): Centralized storage for XACML access authorization policies; typically a database or filesystem.
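The attribute-driven decision flow described in the bullets above and the PEP/PDP/PIP/PRP component model can be made concrete with a small simulation. The following Python is an added illustration written for this page; it is not NextLabs or CloudAz code, does not parse real XACML, and uses constructed subject, resource and policy data. The attribute names (department, employee_status, certifications, classification), the corporate network range and the rule names are all assumptions chosen for the example. The PDP applies a deny-overrides combining algorithm, and the PEP treats anything other than an explicit Permit as a denial, so a missing attribute fails closed.

```python
"""Minimal XACML-style externalized authorization flow: PEP -> PDP -> PIP/PRP.

Added example for this page; not vendor code. Policy shapes, attribute names
and all sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

Attrs = Dict[str, object]

# --- PIP: centralized attribute store (constructed sample data) --------------
# In a real deployment these values would be read from a directory such as LDAP.
SUBJECTS: Dict[str, Attrs] = {
    "alice": {"department": "engineering", "employee_status": "active",
              "certifications": {"export-control"}},
    "bob":   {"department": "sales", "employee_status": "active",
              "certifications": set()},
    "carol": {"department": "engineering", "employee_status": "terminated",
              "certifications": {"export-control"}},
}
RESOURCES: Dict[str, Attrs] = {
    "doc-1001": {"classification": "internal", "owner_department": "engineering"},
    "doc-2002": {"classification": "export-controlled", "owner_department": "engineering"},
}


def pip_lookup(subject_id: str, resource_id: str) -> Attrs:
    """Resolve the attributes a policy references; unknown ids resolve to no attributes."""
    return {"subject": SUBJECTS.get(subject_id, {}),
            "resource": RESOURCES.get(resource_id, {})}


# --- PRP: policy store -------------------------------------------------------
@dataclass
class Rule:
    name: str
    effect: str                        # "Permit" or "Deny"
    target: Callable[[Attrs], bool]    # which requests the rule applies to
    condition: Callable[[Attrs], bool] = lambda ctx: True  # must also hold for the rule to fire


CORP_NET = ip_network("10.0.0.0/8")   # assumed corporate address range

POLICY: List[Rule] = [
    # Environmental/subject attribute: only active employees get anything.
    Rule("deny-inactive", "Deny",
         target=lambda c: True,
         condition=lambda c: c["subject"].get("employee_status") != "active"),
    # Resource attribute gated on a subject certification.
    Rule("deny-uncertified-export", "Deny",
         target=lambda c: c["resource"].get("classification") == "export-controlled",
         condition=lambda c: "export-control" not in c["subject"].get("certifications", set())),
    # Department match plus network location grants read access.
    Rule("permit-dept-read", "Permit",
         target=lambda c: c["action"] == "read",
         condition=lambda c: (
             c["subject"].get("department") == c["resource"].get("owner_department")
             and ip_address(c["env"].get("source_ip", "0.0.0.0")) in CORP_NET)),
]


# --- PDP: evaluate a decision request against the policy ---------------------
def pdp_decide(request: Attrs) -> str:
    """Return Permit, Deny or NotApplicable using deny-overrides combining."""
    ctx = {**pip_lookup(request["subject_id"], request["resource_id"]),
           "action": request["action"], "env": request.get("env", {})}
    decision = "NotApplicable"
    for rule in POLICY:                      # policies as fetched from the PRP
        if rule.target(ctx) and rule.condition(ctx):
            if rule.effect == "Deny":
                return "Deny"                # any Deny wins
            decision = "Permit"
    return decision


# --- PEP: intercept the access request and enforce the decision --------------
def pep_access(subject_id: str, resource_id: str, action: str, source_ip: str) -> bool:
    """True only on an explicit Permit; NotApplicable and Deny both block access."""
    request = {"subject_id": subject_id, "resource_id": resource_id,
               "action": action, "env": {"source_ip": source_ip}}
    return pdp_decide(request) == "Permit"


if __name__ == "__main__":
    for who, doc, act, ip in [("alice", "doc-1001", "read", "10.1.2.3"),
                              ("alice", "doc-1001", "read", "203.0.113.5"),
                              ("bob", "doc-2002", "read", "10.1.2.3"),
                              ("carol", "doc-1001", "read", "10.1.2.3"),
                              ("mallory", "doc-1001", "read", "10.1.2.3")]:
        print(who, act, doc, "from", ip, "->", "granted" if pep_access(who, doc, act, ip) else "blocked")
```

Changing who may read what is a matter of editing POLICY or the directory data, never the application that calls pep_access, which is the point of externalizing the decision. The unknown subject "mallory" and the off-network request both end up blocked without any rule naming them, because the PEP only honours an explicit Permit.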

Use Cases & Integration Patterns

These are common externalized authorization use cases and integration patterns:

  • Portals and web applications: protect web applications, sites, pages, menus, menu items, regions, portlets, webparts, tables, hierarchical controls, graphs, fields, and buttons.
  • Relational data: secure query access, mask data at the field level, filter data at the row level, and control CRUD operations at the table and database level.
  • APIs and web services: secure access to external APIs, control access to data, grant permission to application functions and commands.
  • Mobile applications: role-based and/or attribute-based access control.
  • Content management/unstructured data: control access rights and usage of content and documents.
  • Spatial data: redact points of interest and details based on user device, user attributes, and geospatial functions.
  • ABAC log analysis: rich ABAC policies and governance and compliance for any application without code changes, with operational enforcement.
  • Enterprise business and cloud apps: hybrid ABAC and RBAC, data segregation, masking, and data handling and secure control.
  • Federated authorization: cross-domain federated authorization with identity federations.

Benefits of Externalized Authorization

  • Unified policy model and centrally managed access policies allow changes to policy without requiring code changes to each individual application. 
  • Externalize access control decisions with centralized policy resulting in consistent enforcement across the organization – not relying on individual system administrators. 
  • Single shared infrastructure with delegated administration, shared across multiple application landscapes, technology stacks, and cloud environments, to improve efficiency and reduce costs.
  • Safeguard structured and unstructured data with centralized policies, to ensure secure collaboration inside and outside of the enterprise.  
  • Improve business management, enabling decisions to be made in real-time, increasing agility.   
  • Leverage attributes in the policy evaluation process enabling fine-grained authorization to increase control over data. 
  • Increase visibility and control over data by determining who, what, when, where, and why users should have access to information, while identifying anomalies and alerting on risky behavior. 
  • Monitor activities and data access across applications with centralized activity log, simplify audit and reporting to streamline compliance management.  

Learn more about our solution for centralized policy management, CloudAz. Explore our unified policy platform.


NextLabs seeks to provide helpful resources and easy to digest information on data-centric security related topics. To discuss and share insights on this resource with peers in the data security field, join the NextLabs community.


Application Enforcer

Simplify Access & Protect Data Across Apps & Services

Eliminate authorization siloes and extend application security

Externalize attribute-based access control (ABAC) with out-of-the-box application enforcers

Application Enforcer Brochure

Explore the brochure on how to safeguard data across an evolving application landscape

Application Manager for SharePoint Online

Discover how SharePoint's automated rights protection maintains document-level access controls, ensuring security post-download or distribution

Safeguarding Data Across an Evolving Application Landscape

Securing Critical Data Across Apps

Businesses run on critical data across numerous applications. Ensuring reliable data security in these apps is essential for smooth operations and growth.

Expanding Attack Surface

Driven by the growing business need to share data and automate workflow, the rise in the variety and number of apps and data has increased the risk of breaches.

Embracing a Preventive Approach

With more apps and data than ever, manual detection and response is becoming ineffective and costly. Enterprises now need to automate and prevent.

How can companies automate data security and implement preventive controls across an evolving app landscape & rising volumes of data?

The Solution:

Companies need to externalize security controls and enforce zero trust access policies.

Enforce ABAC & Externalize Authorization

In order to externalize security controls and access control, the solution should incorporate an out-of-the-box policy enforcer that seamlessly integrates with enterprise and cloud applications. The enforcer operates with a robust policy engine to enforce zero trust policies for the application, based on real-time attributes and metadata.

Automation

Automates data security, compliance procedures, and internal controls to enhance competitiveness and agility.

Integration

Out-of-the-box integration with apps, microservices, and business processes without disruptions.

Enforcement

Detects, alerts and applies preventive controls to enforce policy in real time.

Deployment

Runs natively in the cloud and deploys using containers in hybrid and multi-cloud environments.

Application Enforcer

Secure Apps & Protect Data

NextLabs’ Application Enforcer augments an application’s underlying security model, providing an extra layer of controls for organizations with extensive security and compliance requirements, without the need for custom coding.

Externalized Authorization

Modify authorization policies without having to make any code changes to the application itself.

Enforce Least Privilege Access

Uses ABAC to enforce the principle of least privilege, ensuring apps and data are accessed only by authorized entities.

Leverage Data Classification

Automatically identifies sensitive data types based on the app's underlying data model and organizes data into relevant categories.

Collects Access Activity Across Apps

Discerns and collects relevant data to facilitate centralized correlation & detection of anomalous activity.

Native Application Integration

Understands the identity system and the object and security model of each app, for easy deployment and a seamless user experience.

Benefits

  • Protect sensitive data – Control access to sensitive data based on attributes such as data classification, environmental information, user roles, metadata and location.
  • Improve business agility – Works natively with application and externalizes authorization, slashing application development time and automating change management processes.
  • Improve time-to-market and reduce costs – Eliminates the need to implement and maintain costly customizations to meet security, compliance, and governance requirements. 
  • Streamline Compliance – Automates the process of auditing authorization and data access to demonstrate compliance to auditors, regulators, and customers.

Integrate Seamlessly

Application Enforcer product line provides support for the following ecosystems:

Cloud Apps

Database & Big Data

PLM & CAD

Bespoke Software