Organisations are somewhere along the continuum from fully manual identity management to fully leveraged identity and access management.

The manual organisations have no interface between their HR systems and downstream applications. System administrative staff must enter user details into each system to which an employee requires access and there’s no reporting or governance capabilities. These companies are not only wasting time with data entry, creating errors that cause time wastage across the organisation they are also encouraging security problems with de-provisioning, removing entries when staff members leave, generally not occurring or not occurring in a timely fashion. Single Sign-on is only a dream.

In organisations at the other end of the spectrum an employee’s details are entered once, usually into the HR system or, better still, the recruitment systems, and then propagated to the SSO facility or account registration processes for relying applications. Staff have access to the application they need on the first day at the job and are automatically removed on the last day. Managers get regular reports on the access granted to their subordinates and management get governance report on provisioning activity, authorisation activity and any denied authorisation events. It is to these organisations that this blog is addressed.

Arguably the next big thing is Dynamic Authorisation Management (DAM). If you’ve got a good identity and access management environment you should leverage this infrastructure for fine-grained access control on a real-time basis. With a well-designed DAM environment a user accessing an application will have the request re-directed to a decision engine that will interrogate a policy store to determine if the user should get access and the level at which that access should be granted. The configuration looks like:

When the user attempts to access the protect resource the enforcement point, typically Java code or a .NET library sends a request to the Decision Point which retrieves attributes from the Information Point, typically directory, and runs through the policies that have been entered into the system to determine the user’s rights to access the resource in question.

The beauty of this is it happens in real-time so if a person has been removed from an access group they will immediately be refused access to the resource in question. The other big benefit is the application of a consistent set of policies, typically managed by the business units rather than system administrators.

Although there are many variants there are basically two configuration models that can be used to provide this fine-grained control. The discrete authorisation device is a stand-alone, policy-driven decision engine that services any controlled application or device on the network. The other model is the gateway device whereby an API gateway controlling communication between systems, applies the access control policies. Both configurations use a policy store and a repository of identity attributes. Some products require the policy attributes for users to be stored locally, some will access the organisation’s identity store in real-time. Some products are designed for business unit management of policies, others require a system administrator to manage policies.

Regardless of the solution selected, there is little doubt that dynamic authorisation management holds significant benefit for the advanced organisations that can leverage their identity management infrastructure to significantly tighten their access controls and data loss prevention environment.

Stay Safe - Graham