Every day, we authorize access without thinking twice. Think of the last time you flew: You gained authorization to access the aircraft by purchasing a ticket and displaying a government-issued identification card.

An essential security control

While authorization is essentially a security decision engine that must continuously adapt to the needs of the business, it is also critical in establishing a continuous, adaptive, zero-trust framework. It also all-encompassing, touching on the workforce, consumers, customers, citizens, bots, machines and other things.

A complex history and a potentially promising future

Authorization evolved as the complexity of systems increased. The first frameworks were simple access control lists (ACLs), which catalog permissions associated with each resource. Mainframes, network access, custom-developed systems and operating systems typically use ACLs. Trouble is, as organizations came to rely more on computers and systems, managing ACLs became increasingly complex. However, in my experience, most organizations only used authorization sparingly and found little to no return on investment. The authorization implementations I've seen focus on a narrow subset of systems within a business domain and not the entire organization.

The next evolution in authorization was role-based access control, which I detailed in a previous blog post. Then came attribute-based access control, a mix of ACLs and role-based access control, but with a standardized architecture that includes policy enforcement points, policy decision points, policy information points, policy administration points and extensible access control markup language (XACML).

The main goals of attribute-based access control and extensible access control markup language is to externalize authorization, centralize management of policies and standardize enforcement.

<<< Start >>>

<<< End >>>

Three main challenges, and multiple solutions

Organizations face three main challenges: lack of vendor solutions, an inability to manage policies and scaling for performance. While a few organizations have implemented solutions for specific business domains, most choose to build custom solutions due to inflexibility in tools and performance concerns.

The downside of DIY
Organizations have found that mining the rules, reverse engineering the if/else statements and building code containing authorization policies are traditionally among the most complex parts of establishing rigorous authorization. XACML can help sort the policies, but even though it is an open standard, it remains difficult for non-developers to understand and model policies.

The last concern is performance and scale. Authorization systems create a ton of crosstalk between architecture components and using XML-based standards decreases performance.

The market speaks
I've seen a 100% increase in the number of vendors specializing in this space. With zero trust and cloud driving the need, I envision the arrival of even more vendors. Considering that modeling policies and administration is the most challenging part, some vendors have built capabilities using AI and machine learning to generate and manage policies dynamically.

Another advancement in the management of policies is friendlier user interfaces that abstract the XACML complexities. These two capabilities are game-changers and will lead to broader adoption. Also, XACML has adopted JavaScript object notation standards to help with performance and scale challenges, leading to higher performance and less 'white space.'

Use Cases:

Use Case Description
Hybrid IT Access policies, whether moving between on-premises data centers or the cloud, are complex. Authorization can provide a centralized management plan to manage the policies and a common framework to enforce policies.

Commercial off-the shelf software (COTS) /Packaged

 Most COTS and packaged solutions such as customer relationship management and enterprise resource planning systems have authorization and identity and access management (IAM) models. However, with application programming interfaces (APIs) focused on COTS, packaged integration has become feasible.
Legacy Applications Custom legacy applications built as recently as five years use technologies not often used today. Because of this they are not good candidates, as many do not support open standards, APIs or common integration patterns. Modifying them to introduce IAM and authorization is difficult and might not be worth the business risk. However, these are good candidates if the workload moves from legacy to cloud, and if application modernization is in scope.
Business Systems

This is highlighted above with the aviation industry example. In this case authorization fits well for managing, controlling and enforcing access for complex business systems.

 

Recommendations and considerations for implementing authorization

  1. Understand your relevant capabilities, domains and use cases.
  2. Work closely with the business to understand its current capabilities in authorization, its policies and how its policies drive business interaction and behaviors. Start the scope with a specific-business domain in the organization and expand.
  3. Integrate authorization with core IAM processes and tools. This should be another capability within the organization's IAM capabilities.
  4. Focus on applications and systems that take advantage of cloud and workloads going through modernization. They usually integrate with authorization tools.
  5. Remember that open authorization was built for authorization and works in many cases. However, it limits how far it can map claims to scopes, entitlements and resources.
  6. Finally, for performance considerations, cache at multiple levels and even think of moving PDPs and PIPs as close to the applications as possible.

Bottom line

Authorization is a critical capability that all organizations should implement while modernizing their IT, security and business services. Fortunately, authorization vendors have addressed the challenges organizations face. With a zero-trust mindset and strategies moving toward the forefront of every organization, this is a must-have capability to meet zero-trust requirements of least privilege and re-establish trust based on rigorous authorization for every request.

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter, LinkedIn or visit us at accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative.

Copyright © 2022 Accenture. All rights reserved.

Damon McDougald

Managing Director - Accenture Security, Identity and Access Management Lead

Subscription Center
Subscribe to Security Blog Subscribe to Security Blog
Subscribe