Dynamic authorization for modern identity protection
Joseph Carson
The nature of enterprise environments means your identity risk posture is always changing.
It’s incredibly difficult to manage access to a single identity across today’s hybrid, multi-cloud enterprise using static authorization policies and legacy approaches like Role-Based Access Controls. As a result, far too many identities have excessive privileges they don’t require to do their job. Plus, policy drift and misconfigurations inevitably increase the attack surface over time.
In this blog, you’ll learn why dynamic authorization is imperative for stronger identity security and organizational efficiency. You’ll also see how you can begin to make the shift toward dynamic authorization in your own organization.
Identity authorization versus identity authentication
Before we dig into dynamic authorization, let’s first explain the difference between authentication and authorization. These key cybersecurity concepts are often used together but serve distinct purposes.
To understand them better, let's use the example of a hotel key.
Authentication
Authentication is the process of verifying the identity of a person or entity. In the context of a hotel, authentication is akin to checking if a person is indeed a registered guest of the hotel.
When you check into a hotel, you provide identification (like a photo ID) and a reservation confirmation. The hotel staff verifies this information to confirm your identity. Once verified, you’re given a key card to your room. This process is authentication: the hotel confirms that you are who you claim to be.
Authorization
Authorization determines what resources or services an authenticated person can access. In the hotel example, this would be what parts of the hotel you can access with your key card.
After you receive your key card, you can use it to access your assigned room. This key card might also grant you access to other areas like the gym, pool, or executive lounge if you have the appropriate privileges. The system governing the hotel key card ensures you can only access the areas you're authorized to enter. This process is authorization: deciding what you can do once your identity is verified.
Governance plays a crucial role in both authentication and authorization, ensuring that the processes for verifying identity and granting access are consistent, secure, and compliant with policies and regulations.
Authorization is managed via access controls
Access controls are a cybersecurity framework that determines who can access which resources. Organizations may implement one or more of a wide range of access controls, including the following control types:
Role-Based Access Control (RBAC): Most organizations use Role-Based Access Controls to determine the authorization for an identity based on pre-defined roles, typically related to job title, organizational structure, or seniority level. While this approach is easy to implement, it can be inflexible for complex scenarios, such as hybrid organizations and Agile workstyles. Plus, manual role creation and modification can easily result in misconfigurations and overprivileged identities.
Identity-Based Access Control (IBAC): IBAC focuses on verifying the identity of the user requesting access and making access decisions based on that verified identity. This approach requires clear policies on what each identity can access, which increases management requirements as each access request needs to be defined. It works well for consumer-based access to web portals and services, for example, but not as well for access to business resources.
Policy-Based Access Control (PBAC): Access is based on defined policies that can incorporate roles, attributes, and other conditions. It provides comprehensive control but requires careful policy definition and management.
Rule-Based Access Control: This approach uses a set of rules (more specific than broad policies) to determine access permissions. For example, rules can be based on conditions such as time, IP address, or other specific criteria.
Context-Based Access Control (CBAC): CBAC considers the context of the access request, such as the user's location, time of access, and the device being used, to make access control decisions.
Attribute-Based Access Control (ABAC): Access is based on a combination of attributes. It's highly flexible and can handle dynamic conditions but may be complex to manage.
Risk-Based Access Control: Risk assessments factor into dynamic authorization decisions, such that higher-risk access requests undergo additional scrutiny or require additional authentication steps.
On its own, none of these access control types represents a comprehensive approach to authorization that’s suited for the modern enterprise.
Dynamic authorization combines the best of these access control frameworks for the most flexible, adaptable, and efficient solution.
What is dynamic authorization?
Dynamic authorization is a modern security approach that determines access rights in real time based on various factors. Unlike traditional static authorization methods, where access control decisions are based on predefined roles and permissions, dynamic authorization adapts to the current context and changes dynamically.
Key aspects of dynamic authorization include:
1. Context awareness: Dynamic authorization accounts for the context of the access request, such as the user's location, device, time of access, and current threat levels.
2. Attribute-Based Access Control (ABAC): Dynamic authorization decisions are based on attributes related to users, resources, and environmental conditions.
3. Real-time decision making: Access requests are evaluated in real-time, ensuring that the most current and relevant information is used for authorization decisions.
4. Policy enforcement: Dynamic authorization policies specify conditions under which access is granted or denied. You can update policies and manage them centrally, so you can adapt to changing requirements.
5. Risk assessments: As risk scores change, so do access requirements. Dynamic authorization has an inherent, risk-based model for making decisions.
6. Fine-grained control: Dynamic authorization is granular, so you can define precise and nuanced access rules. For example, a user may have permission to view data, but not alter it or download it. Or, they may be able to access only certain areas of a database, rather than the entire system.
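As an added illustration (not code from the author or any product), here is a minimal policy evaluator in Python that applies the aspects above to a constructed request: context attributes (location, device, time), a risk score assumed to come from a separate risk engine, and per-action permissions so that viewing can be allowed while altering or downloading is not.

```python
from dataclasses import dataclass

# Constructed example of a dynamic-authorization check. A request carries identity
# attributes plus live context; policies grant per-action permissions, so "view"
# can be permitted under looser conditions than "alter" or "download".

@dataclass
class Request:
    user: str
    department: str
    resource: str
    action: str            # "view", "alter" or "download"
    country: str
    managed_device: bool
    hour: int              # 0-23, local time of the request
    risk_score: int        # 0-100, supplied by an assumed risk engine

@dataclass
class Policy:
    resource: str
    departments: set
    actions: set
    allowed_countries: set
    require_managed_device: bool
    business_hours: tuple      # (start_hour, end_hour), end exclusive
    max_risk: int              # deny when the current risk score exceeds this

# Viewing HR data is allowed more broadly than changing or exporting it.
POLICIES = [
    Policy("hr-db", {"hr"}, {"view"}, {"US", "GB"}, False, (7, 20), 60),
    Policy("hr-db", {"hr"}, {"alter", "download"}, {"US"}, True, (8, 18), 30),
]

def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason); the first policy matching resource+action decides."""
    for p in POLICIES:
        if p.resource != req.resource or req.action not in p.actions:
            continue
        if req.department not in p.departments:
            return False, "department not permitted"
        if req.country not in p.allowed_countries:
            return False, "location not permitted"
        if p.require_managed_device and not req.managed_device:
            return False, "unmanaged device"
        start, end = p.business_hours
        if not start <= req.hour < end:
            return False, "outside business hours"
        if req.risk_score > p.max_risk:
            return False, f"risk score {req.risk_score} exceeds {p.max_risk}"
        return True, "allowed"
    return False, "no matching policy"  # default deny
```

Because the risk score is an input to every evaluation, the same user on the same device can be allowed to view in the morning and denied to download an hour later once their score rises.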
Why dynamic authorization? Your identity security risk profile is always changing
When they consider their identity security risk, most people think of external factors, like the increase in ransomware and emerging cyberattack techniques. But there are also numerous internal factors that determine your risk profile, for example:
- The traditional definition of organizational “role” no longer holds true, as many organizations are matrixed, and many processes are Agile. Therefore, access needs for each user are constantly changing and original permissions granted during onboarding quickly become outdated.
- Technology stacks are always changing, especially in complex, multi-cloud environments. Cloud environments experience rapid shifts with new identities (especially machine identities) created constantly, and entitlements provisioned and removed at breakneck speeds.
- Supply chains and partner relationships frequently change as different parties need access to data across diverse infrastructure. A mix of federated apps/services restricts identity monitoring and limits understanding of privileged behavior.
Despite the reality of a dynamic environment, only 21% of enterprises worldwide say they currently determine user access in real time, based on risk, according to our most recent survey of IT and security decision-makers. The majority rely on fixed policies based on organizational role or user attributes.
As the risk environment becomes even more distributed and complex, the traditional, static approach to authorization won’t be able to scale.
In this next section, you’ll see how dynamic authorization gives you more flexibility, greater control, and stronger security.
Dynamic authorization through privilege elevation
In a dynamic world, identities should never be granted standing permissions. They shouldn’t have any permanent or long-term access to resources.
To address this requirement, dynamic authorization follows a just-in-time model that aligns with least privilege, zero trust best practices. Policies limit privileged access to the bare minimum necessary to do a job, for the minimum time necessary.
With dynamic authorization, higher levels of access are only granted via privilege elevation. Elevated access only exists for the time it’s needed and expires automatically as soon as work is complete.
Instead of providing broad access based on groups, roles or attributes, dynamic authorization policies are granular and situational. They consider exactly what users or machine identities will have permission to do once they gain access to an enterprise system.
Continuous identity verification supports dynamic authorization policies by double-checking that users are who they say they are. For example, by implementing MFA at depth, you can interrupt a potential attack, not just when an identity initially logs on to enterprise systems but also when it attempts to elevate privileges. If an identity isn’t validated, it can’t progress, and authorization is revoked.
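The elevation lifecycle described in this section, as an added Python example that is not part of the original post: a grant exists only after a fresh MFA check at elevation time, expires on its own after a fixed TTL, and is revoked when verification fails. `demo_mfa` is a constructed stand-in for a real verifier, and timestamps are passed in so the expiry logic can be exercised.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed example of just-in-time privilege elevation. There is no standing
# privilege: an elevation is a separate, time-boxed grant that requires a fresh
# MFA check at the moment of elevation and expires without any manual cleanup.

@dataclass
class Elevation:
    user: str
    role: str
    expires_at: datetime

class JitElevator:
    def __init__(self, mfa_verifier, ttl=timedelta(minutes=30)):
        self._mfa = mfa_verifier   # callable(user, code) -> bool (assumed interface)
        self._ttl = ttl
        self._grants = {}          # (user, role) -> Elevation; empty means no access

    def elevate(self, user, role, mfa_code, now):
        """Grant `role` to `user` only after MFA succeeds; the grant is time-boxed."""
        if not self._mfa(user, mfa_code):
            # Verification failed: no grant is created, and any existing
            # elevation for this user/role is revoked as well.
            self._grants.pop((user, role), None)
            return None
        grant = Elevation(user, role, now + self._ttl)
        self._grants[(user, role)] = grant
        return grant

    def is_elevated(self, user, role, now):
        """True only while an unexpired grant exists; expired grants are purged."""
        grant = self._grants.get((user, role))
        if grant is None:
            return False
        if now >= grant.expires_at:
            del self._grants[(user, role)]   # automatic expiry
            return False
        return True

    def revoke(self, user, role):
        """Explicit revocation when the work finishes early."""
        self._grants.pop((user, role), None)

# Constructed verifier standing in for a real MFA service: accepts one fixed code.
KNOWN_CODES = {"alice": "123456"}

def demo_mfa(user, code):
    return KNOWN_CODES.get(user) == code
```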
Adding intelligence to dynamic authorization
The next level of dynamic authorization involves adding Artificial Intelligence (AI). In terms of identity security, organizations are increasingly leveraging AI to monitor behavior and detect potentially malicious activity. Intelligent authorization is a very near reality. In this case, Machine Learning models account for changing risk factors (profiles of similar identities, behavior patterns, data sensitivity, location, and so on) to predict risk and continuously update access controls and authorization policies as conditions change.
The question is whether companies will want to implement autonomous AI authorization or interactive AI authorization, which includes a human in the loop. Should AI decide whether access is automatically granted based on risk, or should a human make the final decision based on the AI model’s recommendations? The main difference is where the auditing and explainability occurs during the process.
Balancing security and productivity
Dynamic authorization allows you to become more cyber resilient, as you’re better equipped to adjust to change. In terms of security and compliance, you can show auditors, regulators, and cyber insurance companies how exactly you align with least privilege, zero trust requirements to eliminate broad, standing access.
Dynamic authorization also makes your organization more operationally efficient. When you implement dynamic authorization, you reduce time wasted on granting and waiting for access. Employees don’t have to manage the burden of remembering and securing passwords. Plus, because IT teams don’t have to worry about manual configurations and constant adjustments, they can spend their time on higher-value activities to improve the security and resilience of your organization.