How policy-based access control improves agility and security
Tony Goulding
People with deep experience in IT and security operations, compliance, and incident response have been in the trenches. They’ve learned from those experiences—including their mistakes—and they have stories to tell.
Codifying that experience as policy, including policy-based access controls, means others don't have to learn the same lessons the hard way.
Policy-based access controls provide guardrails that control access within certain parameters or thresholds. In this blog, you’ll learn how policy-based access controls reduce your risk of identity-based attacks and you’ll see how automating those controls can ensure consistency, reduce errors, and save you time. You’ll also learn how Delinea Platform helps centralize and manage policy-based access controls.
A hiking analogy for policy-based access controls
I’m an avid hiker. I relish the opportunity to get away from my desk and go exploring. Sometimes, I’m following trails I know well, but other times I’m not, and I find myself in a place where the signposts aren’t as clear. You can think of these different situations in terms of access controls.
- Role-based access control (RBAC). Think of RBAC as a well-worn path through the woods: familiar, easy to follow, and good enough for most situations. RBAC relies on static, predefined roles with fixed permissions. There is no real-time assessment of anything that might dynamically affect access. So when an unexpected snowfall covers your path, or an access scenario arises that your roles never considered, you're at risk.
- Attribute-based access control (ABAC). Think of this as a network of trails through the forest. You can customize your route based on your needs, but it requires more planning and navigation skills. It's very flexible and supports fine-grained decisions for highly specific and nuanced scenarios. ABAC relies on policies to define which attributes are evaluated to grant access. That flexibility can translate into complexity, which becomes a barrier to adoption.
- Policy-based access control (PBAC). PBAC draws on institutional or tribal knowledge. Policies act as a compass, steering decision-making and providing a framework for various actions. There is a well-maintained trail system with clear signage, but also some flexibility for taking side paths when specific conditions are met. PBAC may combine roles and attributes to determine access, which makes it a good balance between ease of use and customization. As with ABAC, access is granted based on policies that specify which attributes are assessed, so complexity can still become a barrier if policies are not managed centrally.
- Rule-based access control (RuBAC). RuBAC is sometimes used interchangeably with RBAC, ABAC, and PBAC, but rules are really a building block that all three can use. For example, rules can add a sprinkle of conditional access to RBAC's static role/permission model, such as granting access to a server only during specific hours or only from a trusted IP address range. In PBAC, each policy can be thought of as a ruleset that defines how roles and attributes are evaluated.
Navigating the access control labyrinth
For strong identity security, you need policies to address many situations, such as checking out a vaulted Secret, establishing a login session, elevating privileges, validating users with MFA, and triggering automated actions such as access request workflows or access removal.
Why do you need this?
Picture a ransomware gang mounting an identity-based attack using phished credentials. Their attack playbook includes all the steps necessary to escalate privilege, perform reconnaissance, persist in the network, weaponize and deliver payloads, install malware, create a command-and-control backchannel, and execute the attack.
PBAC can disrupt this attack by ensuring account access and permissions are minimal and insufficient to execute steps of the identity attack chain, forcing the attackers to adjust at every turn.
That's ideal.
The reality is that IT, security, and IAM teams juggle an ever-growing list of accounts, credentials, and permissions for human and non-human (machine) identities. Password complexity varies, and routine password rotation doesn't always occur. As your business scales, this fragmented approach becomes a maintenance and security nightmare. Granting or revoking access is a slow, manual process, often involving multiple administrators and layers of approvals.
The sheer number of disparate access control policies, policy engines, rule sets, identity forests, and code bases becomes overwhelming, leading to toxic combinations, inconsistencies in enforcement, and potential security vulnerabilities. Compliance audits are even more arduous, requiring sifting through mountains of documentation, often outdated or incomplete. This lack of control also hinders agility; responding to changing business needs is bogged down by the need to rewrite application code to adjust access privileges.
You can't manage access control policies from memory or on paper (though a written policy template is an excellent place to start). Policies kept that way are hard to manage, adjust, and enforce, especially as risk conditions and context change.
How does this access management chaos affect your business?
The consequences of this access control disarray are far-reaching. Security breaches become more likely due to human error and outdated permissions.
- A disgruntled employee with lingering access privileges could wreak havoc on your data.
- Accidental exposure of sensitive information can occur due to a user exceeding their authorized access level.
- Productivity suffers as users grapple with complex login procedures and struggle to remember which credentials grant access to which applications.
- Compliance fines loom large due to the difficulty of demonstrating consistent policy enforcement.
This lack of control also hinders agility. Responding to changing business needs is slow and cumbersome. Imagine needing to update a critical access control rule across dozens of applications. This is where automation comes into play.
Automating policy-based access controls
Automation is essential for implementing policy-based access controls as it ensures consistent and efficient enforcement of security policies across the organization. By automating these controls, organizations can reduce the risk of human error, streamline compliance efforts, and respond swiftly to access requests and changes. This not only enhances security but also improves operational efficiency, allowing IT teams to focus on strategic initiatives.
If your organization is fragmented and distributed across geographies, functions, and IT environments, an automated approach to policy-based access controls is the only way forward.
Automation brings consistency to avoid security gaps. It also contributes to speeding up incident investigations and streamlining audits, making enforcing policies easier and ensuring they're being followed. A centralized platform for automated access policy controls makes administration seamless by hiding the underlying complexity and providing you with management controls that are easy to use.
With a central platform, you can apply policies for multiple identity security use cases, including configuring identities, provisioning user permissions, elevating privileged access, monitoring and alerting, and auditing.
Integrations with Identity Governance and Administration (IGA) tools further streamline policies for user provisioning and deprovisioning. With policy-based access controls, when new employees join the company, their access privileges can be automatically granted based on their role and department, as defined in the IGA tool. Similarly, when an employee leaves the company, their access can be automatically revoked, ensuring that no lingering permissions remain.
This automation not only saves IT time but also minimizes the risk of unauthorized access during the critical JML (joiner, mover, leaver) phases of the employee lifecycle.
Policy as code: Automating policy-based access controls within the Delinea Platform
Imagine a single, unified policy system that governs access across your entire IT environment. That's the potential of policy as code.
Policy as code is an approach to automating access policy controls in which policies are defined, updated, shared, and enforced as code. It lowers risk by creating policies systematically and automatically verifying that they are enforced in line with principles such as least privilege.
Delinea is leveraging policy-as-code within our identity security platform to make policy automation reliable, dynamic, and scalable. This approach allows us to quickly update functionality with version control, automated testing, and automated deployment.
With Delinea, customers can quickly transition from manual or static policy management to a more dynamic and scalable approach that lets them address rapidly changing risk conditions. You can start with out-of-the-box privileged access control policies for fast time to value and configure policies to match your own organizational and compliance requirements and risk threshold. Everything is transparent.
Within the Delinea Platform, administrators can see all policies and share them with others, so you can explain your policy approach and demonstrate security best practices to auditors and regulators.
Here's how it works behind the scenes.
Delinea’s identity security policy engine leverages Open Policy Agent (OPA)
Open Policy Agent (OPA) is a general-purpose policy engine. It provides a high-level declarative language for expressing policies as code, plus simple APIs for asking it for decisions. OPA lets you manage access control from a single location, eliminating the need to chase down policies scattered across infrastructure, applications, microservices, Kubernetes, CI/CD pipelines, API gateways, and more.
This decouples policy from the code of individual systems: policies are managed and updated through a central policy decision point, while each integrated system acts as an enforcement point that asks OPA for a decision and applies it. Policies are applied consistently across all systems that integrate with OPA, eliminating the need for manual configuration in each one.
With OPA, you can define access control rules using a common, human-readable language called Rego. Rego makes policies easy to understand, facilitating collaboration between IT and security teams.
Let's say you need to grant the marketing team access to a new customer relationship management (CRM) system. With OPA, you simply define the access rules in Rego, specifying which marketing users can access the system, what data they can view, and what actions they can perform. Need to grant temporary access to a contractor? With OPA, you can create a temporary policy that grants the contractor the necessary access for a specific timeframe.
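Here is how those rules look in Rego. This is an added example, not Delinea's code or a policy shipped with the Delinea Platform. It covers the two cases just described (marketing staff on the CRM, a contractor with a time-boxed grant) and layers the time-of-day and trusted-network conditions from the RuBAC discussion on top of the role check. The package name, the attribute names under `input`, the CIDR ranges, the business hours and the grant window are all assumptions; the request time is assumed to be stamped on the request by the enforcement point rather than read from `time.now_ns()`, so every decision is reproducible in tests and audit replays.

```rego
package crm.authz

import rego.v1

# Deny unless one of the allow rules below matches.
default allow := false

# Rule-based conditions layered on the role check (assumed values).
business_hours := {"start": 8, "end": 18}  # UTC hours, start inclusive, end exclusive
trusted_cidrs := {"10.20.0.0/16", "192.168.50.0/24"}

# Time-boxed contractor grants. Kept inline so this file runs stand-alone;
# in a deployment they would be loaded as data and rotated without editing policy.
temporary_grants := [{
	"subject": "bob",
	"system": "crm",
	"actions": {"read"},
	"not_before": "2024-03-01T00:00:00Z",
	"expires": "2024-03-15T00:00:00Z",
}]

# Evaluation time, stamped on the request by the enforcement point (assumption).
# If it is missing, now_ns is undefined and every rule that depends on it fails closed.
now_ns := time.parse_rfc3339_ns(input.request_time)

# Marketing staff may read and export CRM customer records, but only during
# business hours and only from a trusted network.
allow if {
	"marketing" in input.user.roles
	input.resource.system == "crm"
	input.resource.type == "customer_record"
	input.action in {"read", "export"}
	within_business_hours
	from_trusted_network
}

# A contractor is allowed only while the request falls inside a matching grant window.
allow if {
	input.user.type == "contractor"
	some grant in temporary_grants
	grant.subject == input.user.id
	grant.system == input.resource.system
	input.action in grant.actions
	now_ns >= time.parse_rfc3339_ns(grant.not_before)
	now_ns < time.parse_rfc3339_ns(grant.expires)
}

within_business_hours if {
	hour := time.clock(now_ns)[0]
	hour >= business_hours.start
	hour < business_hours.end
}

from_trusted_network if {
	some cidr in trusted_cidrs
	net.cidr_contains(cidr, input.client_ip)
}

# Unit tests over constructed requests; run with `opa test .`
marketing_request := {
	"user": {"id": "alice", "type": "employee", "roles": ["marketing"]},
	"resource": {"system": "crm", "type": "customer_record"},
	"action": "export",
	"client_ip": "10.20.4.7",
	"request_time": "2024-03-05T10:15:00Z",
}

contractor_request := {
	"user": {"id": "bob", "type": "contractor", "roles": []},
	"resource": {"system": "crm", "type": "customer_record"},
	"action": "read",
	"client_ip": "203.0.113.9",
	"request_time": "2024-03-10T12:00:00Z",
}

test_marketing_in_hours_from_office if {
	allow with input as marketing_request
}

test_marketing_after_hours_denied if {
	not allow with input as object.union(marketing_request, {"request_time": "2024-03-05T22:15:00Z"})
}

test_marketing_off_network_denied if {
	not allow with input as object.union(marketing_request, {"client_ip": "198.51.100.4"})
}

test_marketing_cannot_delete if {
	not allow with input as object.union(marketing_request, {"action": "delete"})
}

test_contractor_inside_window if {
	allow with input as contractor_request
}

test_contractor_after_expiry_denied if {
	not allow with input as object.union(contractor_request, {"request_time": "2024-04-01T12:00:00Z"})
}
```

Two design points worth noticing. The policy is default-deny, and every condition is stated positively, so a missing attribute (no roles, no request time, no client IP) makes the rule undefined and the decision falls back to deny rather than silently passing. And the contractor's expiry lives in the grant, not in a cron job that removes access later; once the window closes the same request is refused without anyone having to remember to revoke anything, which is exactly the lingering-permission problem described earlier.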
Living with legacy?
Hexa, an open-source policy orchestration software, uses Identity Query Language (IDQL) to bring identity and access policies into code for large-scale automation. It serves as a bridge for existing applications with entrenched policies by translating legacy policies into a format compatible with OPA, facilitating a smooth transition.
WebAssembly (Wasm) makes policy-based access control implementations portable.
Portability and isolation are part of what makes policy as code trustworthy, and they are why Delinea is exploring Wasm. Wasm runs efficiently on any platform, including web browsers, and OPA can compile Rego policies to Wasm modules so the same policy can be evaluated wherever a Wasm runtime is available. Wasm modules are smaller and lighter than traditional container images, enabling faster startup times. They also run in a sandboxed environment with no ambient access to the host, so a buggy or compromised policy module is contained.
How to start implementing policy-based access controls
Policy development starts with discovery. Tap into that cadre of experts within your organization and experts in identity security. Translate their war stories into access control policies that will address the most common vulnerabilities in the identity attack chain.
That said, even your most experienced, battle-scarred experts can’t anticipate everything. What about those “unknown unknowns?”
Cloud Infrastructure Entitlement Management (CIEM) and Identity Threat Detection and Response (ITDR) solutions can be a game-changer here. They perform an initial discovery of your existing access controls, identifying the scattered permissions across your environment. That initial map guides the re-engineering and refactoring work, letting you consolidate policies in one central location.
Prepare for rapid change
Policy-as-code allows you to modify access controls quickly and efficiently. This fosters agility, enabling you to adapt your security posture to meet your business's ever-evolving needs.
This newfound agility empowers your business to move faster and innovate confidently, knowing that your access controls can keep pace.
Break free from the labyrinth of access control complexity and navigate a brighter future.