Moving Towards Policy Based Access Control is the Future of IAM
As more and more businesses move to the cloud, managing access permissions has become a daunting yet crucial task for maintaining information security. PlainID provides an elegant solution that eliminates role-based definitions and aligns them with company policy instead. CMO Gal Helemsky explains.
How was Plain ID founded?
PlainID was founded a little more than 2 years ago by 3 co-founders, all with vast experience of over 20 years each in Identity and Access Management (IAM).
We founded the company because we realized something was missing in the IAM area. We’ve been implementing IAM in different organizations, but we couldn’t provide the full required solution because the current technology lacked the abilities we needed.
To those who are not familiar, can you give us an overview of what IAM is?
Identity and Access Management typically deals with 3 main areas:
- Identity: how you see the user in the online world
- Authentication: how you prove the identity of that user
- Authorization: how and which permissions you grant that user, or what the user can do and see
PlainID offers a comprehensive solution for authorization management and control, whether in the cloud, mobile or on-premise.
Authorization is recognized as the main gap in IAM solutions today, by NIST (the National Institute of Standards and Technology) and by leading analysts like Gartner. Most organizations are struggling with this challenge, and lack the ability to efficiently manage what each identity can do and see.
Today, most of those definitions are managed within repositories, using provisioning and static roles; this is the well-known Role Based Access Control (RBAC) method.
Authorization mechanisms are mostly static, predefined and highly complex to maintain. Organizations are dealing with thousands or even millions of entitlements. Much of that process is done manually, and requires recertification over and over again.
This situation isn’t going to improve anytime soon. Complexity is just increasing, as organizations are expanding to the cloud, and implementing more applications to support their business needs. They need to be more agile, support on demand computing, and the dynamic nature of a fast-moving business.
Requirements are also changing because assets, data and information are no longer confined to the internal network; they are accessible in the cloud and mobile environment. Data is available to employees as well as partners, contractors and more; this results in an increasing security challenge, and organizations can no longer rely just on RBAC, just on admin-time authorization; they need a better solution that provides tighter control.
Another aspect of that challenge is that today, access decisions are managed in different places. Some organizations have Identity Governance and Administration (IGA), where some decisions are managed. Others are API gateways, web application gateways, cloud vendors, etc.
Decision points are distributed; there isn't any one central place for access decisions.
PlainID offers one layer where you can manage business policies in a near native language way, and connect it to the implementation policies. For example, you can define that traders can mark positions only in their own region from 8:00 till 17:00, and only from the office. To that business policy you can add the relevant technical implementation – whether it’s an on premise, cloud or mobile application.
Another example – Developers can access development specs, those can be stored in Amazon S3 buckets, or on the internal file server. PlainID enables you to manage your business policy and connect it to the relevant implementation, providing a flexible way to manage access decisions, to any environment.
Policy based access control dramatically reduces the amount of definitions you need to manage. With PlainID you can reduce several hundreds of static roles to just one policy statement.
PBAC (Policy Based Access Control) combines RBAC (Role Based Access Control) and ABAC (Attribute Based Access Control). Using PlainID you can map to existing definitions of identities, roles and attributes. Add to that environmental attributes (like time, location, events, etc.), and then the resources with their metadata. All those make up the building blocks of the policy.
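As an added illustration (not PlainID's code), the following small policy decision point evaluates the two business policies quoted above against subject, resource and environment attributes, denying by default and reporting which conditions failed. Attribute names, the `env` helper and the sample request data are all assumptions constructed for this example.

```python
from datetime import time

def office_hours(t, start=time(8, 0), end=time(17, 0)):
    """True when t falls inside the 08:00-17:00 window from the trader policy."""
    return start <= t < end

def env(hour, minute, network):
    """Constructed environment attributes for one access request (assumed schema)."""
    return {"time": time(hour, minute), "network": network}

# One policy per (action, resource type): a list of named conditions over the
# subject (s), resource (r) and environment (e). All conditions must hold.
# This single trader policy replaces one static role per region in RBAC.
POLICIES = {
    ("mark", "position"): [
        ("has trader role", lambda s, r, e: "trader" in s["roles"]),
        ("own region only", lambda s, r, e: s["region"] == r["region"]),
        ("08:00-17:00", lambda s, r, e: office_hours(e["time"])),
        ("from the office", lambda s, r, e: e["network"] == "office"),
    ],
    ("read", "dev_spec"): [
        ("has developer role", lambda s, r, e: "developer" in s["roles"]),
        ("spec in S3 or internal file server",
         lambda s, r, e: r["store"] in {"s3", "fileserver"}),
    ],
}

def decide(subject, action, resource, environment):
    """Deny by default. Returns ("PERMIT", []) or ("DENY", [failed condition labels])."""
    conditions = POLICIES.get((action, resource["type"]))
    if conditions is None:
        return "DENY", ["no policy covers this action/resource type"]
    failed = [label for label, ok in conditions
              if not ok(subject, resource, environment)]
    return ("PERMIT", []) if not failed else ("DENY", failed)

if __name__ == "__main__":
    # Constructed sample request: an EMEA trader marking an EMEA position.
    alice = {"roles": ["trader"], "region": "EMEA"}
    position = {"type": "position", "region": "EMEA"}
    print(decide(alice, "mark", position, env(9, 30, "office")))   # PERMIT
    print(decide(alice, "mark", position, env(18, 0, "vpn")))      # DENY, two failed conditions
```

The failed-condition list is what you would log at the decision point, so that denied requests can be audited against the business policy rather than against an opaque role name.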
What kind of assets are most vulnerable and how does your authorization solution help to secure them?
It really depends on the organization and its resources; the system itself is very flexible. It lets you define any type of resource you want to control access to; it can be a financial transaction, an account record, a document, a website or an email.
The most important assets or pieces of data are the ones that the organization cares the most about. You can place more control over them, and less over the lower priority assets.
Eventually you can manage a policy rather than static role definitions. You can have a wider range policy or a tighter policy. The decision of what you want to protect is based on your preferences.
It sounds like moving to a technology like yours would require a lot of adjustment from the client’s perspective.
It might sound so, but it’s not necessarily correct. We understand it’s not always trivial to move to policy based access control, so as part of the product, we provide a set of tools that assist our clients in the adoption process. There are 3 main stages to the adoption of the product:
- Create – Set the building blocks, discover existing identities and resources data.
- Consolidate – Build your policies, using our policy studio and Policy mining tool.
- Control – Deploy your approved policies to start better controlling access.
PlainID sits on top of existing decision points. We integrate with leading IGA products, API gateways and access management solutions; we also provide a run-time authorization module. You can continue using admin-time authorization, while gradually moving to fine-grained & contextual run-time authorization.
Organizations are struggling today with identity and access management, especially when they want to scale up internally or migrate to the cloud. This struggle might result in loss of control over distributed assets. That is one good starting point to use PlainID: we bring back the control, by connecting the organization's defined identities with cloud resources.
Another good starting point is modernizing the data center. Let's say you want to convert older apps to be more friendly and graphical, like a mobile interface. First, you'd need to develop a native mobile app, and expose the business logic in APIs on a resource server. All layers of that solution will require the same access controls. PlainID sees the existing access controls, and can convert them to the new required standards.
PlainID reduces the efforts around authorization management and control. Having a single layer of policy-based access control enables organizations to move forward to new technologies, while enhancing the efforts that have already been made.
How does PlainID coincide with 3rd party services that organizations are using, like cloud storage and CRMs?
That’s the whole point behind collaboration. In the past, data used to be limited primarily to the use of the internal organization. Now there is more external use, and that’s part of the challenge. You need to provide access to other types of users coming from external sources. Part of this problem is the need to support federations, as well as support distributed identities.
As mentioned before, PlainID supports different types of applications and platforms, whether they are cloud based or on premise.
What trends can we expect to see in the future of IAM?
PlainID's solution is certainly the future; Policy Based Access Control will drive forward the IAM world, as the classical, static control methods are no longer manageable.
Organizations are looking for better control, in a way that is easy to scale with and move faster with; that's what PBAC is all about.