Dynamic Authorization with Policy-Based Access Management

Traditional or static authorization methods no longer meet the demands of today’s digital business environment. Data breaches are on the rise (a 23% increase in 2021, as per the Identity Theft Resource Center), forcing organizations to re-evaluate their security and compliance practices. 

Using Open Policy Agent (OPA) to enforce dynamic authorization across all company data, resources and applications can help you meet compliance and privacy requirements, prevent breaches and keep your authorization layer up-to-date in real-time. 

This article discusses dynamic authorization, its implementation methods and its advantages over static approaches.

Dynamic authorization is an access control method in which authorization decisions are made dynamically in real-time, using policies that consider varying user attributes, such as time of day, location and IP address, or factors like risk scores. These policies are managed centrally and automatically enforced. Dynamic authorization is also known as external authorization management because it decouples the authorization logic from the underlying application code. 

After receiving a query input, the dynamic authorization system identifies the nature of the request and the target application or data store. It then evaluates the request against policies, known static data and external policy data before sending a decision back to the application. All these processes happen in real-time, based on dynamic context and without delays for the user/service requesting access. Dynamic authorization is often coupled with dynamic authentication to ensure the entire Identity and Access Management (IAM) access process occurs in real-time.

Learn more about Dynamic Authorization for Zero Trust Security.

Dynamic authorization methods, such as role-centric attribute-based access control (RABAC), attribute-based access control (ABAC) and policy-based access management (PBAM), involve a higher granularity than their static counterparts. 

With traditional role-based access control (RBAC), user roles are set once and access is granted based on static role assignments. This practice leads to cybersecurity gaps, as employee roles can change over time and role explosion leads to scaling issues and mismanagement of the entire system. Role explosion introduces the need for Identity Governance to make sure that users should still have access to resources through existing role associations.  

Static access control solutions are not suitable for a frequently changing environment. Gartner estimates that 95% of all digital workloads will use cloud-native deployment by 2025. In addition, data-driven enterprises are shifting to centralized data warehouses for economic benefits, such as reduced costs and increased operational efficiency. With the popularity of the cloud — and centralized data sources — having adaptive control over who or what can access your content is more critical than ever. 

Fine-grained authorization methods, such as RABAC, ABAC and PBAM, can make authorization decisions based on a real-time evaluation of attributes. For example, you might want to restrict access to confidential data assets or network applications to only people working on-premises during office hours. With RBAC, that would not be possible as anyone with the appropriate user level would be able to access these assets, even while working from home on a less secure network. 

Using policies to check these dynamic attributes, such as location and time of day, before granting access ensures that employees can only attempt to access resources from inside the company network and during certain hours.  The key is continuous access evaluation.  What has changed since a few movements ago, which may affect the access rights the users should have, are they still on the same network?

Read our whitepaper to learn more about why RBAC is not enough. 

Here are five advantages that dynamic authorization methods have in comparison to RBAC and other forms of static access control:

With dynamic authorization, you gain a higher level of specificity when setting parameters around data access. You can control not only who or what can access a resource, but also the actions they are allowed to perform with it. You can authorize complete access or limit it to read/write functions based on the user ID, IP address, location and other attributes as needed. 

Decoupled policy as code allows you to set up a central authorization system to control policy changes without changing anything at the application level. By having a single control management system, you can more easily reuse policy code, audit policies in the future and monitor them in real-time across the entire organization.

According to our 2022 Cloud-Native Report, 64% of developers felt that setting up IT controls was the biggest challenge of cloud-native expansion. With PBAM, a broader range of stakeholders can understand policies written as code and saved as text files in source control systems for version management. Non-coders and business users can use an authorization policy management interface to define and test policies, reducing the burden on IT team members. 

Policies managed dynamically in real-time keep authorization decisions in sync with session context, services, third-party data sources and policy changes. This capability leads to more accurate and relevant decision-making and reduces service delays. Utilizing fresh context to help make decisions reduces the time for inadvertent or unintentional access based on out-of-date entitlements and configurations.

Dynamic authorization with a central control plane allows you to monitor policies and compliance violations in real-time, leading to an immediate response in case of non-compliance. Automatically enforced policies ensure that only complaint code is implemented during development. Since policies are instantly rolled out to all connected systems from the control plane, you can also easily take advantage of new business opportunities while meeting their associated compliance requirements. 

OPA is a simple but powerful policy engine that uses real-world external and static data to make contextual authorization decisions for your cloud-native stack. OPA works for various use cases, including applications and infrastructures, and externalizes authorization decision-making from the underlying systems or services. Policies and policy data are updated in real-time and distributed to your application’s PDP to support continuous dynamic authorization. 

Styra DAS is a control plane for OPA that provides policy-based access life cycle management for all authorization use cases, including APIs, applications, services and infrastructures. It has OOTB built-in policy libraries to help you meet security and compliance requirements and allows you to manage policies for your entire cloud-native stack from one central control plane.

Styra DAS features include a graphical user interface (GUI) for defining policies and compliance data visualization. Users can also test the impact of their policies before implementing them using the Decision Replay function. Moving from manual review processes to automated guardrails means developers have more time to focus on business features and reduce the time-to-market. 

Try Styra DAS Free today and get a dynamic authorization solution up and running within minutes. 

Authorization means who or what can access data or a resource and what actions they are allowed to perform. 

Authentication is the process of verifying a user’s or entity’s identity. Authorization determines what access rights they have. Authentication precedes authorization in the IAM process.