Five things developers need to know about APIs and authorization
Axiomatics Blog
by David Brossard
13h ago
With the proliferation of APIs across an enterprise, it becomes increasingly difficult to fully understand what APIs are exposed and how. This is why a mature authentication & authorization layer is needed to securely expose your APIs and manage their access. Here are five things developers need to know about policy-driven authorization and API security.
1. The heavy lifting is already done
You have already defined what the business object is for the API. For example, you have already decided you want to look at medical records and what you want to do with that record such as viewing it, d…
The vital role of policy-driven authorization for CISOs
Axiomatics Blog
by Jim Barkdoll
1w ago
Despite the increased visibility and significant pressures of their job, the majority of the time CISOs are not given a voice with the board and security is often viewed as a cost as opposed to a revenue generating function. However, they are still held accountable for cybersecurity breaches and attacks. And this accountability doesn’t only come from internal stakeholders. Recently, the U.S. Securities and Exchange Commission (SEC) brought charges against a company’s CISO in connection with a cybersecurity incident. Now, the SEC is requiring enterprises to increase the level of transparency ar…
Three challenges cloud architects face and how to solve them
Axiomatics Blog
by Mark Cassetta
3w ago
As enterprises continue to adopt and migrate data, applications, and assets to the cloud, new challenges and opportunities arise. It is a part of the cloud architect’s role to address these challenges and ensure the enterprise’s cloud system is optimized, monitored, and maintained to protect the data within the system. Some common challenges cloud architects face include:
Taking legacy, on-premises applications and shifting them to run better as cloud applications. Some of the applications in question are likely to be homegrown, and all will have been deployed in a manner that did not account…
OAuth and Authorization: A duo in securing access to API-based services
Axiomatics Blog
by David Brossard
1M ago
What is authorization?
Authorization, also referred to as fine-grained access control, is the process of ensuring users have access to resources and allowing them to perform relevant actions on the resources – but only to the extent allowed by policies and constraints imposed by the organization’s business, legal or any other categories of requirements. These rights can be as simple as viewing a file (a grant permission) or denying the ability to view a file (a deny permission). A traditional authorization architecture is role-based access control (RBAC), in which a user has a specific role as…
Gartner IAM Summit London 2024 recap
Axiomatics Blog
by Emme Reichert
1M ago
Our team had a great time at the Gartner Identity and Access Management (IAM) summit in London, UK discussing the latest innovations and trends in the identity industry. We spoke with our Chief Product Officer, Mark Cassetta, and VP Marketing & Communications, Kelly O’Dwyer-Manuel, about their time at the conference and to share some of their own highlights from the event.
What was your biggest takeaway from the event?
Mark: For the last twelve months, we have been seeing signs of a convergence between traditional cybersecurity teams and IAM. The opening keynote of this show “Treat Cyberse…
Scalability, flexibility, and security – Why you need a hierarchical policy structure
Axiomatics Blog
by Mark Cassetta
1M ago
One of the most common questions I hear from identity or security teams when it comes to policy-driven authorization is about how to structure policies. On the whole, policy is a better way to express authorization (when compared to other methods such as access control lists) because of its expressiveness, ease of read/write, and audit. Specifically, we’re often asked whether the policy structure should be hierarchical or flat. While it is possible to implement an external authorization solution leveraging either structure, understanding the nuances of each approach is vital, as it significant…
How can I manage many complex permit rules for the same ALFA policy?
Axiomatics Blog
by Mark Berg
2M ago
ALFA, the abbreviated language for authorization, is an easy-to-write authorization language that uses a lightweight syntax and implements attribute-based access control (ABAC). ALFA uses attributes (key-value pairs) inside policies to convey authorization statements. We won’t get into every aspect of policy authoring today. For a brief overview of what a policy is, check out the ALFA Language Basics.
Using policy structure and combining algorithms to make a policy easier to read
Have you ever found yourself with a long, complex list of checks that must all be true for a given object and actio…
Q&A: Auditing and Authorization
Axiomatics Blog
by Emme Reichert
2M ago
We recently sat down with our Chief Technology Officer, David Brossard, and Vice President of Customer Relations, Matt Luckett, to discuss how policy-driven authorization can help improve auditing.
What are the most typical pain points enterprises experience when it comes to auditing?
David: The number one pain point I see is that existing identity governance and administration (IGA) systems give enterprises a false sense of security. They give this false sense by only doing audits on data they have available. If it is an audit on who has access to what data, that insight often doesn’t exist in…
Handling multi-valued attributes in ALFA – How “bag” can it get?
Axiomatics Blog
by David Brossard
2M ago
Background
Attribute-based Access Control (ABAC) leverages attributes in combination with a set of policies to determine authorization decisions. A request is sent from an application, API, or another component that acts as a Policy Enforcement Point (PEP). The Policy Decision Point (PDP) receives the request and applies it to the authorization policies that it has in place. While doing so, the PDP might leverage one or more Policy Information Points (PIP) in order to retrieve additional attribute values.
Attributes are bags of values
An example
Incoming request: “Can Tintin enter the EU?”
Po…
The future of work, or work today, requires access control
Axiomatics Blog
by Mark Cassetta
3M ago
More people are working in borderless environments as enterprises have shifted to remote or hybrid workplaces. According to Upwork, an estimated 32.6 million Americans will work remotely by 2025, which is about 22% of the workforce. Plus, more organizations are hiring employees from all over the world. Both of these shifts in how the world works mean there is a higher importance placed on collaboration as the world becomes borderless.
The pandemic accelerated enterprises into the future of work
The future of work has always been headed in the direction of being borderless. However, what was g…