Policy-based Access Management (PBAM) Reference Page

  • Feb 8

Policy-Based Access Management (PBAM), also known as policy-based access control (PBAC), is a security approach that reduces risk by limiting access to sensitive data.


While other forms of access control, such as role-based access control (RBAC), grant permission based on the roles of a user (e.g. the Manager has access to all documents in an organization while a Sales Team Member does not), PBAM provides access control through the use of policies. With PBAM, access is granted only to users who meet certain criteria. For example, maybe you only want your employees to access company data during their working hours and from work-issued devices.


PBAM makes it possible to enforce permissions dynamically using policies that consider attributes such as user identity, device, location, and risk level — safeguarding critical data and reducing the risk of hackers moving laterally within the organization.

Why PBAM?

Organizations can expect the following when they implement PBAM:


  • Centralized policy management: PBAM enables policies to be kept in a single repository, which simplifies policy management and limits risk to sensitive data. It especially helps reduce the administrative burden associated with managing access control across multiple platforms.

  • Flexibility of access controls: PBAM allows for flexibility by granting or denying access to users based on specific attributes in real-time. For example, perhaps Lisa typically works from Arizona, but now she is requesting access from Illinois. Through PBAM, her access can be denied as the request comes through, reducing the risk of unauthorized access to sensitive data.

  • Entitlement efficiency: RBAC has been the main solution for taming the complexity of entitlement management. However, it often relies on static entitlements, which creates its own set of issues. PBAM, on the other hand, moves away from static entitlements and expresses access rules in plain English, enhancing efficiency in more ways than one.

Deployment

PBAM can easily be deployed using traditional server or cloud technologies.


Key components of any deployment include:

  • Managing policies via Policy Administration Point (PAP)

  • Storing policies via Policy Repository Point (PRP)

  • Policy decisions at run-time via Policy Decision Point (PDP)

  • Additional contextual information, supplied to the PDP via a Policy Information Point (PIP)

  • Integration via Policy Enforcement Point (PEP)

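As an added illustration (not Axiomatics code), here is the working-hours and work-issued-device policy from the introduction run through the PDP, PIP and PEP roles listed above; the policy itself is hard-coded in the PDP in place of a PAP and PRP, and the user directory, device inventory, resource names and all identifiers are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed PIP sources: a user directory and a managed-device inventory.
# A real PIP would query the IdP/HR system and the MDM inventory instead.
USER_DIRECTORY = {"lisa": {"usual_region": "US-AZ", "work_hours": (9, 17)}}
MANAGED_DEVICES = {"lt-4412"}

@dataclass
class Request:
    """What the PEP sends: who, what action, which resource, under what context."""
    subject: str
    action: str
    resource: str
    context: dict = field(default_factory=dict)  # device_id, region, time (ISO 8601)

@dataclass
class Decision:
    permit: bool
    reasons: list = field(default_factory=list)  # advice for the PEP and the audit log

def pip_lookup(subject: str, device_id):
    """PIP: attributes the PDP needs that are not carried in the request itself."""
    return USER_DIRECTORY.get(subject), device_id in MANAGED_DEVICES

def pdp_evaluate(req: Request) -> Decision:
    """PDP: deny by default; permit document reads only when every condition holds."""
    if req.action != "read" or not req.resource.startswith("doc:"):
        return Decision(False, ["no applicable policy"])
    user, managed = pip_lookup(req.subject, req.context.get("device_id"))
    if user is None:
        return Decision(False, ["unknown subject"])
    reasons = []
    start, end = user["work_hours"]
    ts = req.context.get("time")
    if ts is None or not start <= datetime.fromisoformat(ts).hour < end:
        reasons.append(f"outside working hours {start:02d}-{end:02d}")
    if not managed:
        reasons.append("device not in managed inventory")
    if req.context.get("region") != user["usual_region"]:
        reasons.append(f"region {req.context.get('region')} differs from usual {user['usual_region']}")
    return Decision(not reasons, reasons or ["all conditions satisfied"])

def pep_read_document(req: Request, store: dict) -> str:
    """PEP: the only code path that touches the resource; it obeys the PDP verdict."""
    decision = pdp_evaluate(req)
    if not decision.permit:
        raise PermissionError("; ".join(decision.reasons))
    return store[req.resource]
```

Lisa reading a document from her usual region, on a managed laptop, at 10:30 is permitted; the same request from a different region, outside 09:00-17:00, or from an unmanaged device is denied with the failing condition named in the reasons.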

Cloud-native environments can easily take advantage of flexible configuration options such as APIs or configuration files. They also benefit from technologies such as Kubernetes by leveraging its built-in fault tolerance and scalability features.

PBAM can be deployed through different strategies including software appliances, hardware, cloud native environments, cloud-based Software-as-a-Service (SaaS), and DevOps workflows.

How PBAM aligns with Zero Trust Architecture

The backbone of the Zero Trust strategy is the motto “never trust, always verify”. In its simplest terms, you can think of Zero Trust in the same way you think of a house. You may want your kids to have access to the living room and the kitchen, but there may be a need for additional checkpoints in the kitchen. For example, you most likely don’t want your kids accessing the oven without supervision. But, you want it to be possible for yourself to still have access to these things.


This is where the principles of Zero Trust come into play. Zero Trust makes it possible to safeguard these areas of the house so that only the right people have access to the right things, under the right conditions, at the right time. It’s no different with your organization’s data.


There may be times when you want your team members to be able to access data only within certain limits. For example, team members can only access a certain document during their working hours and if they’re accessing it from a company approved device. Combined with the PBAM approach, Zero Trust makes it possible to reduce risk and safeguard your data in real-time based on dynamic attributes.


PBAM makes it so that policies can be moved to a centralized location, allowing for simpler policy management. Additionally, it makes sure that your organization’s policies are in compliance with ever-evolving government standards and regulations, while reducing the risk of hackers moving laterally within the enterprise.


Here at Axiomatics, we’ve helped organizations of all sizes in different industries (healthcare, financial services, manufacturing, public sector agencies, etc.) safeguard both complex and simple data through Zero Trust and PBAM. Want to learn more? Check out this blog on Zero Trust for more information!

PBAM Standards

A key aspect of PBAM is its ability to integrate seamlessly with other systems while aligning with industry standards such as the eXtensible Access Control Markup Language (XACML), the Abbreviated Language for Authorization (ALFA) and AuthZEN, ensuring consistency and interoperability across platforms.


Our solutions are developed in the standards-based language of XACML, which also defines a request/response protocol and a reference architecture. ALFA is another standards-based language that simplifies the process of creating and maintaining authorization policies by providing a more intuitive and less verbose syntax than raw XACML. Whether using ALFA or XACML, organizations can expect access to a centralized policy management repository, simplified policy creation, and flexibility.


OpenID AuthZEN is a working group that is dedicated to developing standards and promoting interoperability in the authorization realm — Axiomatics is among the founding members of the group and our CTO is one of the co-chairs. The group’s goal is to create a standardized framework for applications to communicate with PBAM systems which ensures seamless, standardized authorization across enterprise IT environments.


It is important to note that PBAM solutions that don’t incorporate standards can expose enterprises to vendor lock-in for authorization management.

Axiomatics and PBAM

Axiomatics understands that data is important to your enterprise. No matter where it’s stored or how complex it is, we can help you safeguard and secure it. Our team has experts in defining requirements and tailoring our solution to meet your policy-driven authorization needs.
