Access control is a critical enabler of most business systems. It governs and which trusted identities can access digital assets based on appropriate assurance levels (often within a zero trust framework). These controls are designed to protect resources from unauthorized access, while facilitating legitimate use.
The main challenge (and customer critique) of existing approaches is the level complexity (i.e. you need specialist support) and the challenge of scalability.
How existing approaches work
Let’s take Role Based Access Control (RBAC) as an example. RBAC has been a popular model since its birth in the 1990's and is still in use today as a key offering of major IAM vendors. It works from the principle of ‘least privilege’, and requires a system administrator to assign rights based on roles within an organization. Each role is defined with a certain area and level of access based on three principles: role assignment, role authorization and permission authorization.
While still popular in many large organizations, this approach runs into problems quickly with more roles than users or employees, users with multiple roles, the cannibalization of roles and roles becoming obsolete or no longer relevant. It also relies on manual input and constant maintenance while becoming overly complex, and unable to scale effectively.
Perhaps the most common approach used today is Attribute Based Access Control (ABAC), also known as Policy Based Access Control, which became popular in the 2010s. ABAC offers more granularity than RBAC as it determines access based on a number of attributes (such as title, location, team, etc) concerning the user, defined by an access policy.
But ABAC runs into similar challenges with the manual maintenance of an increasingly complex collection of attributes and granular policies that take a significant resource cost to implement and maintain. Scaling complex authorization policies also becomes very challenging.
Compounding this is the rapid rise of IOT and connected devices that require automated intelligent authorization, something a bit out of reach for both major approaches.
So how do we optimize? We get smarter by using knowledge
The complexity and flexibility of modern software and services means we need granular flexible access control for users. The more granular, the closer the data reflects the real world and the more control a business has in managing access. But the granular control policies can’t be static, they need to be dynamic and responsive to changing context.
At IndyKite, we use graph technology to capture contextual data in a flexible data model that can be used to drive dynamic access policies.
By interrogating the continuously changing context KBAC can unlock higher risk protection, better security, better user experience, and dramatically reduce resource costs, while uncovering new insights for product creation or value realization.
This means that you as the administrator can design access control policies for a complex user group that work at scale, rather than hard coding a static policy.
See it in action
Scenario: you run a loyalty program for a large retailer and want to connect family accounts.
To connect family accounts and share access and perhaps authorize certain actions, we need a dynamic access policy.
To create it, drag and drop (or write if you prefer) the access policy you want to employ in your IndyKite administration console. This policy will define the access and actions the user is authorized to do. The policy can also define additional authorizations the user can deploy, such as delegated access to their loyalty account, shopping list, coupons and importantly - payment methods. For example, the user may choose to allow their child or partner to authorize payments of up to a nominal amount, let’s say $15. The authorization token is stored in the graph to facilitate the payment authorization when triggered by a transaction.
The user can adjust this at any time and should a relationship change (or delegation removed) at any point, the access policy will reflect the update.
In this example, you not only set up a dynamic policy for your customers that will scale well, you also give the user power to share and adjust the policy based on their needs.
Scenario: you run a large global shipping company that has thousands customers all with large workforces. Further your customers have logistic partners and vendors that provide services to them and to their competitors. All actors need various secure access to your freight management platform.
In this scenario, access control can get complicated and messy very quickly. You have employees, clients, client’s partners/vendors, and other third parties all requiring access to your platform and data on certain shipments for various reasons. The partners and vendors may also be serving more than one of your clients.
To ensure secure and appropriate access, we can use Knowledge Based Access Control, via the IndyKite platform, to not only capture the users and organization they represent, but also the relationship they have to other users, other organizations and relevant shipments. This relationship data makes it possible to develop access policies that ensure a third-party vendor can be connected to multiple clients, without client data being inappropriately accessed.
Realize the value
In these two examples, we realize value in achieving efficient and effective access control. But is that it?
Of course not.
With a flexible data model driving these policies, we can also use the contextualized data, captured by the knowledge graph to gain valuable insight. This data can then be used to build new services, achieve efficiencies and improve customer experience.