The Lay of the Authorization Land - SGNL
Identity and Access Management (IAM) is typically divided into the Identity part, which deals with user authentication, and the Access Management part, which deals with authorization. Authorization in enterprises is the ability to determine the assets a principal may access and how they may access those assets. At an airport, for example, authentication is when airport security identifies you as the passenger and authorization is when a gate agent lets you board a specific flight…
The Cyber Hut Comment: An introductory article by SGNL looking at the world of modern digital asset access control.
They boil the access control problem down to data - whether that is consumer records, for example, or the changing of a user password. They see data as the lowest-level asset that needs protecting across the enterprise landscape. The article goes on to describe the main user types - mainly IT users, normal users, extended workforce (e.g. contractors), partners, organisational customer users and customer users.
They then introduce the concept of an “asset access path” - essentially the linkage between the subject (end user) and the object (the thing they want to gain access to) and the associated actions (what the subject can do against the object). Clearly the objects being protected will be varied - from cloud systems, on-premise files and infrastructure (servers and the like) to internal applications. All of these are likely to need different integration options and contextual analysis.
A policy is then used to link subjects to objects - and the article gives us a tour of existing concepts such as ABAC (attribute-based access control), RBAC (role-based access control) and a mention of JIT (just-in-time access control) - none of which, the article claims, are really delivering all the access control needs of the modern enterprise.
The article argues that this standard employee-to-asset access control piece is not being fulfilled by the market, which was the inspiration for SGNL to start up and focus on closing this perceived gap in the market.