Runtime authorization is a key cyber defense control that enables zero trust access. That’s why runtime authorization has become a focal point for developing the next generation of identity-centric access controls. This includes both human and nonhuman use cases supporting the high volume and velocity of access to modern apps, computing units, data objects and underlying networks.
Traditional runtime authorization controls and related policy management practices are typically homegrown and deployed on-premises. These authorization systems are limited in their ability to scale and address business needs, specifically when policy evaluation becomes dependent on the relationship among entities. This situation is increasingly unsustainable. Weak runtime authorization controls not only expose organizations to a higher level of access risk in cyberattacks, but also increases the cost of access management and hinders digitalization initiatives.
What to do about it?
Modern runtime authorization use cases require stateless authorization decision points that enable policy definition to be decoupled from policy decisions across different operating environments. This approach enables system owners, together with risk managers, to govern policy management practices while enterprise architects and technical professionals govern the technical implementation.
A Key Challenge
Runtime authorization design and implementation are challenging because one-size runtime authorization control does not fit all use cases. These use cases protect human and nonhuman entities’ access to a mix of actions and target objects. Unfortunately, no single technology covers all scenarios. The components for each use case vary by the complexity of the policy to be enforced and the context of protection. Some low-assurance use cases may simply require an authentication event to grant coarse-grained access to some data or applications. But as the policy complexity increases and the target objects become more sophisticated, you need more advanced policy management and enforcement mechanisms.
Figure below shows key runtime authorization use cases.
Runtime authorization systems require an architectural view of the end-to-end access path. This path spans from the authenticated subject to the target object, considering all tiers, intended actions and computing environment requirements. Each authorization control in this path requires a set of policy management capabilities to define and maintain what rules should be enforced as well as support runtime services to evaluate and enforce the policies in real time. Also, where the workload nature is ephemeral with high volume and velocity characteristics, authorization systems may rely on intelligent services, using machine learning, to assist with policy and entitlement modeling.
The following figure shows the runtime authorization key capacities.
The Next Step
Technical professionals should recognize that:
- Authorization policies are a manifestation of how a business operates in terms of access to business processes and underlying functions, data and technologies. The quality of any authorization system depends on how well policies are managed and distributed to relevant authorization decision points.
- Authorization tools are made of many interdependent components that query policy data and make an algorithmic authorization decision. That is why it is important to define multiple authorization architecture patterns to simplify the design process and ongoing management of authorization components and metadata.
To deliver effective and efficient runtime authorization controls, security and risk management technical professionals should:
- Architect modern runtime authorization controls. Identify and remediate policy management and policy enforcement control gaps by using the runtime authorization functional framework and access patterns.
- Implement finer-grained runtime authorization solutions for cloud environments by including key patterns. Example are cloud, API, microservices, DevOps pipeline and key access, as well as by enhancing apps and data (structured, unstructured and analytics).
- Evaluate and adopt emerging fine-grained runtime authorization frameworks and technologies. Begin by assessing frameworks such as OPA for native cloud systems. In addition, investigate graph database technologies to model and store policies when decisions are dependent on complex entities’ relationships.
If you are interested to learn more, the following Gartner research report provides further guidance (available to Gartner subscribers):
- Architecting Modern Policy-Based Runtime Authorization (Published 2 December 2020 – ID G00729503)
- Guidance for Modernizing Authorization Architecture (Published 26 June 2020 – ID G00724885)
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.