Verifying identities in cyberspace is a prerequisite to knowing what those digital personas are allowed to do. Access to information and systems can be granted depending not only on the level of assurance that proper verification has taken place but on other factors as well. For example, entitlements and rights can also ascribed based on contextual information, the requested resource, and the action being performed. These four things together give the most power and flexibility when defining security policy.
Today, however, most security policies are encoded directly within applications. This is problematic for a number of reasons including the following:
An alternative approach is to centrally manage, store, and enforce security rules. When this tact is taken, applications call into a centralized authorization server to render decisions about whether or not access should be granted. This decision can be based on the role of the requester or a set of attributes that represent that entity. Depending on the complexity of the policies, a role-based approach to access control can lead to an unwieldy system. To avoid an explosion of roles, a more find-grained approach known as Attribute-Based Access Control (ABAC) can be used. This tact is often implemented using a standard called XACML, and is implemented by our partner, Axiomatics, in their policy server.
Twobo Technologies possesses in-depth knowledge of entitlements management. We are helping organizations understand how best to enforce access control in an increasingly distributed world where the cloud is a reality. If you are wondering about such things, please contact us with your questions.