Why you need policy-based Identity Governance


Why you need policy-based identity governance and administration

This five-part blog discusses why IDM alone is not enough to protect your ERP. This series explores the following topics:

  1. The four threats to your ERP posed by user access request management
  2. Top 7 Challenges with IAM
  3. A risk-based approach to application access governance
  4. Why you need policy-based identity governance and administration
  5. Access control capabilities & access governance options


Throughout this blog series, we have discussed Identity and Access Management (IAM) and its limitations. In part 4, we will talk about policy-based access and why it is important for identity governance and administration.

There are two broad approaches to identity and access management: coarse-grained (also referred to as role-based) and fine-grained (policy-based). To understand policy-based access, we should look at how identity management began. When identity management came to market 20 years ago, access to systems was governed by roles. Initially, access security relied on the role-based access control (RBAC) method. Identity management solutions work with RBAC to control who can or cannot use systems or access data based on their role. This role often maps to the person's position or team.

For example, an employee working on the Company A account has access to invoicing records for Company A and only those invoicing records. If the employee attempts to access invoicing records for Company B, the system denies access. The accounting team, on the other hand, has access to all invoicing records.

However, businesses aren't that simple, and access controls need to take into consideration:

  • Who can read invoicing records?
  • Who can create or change invoicing records? 
  • Who needs the ability to create, read, write, and delete records?

Unlike the accounting team, the employee only needs to read records. In this instance, we can control how users access data based on their roles. This is generalized, or role-based, access control. Role-based control uses a single attribute, the role, to determine whether a user can access a system or data source.

Role-based access works for simple systems, but it doesn't scale. As organizations and data grow and become more complex, a role-based system is no longer sufficient. A role-based approach creates many problems in modern organizations with hundreds of applications, clouds, and databases. 


What is fine-grained (policy-based) access?


Fine-grained access control, or policy-based access control, grants or denies access based on a combination of conditions (attributes of the user, the data being accessed, and the type of access requested) rather than on the role alone.

Continuing from our example above, Company A is a customer with operations in both Atlanta and Los Angeles. Each city has a billing specialist to manage purchases. If you follow the recommended principle of least privilege, access to billing records for each billing specialist needs to be limited to their specific city. In this instance, we have three criteria for controlling access to data: role, location, and access type (read-only).

In this example, the Atlanta billing specialist can read billing records only for Atlanta, and the billing specialist for Los Angeles can access only the Los Angeles records. 

This example implements fine-grained access control. It grants access to the billing specialist based on their role, location, and access type. In the example, the billing specialists have read-only access. Additionally, fine-grained access control can allow the billing manager to access both cities or restrict access to one city and allow them to read and change data if required.
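To make the three criteria concrete, here is an added Python illustration (not code from the original post and not SafePaaS code) that evaluates the role-only check beside the policy-based one for the same requests. The user names, record identifiers, and the choice to let the billing manager read and change records in both cities are assumptions made for the example; the policy returns the name of the rule that granted access so the decision can be explained to an auditor.

```python
"""Coarse-grained (role-only) vs fine-grained (policy-based) access decisions
for the Company A billing-records example.  Added illustration: the names,
roles and sample records below are assumptions, not taken from any product."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Subject:
    user: str
    role: str   # e.g. "billing_specialist"
    city: str   # location the person is assigned to


@dataclass(frozen=True)
class BillingRecord:
    record_id: str
    customer: str
    city: str   # location the record belongs to


# --- Coarse-grained: one attribute (the role) decides everything -------------
RBAC_PERMISSIONS = {
    "billing_specialist": {"read"},
    "billing_manager": {"read", "write"},
    "accounting": {"create", "read", "write", "delete"},
}


def rbac_allows(subject: Subject, action: str, record: BillingRecord) -> bool:
    """Role-based check: the record's own attributes are never consulted."""
    return action in RBAC_PERMISSIONS.get(subject.role, set())


# --- Fine-grained: each rule combines role, location and access type ---------
Rule = Callable[[Subject, str, BillingRecord], bool]


def specialist_reads_own_city(s: Subject, action: str, r: BillingRecord) -> bool:
    return s.role == "billing_specialist" and action == "read" and s.city == r.city


def manager_changes_any_city(s: Subject, action: str, r: BillingRecord) -> bool:
    # Assumed policy choice: the manager covers both cities and may change data.
    return s.role == "billing_manager" and action in {"read", "write"}


def accounting_full_access(s: Subject, action: str, r: BillingRecord) -> bool:
    return s.role == "accounting" and action in {"create", "read", "write", "delete"}


POLICY: dict[str, Rule] = {
    "specialist_reads_own_city": specialist_reads_own_city,
    "manager_changes_any_city": manager_changes_any_city,
    "accounting_full_access": accounting_full_access,
}


def pbac_decide(subject: Subject, action: str,
                record: BillingRecord) -> tuple[bool, Optional[str]]:
    """Default-deny: grant only when some rule matches, and report which one.

    The rule name is the audit trail: it records *why* an access was granted,
    not merely that it was."""
    for name, rule in POLICY.items():
        if rule(subject, action, record):
            return True, name
    return False, None


def pbac_allows(subject: Subject, action: str, record: BillingRecord) -> bool:
    return pbac_decide(subject, action, record)[0]


# Constructed sample data for the Company A example (assumed names and ids).
ATL_SPECIALIST = Subject("alice", "billing_specialist", "Atlanta")
LA_SPECIALIST = Subject("bob", "billing_specialist", "Los Angeles")
MANAGER = Subject("carol", "billing_manager", "Atlanta")
ATL_RECORD = BillingRecord("INV-1001", "Company A", "Atlanta")
LA_RECORD = BillingRecord("INV-2001", "Company A", "Los Angeles")


def compare(subject: Subject, action: str, record: BillingRecord) -> dict:
    """Side-by-side decision, showing where a role-only check over-grants."""
    return {"rbac": rbac_allows(subject, action, record),
            "pbac": pbac_allows(subject, action, record)}


if __name__ == "__main__":
    for subj, act, rec in [(ATL_SPECIALIST, "read", ATL_RECORD),
                           (ATL_SPECIALIST, "read", LA_RECORD),
                           (ATL_SPECIALIST, "write", ATL_RECORD),
                           (MANAGER, "write", LA_RECORD)]:
        print(subj.user, act, rec.record_id, compare(subj, act, rec))
```

The second request in the usage loop is the one that matters: the role-only check lets the Atlanta specialist read a Los Angeles record, because the role grants "read" on every billing record, while the policy denies it because the location attribute of the subject and the record do not match. Adding a city to the role name (one role per city) would patch this case, but that is exactly the role explosion that stops scaling as the number of attributes grows.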


Why is Policy-based Access Control Important?


In the cloud, storing large amounts of information together offers a significant competitive advantage. However, this data can vary in type, source, and security level — particularly when considering data security compliance laws and regulations regarding customer data and financial information.

Role-based access control works when data can be stored separately and access to each data type can be assigned by role. But when data with different access requirements is stored together in the cloud, fine-grained access control is necessary: it lets that data reside in the same data store without security or compliance issues, because the policy, not the storage boundary, decides who can see each record. This level of granularity gives organizations complete control over their data access policy.

A fine-grained access control solution is imperative with the increasing complexity of data, rapidly changing roles, and rising security breaches. The flexibility, usability, and simplicity of fine-grained access control allows businesses to mitigate risk easily and reliably and provide auditors with the information they are looking for.

SafePaaS is a unique solution that provides your organization the ability to grant fine-grained access because we contextualize down to the element of data and the element of security at the very lowest level. SafePaaS has the unique ability to protect your data and your privileges in a way that generalized role-based IDM tools can’t. Organizations need assurance at the transaction level and not just at the role level.

Read part 5 to find out about the access control capabilities you need & access governance options.