KuppingerCole Report
Executive View
By Graham Williamson

Symphonic – Intelligent Authorization

There are several trends that continue to make the use of identity information for access control more complex. The prevalence of smartphones as the end-user client of choice, the increasing use of API channels needing access to corporate data and the increasingly complex hybrid cloud environment all serve to increase the complexity of managing authorized access to protected resources. Symphonic Software makes the task of orchestrating information points and resolving the complexities of modern authorization a little less daunting.
By Graham Williamson
gw@kuppingercole.com

Content of Figures

  1. Figure 1 Authorization Services Environment

1 Introduction

Over the past decade information technology environments have become increasingly complex as organizations grapple with accelerating technology advances and rapid migration of social mores. Organizations are increasingly seeking solutions that permit line-of-business applications to access corporate data while ensuring access is both appropriate and authorized; adhering to appropriate regulation is expected.

Smartphones are now the predominant end-user device. In the past, when a user’s access was from a PC on company premises, it was relatively easy to secure access to corporate data but now there is a requirement to manage access from coffee shops, via a highly portable device with a tendency to be lost or stolen.

AI programs with a rapacious appetite for data often use APIs to diverse applications and data repositories, adding a requirement for sophisticated key or token management to the access control task. Developers are often left to their own devices with inadequate direction on how to secure and monitor API activity; a policy-based authorization service can significantly mitigate this vulnerability.

Corporate applications increasingly reside in various hybrid environments, from on-prem applications at one end of the spectrum to containerized cloud environments on the other, all with the need to access company data. This diverse environment makes consistent access control even more difficult to achieve.

The accelerating complexity of IT environments is fueling the adoption of Authorization services, as opposed to more simple role-based access control environments. While ‘role’ is an important attribute, for instance, the Chief Financial Officer gets wider access to corporate applications than an Accounts Payable Clerk, these days a finer-grained access framework is needed. Additional personal attributes must typically be evaluated. Has a user been trained on the application they are trying to access? Is an access request coming from a user currently traveling in China? Is a user’s behavioral analysis risk score adequate for the application being accessed?

Device attributes must also be evaluated. Is the smartphone password-protected? Has the device been jailbroken? Is the corporate data container installed?

In an environment with such complexity an Authorization service is typically employed to facilitate fine-grained, context-aware, access control with centralized administration for consistent application of policy.

An outline of Symphonic’s solution is as follows:

  • Policy Enforcement Point
    A facility to allow an application to apply the result of a request for an access control decision when a user seeks access to a protected resource. For legacy systems the PEP is a few lines of code inserted into the application but increasingly APIs are being used to request access and receive the response from the decision point.
  • Policy Decision Point
    The core of the authorization service that queries the appropriate data sources to form an access control decision, and evaluates a request against the policies established by the business to determine the correct decision for user access to a requested resource.
  • Policy Information Orchestration
    The facility that ensures the data returned to the decision point query is sourced from the correct repository and is combined or transformed where necessary to allow a policy to be appropriately evaluated.
  • Policy Information Point
    Typically, one or more data repositories that contain the identity or other attributes and contextual information needed to make a decision regarding the requested access.
  • Policy Administration Point
    The facility that allows access-control policy to be defined. The UI must accommodate the intended user-base, for technical staff a programming interface is typically used, for a business user a natural language expression builder is more appropriate.

The way in which these components support the requirements of the relying applications is critical to the success of an authorization service. The “Trust Framework” for each Symphonic deployment is configured to the client’s environment. Symphonic provide interfaces to attribute repositories and credential stores, and integration packages for specific industry risk-scoring services are also offered.

2 Service Description

Symphonic have adopted ‘Intelligent Authorization’ as a key marketing message for their solution. This is illustrated by the sophistication in the ...

Login Get full Access

2.1 Policy Enforcement

Symphonic provide diverse solutions to suit most client architectures. Typically existing infrastructure components such as firewalls and API gateways ...

Login Get full Access

2.2 Policy Decisions

Access control decisions are determined by the PDP via an analysis of the pertinent policies for the requested access. A typical response will be eith ...

Login Get full Access

2.3 Policy Information

The policy information point (PIP) must accommodate the requirements of the decision point. This means that an organization’s data repositories must ...

Login Get full Access

2.4 Information Orchestration

Symphonic’s mission to provide their clients intelligent authorization is focused on the provision of a unified view of the attributes and contextua ...

Login Get full Access

2.5 Administration

Symphonic have developed a sophisticated policy framework development tool as a result of their experience with customer installations. Policy adminis ...

Login Get full Access

2.6 Development Environment

It is important that the release of configuration updates or policy tree change be properly controlled.

Symphonic’s design principles facilitate ...

Login Get full Access

3 Strengths and Challenges

Undoubtedly there is a trend towards fine-grained authorization of a user accessing a protected resource, rather than simply relying on corporate auth ...

Login Get full Access

4 Related Research

Leadership Compass: Access and Federation – 71147
Leadership Compass: Privileged Access Management – 79014
Leadership Compass: CIAM 2018 – 79059
Leadership Compass: Adaptive Authentication – 79011
Architecture Blueprint: Hybrid Cloud Security – 72552

Copyright

©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst ompany, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.

top