1 Introduction

Over the past decade information technology environments have become increasingly complex as organizations grapple with accelerating technology advances and rapid migration of social mores. Organizations are increasingly seeking solutions that permit line-of-business applications to access corporate data while ensuring access is both appropriate and authorized; adhering to appropriate regulation is expected.

Smartphones are now the predominant end-user device. In the past, when a user’s access was from a PC on company premises, it was relatively easy to secure access to corporate data but now there is a requirement to manage access from coffee shops, via a highly portable device with a tendency to be lost or stolen.

AI programs with a rapacious appetite for data often use APIs to diverse applications and data repositories, adding a requirement for sophisticated key or token management to the access control task. Developers are often left to their own devices with inadequate direction on how to secure and monitor API activity; a policy-based authorization service can significantly mitigate this vulnerability.

Corporate applications increasingly reside in various hybrid environments, from on-prem applications at one end of the spectrum to containerized cloud environments on the other, all with the need to access company data. This diverse environment makes consistent access control even more difficult to achieve.

The accelerating complexity of IT environments is fueling the adoption of Authorization services, as opposed to more simple role-based access control environments. While ‘role’ is an important attribute, for instance, the Chief Financial Officer gets wider access to corporate applications than an Accounts Payable Clerk, these days a finer-grained access framework is needed. Additional personal attributes must typically be evaluated. Has a user been trained on the application they are trying to access? Is an access request coming from a user currently traveling in China? Is a user’s behavioral analysis risk score adequate for the application being accessed?

Device attributes must also be evaluated. Is the smartphone password-protected? Has the device been jailbroken? Is the corporate data container installed?

In an environment with such complexity an Authorization service is typically employed to facilitate fine-grained, context-aware, access control with centralized administration for consistent application of policy.
 
An outline of Symphonic’s solution is as follows:

• Policy Enforcement Point
  A facility to allow an application to apply the result of a request for an access control decision when a user seeks access to a protected resource. For legacy systems the PEP is a few lines of code inserted into the application but increasingly APIs are being used to request access and receive the response from the decision point.
• Policy Decision Point
  The core of the authorization service that queries the appropriate data sources to form an access control decision, and evaluates a request against the policies established by the business to determine the correct decision for user access to a requested resource.
• Policy Information Orchestration
  The facility that ensures the data returned to the decision point query is sourced from the correct repository and is combined or transformed where necessary to allow a policy to be appropriately evaluated.
• Policy Information Point
  Typically, one or more data repositories that contain the identity or other attributes and contextual information needed to make a decision regarding the requested access.
• Policy Administration Point
  The facility that allows access-control policy to be defined. The UI must accommodate the intended user-base, for technical staff a programming interface is typically used, for a business user a natural language expression builder is more appropriate.

The way in which these components support the requirements of the relying applications is critical to the success of an authorization service. The “Trust Framework” for each Symphonic deployment is configured to the client’s environment. Symphonic provide interfaces to attribute repositories and credential stores, and integration packages for specific industry risk-scoring services are also offered.

2 Service Description

Symphonic have adopted ‘Intelligent Authorization’ as a key marketing message for their solution. This is illustrated by the sophistication in the ...

2.1 Policy Enforcement

Symphonic provide diverse solutions to suit most client architectures. Typically existing infrastructure components such as firewalls and API gateways ...

2.2 Policy Decisions

Access control decisions are determined by the PDP via an analysis of the pertinent policies for the requested access. A typical response will be eith ...

2.3 Policy Information

The policy information point (PIP) must accommodate the requirements of the decision point. This means that an organization’s data repositories must ...

2.4 Information Orchestration

Symphonic’s mission to provide their clients intelligent authorization is focused on the provision of a unified view of the attributes and contextua ...

2.5 Administration

Symphonic have developed a sophisticated policy framework development tool as a result of their experience with customer installations. Policy adminis ...

2.6 Development Environment

It is important that the release of configuration updates or policy tree change be properly controlled.

Symphonic’s design principles facilitate ...

3 Strengths and Challenges

Undoubtedly there is a trend towards fine-grained authorization of a user accessing a protected resource, rather than simply relying on corporate auth ...

4 Related Research

Leadership Compass: Access and Federation – 71147
Leadership Compass: Privileged Access Management – 79014
Leadership Compass: CIAM 2018 – 79059
Leadership Compass: Adaptive Authentication – 79011
Architecture Blueprint: Hybrid Cloud Security – 72552