Ensuring the Security, Compliance and Agility of Digital Initiatives with Dynamic Authorization

Even before 2020, digital transformation initiatives were monopolizing the attention of most enterprises. Lines of business were attempting to outmaneuver the competition with experiences that would win customer loyalty and steal market share. IT departments were focusing on access and data security and technical enablement of the initiatives. And compliance departments were striving to ensure adherence to GDPR, CCPA and other regulatory requirements. 

Then earlier this year the pandemic appeared. Suddenly, everyone was working from home and any customers still physically interacting with brands shifted to 100% digital—or very close to it. Organizations with five-year digital transformation plans have been forced to get their digital infrastructure in order much faster than previously anticipated.

To accomplish this shift successfully, organizations must keep their eyes on three fundamental aspects of digital business: 

• Security: With new apps, new partnerships and new functionality, how can businesses protect customers from fraud and secure their data?
   
• Compliance: With so many additional use cases, are organizations remaining in compliance with privacy regulations?
   
• Agility: How can we do these things and continue to launch fresh apps, integrations and other initiatives faster than our competitors?

These three things are among the most difficult aspects of digital transformation. If left unaddressed, they can slow digital initiatives to a crawl. 

And oftentimes, one culprit makes this transition extremely difficult: authorization.

One of the reasons organizations overlook authorization as a cause of slowed digital transformation is because authorization is often done using OAuth throughout the organization. In these enterprises, authorization enforcement is coded into various applications, API gateways and other layers of infrastructure. This makes it incredibly difficult to audit or update, and It’s not until you step back and look at the big picture that you begin to really see some of the issues.

You might be thinking: “But Dustin, that’s why we have an authorization standard called OAuth!” You’d be right for calling that out, since OAuth is the gold standard of authorization and the recommended way to do it. However, there are a few areas where OAuth falls a little short. 

Decentralized Enforcement

Gold standard or not, enforcement of access via OAuth is often implemented in various apps and layers of your infrastructure. As mentioned above, that can make it very difficult to audit or update. Imagine a situation where you need to change the authorization rules in a similar way across all applications, or a situation where you need to evaluate how access is granted to any app that has access to sensitive customer data. Pretty much any scenario that requires you to evaluate authorization beyond a single app will be difficult with OAuth alone.

Authorization and Data Access

OAuth generates tokens that are then passed to a resource (e.g., an application or a section of an application). If the token is valid, then access to that resource is granted. It does not help control access to data. For example, once access to a resource is granted, that resource or application may need to access data about a customer. Access to that data is not easily controlled by OAuth. Once access to the resource is granted, the resource’s access to data is out of scope—no pun intended. 

Dynamic Authorization Scenarios 

OAuth is great at controlling access to resources in static situations. If a certain type of user is always allowed to have access to certain types of resources, then OAuth works well. However, with more and more digital initiatives, we’re frequently seeing complex authorization scenarios that aren’t easy for OAuth to handle. The common thread in these scenarios is that the rules for authorization change depending on the situation. Take an example where customers are granted access to reports based on how many points they’ve purchased with a company. Just because a person is a “customer” doesn’t mean they should have access to a particular report, and the rules will change from customer to customer, depending on how many points they have. Consent enforcement also falls into this category. The consent a customer has given will vary from customer to customer and differ every time. We’ll dive into additional dynamic authorization use cases in the “Use Case” section below. 

Predetermined Access

Another complexity that comes with dynamic authorization scenarios is that the authorization logic is often determined before it is enforced. The system that mints an OAuth token isn’t the same as the server that gives access to the resource. What if an attorney is authorized to access only 20 specific documents that pertain to their case out of millions of documents in the system? It is potentially inefficient to sift through the millions of potential documents and stuff authorizations to those 20 specific documents into a token. Practical limits to token data also can come into play. This situation can be problematic at scale with traditional authorization.

The good news is that there is a type of solution that can overcome these fundamental authorization issues and streamline authorization to ensure agility, security and compliance with new digital initiatives. They’re called “dynamic authorization” solutions.

Dynamic authorization is: 

Real-time enforcement of the fine-grained business logic around what users can see and do, in what context, and for what purpose.

Dynamic authorization generally goes above and beyond traditional authorization in four key areas: 

Real-time Enforcement

Unlike traditional authorization, dynamic authorization can make real-time decisions on what to authorize. This means you don’t have to pre-determine what access is needed when a token is minted, and token data limitations or computation do not need to be taken into account.

Insight beyond Identity 

Traditional authorization is focused around identity attributes and roles, but dynamic authorization can consider any data that an organization has at its disposal. This can include identity data and roles, third-party APIs, accounting systems, custom logic or any other data source.

Fine-grained Attribute-based Access Control (ABAC)

Dynamic authorization is fine-grained. This means that it considers the context of each request—unlike traditional authorization, which typically has static rules for access.

Centralized Administration

Dynamic authorization gives you a centralized policy administration point where any user—GRC, business owners or anyone else—can manage policies. Tools like PingAuthorize have an easy-to-use drag-and-drop interface for business users to manage policies.

Now that we have dynamic authorization defined, let’s talk about how it can help you speed your digital initiatives. Dynamic authorization:

Doesn’t Require Code Changes

Even if traditional authorization is centrally managed, your resources servers or API gateways still have to understand how to respond to a token and appropriately enforce access. This logic is likely hard-coded, especially in advanced use cases. With dynamic authorization, your business logic can be centrally administered and enforced. This means that applications teams don’t have to change their code. They never even have to know their request for data or for an action is going through dynamic authorization policies. All they see is whether the action is approved or the authorized data that is returned.

Makes Audits Easy

Auditing authorization can be a resource drain that slows your digital initiatives. Trying to get a hold of numerous business units to determine where the code is for authorization, and what its enablement is, is a tall order. Even getting the right people onto a meeting is probably tough. Centralized administration makes it simple to see all of the authorization logic across all apps in one place, smoothing the path for audits. Centralized enforcement also improves auditing and reporting by ensuring the administrative rules are being adhered to by all apps.

Allows New Use Cases

A central administration point that appropriate stakeholders can be granted access to ensures that changes will be easy to implement. Changes can range from new security rules, new privacy rules that need to take consent into account in different ways, or new business use cases that require new authorization rules.

Numerous dynamic authorization use cases across industries are tough to handle with OAuth and traditional authorization. While every use case is unique, a frequent commonality among these situations is that the authorization rules are based on user consent, internal or third-party data sources, or other information outside of “identity data” that can change from user to user.

The problem is that if you have issues dynamic authorization can solve, those issues usually are not labeled with “// dynamic authorization issue” in the code. For that reason, I’ll list a few examples of use cases where dynamic authorization can help in a few industries. This list is by no means exhaustive. Instead, it’s meant to help you identify areas where dynamic authorization may be able to help in your own business.

Healthcare

• Practitioners often share consoles at healthcare and other medical facilities. In time-sensitive scenarios, you may not want to force a new sign-in that delays use of the console, but instead want to evaluate the time of last sign-in or other data to determine the likelihood that the current user is actually the signed-in user. If that likelihood is low, you can skip requiring a sign-out and simply prevent certain actions from occurring or sensitive data from being shared.
   
• With the proliferation of telehealth in 2020, healthcare providers may also want to restrict patient data and protected health information (PHI) to only that which telehealth providers require for a particular call.
   
• A healthcare provider may want to restrict a practitioner’s ability to look at other practitioners’ patients, perhaps by referencing the scheduling system and knowing that the user is not scheduled to work at the time the data is being requested.
  
  

Manufacturing

• Shared project activity abounds in manufacturing. Many internal and external parties (such as project managers) with similar roles don’t need access to everything but require access to different sets of data, and dynamic authorization can help control what they can see in a fine-grained manner.
  
  

Higher Education

• In higher education, users may often have multiple roles. If a user is both a faculty member and a student, dynamic authorization can prohibit that “student’s” access to a classmate’s grades and personal data, even if they’re signed in as a faculty member.
  
  

Financial Services

• Financial services organizations can limit information that lenders can view so lenders don’t see customer information that isn’t required to evaluate and approve a loan application.
   
• Financial services organizations could restrict access to high-value transactions (such as an electronic funds transfer) under certain conditions. For example, they may want to deny transfers over $10,000 if the account is less than a day old or if a third-party API says their credentials have recently been compromised.
   
• Financial services organizations may want to allow customers to grant account access to financial advisors. In these situations, the financial advisor should only have access to a portion of the account (such as the last year of transactions or whatever the customer has chosen to grant them). Dynamic authorization can appropriately enforce access in this scenario.
  
  

General Dynamic Authorization Scenarios

• Many types of businesses have call centers. These organizations may want to restrict customer information that customer service reps can see or edit. For example, you might allow the CSR to see only the last four digits of SSN and credit card numbers, and not allow them to change the primary email address on file for users.
   
• Many types of organizations must abide by the rules of GDPR, CCPA, CDR or other privacy regulations. A core tenet of these is enforcing customer consent. Since the consent given will vary from customer to customer, enforcing that consent is, by nature, dynamic authorization.
  
  

Again, this list is not exhaustive. It is only meant to give you an idea of the types of scenarios in which dynamic authorization can help.

As enterprises move faster than ever embarking on new digital initiatives, they must ensure that they are secure, compliant and agile. With new and more complex digital use cases emerging, relying on OAuth alone might create complexities that slow digital initiatives. In these cases, dynamic authorization solutions like PingAuthorize can help.