Adaptive Policy-based Access Management


Adaptive Policy-based Access Management (APAM) is a Policy Based Management System for Access Control where Policies are applied at runtime to make Authorization decisions based on Contextual Attributes in the broadest sense.

Adaptive Policy-based Access Management is part of the broader User and Entity Behavior Analytics as applied to Adaptive Risk or Risk Based Access Control.

Adaptive Policy-based Access Management (APAM): The Future of Authentication and Authorization[1]#

Over the past several years, there have been a lot of discussions around terms such as RBAC (Role Based Access Control), ABAC (Attribute Based Access Control), Dynamic Authorization Management (DAM) and standards such as XACML. Other terms such as Risk Based Access Control (RiskBAC) have been introduced more recently.

Quite frequently, there has been a debate between RBAC and ABAC, as to whether attributes should or must replace roles. However, most RBAC approaches in practice rely on more than purely role (i.e. on other attributes), while roles are a common attribute in ABAC. In practice, it is not RBAC vs. ABAC, but rather a sort of continuum.

However, the main issue in trying to position ABAC as the antipode to RBAC is that attributes vs. roles is not what the discussion should be about. The difference is in how access is granted.

Some years ago, I introduced the term "Dynamic Authorization Management” for what some vendors called "Entitlement Management", while others used the term of "Policy Based Management System". This has been about the contrast of doing authorizations based on statically defined entitlements (such as in system that rely on ACLs, i.e. Access Control List, e.g. Windows Server) and authorization decisions made at runtime based on policies and context information such as the user, his roles, etc. – in fact a number of attributes.

Even longer ago, the term PBAC had been introduced, With the A in PBAC standing for “admission”, because PBAC was a standard introduced at the network level.

However, you could also argue that systems such as the SAP ERP systems or Windows File Servers do authorizations dynamically, for instance in Windows by comparing ACLs with SIDs contained in the Kerberos token. Nevertheless, the entitlements are set statically. Admittedly, after various discussions with end users, the term “dynamic” appears to not be clear enough for distinguishing various approaches.

While common, static approaches at best translate policies in static entitlements, this step is lacking in what I now will call Adaptive Policy-based Access Management (APAM). And that is what really makes the difference: Policies, applied at runtime to make decisions based on context in the broadest sense. Whether these are roles, IP addresses, claims, or whatever – this is the essence of the entire discussion that we have seen going on for years now.

It is not a question of whether RBAC or ABAC is right. It is about moving towards APAM. The advantages of APAM are obvious:

  • APAM by default is a security service, i.e. externalizes security from the applications (theoretically, such a concept might be implemented into applications, but there is little sense in doing so).
  • APAM will automatically reflect policy changes. Policies,
  • APAM when implemented right, can be expressed in a business-friendly notation.
  • APAM is adaptive, e.g. it takes the context into account.
All the aspects we had discussed as advantages for Dynamic Authorization Management logically apply to APAM, because this is just a new term for what KuppingerCole previously named Dynamic Authorization Management. Admittedly, it is a better term.

More Information#

There might be more information for this subject on one of the following: