As we’ve seen, organizations traditionally streamline provisioning through sets of templates that are packaged together as “roles” and are used to grant access in an RBAC model. These templates are relatively rigid and do not respond well to edge cases or dynamic business changes.
Machina consolidates policy fragments into a centralized attribute-based access control system that goes beyond the traditional RBAC model to also evaluate data identity and request context. Leveraging additional attributes when rendering an access control decision adds flexibility to handle edge cases, new business contexts, regulatory changes, and much more.
Machina includes a number of components by default that enterprises often attempt to cobble together on their own, but they can only integrate a subset of these capabilities, usually confined to a few isolated silos. No other solution on the market today delivers a massively scalable key management system with a data attribute store, a highly flexible attribute-based policy engine capable of making just-in-time decisions, and an extensive set of SDKs and APIs to simplify consistent data handling across a complex hybrid landscape. There’s no longer any need to manage policy and protection separately in every silo.
- When it comes to the risks outlined in the prior section, Machina feeds real-time intelligence about every access request into governance efforts, so governance decisions can be based on how access is actually functioning rather than on hypotheticals.
- The perceived complexity of scaling and managing an ABAC model is just that: a perception. RBAC models, which require a tremendous amount of planning to think through every potential edge case in advance, are fundamentally a different beast. ABAC models require you to just describe the facts, not forecast an uncertain future.
- And although handling multiple variables in an access decision gives the appearance of complexity, Machina customers report that they manage fewer policies in fewer places much more simply than they ever did before. Machina makes precise policy easy for administrators to write by translating natural language policies into XACML-compliant code that can be enforced dynamically in complex, real-time environments.
Access decisions often involve decrypting data under the right circumstances, but with Machina, encryption is just one form of access control. Building a policy-based access control engine around a key management system makes dynamic decisions possible at scale with high performance. The keys travel with the data, but unlike traditional key management services or hardware security modules, access controlled by Machina leverages the key’s attributes, not the key itself. Instead of defining policies based on access to a key, with Machina I can describe my data using attributes and then use those attributes when writing policy.
This innovative approach to controlling access policy decisions through attribute-based key release has led to integrations with AWS, Google Cloud, and Microsoft Azure. With these and other well-known partners, Machina integrates to enrich real-time decision-making with external attributes, function as an externalized or step-up authorization framework to provide a policy decision point over other enforcement mechanisms, and provide dynamic authorization to data and resources. Machina integrates easily with authoritative data sources through standards like SAML, SCIM, and OAuth, and it’s important to note that customers can use their existing IAM or key management service with Machina as desired through the strength of these partnerships.
It’s also important to note how Machina represents an improvement on template-based approaches to security. Template models require big, up-front, granular decisions that lock organizations into a framework identified some time ago that likely no longer matches the dynamic state of today’s business. Policy can be changed based on a group or an individual template, but data cannot be removed from that template. To effect a change, administrators must deny access, reclassify, and reissue the data. This is exceedingly challenging for operational teams and end users.
Our clients tell me that template-based models (and most RBAC models leverage templates) can’t scale. Their users are perhaps sophisticated enough to choose from four templates, but what the organization really needs to handle the dynamic complexity of its business are four thousand templates. With a data identity store, Machina allows organizations to customize attributes, adding or changing attributes and dynamically enforcing those changes as the business evolves.
Machina also provides visibility into the way access is actually being granted, not just how it is supposed to be granted. This real-time feedback is exactly what is needed to create roles of any stripe, but RBAC-based solutions are challenged when it comes to providing this level of visibility.
With Machina Decision, an API-driven service layer, customers enable just-in-time enforcement of attribute-based policies across applications and repositories. Machina Console logs every transaction request, providing extensive visibility into access granted or denied. Users typically ingest these logs into a SIEM or other event or alerting tool to learn from actual access behavior patterns.
Changes to Machina policy can be made just-in-time (JIT) to increase security or reduce risk based on observations; this policy dynamically affects data handling rules across a complex landscape without requiring new security templates, new roles, or application logic changes.
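To make the contrast between role templates and attribute evaluation concrete, here is an added example in Python. It is not Machina code and is not taken from this post; it is a small policy decision point that evaluates subject, data (resource) and request-context attributes, combines rule results with deny-overrides, records every decision as one JSON line of the kind you would ship to a SIEM, and releases a per-classification data key only when the decision is permit, in the spirit of the attribute-based key release and the decision logging described above. The rule names, attribute names, the `release_data_key` gate, the `ROLE_TEMPLATES` contrast and the keyring values are all constructed for illustration.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Constructed ordering of data classifications, lowest to highest sensitivity.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Request:
    """One access request: subject identity, data (resource) attributes, request context."""
    subject: Dict[str, object]
    resource: Dict[str, object]
    context: Dict[str, object]


@dataclass
class Rule:
    """A named condition over the whole request and the effect it yields when true."""
    name: str
    effect: str  # "permit" or "deny"
    condition: Callable[[Request], bool]


class PolicyDecisionPoint:
    """Evaluates every rule, combines results deny-overrides, and records each
    decision as one JSON line so the log can be shipped to a SIEM."""

    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        self.rules = rules
        self.default = default
        self.log: List[str] = []

    def decide(self, req: Request) -> Dict[str, object]:
        matched = [r for r in self.rules if r.condition(req)]
        if any(r.effect == "deny" for r in matched):
            decision = "deny"          # any explicit deny wins
        elif any(r.effect == "permit" for r in matched):
            decision = "permit"
        else:
            decision = self.default    # nothing matched: closed by default
        record = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "decision": decision,
            "matched_rules": [r.name for r in matched],
            "subject": req.subject,
            "resource": req.resource,
            "context": req.context,
        }
        self.log.append(json.dumps(record, sort_keys=True, default=str))
        return record


def clearance_covers(req: Request) -> bool:
    return LEVELS[req.subject["clearance"]] >= LEVELS[req.resource["classification"]]


# Constructed policy: three rules written against attributes, not roles.
RULES = [
    Rule("permit-cleared-managed-device", "permit",
         lambda r: clearance_covers(r) and r.context.get("device_managed") is True),
    # A data-residency requirement added later as one rule; no role or template changes.
    Rule("deny-eu-data-outside-eu", "deny",
         lambda r: r.resource.get("region") == "EU" and r.subject.get("location") != "EU"),
    Rule("deny-outside-business-hours", "deny",
         lambda r: not 6 <= int(r.context.get("hour", 0)) < 20),
]


def release_data_key(pdp: PolicyDecisionPoint, req: Request,
                     keyring: Dict[str, str]) -> Optional[str]:
    """Hypothetical key-release gate: the data key for the resource's classification
    is handed out only when the policy decision is permit."""
    if pdp.decide(req)["decision"] != "permit":
        return None
    return keyring.get(str(req.resource["classification"]))


# Role template for contrast: it sees only the role and the classification, so
# residency, device posture and time of day are invisible to it.
ROLE_TEMPLATES = {"analyst": {"public", "internal"}}


def rbac_allows(role: str, classification: str) -> bool:
    return classification in ROLE_TEMPLATES.get(role, set())


if __name__ == "__main__":
    pdp = PolicyDecisionPoint(RULES)
    keyring = {"public": "key-pub", "internal": "key-int", "confidential": "key-conf"}
    analyst = {"id": "u123", "role": "analyst", "clearance": "internal", "location": "US"}
    eu_record = {"classification": "internal", "region": "EU"}
    ctx = {"device_managed": True, "hour": 10}
    print(release_data_key(pdp, Request(analyst, eu_record, ctx), keyring))  # None: residency rule
    print(pdp.log[-1])  # the JSON decision record a SIEM would ingest
```

The residency rule is the point of the contrast: `rbac_allows("analyst", "internal")` stays true for EU data because the role template has no attribute to express the constraint, while the ABAC engine picks it up from the resource's `region` attribute without touching the analyst's entitlements, and the decision record names exactly which rule denied the request.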
Implementing Machina into an application is as easy for a developer as using Stripe or Twilio to handle payments or messaging, and it’s free and easy to get started. The few lines of Machina code abstract complex business logic out of the application so it can be managed centrally by administrators.
When it comes to authoring access policy, like the examples below that come from the use cases discussed previously in this series, Machina Console supports full separation of duties, provides simulation capabilities to understand projected impacts, and captures detailed versioning and visibility to audit every policy and rule change. Some customers grant supply chain vendors the ability to write, but not implement, policy in shared applications to standardize access control rules within a federated use case and reduce supply chain risk.
The landscape of our world has changed. It’s no longer sufficient, or even reasonable, to continue doing the same things we’ve always depended upon. The network firewall has crumbled, cloud is the new normal, and policy is now the new perimeter we must enforce around the assets we value. Address a changed and changing world by implementing the attribute-based access controls of Machina.
Part 7/7 ABAC Blog Series: Policy is the New Perimeter