By Gerry Gebel, VP of Business Development at Axiomatics
As businesses continue their mass migration of data, applications, workflows and other business assets to the cloud, federal agencies are following suit, and for a good reason.
By utilizing the cloud, federal agencies minimize their overall IT costs, while increasing scalability, modernizing their IT infrastructure and enabling collaboration among development teams to help solve complex challenges.
In addition, cloud platforms like AWS and Microsoft Azure offer easier, more affordable and flexible data storage systems compared to traditional storage solutions like on-premise relational databases.
There are many advantages of cloud deployments.
However, they do not come without risk. A common challenge is cloud security.
Cloud platforms often include built-in security features like Identity and Access Management (IAM) to help control access to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) services.
This is where we begin to see limitations in the built-in security features when dealing with, the security of transactions and data in these platforms.
Not to mention, cloud platforms introduce new technology capabilities (such as orchestration) that require IT employees to examine new processes, including security methods.
It is critical to enhance the basic security capabilities of the cloud platform and cloud data service providers to ensure the high levels of access control federal agencies have in their on-premise systems translate to the same fine-grained levels they require in the cloud.
Augmenting Built-In Security Features
Out of the “box”, cloud platforms don’t offer much sophistication for a policy-based approach to both securing and sharing data.
We see new security products are emerging to protect the cloud, but in some cases, these only focus on a single aspect, such as the security of the infrastructure and containers instead of protecting the data itself.
One example is AWS.
AWS has an “IAM” strategy focused on authorizing administrators to spin up/down servers, databases, containers, etc.
Still, the AWS “IAM” strategy is limited because it focuses on the infrastructure instead of the data.
AWS uses the same legacy identity/role/group-based approach to authorization, which is not fine-grained enough to secure critical information federal agencies hold like national security information or personally identifiable information (PII) on American citizens.
Federal agencies require more advanced security measures than what cloud providers offer.
Security controls must address the legal requirements for the proper handling and sharing of sensitive digital information.
The security protocols must also implement access policies consistently across cloud platforms, instead of acquiring the additional risk and cost of cloud platform-specific security tools.
Security tools must also be built and deployed in the cloud, so they can be managed the same way any application workloads are managed.
Implementing Dynamic Authorization to Protect Cloud-Hosted Data
Federal agencies can extend access control capabilities beyond what cloud providers offer with externalized dynamic authorization delivered with Attribute Based Access Control (ABAC).
Dynamic authorization for cloud-hosted data works by leveraging access control and organizational policies to decide what resources can and cannot be accessed.
Federal agencies can access additional context like risk score, device information, location, etc. when deciding on access decisions.
Policies are an exact reflection of federal requirements and are easy to decipher.
(See how your organization can Enable Digital Transformation with Dynamic Authorization. Courtesy of Axiomatics and YouTube.)
With dynamic authorization, federal agencies can define their data access policies once and apply them consistently on-premise and in cloud deployments.
Federal agencies ensure secure access to applications and data in the cloud while also realizing a wide range of other benefits, including:
- Running an access control service in cloud platforms directly with protected applications and data provides best-in-class system performance.
- In addition, this approach permits federal agencies to operate the security infrastructure in the same way that applications are managed.
- Dynamic authorization for cloud platforms saves developers a significant amount of time because application development accommodates the microservice approach of bounded context and calls external services for security functions.
- Developers are no longer bothered with adding security code to their APIs/microservices. Instead, they can call another microservice to process access decisions.
- Application maintenance costs are significantly reduced by separating security logic from the application.
- By moving security logic to a dedicated service, access policy changes are implemented independent of the business logic code, resulting in a much easier/quicker access policy change process.
- A dedicated dynamic authorization service can respond faster to policy change requests because code changes are eliminated.
- Instead, policy changes are made in the authorization service through configuration and delivered to the runtime services.
As more federal agencies continue to tap the power of the cloud and migrate their infrastructure to cloud platforms, the need to address complex access control use cases for cloud-based resources is only going to grow.
The federal government houses massive amounts of sensitive data that can threaten the security of millions of citizens.
By leveraging dynamic authorization delivered with ABAC, federal agencies enable secure access to sensitive information assets such as applications and data that are now stored within cloud platforms, as well as the administration of cloud deployments.
About the Author
Gerry Gebel, Vice President of Business Development at Axiomatics
Gerry is the vice president of business development at Axiomatics.
In this role, Gerry supports the sales, marketing and product teams by managing strategic partnerships and alliances. Before joining Axiomatics, Gerry was vice president and service director for Burton Group’s identity management practice.
He covered topics such as authorization, federation, identity and access governance, user provisioning and other IAM topics.
Gerry has more than 15 years of experience in the financial services industry, focusing on security architecture, middleware support and mainframe systems.
Axiomatics Federal, Inc., the leader in fine-grained dynamic authorization for customers and partners of the federal government, was recognized in American Security Today’s 2018 ‘ASTORS’ Homeland Security Awards Program.
Axiomatics Federal, Inc. received the Platinum Award in the ‘Innovative Access and Authentication System Solutions’ category.
“Since IT environments are becoming increasingly complicated, federal agencies, like the Department of Homeland Security, are finding new ways to manage their complex and changing access control needs,” said Craig Gilley, president of Axiomatics Federal, Inc.
“The Axiomatics Policy Server does just that.”
“This award establishes the Axiomatics Policy Server as the go-to dynamic authorization solution for Federal agencies and I couldn’t be prouder of this accomplishment.”
Dynamic Authorization solutions from Axiomatics enable accelerated digital transformation, greater business agility and responsiveness, effective governance, and an improved customer experience:
- Centrally-managed, policy-based approach to managing authorization
- Reduction in time spent managing authorization
- Reduction in time spent onboarding new users, and have access evolve over time
- Reuse authorization policies across other IT environments
- Enable centralized audit reporting
Axiomatics Takes Platinum in the 2018 ‘ASTORS’ Homeland Security Awards Program
Best Best IT Policy Mgmt & Authentication
Axiomatics Policy Server
The Annual ‘ASTORS’ Awards Program is specifically designed to honor distinguished government and vendor solutions that deliver enhanced value, benefit and intelligence to end users in a variety of government, homeland security and public safety vertical markets.
Over 130 distinguished guests representing National, State and Local Governments, and Industry Leading Corporate Firms, gathered from across North America, Europe and the Middle East to be honored among their peers in their respective fields which included:
- The Department of Homeland Security
- The Federal Protective Service (FPS)
- Argonne National Laboratory
- The Department of Homeland Security
- The Department of Justice
- The Security Exchange Commission Office of Personnel Management
- U.S. Customs and Border Protection
- Viasat, Hanwha Techwin, Lenel, Konica Minolta Business Solutions, Verint, Canon U.S.A., BriefCam, Pivot3, Milestone Systems, Allied Universal, Ameristar Perimeter Security and More!