At #7 on our list of “Top 20” SOC Capability Areas is Authorization Management. This is the 3rd of 4 separate “Access Control” capability areas that are often addressed together – Identity, Authentication, Authorization, and Privacy/Confidentiality Management. (We discuss the complexities of Auditing separately.)
Authorization capabilities provide control over all Access Control decisions. Security Operations rely on capabilities in this area both to manage roles and to grant/revoke access based on the organization’s security policies. Of course, there is a range of Authorization approaches for implementing access control. All balance the ease of management against the flexibility of object owners making their own individual decisions on authorizing access.
Discretionary Access Control (DAC), like what most users do with files on their Mac or Microsoft Windows desktop/laptop systems, provides the greatest flexibility to data owners or data “custodians”. But it also limits the ability of Security Operations to enforce corporate policies, or even simply to revoke permissions on specific objects for specific subjects without completely revoking credentials for the subject’s identity.
Non-discretionary Access Control approaches seem attractive to many organizations, because administrators centrally manage all access controls, for all subjects and all objects, across the entire organization. Centralized control provides greater consistency across the organization, but increases the administrative burden on Security Operations, sometimes significantly. Role-Based Access Control (RBAC) is one non-discretionary approach that attempts to simplify the administrative burden by placing subjects (users) into Roles (or groups) and granting/revoking permissions on objects to any subject granted that role (or in that group). This simplifies management but surrenders granularity of control. Attribute-Based Access Control (ABAC) is another non-discretionary approach that improves granularity of control by using conditional rules based on specific attributes of both subjects and objects. In practice, ABAC has proven to provide better flexibility but also comes at the cost of increased administrative overhead for the Security Operations team.
Mandatory Access Control (MAC) approaches, primarily used in military environments, are another attempt to balance flexibility with centralized, non-discretionary policies and controls. Similar to ABAC, MAC uses labels (rather than attributes and rules) on both objects and subjects to enforce access policies. This can be very effective for consistency across the organization, but does add to the administrative burden on the Security Operations team.
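To make the granularity trade-off concrete, here is an added example (not from the article) that encodes the four models above as small policy functions over constructed sample data: the role table, label levels, subjects and objects are all assumed. The same request is evaluated under each model, and removing one subject from one object's ACL shows that DAC can express that revocation while RBAC cannot.

```python
from dataclasses import dataclass, field

# Constructed label lattice and role table (illustrative, not from the article).
LEVELS = {"public": 0, "internal": 1, "secret": 2}
ROLE_PERMS = {"analyst": {("report", "read")},
              "admin": {("report", "read"), ("report", "write")}}

@dataclass
class Subject:
    name: str
    roles: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)  # department, clearance, ...

@dataclass
class Obj:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)    # DAC: subject name -> set of actions
    attrs: dict = field(default_factory=dict)  # type, department, label, ...

def dac_allow(sub, obj, action):
    # Owner decides; the only policy is the per-object ACL the owner maintains.
    return sub.name == obj.owner or action in obj.acl.get(sub.name, set())

def rbac_allow(sub, obj, action):
    # Permission hangs off (role, object type), so it covers every object of that
    # type: a per-object, per-subject exception cannot be expressed here.
    return any((obj.attrs.get("type"), action) in ROLE_PERMS.get(r, ())
               for r in sub.roles)

def abac_allow(sub, obj, action):
    # Central rule over attributes of both sides: same department may read,
    # and only the owning subject may write.
    same_dept = sub.attrs.get("department") == obj.attrs.get("department")
    return same_dept and (action == "read" or sub.name == obj.owner)

def mac_allow(sub, obj, action):
    # Labels only (no read up, no write down): read needs clearance >= label, write <=.
    s, o = LEVELS[sub.attrs["clearance"]], LEVELS[obj.attrs["label"]]
    return s >= o if action == "read" else s <= o

def decisions(sub, obj, action):
    return {"DAC": dac_allow(sub, obj, action), "RBAC": rbac_allow(sub, obj, action),
            "ABAC": abac_allow(sub, obj, action), "MAC": mac_allow(sub, obj, action)}

# Constructed sample data: alice owns a finance report that bob (HR admin) may read.
ALICE = Subject("alice", {"analyst"}, {"department": "finance", "clearance": "internal"})
BOB = Subject("bob", {"admin"}, {"department": "hr", "clearance": "secret"})
REPORT = Obj("q3-report", "alice", {"bob": {"read"}},
             {"type": "report", "department": "finance", "label": "internal"})
```

Calling `decisions(BOB, REPORT, "read")` returns a different verdict per model; deleting `REPORT.acl["bob"]` flips only the DAC result, which is the per-object revocation the article says DAC supports and RBAC surrenders.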
This is not intended to be a primer on Authorization, but simply an acknowledgment that most Security Operations teams will eventually be responsible for a combination of these Authorization Management approaches, requiring a range of enabling capabilities: some native to the infrastructure components, and others selected and deployed to authorize (or prevent) access across a range of the organization’s core business systems and services.
This article barely scratches the surface of the need for Authorization Management capabilities in contemporary Security Operations. But taken together with the other capability areas in this “Top 20” list, we hope to shine a light on the breadth, depth, and complexity of what is involved in building effective Security Operations today.
Contact us if you'd like help identifying and selecting Authorization Management capabilities to support your own Security Operations efforts.