How to Enforce an Access Control Policy
Access control is the process of dictating who or what can access resources and assets and what actions are allowed once access is granted. An access control policy, by way of an enforcement mechanism, puts those parameters into action.
Safeguarding data, IT systems and applications requires a robust access control solution, especially where financial, medical and other sensitive data is concerned. Failure to comply with privacy laws can lead to fines and loss of revenue, while breaches can result in a lack of public trust. GlobalScape estimates a single non-compliance event can lead to $4 million in lost revenue.
Access control systems can’t be effective without stringent policy enforcement. These policies need to be well-defined and take into account the requirements of your system or application.
This article discusses access control policies, their purpose and how to enforce them effectively to increase security and prevent unauthorized access.
What is an access control policy?
An access control policy is a set of rules, guidelines or instructions that govern the use of IT resources and assets. Once access is granted, the policy also contains rules concerning operations the authorized user can carry out.
A policy often includes the following elements:
User | A user account or entity that requests access |
User group | A set of users that perform a similar task |
Role | A set of permissions assigned to users or user groups |
Operation | The actions authorized users can perform (create, delete, modify, view and so on) |
Object type | Classification of the resource the actions are performed on |
Resource | The asset that is being accessed |
Resource type | Classification of the resource according to predefined categories |
A system owner or administrator can create policies in an IAM tool by assigning permissions to users and user groups. Then, a policy engine like Open Policy Agent (OPA) can leverage that permissions data to inform enforcement decisions throughout an IT environment. Policies can also include dynamic attributes such as user location, time of the day and other user or API attributes.
According to a report by Cybersecurity Insiders, 72% of companies prioritize security when choosing an IAM solution, and this line of thinking extends naturally to authorization. For fine-grained access control, policies can be custom coded to combine rules for specific scenarios. For example, for user access to highly sensitive information, a policy might dictate that an authorized member of the organization must be present on-premises during working, or on-call as an engineer, and use a company device.
Access management policies typically fall into one of three broad types:
- Organizational policy: Policies that manage resource usage across the entire enterprise based on need-to-know, authority, responsibility and other factors.
- System-specific policy: These policies only define security guidelines for a single system or network. Senior management still defines these policies but the technical staff maintains and implements them.
- Issue-specific policy: Policies pertaining to specific points within the system. These policies may define access to an application or manage authorization between different services.
Access control policy enforcement with OPA
Open Policy Agent (OPA) is a policy engine that unifies policy enforcement across the entire cloud-native environment. Before OPA, policies were often hard-coded into applications or policy systems were created for each new component.
With the proliferation of microservices and cloud-based systems, built-in authorization is no longer a practical solution. According to our 2022 Cloud-Native Alignment Report, 97% of IT decision-makers confirmed the rapid adoption of cloud-native tools and technologies within their organizations. The many elements involved in modern IT systems and applications mean developers can no longer keep implementing a new custom authorization solution for each one.
OPA solves this scalability problem by decoupling the access control functionality from the underlying software. As a fully decoupled policy engine, OPA can be deployed next to a service, container or infrastructure layer to handle all authorization decisions. As a domain-agnostic solution, OPA can be deployed for various use cases in the cloud-native stack and integrated with enforcement points. Policy code can also be reused as often as needed, saving developers time and effort.
OPA usually requires three inputs to reach a decision — a query input, policy and policy data. For policies that support external data, OPA has multiple ways of injecting this data from different sources in JSON format. Developers can extract data, convert it into JSON and transfer it to OPA.
OPA and Rego: A unified policy framework
OPA policies are authored in a policy language called Rego. Rego is a high-level declarative language created to express policies as code. With policy as code, developers only need to worry about what to include in policies rather than how to implement them over complex systems.
A high-level language also makes it possible for non-technical personnel to understand policies and their implications. Rego is more expressive than other role-based access control (RBAC) or cloud Identity and Access Management (IAM) languages and allows policies to be fragmented to reflect proper ownership within the organization.
With a single framework for authorization and policy, organizations can deploy OPA within any of their systems and get centralized monitoring and enforcement of all policies.
Discover how Netflix, Atlassian and SugarCRM use OPA and unified policy as code to scale their systems and increase security.
Managing OPA with Styra DAS
Styra Declarative Authorization Service (DAS) is the industry’s first policy lifecycle management platform for enterprise-grade OPA deployment. With Styra DAS, you get centralized management of OPA deployments across all enforcement points within your organization. The software includes built-in Policy Packs and support for integration with the most popular OPA use cases.
Styra DAS automatically updates OPA to the latest version and allows you to monitor, audit and validate policies from a single location. The Styra DAS Policy Builder is a graphical user interface (GUI) for visualizing policy as code. Team members with little knowledge of Rego can still define policies using the point-and-click interface and communicate these policies with a broader range of stakeholders.
Styra DAS Free can help you get started on a small scale or you can request a demo and talk to one of our engineers about Styra DAS Enterprise. Both versions have access privileges to the full suite of features.
FAQs
What are the advantages of policy as code?
Policy as code is a method of defining and managing policies using code. Policy as code improves security and scaling through automation, enables companies to align on a single standard for authorization and helps teams improve faster time-to-market by reducing human errors.
How can I learn policy authoring in Rego?
The Styra Academy offers free courses on OPA policy authoring in Rego. Learning a policy language requires time and attention, but will significantly improve your organization’s ability to define the right access control policies to secure your environment.