A Primer on Policy-Based Access Management (PBAM)

4 min read

Policy-based access management (PBAM) uses decoupled policy as code and a policy engine to provide real-time authorization decisions throughout the cloud-native ecosystem.

This article presents an overview of policy-based access management, its benefits and implementation methods. 

What is policy-based access management? 

PBAM is a policy-based access control model. Policies are written in a high-level language and enforced using policy as code. A decoupled policy engine, such as Open Policy Agent (OPA), is deployed alongside application components to handle all access control requests and return them to a sidecar proxy or policy enforcement point (PEP). OPA policies are written in the Rego policy language

Policies can be written to have OPA evaluate contextual information and dynamic attributes before allowing user access. With OPA and PBAM, organizations can implement attribute-based access control (ABAC), role-based access control (RBAC) or both. System administrators can select the granularity of access control policies according to their operational and security needs.     

Most traditional policy-based access control (PBAC) methods rely on an eXtensible Access Control Markup Language (XACML) architecture and are mainly used for on-premise systems. However, these methods can’t support all exposed APIs in a microservice or provide the agility cloud-based workloads require. Eventually, OPA was designed to improve the XACML architecture and address the challenges of cloud-native development. 

According to Gartner, 85% of companies will follow the cloud-first principle by 2025 and won’t be able to execute their digital strategies without cloud-native tools. OPA is a graduate project of the Cloud Native Computing Foundation (CNCF) and is the standard for cloud-native authorization. Organizations can improve collaboration and have centralized control over multiple cloud systems and environments by unifying policy enforcement with OPA and PBAM.    

Watch our webinar to learn more about why you need a standardized approach to authorization.  

How does OPA work?   

OPA replaces the policy decision point (PDP) within a typical XACML architecture. When an application receives a user request, the policy enforcement point (PEP) sends it to OPA. After evaluating the request against a policy and sometimes additional data input, OPA returns the decision to the PEP, which denies or grants access. This decision is sent back as JSON over HTTP, allowing OPA to integrate with any programming language.  

As a decoupled policy engine, OPA can be deployed via a library file, daemon or as a sidecar. By offloading policy decision-making from the software, OPA allows you to make policy changes that do not impact the application functions or availability. This proximal location to infrastructure also keeps latency and delays to a minimum. Multiple OPA deployments can all be managed using a central control plane. 

4 benefits of policy-based access management

Businesses can achieve the following benefits by deploying OPA to implement PBAM:

1. Decoupled authorization

By externalizing this functionality from the application logic, you can make policy changes easily and reuse the same code for multiple deployments, saving time and effort. 

Modern microservice applications may consist of hundreds or thousands of services. A single policy decision point would not be able to handle that amount of traffic and eventually prevent scaling. A decoupled policy engine that can provide authorization at all different application layers and be deployed externally with each component solves this problem.

2. Unified policy framework

Individual services in a microservice application are often built using different programming languages, resulting in a polyglot architecture. A single organizational standard for policy lets you control and monitor policies across multiple systems and applications using the same policy language and tools.

Organizations can also improve collaboration between teams and policy authors can easily communicate policy requirements and downstream implications with other stakeholders.  

3. Reduced overhead and time-to-market

Deploying OPA to implement PBAM provides enterprises with a comprehensive authorization solution, removing the stress of designing in-house access control. Developers gain more time to work on the business functions of applications. 

Enterprises often have trouble keeping up with the agility of their smaller competitors. With a built-in PBAM solution, organizations can gain some of that agility and reach a faster time-to-market on their products. 

4. Security and compliance

PBAM allows you to establish fine-grained access control to protect sensitive data and prevent unauthorized access. Using dynamic attributes to define policies will enable organizations to implement Zero Trust and the least privilege security principles better. PBAM also improves your security model by setting parameters around remote access to highly sensitive information, ensuring employees can only access it on-premises. 

Having centralized control over organizational policies means you can monitor them from a single control plane. Compliance policies are automatically enforced and any violations are caught in real-time, allowing you to respond quickly. According to GlobalScale, a single non-compliance event can cause businesses to lose $4 million in revenue. 

How to implement PBAM with OPA and Styra DAS

With Styra Declarative Authorization Service (DAS), developers can concentrate on formulating policies rather than dealing with their implementation. The control plane comes with shareable policy packs that can be tailored to organization-specific needs. 

Policies can be pushed out to the relevant OPA deployments and updated automatically. With policy-based access management through Styra DAS, system owners can fully control the entire policy lifecycle, from authoring and testing to deployment and audits. 

[add image here]

Meeting security and compliance requirements becomes simpler with real-time policy monitoring, audits and impact analysis. A live graph shows compliance violations in real-time within the dashboard. Organizations can also use Styra DAS to quarantine a system and perform forensic analysis in case of a security breach. 

Book a demo today to see Styra DAS Enterprise in action. 

FAQs

What is an access control policy?

An access control policy is a set of rules, guidelines or instructions that define who or what can access a resource and what they are allowed to do after gaining access to the system. Policies are written in policy languages, such as Rego.  

Who uses OPA? 

OPA has seen widespread adoption by large organizations and smaller teams alike. Notable names such as Capital One, Snap and T-Mobile use OPA to handle authorization within their systems. You can find the complete list of adopters here.

Cloud native
Authorization

Entitlement Explosion Repair

Join Styra and PACLabs on April 11 for a webinar exploring how organizations are using Policy as Code for smarter Access Control.

Speak with an Engineer

Request time with our team to talk about how you can modernize your access management.