Authorization Control Plane
Monitoring access, maintaining visibility and detecting anomalies in an era of APIs requires a blend of cyber security and API access management. Cloudentity’s Authorization Control Plane (ACP) provides a lightweight authorization layer that centralizes access control across multiple environments. Add multi-tenant support for B2B and B2B2C, protection against the OWASP API Top Ten, MFA at the API endpoint and a no-code UI, and you have a sophisticated authorization layer that enables your digital transformation efforts.
Securely Modernize Legacy Applications and Deliver New Business Initiatives
Modern applications introduce a variety of new entities that must be secured. From microservices and containers to APIs and on-demand computing, modern infrastructure is more complex than legacy applications and requires new approaches to secure it. By extending identity to each service, API and client across the ecosystem, you can be confident that your applications are protected from malicious activity.
Cloudentity’s Authorization Control Plane enables modern applications to maintain Zero Trust by ensuring that contextually aware authorization happens at every API, service and transaction, keeping your users and data secure.
Data Level Authorization for OWASP Top 10
OWASP’s list of the Top 10 API vulnerabilities shows why API security goes beyond what API gateways and API management tools offer. Authorization at the level of individual data objects is a necessity to protect your applications from API attacks: the classic case, Broken Object Level Authorization (API1 in the OWASP API Top 10), is a caller that holds a valid token and scope but reaches another user’s record. Cloudentity’s ACP provides data-object-level authorization, so rules can be written on the actual transaction data rather than only on which service or client is connected. This boosts your data loss prevention (DLP) efforts by ensuring that even if scope checks fail, sensitive data isn’t shared with an unauthorized user.
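To make the distinction concrete, the following is an added illustration in Python; it is not Cloudentity code and does not use ACP policy syntax. It shows a scope-only check that leaks another user’s record beside a policy that evaluates the real object and payload. The account store, the scope names, the acr values and the 1000 transfer threshold are all constructed for the example.

```python
"""Object-level authorization on transaction data (added illustration).

Constructed example, not Cloudentity code or ACP policy syntax. It contrasts a
scope-only check, which is all an API gateway usually sees, with a policy that
evaluates the actual object and payload of the transaction (OWASP API Top 10
API1, Broken Object Level Authorization).
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Token:
    sub: str                        # subject claim of the access token
    scopes: set = field(default_factory=set)
    acr: str = "password"           # authentication strength; "password" or "mfa" (assumed values)


# Constructed backing store: account id -> record. The record itself carries
# the ownership information the object-level policy needs.
ACCOUNTS = {
    "acc-100": {"owner": "alice", "balance": 4200},
    "acc-200": {"owner": "bob", "balance": 150},
}


def read_account_scope_only(token: Token, account_id: str) -> Optional[dict]:
    """Vulnerable: any token carrying accounts:read can read any account."""
    if "accounts:read" not in token.scopes:
        return None
    return ACCOUNTS.get(account_id)


# A rule sees the token, the target object and the request payload, and
# returns True only if it permits the transaction.
Rule = Callable[[Token, dict, dict], bool]


def owner_rule(token: Token, obj: dict, payload: dict) -> bool:
    # Object-level check: the subject must own the record being acted on.
    return obj.get("owner") == token.sub


def high_value_needs_mfa(token: Token, obj: dict, payload: dict) -> bool:
    # Data-driven check: the threshold is evaluated on the transaction amount,
    # which no scope can express. 1000 is a constructed threshold.
    return payload.get("amount", 0) <= 1000 or token.acr == "mfa"


# action -> (required scope, object-level rules evaluated after the scope gate)
POLICY = {
    "read":     ("accounts:read",  [owner_rule]),
    "transfer": ("accounts:write", [owner_rule, high_value_needs_mfa]),
}


def authorize(token: Token, action: str, account_id: str,
              payload: Optional[dict] = None) -> bool:
    """Scope gate first, then every object-level rule over the real data."""
    payload = payload or {}
    scope, rules = POLICY[action]
    if scope not in token.scopes:
        return False
    obj = ACCOUNTS.get(account_id)
    if obj is None:
        return False          # unknown object: deny without revealing existence
    return all(rule(token, obj, payload) for rule in rules)


def read_account(token: Token, account_id: str) -> Optional[dict]:
    """Hardened: the scope is still required, but an owner mismatch denies."""
    return ACCOUNTS[account_id] if authorize(token, "read", account_id) else None


if __name__ == "__main__":
    bob = Token("bob", {"accounts:read", "accounts:write"})
    print(read_account_scope_only(bob, "acc-100"))   # alice's record leaks
    print(read_account(bob, "acc-100"))              # None
```

The scope gate stays in place; what changes is that the decision also consults the record being returned and the amount being moved, which is the information a gateway checking only the token never has.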
Up to 100x Performance
Performance matters when planning for scale. Cloudentity’s Authorization Control Plane was built from the ground up to provide performance at scale.
Authorizing every user and service requires low latency and high throughput to provide a frictionless customer experience. Compared to similar solutions in the market, Cloudentity’s ACP delivers 60x the performance for OAuth token minting and evaluation, with 90% lower latency.
Support for the Latest Standards
Cloudentity’s ACP supports the latest standards, including OAuth 2.1, FAPI R/W, OpenID Connect (OIDC) and SAML 2.0, delivered at high speed. Cloudentity’s ACP comes with prebuilt connections that make integration with your existing identity provider(s) a snap, giving you a simple way to unify user identity into a single source of truth.
Monitoring transaction risk for users, services and things requires collaboration with third-party providers. Cloudentity’s Authorization Control Plane (ACP) integrates with leading cyber security tools such as WAFs, threat intelligence feeds and fraud detection providers to gather signals that can be used to establish a risk score.
Using these risk scores, authorization is adjusted in real time: access can be reduced, revoked or stepped up (for example by requiring MFA), providing a frictionless approach to identity security.
Learn more about our partnership with Signal Sciences.
Consumers have been empowered by data privacy laws to take more control over their personal data. How it’s used, what it’s used for and whether or not it’s shared with third parties all require explicit permission under GDPR and CCPA.
When users record their consent preferences, either coarsely (acceptance tied to environmental attributes such as IP address or device fingerprint) or granularly (per data object usage), each consent is stored in the Privacy Ledger, where services can look it up to validate and enforce the user’s preferences before sharing data.
Determining which APIs pass sensitive PII, PCI or HIPAA-regulated data and which carry more benign traffic is a foundational aspect of the ACP. The inbuilt classification engine quickly discovers which API endpoints pass sensitive traffic and provides actionable intelligence on which policies are relevant, mandated or superfluous. Detailed NIST-based policies can then be applied by data classification type: ensuring the requester is properly authenticated (MFA versus password), controlling how the service communicates (TLS versus mTLS), and limiting what sensitive data objects a service receives (full user record versus a unique UID).
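As an added illustration of the consent and classification controls described in the two preceding paragraphs (a constructed example, not Cloudentity’s classification engine, Privacy Ledger or policy model), the Python below classifies the fields of an API payload, drops fields the data subject has not consented to share using an in-memory stand-in for the ledger, and then checks that the caller’s authentication strength and transport meet the minimum for the data that would actually be released. The field patterns, the control tiers, the ledger contents and the sample payload are all assumptions.

```python
"""Classification, consent and control requirements for an API payload
(added illustration; not Cloudentity's classification engine, Privacy Ledger
or policy model).

Constructed example: classify the fields a response carries, drop fields the
data subject has not consented to share, then require authentication strength
and transport security proportional to what would actually leave the service.
"""
import re
from dataclasses import dataclass

# Field-name classifiers, checked first. Constructed lists, not a standard.
NAME_CLASSES = [
    ("PCI", re.compile(r"^(card_number|pan|cvv|expiry)$", re.I)),
    ("PHI", re.compile(r"^(diagnosis|medical_record_number|prescription)$", re.I)),
    ("PII", re.compile(r"^(email|phone|ssn|full_name|date_of_birth|address)$", re.I)),
]
# Value classifiers, used when the field name is not recognised.
VALUE_CLASSES = [
    ("PCI", re.compile(r"^(?:\d[ -]?){13,19}$")),          # card-number-like digits
    ("PII", re.compile(r"^\d{3}-\d{2}-\d{4}$")),           # US SSN format
    ("PII", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),    # e-mail address
]


def classify_payload(payload: dict) -> dict:
    """Map each field name to 'PCI', 'PHI', 'PII' or 'PUBLIC'."""
    classes = {}
    for name, value in payload.items():
        label = "PUBLIC"
        for cls, pat in NAME_CLASSES:
            if pat.match(name):
                label = cls
                break
        else:  # name not recognised: look at the value instead
            for cls, pat in VALUE_CLASSES:
                if isinstance(value, str) and pat.match(value):
                    label = cls
                    break
        classes[name] = label
    return classes


# Ordering of the controls a policy can demand; unknown values rank lowest.
AUTH_LEVEL = {"password": 1, "mfa": 2}
TRANSPORT_LEVEL = {"tls": 1, "mtls": 2}


def required_controls(classes: set) -> dict:
    """Minimum controls for the most sensitive class present. The tiering is
    illustrative, not a published NIST mapping."""
    if "PCI" in classes or "PHI" in classes:
        return {"auth": "mfa", "transport": "mtls"}
    if "PII" in classes:
        return {"auth": "mfa", "transport": "tls"}
    return {"auth": "password", "transport": "tls"}


@dataclass
class RequestContext:
    user: str        # data subject whose record is being returned
    acr: str         # how the requester authenticated: "password" or "mfa"
    transport: str   # how the calling service connected: "tls" or "mtls"


# Constructed stand-in for the Privacy Ledger: user -> field -> consent recorded.
PRIVACY_LEDGER = {
    "alice": {"email": True, "phone": False, "card_number": True, "diagnosis": False},
}


def release(payload: dict, ctx: RequestContext, ledger: dict = PRIVACY_LEDGER) -> dict:
    """Return the subset of payload that may be sent to this caller, or raise."""
    classes = classify_payload(payload)
    consents = ledger.get(ctx.user, {})
    # Consent is enforced first: a classified field without a recorded consent
    # is removed rather than released under a weaker control.
    allowed = {k: v for k, v in payload.items()
               if classes[k] == "PUBLIC" or consents.get(k, False)}
    # Controls are then sized to what would actually be released.
    need = required_controls({classes[k] for k in allowed if classes[k] != "PUBLIC"})
    if AUTH_LEVEL.get(ctx.acr, 0) < AUTH_LEVEL[need["auth"]]:
        raise PermissionError(f"step-up required: {need['auth']}")
    if TRANSPORT_LEVEL.get(ctx.transport, 0) < TRANSPORT_LEVEL[need["transport"]]:
        raise PermissionError(f"transport too weak: {need['transport']} required")
    return allowed


# Constructed API response for the data subject "alice".
SAMPLE = {"account_id": "acc-100", "email": "Alice@example.com", "phone": "555-0100",
          "card_number": "4111 1111 1111 1111", "diagnosis": "flu",
          "contact": "ops@example.com"}

if __name__ == "__main__":
    print(classify_payload(SAMPLE))
    print(release(SAMPLE, RequestContext("alice", "mfa", "mtls")))
```

Note that the unlabeled "contact" field is still caught by the value classifier, and that a caller who has only a password never sees the card number or the diagnosis: the response is minimized first, and the remaining fields decide whether a step-up or an mTLS connection is demanded.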
Data Normalization with the Identity Hub
The Authorization Control Plane supports integration with your existing identity and authentication providers allowing you to take advantage of the OAuth and authorization capabilities within the solution without replacing your existing IAM product.
Integrate with multiple identity providers and normalize disparate identity attributes to provide a unified authorization layer regardless of where your user attributes come from.
Identity is the single most important point of protection for Cloud-Native and API-first services.
However, most organizations have several, if not dozens of, different identity stores: social IdPs (LinkedIn, GitHub, Facebook), public cloud IdPs (Google, Amazon Cognito, Azure AD B2C), legacy IdPs (ForgeRock, Ping, Oracle) and even bespoke ones built for existing applications. The Identity Hub aggregates and normalizes these data sets over OIDC, SAML, SCIM, SQL, NoSQL, REST and LDAP so that each user’s identity, group and role data looks the same before the application authorization process begins.
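The following is an added illustration of that normalization step in Python; it is not Cloudentity’s Identity Hub code. One user arrives as OIDC claims, as SAML assertion attributes and as an LDAP entry, and a per-provider mapping turns each into one canonical identity so that a policy can be written once against canonical fields. The SAML attribute names, the MFA context value, the group-naming convention and the three sample records are assumptions made for the example.

```python
"""Normalizing identity attributes from several IdPs (added illustration;
not Cloudentity's Identity Hub code).

Constructed example: the same person arrives as OIDC claims, as SAML
assertion attributes and as an LDAP entry. A per-provider mapping turns each
into one canonical Identity, so authorization policy is written once against
canonical fields rather than once per identity store.
"""
import re
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Identity:
    subject: str            # stable id, namespaced by provider so ids cannot collide
    email: str              # lower-cased for comparison
    groups: frozenset = field(default_factory=frozenset)   # canonical group names
    mfa: bool = False       # True only if the provider asserted strong authentication


# SAML attribute names and the MFA context value this example assumes (values
# commonly emitted by AD FS / Azure AD; other IdPs use different ones).
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"
MFA_CONTEXTS = {"http://schemas.microsoft.com/claims/multipleauthn"}

_CN = re.compile(r"^cn=([^,]+)", re.I)


def _from_oidc(raw: dict) -> Identity:
    # "amr" lists the authentication methods used; "mfa" is one of its defined values.
    return Identity(
        subject=f"oidc:{raw['iss']}#{raw['sub']}",
        email=raw["email"].lower(),
        groups=frozenset(raw.get("groups", [])),
        mfa="mfa" in raw.get("amr", []),
    )


def _from_saml(raw: dict) -> Identity:
    attrs = raw["attributes"]
    return Identity(
        subject=f"saml:{raw['issuer']}#{raw['name_id']}",
        email=attrs[EMAIL_ATTR][0].lower(),
        groups=frozenset(attrs.get(GROUP_ATTR, [])),
        mfa=raw.get("authn_context") in MFA_CONTEXTS,
    )


def _from_ldap(raw: dict) -> Identity:
    # Group membership arrives as a list of DNs; keep only the CN of each.
    groups = set()
    for dn in raw.get("memberOf", []):
        m = _CN.match(dn)
        if m:
            groups.add(m.group(1))
    # A directory lookup does not say how the user authenticated, so an
    # LDAP-sourced identity can never satisfy an MFA requirement by itself.
    return Identity(subject=f"ldap:{raw['uid']}", email=raw["mail"].lower(),
                    groups=frozenset(groups), mfa=False)


NORMALIZERS = {"oidc": _from_oidc, "saml": _from_saml, "ldap": _from_ldap}


def canonical_group(name: str) -> str:
    """'Payments Admins', 'payments_admins' and 'payments-admins' become one name."""
    return re.sub(r"[\s_]+", "-", name.strip().lower())


def normalize(provider: str, raw: dict) -> Identity:
    ident = NORMALIZERS[provider](raw)
    return replace(ident, groups=frozenset(canonical_group(g) for g in ident.groups))


def can_approve_refund(ident: Identity) -> bool:
    """Policy written once against canonical fields, whatever the source IdP."""
    return "payments-admins" in ident.groups and ident.mfa


# Constructed sample records for one user, as three providers would return them.
OIDC_CLAIMS = {"iss": "https://login.example.com", "sub": "u-1",
               "email": "Alice@Example.com", "groups": ["Payments Admins"],
               "amr": ["pwd", "mfa"]}
SAML_ASSERTION = {"issuer": "https://sso.partner.example", "name_id": "alice",
                  "attributes": {EMAIL_ATTR: ["alice@example.com"],
                                 GROUP_ATTR: ["payments_admins"]},
                  "authn_context": "http://schemas.microsoft.com/claims/multipleauthn"}
LDAP_ENTRY = {"uid": "alice", "mail": "alice@example.com",
              "memberOf": ["cn=Payments Admins,ou=groups,dc=example,dc=com"]}

if __name__ == "__main__":
    for prov, raw in (("oidc", OIDC_CLAIMS), ("saml", SAML_ASSERTION), ("ldap", LDAP_ENTRY)):
        ident = normalize(prov, raw)
        print(prov, ident.email, sorted(ident.groups),
              "mfa" if ident.mfa else "no-mfa",
              "approve" if can_approve_refund(ident) else "deny")
```

The point of namespacing the subject by provider is that a "sub" of u-1 from one IdP and u-1 from another must not be treated as the same person; the point of the mfa flag is that an identity assembled from a directory lookup carries no authentication strength at all, so the policy must step the user up rather than assume it.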
Authorization Defense in Depth
Security has traditionally been built on a perimeter-focused, defense-in-depth strategy. With Kubernetes, service meshes and 5G, perimeter-based security is no longer enough. Instead a Zero Trust model is required, one that demands identity and authorization for every service regardless of where it sits in the ecosystem. Services can now run in a public or private cloud, on an IoT node or even on a user’s device. This restructuring of application architecture moves identity and authorization to the forefront and calls for an authorization defense-in-depth strategy.
API, Scope and Data Governance
APIs, OAuth scopes and claims are the roles of the 21st century. Every development team uses them differently, creating a fragmented approach to data security, data translation and authorization management. Governance needs to be simpler. Cloudentity’s ACP brings a robust layer of governance: a catalog of APIs across the entire API infrastructure, including across multiple gateways, detailing who the clients of those APIs are, analyzing what data those APIs and clients process, and normalizing how those APIs are protected.
Data privacy laws require extensive record keeping and evidence collection in the event of a data breach. Documenting which APIs use PII, how the APIs request that data from consumers and whether consumers granted permission to collect and process it is a requirement of global data privacy regulations such as GDPR. Cloudentity’s ACP provides a full audit trail, exceeding the requirements of the data privacy laws and providing true visibility into personal data collection and usage across your API ecosystem.
Delegated Administration Designed for B2B2C, B2B2B2C
Businesses thrive on their ability to drive top-line revenue through new customer and partner opportunities. ACP allows organizations to move faster with their partners and internal development teams through built-in logical separation between tenants, workspaces and applications, all under centralized governance and coupled with distributed policy decision and enforcement. Each tenant and workspace can add its own IdPs and data normalization mappings but must adhere to the authorization security policies set globally.
Engaging the developer has been the Achilles’ heel of identity and security teams for the past decade, because identity and security have given developers more work or stopped products in their tracks. A core tenet of the ACP is making the developer’s life easier. Secure OAuth flows are now dead simple:
- Scopes and policies are populated automatically
- No more LDAP clients: user context is passed in the exact format the developer requires
- Authorization as code
- Consent is externalized
- Security has finally become an enabler