Identity Fabric

How Identity Orchestration Enhances Amazon Verified Permissions


Authorization is at the foundation of modern security and one of the keys to zero trust. On Tuesday, Amazon Web Services (AWS) made Amazon Verified Permissions generally available.

This new product enables fine-grained authorization at scale and allows enforcement of granular access control. It was purposefully created for developers building new applications running natively on AWS. 

Fine-grained authorization for all apps — on-prem and in the cloud for AWS customers

Amazon Verified Permissions separates authorization logic from the business logic within applications, using Cedar as the language to define access policies. In this way, it makes policies easier to manage, reduces or eliminates the need for developers to write policies, and leads to easier and better governance. 

As organizations migrate software and services into the cloud, this framework can prove transformative. However, it is not without its challenges. The majority of organizations use more than one cloud today, and an estimated 75% of workloads are still on-premises. While these applications can make a remote call to Verified Permissions to get an authorization decision, the data used to reach that decision is unlikely to reside within the AWS platform.

As an AWS launch partner, Strata’s Maverics Identity Orchestration platform works with AWS to extend policies and enforce them across clouds and on-premises applications.

Challenges Maverics solves for Amazon Verified Permissions 

Certainly, Amazon Verified Permissions is an elegant solution to a complicated problem. With this offering, AWS not only increases the capabilities for customers running workloads on AWS (which is vast) but also elevates the industry as a whole. 

Because it is a single identity service, though, there are limits to how much interoperability it can offer across the identity stack and in a multi-cloud world.

Identity Orchestration brings together a number of identity services that serve different purposes within an organization’s identity fabric.

There are three primary use cases where Maverics helps Amazon Verified Permissions customers: modernizing applications for multi-cloud/hybrid-cloud, automated authorization, and continuous access evaluation. 

1. Modernizing on-premises apps for multi-cloud & hybrid-cloud

As stated earlier, Amazon Verified Permissions is a game-changer for Amazon’s customers. Most organizations today don’t have just one identity provider (IDP), so identity information is spread across clouds, not just on AWS. Additionally, most businesses have significant investments in applications that still run on-premises.

Before being able to move to the cloud, legacy applications must be able to speak modern identity standards. Modernization is a lengthy and costly process that often creates inertia and stops zero trust initiatives. To address the hybrid-cloud challenge, Identity Orchestration with Strata provides authorization enforcement for applications that run on-premises or in the cloud.

Maverics can integrate with Amazon Verified Permissions and act as the front end to dozens of different identity providers behind it. Multi-cloud identity can work with Amazon Verified Permissions, making it possible to mix and match attributes held in various IDPs and third-party attribute stores for use in authorization decisions.

Maverics also makes it possible to add Amazon Verified Permissions to existing legacy on-prem apps without any app refactoring required.

2. Automating complex authorization policies

With Amazon Verified Permissions, developers no longer have to write fine-grained authorization services directly into applications — something that can lead to rewriting whenever an organization’s access policies change. The value lies in being able to implement robust authorization processes and security measures in a fraction of the time and effort.

Amazon Verified Permissions is a rule engine, and to make its decisions it requires attribute data. However, incomplete data hinders authorization decisions. Maverics can augment API calls with additional context and data by defining database connections and other identity services. In doing so, Maverics creates a user flow that provides the additional runtime attribute data from third-party stores that the application needs, in the format it requires.

To provide a comprehensive, fine-grained authorization solution for legacy applications, Strata has integrated Maverics with Amazon Verified Permissions. Orchestrator instances can run in the cloud or on-premises, giving you greater control over your user flows and allowing you to cache the authorization decisions and data.

3. Continuous Authorization Enforcement Protocol (CAEP)

Achieving zero trust is a long, winding, and never-ending road for most organizations. Attack vectors — from credential stuffing techniques to phishing and ransomware — keep expanding, and our highly interconnected systems, applications, and devices add to the challenge. It isn’t enough to simply ensure a person is who they say they are at initial authentication; it’s also necessary to keep checking throughout their active user session.

Maverics enables support for Continuous Authorization Enforcement Protocol (CAEP) between applications and Amazon Verified Permissions by also acting as the continuous runtime policy enforcement point. Maverics allows for the continuous ingestion of Amazon Verified Permissions signals and enables the assignment of risk levels at runtime to users for various sensitive tasks and resource access.

By continually checking authorizations and risk signals throughout a user session, not just at login, Maverics can enforce real-time changes made in Amazon Verified Permissions that may change what data and resources a user can access in their active session. For example, it can deny a user access to some data when they have left the company in the middle of a transaction.
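As an added illustration of the pattern described in sections 2 and 3, not code from Strata or AWS: an application-side enforcement point that enriches a Verified Permissions IsAuthorized request with attributes from an on-premises store, caches the decision briefly, and re-evaluates when a signal about the user arrives. The policy store id, the attribute store contents, the Cedar rule and LocalPolicyStub are constructed assumptions; the stub keeps boto3's is_authorized method name and keyword arguments so a real verifiedpermissions client could be substituted.

```python
import time

# Constructed on-premises attribute store (assumption; not Strata's data model).
ONPREM_ATTRIBUTES = {"alice": {"department": "finance", "employmentStatus": "active"}}

def build_request(policy_store_id, user_id, action, resource, attrs):
    # Shape of a Verified Permissions IsAuthorized request; runtime attributes
    # from the on-prem store travel to the policy engine in the Cedar context map.
    return {
        "policyStoreId": policy_store_id,
        "principal": {"entityType": "User", "entityId": user_id},
        "action": {"actionType": "Action", "actionId": action},
        "resource": {"entityType": "Document", "entityId": resource},
        "context": {"contextMap": {k: {"string": v} for k, v in attrs.items()}},
    }

class LocalPolicyStub:
    # Offline stand-in for boto3's verifiedpermissions client (same method name
    # and keyword arguments). It evaluates one hypothetical Cedar policy:
    #   permit(principal, action == Action::"view", resource)
    #   when { context.employmentStatus == "active" && context.department == "finance" };
    def is_authorized(self, **req):
        ctx = {k: v["string"] for k, v in req["context"]["contextMap"].items()}
        ok = (req["action"]["actionId"] == "view"
              and ctx.get("employmentStatus") == "active"
              and ctx.get("department") == "finance")
        return {"decision": "ALLOW" if ok else "DENY"}

class EnforcementPoint:
    # Application-side PEP: enrich the request, cache the decision briefly, honour signals.
    def __init__(self, client, policy_store_id, ttl_seconds=60, clock=time.monotonic):
        self.client, self.store = client, policy_store_id
        self.ttl, self.clock, self.cache = ttl_seconds, clock, {}

    def is_allowed(self, user_id, action, resource):
        key, now = (user_id, action, resource), self.clock()
        hit = self.cache.get(key)
        if hit and now - hit[1] < self.ttl:
            return hit[0]
        attrs = dict(ONPREM_ATTRIBUTES.get(user_id, {}))
        attrs.setdefault("employmentStatus", "unknown")  # missing data never defaults to allow
        req = build_request(self.store, user_id, action, resource, attrs)
        allowed = self.client.is_authorized(**req)["decision"] == "ALLOW"
        self.cache[key] = (allowed, now)
        return allowed

    def on_signal(self, user_id):
        # Continuous evaluation: a risk or lifecycle signal invalidates every
        # cached decision for that user, so the next check returns to the engine.
        self.cache = {k: v for k, v in self.cache.items() if k[0] != user_id}
```

The cache reproduces the "left the company mid-transaction" case: until a signal arrives the stale ALLOW is served, and after on_signal the next check is re-evaluated and denied.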

Benefits of Maverics for Amazon’s Customers

Strata’s Maverics Identity Orchestration Platform empowers organizations by providing an identity fabric that abstracts applications from identity. By natively integrating with cloud platforms, cloud identity systems, and on-premises identity and application infrastructures, Maverics decouples apps from identity and streamlines processes.

Some key benefits Maverics Identity Orchestration provides Amazon customers are outlined below:

Seamless policy enforcement across identity platforms 

Most organizations have a complex multi-cloud and multi-provider mix and must manage permissions across services and providers. Managing this complexity means programmatically working with access policies across cloud providers. 

However, the reality of effectively enforcing policies across clouds, such as on Microsoft Azure, Google Cloud, Okta, and other providers, consistently at runtime is complicated. With Maverics, policies written in Cedar can be used with legacy, on-premises applications and projected to apps running on any cloud — public or private.

Identity Orchestration provides an application policy enforcement point and runtime orchestration to simplify workflows and boost productivity. 

Quickly build automated authorization and robust security policies 

Manual policy translation opens the door to human error, resulting in policy inconsistency between platforms. Running Strata’s Identity Orchestration solution with Amazon Verified Permissions makes it possible to control and secure the applications AWS customers already have without rewriting them.

Identity Orchestration bridges all existing applications — whether on AWS, on a different cloud, or on-premises — to the Verified Permissions policies and enables consistent governance and access controls.

Externalize authorization and let developers do what they do best

Amazon Verified Permissions dramatically cuts down on the development time that’s traditionally associated with adding fine-grained authorization to an app. Instead of authorization code residing within an application, it sits outside. Maverics makes it possible to change rules as needed — without having to refactor each application. Managing complex, multi-cloud environments and closing in on zero trust is easier.

This approach simplifies things for developers and security teams — particularly in modern cloud environments that incorporate numerous web applications on the same cloud platform. 

Orchestration is the key to modernizing authorization

For AWS customers looking for a way to simplify administration, reduce costs, and enhance security, Amazon Verified Permissions can help. These industry advancements are significant and offer an excellent framework for improving business. While Amazon Verified Permissions is a considerable step forward, a true cross-platform, multi-cloud model is required.

Identity Orchestration with Strata’s Maverics Platform helps organizations get the most out of Amazon Verified Permissions. Learn more about how Maverics can help you modernize and improve authorization management and security in AWS on the Amazon Web Services blog: Applying Fine-Grained Authorization to Legacy Apps with Strata Identity Orchestration and Amazon Verified Permissions.

Try Maverics for free and see why top enterprises use it to protect apps at scale

Mark Callahan

Senior Director of Product Marketing