Adaptive Authorization

In this video, you will learn about adaptive authorization and how it is used.
6.6
Adaptive authentication we have mentioned briefly already. This is a risk-based approach, a dynamic method of authorization based on things like geography, time, client or other factors. What is permitted for an account changes then based on any of these factors. And the type of authentication, when we were looking at authentication, the type of authentication can change as well. So here we’re looking at this from an authorization perspective. But we have looked at this dynamic risk-based approach from an authentication perspective as well. So it’s linked to adaptive authentication. Usually you see the processes being operated in tandem. So here, the authorization changes on posture. And you can see this with something like network access control.
54.2
When somebody with a laptop connects via VPN, their levels of permissions may change from those that they have when connected directly to the network. So here, for example, what we can see, we may see, is that the user starts to experience a restricted level of access when logging in remotely. Or they have some kind of posture control. The network access control checks to see whether their device is up to date in terms of the patches, the antivirus signatures. And if not, access is then tailored, perhaps just to the internet, and they lose access to other privileged resources until they’re up to date, until their updates have been completed. So this is a very strong model.
106.8
And again, very increasingly popular and a much newer model in terms of being adaptive, in terms of being risk-based. Again, with anything adaptive, with anything that links to risk, as I’ve said before, we need to understand what our risk posture is to understand the risk environment appropriately. Do our VPN users have access to our ERP system, to our finance system? Perhaps, perhaps not. But you need to make the choice. You need to understand that there is a decision there. Not taking the decision, just allowing access to everything is a decision in its own right. And it is better to have an informed considered decision around this kind of access rather than just to provide access.
149.4
You have an identity and access management system. You have an approach to authentication and authorization whether you realise it or not. It is what you do day-to-day. And that may not be structured, it may not be process-driven, but that’s what you’re doing. So that is your approach. If you don’t have a formal approach, this is your approach de facto.

In this video, you will learn about adaptive authorization and how it is used. For example, if an employee connects to the network through a VPN rather than directly, their usual level of authorization and permissions may change.
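The posture-based narrowing of access described in the video, sketched as an added example that is not part of the course material. The resource names, the field names, the 7-day signature threshold and the choice to block the finance system over VPN are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy for illustration. A resource with no entry here is never
# granted: the absence of a decision is treated as an explicit deny.
MAX_AV_SIGNATURE_AGE_DAYS = 7  # assumed threshold
POLICY = {
    "internet": {"needs_compliant": False, "allow_vpn": True},
    "file_share": {"needs_compliant": True, "allow_vpn": True},
    "erp_finance": {"needs_compliant": True, "allow_vpn": False},
}


@dataclass
class Session:
    user: str
    via_vpn: bool
    patches_current: Optional[bool]       # None = posture agent did not report
    av_signature_age_days: Optional[int]  # None = unknown


def is_compliant(s: Session) -> bool:
    """Posture check; missing data fails closed rather than open."""
    if s.patches_current is None or s.av_signature_age_days is None:
        return False
    return s.patches_current and s.av_signature_age_days <= MAX_AV_SIGNATURE_AGE_DAYS


def permitted_resources(s: Session, entitlements: set) -> set:
    """Narrow the account's normal entitlements to what this session may reach."""
    compliant = is_compliant(s)
    granted = set()
    for resource in entitlements:
        rule = POLICY.get(resource)
        if rule is None:
            continue  # no recorded decision for this resource: deny
        if rule["needs_compliant"] and not compliant:
            continue  # out-of-date device keeps only unrestricted resources
        if s.via_vpn and not rule["allow_vpn"]:
            continue  # remote sessions get a reduced set
        granted.add(resource)
    return granted


if __name__ == "__main__":
    rights = {"internet", "file_share", "erp_finance", "hr_portal"}
    for s in (Session("alice", False, True, 1), Session("alice", True, True, 1),
              Session("alice", True, False, 30), Session("alice", False, None, None)):
        print(s, "->", sorted(permitted_resources(s, rights)))
```

The same account ends up with four different effective permission sets depending on connection type and device posture, and `hr_portal` is never granted because nobody recorded a decision for it.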

Reflect and share: Adaptive authorization is closely linked to adaptive authentication and they often occur in tandem. Can you think of some other instances where adaptive authorization and authentication might occur? Share with your fellow learners below.

This article is from the free online

Cyber Security Foundations: Identity and Access Management

Created by
FutureLearn - Learning For Life
