NextLabs CloudAz Product Update – February 2023
Summary of CloudAz’s 2022 releases
NextLabs CloudAz (aka Control Center) is a zero-trust unified policy platform and authorization service providing dynamic authorization and attribute-based access control (ABAC) for applications and policy enforcement points anywhere on-premises and in public, private, or hybrid cloud. It is powered by a dynamic authorization policy engine (PDP), which utilizes attribute-driven policy to determine what access rights should be granted.
CloudAz policy engine uses real-time contextual information to evaluate conditions in policy set to make authorization decision. These conditions are based on user, environment, and resource characteristics (“attributes”), which are evaluated in real-time to determine what permission a user or subject should be granted to applications, APIs / microservices, business transactions, and data. This policy engine is able to account for changes in user status or changes in the resource. For instance, if an employee moves to a different department within the company, no new policy needs to be created since policies are evaluated against the latest set of attributes without the need for manual intervention.
2022 releases include enhanced Kubernetes support to allow seamless cloud-native deployments and extended microservices support for containerized architecture to be deployed, upgraded, and scaled independently. New additions improved continuous availability of the PDP, along with PDP sidecar for microservices access enforcement. Several advanced features are added to policy administration, policy lifecycle management, and policy governance. Significant improvements are also introduced to policy obligation, attribute management, and identity provider integration. Added support for Format Preserving Encryption Key Management and Policy Validator greatly expanded security and policy testing capabilities of CloudAz.
Additional details of the enhancements and new functionalities in the CloudAz 2022 releases and its integrations are as follows:
Deployment:
- Updated database support for latest versions of Oracle, Microsoft SQL Server, PostgreSQL, and IBM DB2 for cloud provider database service, managed database, and self-managed database
- Enhanced Kubernetes templates to allow seamless deployment of containers to cloud platforms
- Enhanced microservices support for containerized architecture to enable service-based deployment, CloudAz microservices are built in such a way that each microservice can be deployed, upgraded, and scaled independently
- PDP sidecar for microservices access enforcement to control authorization in a microservice architecture using centrally managed policy
Policy Controller:
- Improved continuous availability architecture by adding the application authentication support in the policy controller
- Enhanced the performance of transferring policy activity logs to CloudAz ensuring real time reporting of audit data
- Expanded Policy Controller plugin management to fully automate the integration of dynamic attribute retrieval from any source
Policy Management & Governance:
- Added support for policy conflict management to allow seamless distribution of policies
- Extended policy obligation configuration to support multi-value attributes and enhanced obligation functionality to use attributes from any sources
- Added several advanced policy administration, lifecycle, and audit features to improve policy governance
- Improved policy lifecycle management with approval workflows, adding to the version control and policy rollback capability
Attribute Management:
- Extended attribute provider framework to allow easy integration of dynamic attribute retrieval from any source, including built in support of SCIM protocols for Policy Information Points (PIP)
- Enhanced attribute management by adding support for enrolling attributes from ECM and Collaboration System such as SharePoint in the CloudAz Web Portal
- Improved attribute management to automate attribute synchronization from LDIF files and added support to archive inactive attributes
- Enhanced auditing by providing interface to log additional attributes for authorization requests
User/Identity/Permission:
- Enhanced CloudAz authentication by encapsulating user permissions (delegation policies) in OIDC Token
- Enhanced SSO authentication by migrating Azure Active Directory integration to more secured Microsoft Authentication Library (MSAL)
- Improved Identity Provider (IDP) configurations for LDAP and SAML 2.0
API/SDK:
- Enriched SDK allowing companies to centrally manage authorization policies and view the permissions for resources and applications
Web Portal & Administration:
- Improved policy administration including user centric UI, REST APIs for delegated administration, and segregation of duties facility
- Improved UI, navigation, and usability of the CloudAz Web Portal
- Updated CloudAz Administrator App to a service-oriented architecture along with improved security and better user experience
Security:
- Added support for Format Preserving Encryption (FPE) Key Management
- Enhanced CloudAz’s key and certificate management
- Enabled secured connection for messaging protocol
- Enhanced security of CloudAz installer packages and container images
Policy Analysis & Testing:
- Enhanced policy analysis and audit facility with full audit trail capability
- Integrated Policy Validator with the CloudAz Web Portal so policies can be previewed to validate correct decisions, allowing administrators to test out policies before they are published
- Added support for creation of test plans in CloudAz Policy Validator to automate validation checks, ensuring consistent policy enforcement.