Control Center
How It Works
Creating Policies
The Control Center is the attribute-based policy platform that fuels our other products. Organizations can author policies in a user-friendly business language so you don’t need to depend on programmers to create or change policies. Each policy represents a condition or set of conditions that affects whether a user will be authorized or denied access to specific information and the ability to perform certain functions with that information and under what circumstances.
The policies and rules are based on Attribute Based Access Control (ABAC). Attributes can represent information about the user, the data or the environment. For example, attributes can define citizenship, security clearance, department, data classification, project, location, device type, and time of day.
Authorization policies are created to allow or deny access based on certain criteria (for example, to access an application or to edit a document). Organizations can also create policies to audit or monitor activity. The policy framework supports version control and policy simulation and validation, so you can do what-if analysis and determine the outcome under a given set of circumstances. This enables organizations to ensure their policies have the desired outcome and to understand the effect of any changes before they are deployed.
Centralized Policy Management
Centralized policy management provides control over policy creation, enforcement and changes. Typically, policies are created for individual applications or circumstances and are applied in silos. This makes it very difficult to consistently enforce policies across applications and geographies. Now you can create a single policy that spans all applications—maintaining visibility and control.
Administration functions are also streamlined. You can delegate responsibility for specific applications, control who can see which policies and who can edit them, and assign individuals to roles such as authoring and managing, reviewing and approving, system monitoring, and compliance monitoring.
Policy Evaluation
Once policies are reviewed and approved, they get distributed to the policy engine (Policy Decision Point or PDP). The PDP receives authorization requests at runtime from the application, evaluates the policies and returns a decision. The policy engine can be deployed in an embedded fashion or centrally in the network. Embedded deployments gain very high performance benefits. Central network deployments are typical for legacy applications, mobile apps, or other environments where you cannot embed a PDP. An example of this would be when you use JavaScript and need to render the UI dynamically. Once distributed, policies are locally stored in a persistent secure cache in case network connectivity is lost.
Attributes are retrieved from the application or from other sources, such as an LDAP server, a customer management system, or an HR system. The system uses the attributes about the user, the data and the environment to decide whether to allow or deny the request.
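The evaluation flow described above, as an added illustration that is not the product's own code: a minimal PDP that receives user, resource and environment attributes, evaluates a set of attribute-based policies, combines them deny-overrides with a default deny, and records every decision and the conditions that fired for the audit server. The policies, attribute names and requests are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Attrs = Dict[str, object]
Condition = Callable[[Attrs, Attrs, Attrs], bool]

# Ranking used to compare a user's clearance with a resource's classification.
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass
class Policy:
    name: str
    effect: str         # "allow" or "deny"
    applies: Condition  # evaluated against (user, resource, environment) attributes

@dataclass
class PDP:
    policies: List[Policy]
    audit_log: List[dict] = field(default_factory=list)

    def decide(self, user: Attrs, resource: Attrs, env: Attrs) -> str:
        matched = [p for p in self.policies if p.applies(user, resource, env)]
        # Deny-overrides combining: one applicable deny wins; an allow is
        # required to grant access; with no applicable policy the default is deny.
        effects = {p.effect for p in matched}
        decision = "deny" if "deny" in effects or "allow" not in effects else "allow"
        # Every decision, and the policies that fired, goes to the audit record.
        self.audit_log.append({"user": user["id"], "resource": resource["id"],
                               "decision": decision,
                               "matched": [p.name for p in matched]})
        return decision

# Hypothetical policies built from the attribute kinds named on this page.
POLICIES = [
    Policy("clearance-covers-classification", "allow",
           lambda u, r, e: CLEARANCE[u["clearance"]] >= CLEARANCE[r["classification"]]),
    Policy("export-controlled-needs-citizen", "deny",
           lambda u, r, e: bool(r.get("export_controlled")) and u["citizenship"] != "US"),
    Policy("no-secret-data-on-mobile", "deny",
           lambda u, r, e: r["classification"] == "secret" and e["device_type"] == "mobile"),
    Policy("offsite-only-in-business-hours", "deny",
           lambda u, r, e: e["location"] != "office" and not 8 <= e["hour"] < 18),
]

def run_demo() -> List[str]:
    """Evaluate three constructed requests and return the decisions."""
    pdp = PDP(POLICIES)
    alice = {"id": "alice", "clearance": "secret", "citizenship": "US"}
    bob = {"id": "bob", "clearance": "internal", "citizenship": "DE"}
    plan = {"id": "plan.docx", "classification": "confidential", "export_controlled": True}
    office = {"device_type": "laptop", "location": "office", "hour": 10}
    return [pdp.decide(alice, plan, office),  # allow: clearance covers, US citizen
            pdp.decide(bob, plan, office),    # deny: export control and clearance too low
            pdp.decide(alice, plan, {"device_type": "mobile", "location": "home", "hour": 22})]
```

The last request is denied only by the time-of-day rule, and the audit entry names that rule, which is the kind of condition detail the reports and alerts described below are built from.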
Activity Monitoring and Auditing
All of the policy decisions and conditions are stored in a central audit server. The system uses this information to provide visibility into user activity through various dashboards and reports. Organizations can define rules to highlight suspicious behavior and issue alerts. The information can be exported into SIEM and other threat detection systems for further analysis.