Tell us about Axiomatics and how you came to be involved with authorization technology.
Axiomatics was founded in 2006 and today is a leader in enabling digital transformation and cybersecurity with dynamic authorization. Our offices are in Stockholm and Chicago, but our customer base is truly global, including Fortune 500 companies and governments. Personally, I’ve been involved in software technology for more than 15 years in a variety of roles including most recently as a country manager for CA. I was brought on board at Axiomatics as CEO about a year and a half ago.
There are many different types of authorization products on the market. What is unique about Axiomatics?
What makes us unique is that we are on the authorization side of data protection. Our solution grants (or denies) access for users to applications or specific data by asking questions – who, what, where, how and the like – to authorize that not just the person, but the context of the access request. Our technology uses information such as what computer is being used to access the data, the location of the user, time of day and the like to understand if the request fits the access policy a company or organization has set. We’ve essentially developed a fast, dynamic method of writing policies in a progressive fashion using who, what, when and where parameters. This policy language is called eXtensible Access Control Markup Language (XACML), is now published and maintained by OASIS who are committed to “advancing open standards for the information society.”
Tell us about ABAC – what is about and why different
Regular access control is based on what role a user has, their basic credentials. The role is what determines what you can do and see in a given portal. In contrast, Attribute Based Access Control (ABAC) utilizes contextual parameters such as name, location, time, project, assets, credit scoring, whether the company has done business with you, and the like. The modeling itself is key here and that is the challenge to customers. You need to keep the permissions from being too complex but at the same time, build enough context, through various attributes and values, to be able to effectively control who has access to what and when.
What are the some of the verticals you deal with and the challenges they pose?
We work across several verticals. In the banking and financial world, you have complex regulatory frameworks regarding what customer data can be shared with third parties and often access to that information needs to be restricted to certain people at certain times. For example, you may not want an employee of the bank, who normally does have access to various accounts while at work, to have access to that same information when logging in on vacation in Hawaii. We ensure that the data is only accessed by the right person at the right time in the right context. Another example is a federal employee who might change units temporarily within an agency. That means the data that was relevant to him or her has changed. With our technology, when you change, your permissions change. Healthcare is also a significant vertical given the massive amounts of data that need to be accessed to treat patients, run trials and more. For example, claims investors for insurance agencies need access to specific relevant data on demand.
What impact do you think General Data Protection Regulation (GDPR) will have?
GDPR is a primer for a lot of stuff. Many providers are trying to grab a piece of that market and I think you’ll see different vendors taking a shot at that. At the end of the day, GDPR is about protecting and handling personal data in a responsible way and returning the power to individuals to manage their data. What we provide is the ability for anyone to enforce access to that data in real time so that if an outside source wants access to your data, you remain in control of whether they receive it.
What are the risks associated with the extensive dispersal of data across large number of platforms and users?
While plenty of security options exist, you can never fully avoid password breaches. What companies need to be doing is looking at the access users have to data lakes, big data – that is the real wild west of application development. You have massive data lakes that are easily accessible to many users and, without a doubt, we’ll start seeing many breaches to these data sites over the next few years. It isn’t enough to place a ‘security fence’ and assume your data is secured. Rather, smart policies need to be put in place so that, for example, an API can’t just short circuit access controls.
What are the most significant challenges and trends you see in this industry?
The No. 1 challenge is awareness. It isn’t easy to see things from an outside perspective and to understand what your vulnerabilities are. Even if you do understand, protecting data typically requires a trade-off between usability and accessibility. However, if you understand the threats, you can put controls into place – anything from biometrics to dynamic authorization – that protect your data but still allow the right people an acceptable level of usability. As far as trends, there are a few we can talk about. One is that everything is going digital, whether its modern companies or older ones, and that means more data being shared and accessed by more parties. In addition, you see that more and more companies are moving into a microservice architecture and decentralized app development. That is where we come in as an external provider that builds faster and more secure data access authorization. We also see that from a customer or user perspective that things are changing rapidly. Because of the Cambridge Analytica scandal, Facebook’s value dropped overnight and is continuing to drop. Incidents like that will trigger people to want or demand to oversee their data including who accesses it. While GDPR was obviously already set to be implemented before the scandal broke but it was really riding the consumer trend of increased interest and need for greater data privacy.