And why should it be a consideration when mapping out your security architecture?
Neo-Security Architecture is a modular and open-standard-based security architecture that aims to secure and assert legitimate access to APIs and services as well as web and mobile applications.
The Neo Security architecture is intended to be used as a roadmap, to be ready when new needs arise. It provides a blueprint architecture that can be used to map new and existing systems against the functions needed to scale securely.
A centralized system for managing Identities, Token issuance, Federation, and so on is critical to building a secure and scalable API platform.
The main design principle is “Separation of Concern,” where each sub-system within the architecture has a singular responsibility, which helps architects map a problem onto an architectural solution. It also provides the benefit of scaling over time; for example, when new standards arise, old components can be integrated with new ones, providing a broader scope of functions.
The second principle is that the architecture is based on standards. Each function should use the appropriate standards available to integrate with edge applications or internally. This principle makes it easier to replace components when needed and helps to assert that security is maintained.
There are three main pillars of the Neo-Security Architecture:
- An Identity Management System
- An API Management System
- An Entitlement Management System
Each of these encapsulates a system function that is loosely coupled with the others. At the heart of the architecture is the Identity Management System, responsible for asserting identities to other systems using Security Tokens.
Identity Management System
The primary responsibility of an Identity Management System (IMS) is to handle identities within the system. It should directly authenticate users as an Identity Provider (IdP) or by using a Federated Identity via another IdP.
The IMS should authenticate directly or via federation, both Customers, Employees, and Partner users (or whatever type you may have). This by no means indicates that they will obtain the same level of access, but the process of establishing proof of identity is the same no matter what the user type.
The API Management System
Moving to an API-driven and/or microservice-based architecture requires more systems to work together. The first step is to have an identity management system in place, as described above. This allows the APIs (Microservices) to pull the identity out from the APIs and manage it centrally.
The API Management System (AMS) is the logical structure of API deployment. Its purpose is to service data and functions via APIs and other types of services. It depends on the Identity Management System for all identity-related operations pulled out from the API Management System and contained within the IMS. The AMS acts as the police and enforces access policies based on the identity information found in the tokens issued by the IMS.
There are three distinct functions of an AMS that, when needed, are represented in this architecture; Securing access to APIs, integration of APIs into services, and developer access to APIs.
The Entitlement Management System
The last pillar in the Neo Security Architecture is the Entitlement Management System (EMS). It provides Attribute-Based Access Control (ABAC), a more powerful entitlement mechanism than the traditional Role-Based Access Control (RBAC). ABAC provides flexibility and preciseness by providing a policy framework where administrators can author security policies enforced throughout the entire architecture.
ABAC takes the following into account for an authorization decision:
Attributes of the subject (user)
- The context in which the decision is made
- The action that is being performed
- The resource that is requested
It then applies the configured policies to come to an allow or deny decision. The Entitlement Management System is responsible for managing and enforcing these policies and distributing these to each sub-system that needs enforcement.
The approach’s benefit is that authorization policies need not be known when designing a system but can be added later and updated as the business requirements evolve.
Use the Neo-Security Architecture as a blueprint for a road map to set the direction for new projects and understand what functions are already present in the organization’s infrastructure. Often a function exists but is in the wrong place to operate to its full potential.
The Neo-Security Architecture is built on open standards that are accepted and adopted by the market. In the architecture, dedicated services are separated in respective modules and interact through APIs, which provides easy integration and future scalability, and secure access to data.
This article is just a summary of this architectural approach. To dive deeper into each part of the Neo-Security Architecture, visit Curity’s resource library, where you will find a comprehensive overview of each of the three pillars; Identity Management System, API Management System, Entitlement Management System.