Cloudentity TrUST Engine is a combination of APIs, services and practices that lets you define security policies and apply them directly to enforcement tools such as the MicroPerimeter™ Sidecar or Gateway. The TrUST Engine provides a single source of truth for policy, no matter where enforcement occurs.
Under the TrUST Engine umbrella you will find the following services:
AuthZ service - the heart of the engine, responsible for the storage, management and validation of authorization policies.
Permission Service - Cloudentity's unique view on things' permissions and consent, which enables you to assign and manage coarse- and fine-grained entitlements for those entities.
Risk service - a highly performant risk engine that enables you to calculate and distribute the risk attached to things, as well as to the transactions they perform.
Cloudentity provides comprehensive authorization for Users, Services and Things using a combination of controls, including:
Attribute-Based Access Control (ABAC)
Role-Based Access Control (RBAC)
Advanced Risk-Based Authorization Capabilities (RADAC)
Additionally, Cloudentity can communicate with existing authorization and fraud engines to inform the authorization model with real-time threat information, such as compromised IP addresses or devices, or other contextual, custom validation elements.
The Cloudentity trUSTengine™ allows the modeling of complex decision trees to provide flexible and adaptive authentication and authorization flows. These models can be applied when the client first authorizes, but can also be applied at any point during the application flow. This allows for non-binary access control to protected resources, meaning a high-value resource (e.g. a financial transaction) may require additional authorization compared to a low-value one (e.g. accessing corporate content).
The non-binary aspect of the access control is expressed not only in adaptive decision-making informed by dynamic attributes and states, but also in non-binary decision outcomes that adapt to the situation and context. The TrUSTengine™ gives far more than a simple yes/no decision; it supplies mitigation steps that guide the client on how to overcome an initially denied access.
TrUST Engine components
Cloudentity's AuthZ service provides a Single Source of Truth for security policy management for Users, Services and Things. Its flexible API uses a pluggable validation architecture to support hybrid authorization models that span role-based, attribute-based and risk-based micro-segmentation. Policies apply to both inbound and outbound transactions (ingress and egress) and provide context-based authorization that includes user, device, application, transaction and location attributes.
The Cloudentity Permission Service can be used to model RBAC, ABAC or fine-grained entitlement assignment scenarios. This service allows the specification of permissions and grants, either on a per-tenant basis or at the system level. The Permission Service serves as the permission definition, grant and storage model; however, permission evaluation and enforcement may be distributed between the Cloudentity TrUST Engine and application-specific logic, which can be used to provide permission grants for fine-grained authorization.
The Risk Service is a highly performant risk engine that enables you to calculate and distribute the risk attached to things, as well as to the transactions they perform.
The Risk Service engine is built on stream processing technology: it accepts multiple sources of events carrying security-relevant data, filters out the important ones and calculates risk levels for Users, Services, Things or transactions. Out of the box, the Cloudentity Risk Service comes with threat modeling that calculates risk from internal Cloudentity events such as failed authentications or authorizations, unknown consumption devices or IP addresses, and so on; however, it can be extended to use external sources. One example of such an external system is a Web Application Firewall providing additional information about suspicious activity.
Please see the Risk Service API Specification for more details.
Please see How to integrate with TrUST Engine for more details.