Vendor Assessment: PlainID
Next Generation Authorization – A Market Overview
Last Updated | 10 December 2021 |
Document Id | tch-vendor-assess-plainid |
Author | simonm@thecyberhut.com |
Part of Research Product | Next Generation Authorization – A Market Overview |
Company Key Facts
Web | https://www.plainid.com/ |
LinkedIn | https://www.linkedin.com/company/plainid/ |
Twitter | https://twitter.com/plainID_authZ |
YouTube | https://www.youtube.com/channel/UCj-HHmt6HiDOGDcy-voyR_w |
BrightTALK | https://www.brighttalk.com/channel/18611/ |
Founded Date | 2015 |
Founders | Gal Helemski, Oren Ohayon Harel |
No. of Employees | ~70 |
Total Funding | $21 million |
Locations | Tel Aviv – Israel, New York – USA |
In Their Own Words | “Authorization Management Plain and Simple” |
Funding
Source: Crunchbase
PlainID have had four official funding rounds, labelled as “Seed”, “Series A”, “Venture” and “Corporate” – raising over $20 million in total. Their most recent round was December 2020.
Announced Date | Transaction Name | Number of Investors | Money Raised | Lead Investors |
Dec 16, 2020 | Venture Round – PlainID | 6 | $8M | Viola Ventures |
Feb 3, 2020 | Corporate Round – PlainID | 1 | — | SAP |
Jul 2, 2018 | Series A – PlainID | 4 | $11M | Viola Ventures |
Jun 1, 2015 | Seed Round – PlainID | — | $2M | — |
Customer Case Studies
Customer | Region / Sector | Details |
Un-named | Financial Services / USA | A large USA based financial institution (founded in 1930) was in the process of developing a zero trust access control architecture, which their home-grown authorization solution could not implement. The complexity and maintenance issues associated with the home-grown effort forced the organisation to look to an external solution. Manual processing of entitlements was not feasible, and a need for a more dynamic approach was identified. ✔ Migration to policy based model ✔ Leverage cloud deployment model ✔ Business facing UI admin |
International Finance Corporation – World Bank | Financial Services / USA | Siloed application authorization models were restricting agility and modernization. A centralised governance office for data protection initiatives was required for compliance purposes. This required not only a centralised policy approach but also the use of fine grained access control, allowing the business to concentrate on data related goals rather than on the associated access control. A build-v-buy analysis resulted in leveraging an external COTS product. ✔ Migration to a COTS product ✔ Leverage a centralised policy model ✔ Business relieved of complex authorization management and costs |
Technology Key Facts
Go To Market Message | Centralised Policy Based Access Control |
Solutions | Policy Based Access Control / Microservices Enforcement / Portal / Application Security / Data Security / IDP Decoupled Authorization / Fine Grained Identity Governance |
Products / Platform | Policy Manager / Partner Manager |
Useful Links | BrightTalk Channel / Video Library / Newsletter Subscription |
Technology Review
Overview
PlainID is a mature best of breed dedicated authorization provider. Their focus is on the area of policy based access control (PBAC) which they see as the natural successor to both role based access control (RBAC) and attribute based access control (ABAC).
They see their Policy Manager as being the gateway that allows the close involvement of business stakeholders in the creation of security controls and authorization rules.
They leverage a mature policy decision point (PDP) and policy enforcement point (PEP) model where assets under protection range from the standard web application through to microservices and native data.
PBAC
PlainID sees PBAC as a generic means to describe business processes and workflow. They distance themselves from the likes of XACML in the sense that they see PBAC being applicable to many different asset protection scenarios and business objectives.
They see compliance, digital transformation, the increased use of microservices, the rise of zero trust and the increased need for collaboration across complex supply chains as the key drivers for PBAC based systems.
Dynamic Authorization
PlainID also references dynamic authorization as a key requirement for the modern enterprise. They promote the fact that legacy access control systems were heavily reliant on static data – identity repositories holding profile, role and group data. Not only was this data static, it did not take into account context such as environmental data or security operations alerts. PlainID promotes the vision that this extra data is essential in the modern authorization landscape, and sees authorization context also expanding into the area of business metadata, allowing the real data owner to be involved in the authorization policy design process.
Solution Review – Microservices
Microservices are the go-to for many organizations as they look to build out agile, lean and responsive backend services that power mobile, consumer and employee functions.
A major requirement for a microservices environment is the ability to serve a high volume of transactions with a very low latency – making authorization a potential bottleneck during the process. PlainID looks to decouple the management aspect as well as the PDP and PEP components away from the underlying microservice.
They provide a sidecar which sits alongside the microservice in the same container and contacts the related PDP as necessary to process the inbound request. The sidecar is acting as the PEP – but at times also the PDP – negating the need to increase unnecessary traffic flow outside of the pod.
Solution Review – Open Policy Agent
A further detail of the microservices protection story is PlainID’s dedicated support for Open Policy Agent (OPA). OPA provides a consolidated framework and language for describing access control logic. This “policy as code” framework allows enforcement to be deployed against a generic set of assets in a declarative manner.
PlainID aims to solve the issue arising from a lack of centralised management of the OPA enforcement network, as well as the need for more structured governance, by providing storage of policies and their rules which the OPA based enforcement points can leverage.
Solution Review – Portal Access
Web application portal access has often been controlled natively within the application itself. This often results in static and hard to change rules that control user data and functionality access.
PlainID articulates the need to externalise the PDP process from the web application layer in order to allow both the portals that deliver user functionality and the downstream applications to focus more on business logic, making them more agile and decoupled from the authorization and policy layers. This provides a better foundation for adaptability and future change. Web applications can interact with the decoupled PDP via API.
Solution Review – Application Access
Employee application access control often leveraged a standard design pattern that followed a policy agent and central – yet relatively local – PDP model. The policy agent was a piece of code that would typically sit within the web container where single or multiple applications were deployed. The agent essentially intercepted traffic requests and performed coarse grained authentication and session validation with authorization often based on HTTP headers.
The agent was a very specific deployment artefact tied to the web container language and configuration. The tight coupling removed some need to alter the underlying application, but transferred the operational burden of distribution, installation and integration to a policy agent team.
PlainID aims to solve this issue by leveraging RESTful APIs that allow for any application to generically receive policy query results. This removes the reliance on particular web application language and framework requirements such as only working on Java or .Net applications. Many organizations will have a multitude of application coding choices such as PHP, Ruby, node.js, Go and others. By leveraging an API first approach, applications can natively make authorization queries using inbuilt HTTPS libraries. The PDP in this case would receive identity and environmental information before returning which assets and actions the user should be granted access to.
Solution Review – Data Access
Data is often the last, yet most important aspect of user to asset access control. Regardless of how the data is delivered – be it a mobile application, single page application or SaaS application – the data component is a basic foundation to business operations.
The use case here is to restrict which data is queried from an underlying SQL repository. The interception can occur in two places – either via a gateway or a JDBC virtualization layer.
In both cases there is a call out to the PDP which in turn will return a set of filters that the interception layer will use to retrieve data from the underlying source. PlainID offers out of the box integration with Google BigQuery and data gateway vendors Denodo, Data Virtuality and Dremio.
It is interesting to note that the data query is the area of modification, not the filter of data that is returned from the source.
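As an added illustration of the query-time pattern described above (this is example code written for this assessment, not PlainID’s product or API): a hypothetical PDP returns filter predicates derived from subject and context attributes, and the interception layer rewrites the SQL query with those predicates, parameterised, before it reaches the source, rather than filtering the result set afterwards. The policy rules, column names and sample rows are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample data: account rows with a region and a tier column.
SAMPLE_ROWS = [
    (1, "emea", "premium"), (2, "emea", "standard"),
    (3, "amer", "premium"), (4, "amer", "basic"),
]

@dataclass(frozen=True)
class Filter:
    column: str   # supplied by the policy, never by the caller
    op: str       # "=" or "IN"
    value: object

def pdp_decide(subject, context, asset):
    """Hypothetical PDP: return the filters to apply, or None for an outright deny."""
    if asset != "accounts":
        return None
    role = subject.get("role")
    filters = []
    if role == "analyst":
        # Analysts only see rows belonging to their own region.
        filters.append(Filter("region", "=", subject["region"]))
    elif role != "auditor":
        return None
    if context.get("network") != "corporate":
        # Environmental context: off the corporate network, hide premium rows.
        filters.append(Filter("tier", "IN", ("standard", "basic")))
    return filters

def rewrite_query(base_sql, filters):
    """Append the PDP filters to the query as a parameterised WHERE clause."""
    if not filters:
        return base_sql, ()
    clauses, params = [], []
    for f in filters:
        if f.op == "=":
            clauses.append(f"{f.column} = ?")
            params.append(f.value)
        elif f.op == "IN":
            clauses.append(f"{f.column} IN ({', '.join('?' * len(f.value))})")
            params.extend(f.value)
        else:
            raise ValueError(f"unsupported operator {f.op!r}")
    joiner = " AND " if " WHERE " in base_sql.upper() else " WHERE "
    return base_sql + joiner + " AND ".join(clauses), tuple(params)

def fetch_accounts(subject, context, base_sql="SELECT id FROM accounts"):
    """Interception layer: consult the PDP, rewrite the query, then execute it."""
    filters = pdp_decide(subject, context, "accounts")
    if filters is None:
        raise PermissionError("PDP denied access to accounts")
    sql, params = rewrite_query(base_sql, filters)
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER, region TEXT, tier TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return [row[0] for row in con.execute(sql, params)]
```

Because the predicates are added to the query itself, the source never returns rows the subject is not entitled to, which is the distinction the passage above draws.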
Solution – IDP Decoupled Authorization
Many organizations that will be leveraging commercial off the shelf authorization software will likely be relatively mature when it comes to identity and access management capabilities. Many will have one or more identity providers (IDP) which handle authentication and token issuance use cases.
IDPs will typically have a long lifespan – perhaps 3-7 years – and are often tightly integrated into persistent profile stores – aka user profile directories.
PlainID argues that this results in relatively static access control decisions based on coarse grained groups and roles, which do not take into account run-time environmental data or more dynamic context.
Here they articulate an externalised authorization architecture pattern that consumes the identity data generated by the IDP before providing more fine grained authorization data to the downstream systems in the form of secondary tokens or indeed perhaps back to the IDP before tokens and session material are released.
How They Do It
PlainID provides two main components to help deliver their authorization capabilities: a Policy Manager and a Partner Manager.
Policy Manager
Their Policy Manager is described as aiming to provide a centralised management control plane with distributed enforcement. It seems the Policy Manager is being used as a tool to capture details regarding the business process that is being protected. This provides a decoupling effect from the enforcement process.
It seems the main audience of the Policy Manager is the business owner – the individual who can describe the business outcome and workflow that needs protecting – which PlainID sees as a necessary collaborator to the IT operations stakeholders when it comes to rolling out high scale authorization.
The relationship to the business process owner drives a need for features such as policy version control, roll out simulation and approval.
The Policy Manager also provides a range of insights and analytics capabilities which can assist in separation of duties monitoring and reporting.
Policy Manager Features and Capabilities:
- Policy Lifecycle Management
- Runtime Access Decisions
- Advanced Analytics
- Rapid and Controlled Deployment
- Policy Mining
- Contextual & fine-grained access
- Virtual identities
- Universal Authorization
- Graphical UI & REST API
- Visibility and Investigation
- Version Control
- Compliance and SOD control
- Approval Workflows
- Built in Support for Leading Standards (LDAP, SQL, REST, SCIM)
Partner Manager
The modern organization is a mix of partners, complex supply chain interactions, federated user communities and distributed channels of revenue. That entire “B2B” ecosystem is generating a new set of identity and access management requirements. The PlainID Partner Manager is solely focused on the B2B set of use cases such as delegated administration, user onboarding and management and access control.
PlainID articulates the need to manage “partners as organizations” allowing a client to manage specific user communities with distinct administrative controls and policies.
The narrative for leveraging such a concept is that it will help to drive business revenue through better access to protected assets by resellers, channel partners and distributors.
Partner Manager Features and Capabilities:
- Consolidated Admin Console
- Access Role Automation
- Delegated Administration
- Self Service
The Cyber Hut Comment
Their administrative console is firmly focused on generically consuming business outcomes and assets within a policy and access control mindset – allowing a nice abstraction between business process and the underlying enforcement function. The extension to support the likes of OPA, and data as a first class citizen, shows PlainID’s ability to adapt to emerging patterns of authorization demand.
The relatively recent emergence of identity centric security, zero trust architecture and distributed working with complex supply chains should see PlainID short listed by organisations migrating from existing authorization technologies to a centralized management platform.
Strengths
- A feature complete centralised administrative console that allows business leaders to describe their key outcomes, workflows and assets in a way that allows policies and rules to be designed
- An array of enforcement solutions from microservices, web applications, portals and APIs
- A complex set of capabilities in the B2B space for partners, supply chains and user communities requiring strong delegated administration
- Ability to add value to existing IAM / IDP ecosystems by consuming identity information and decoupling the authorization decision making capabilities
- Ability to leverage OPA as an emerging enforcement technology via their centralised management console
Methodology
The Cyber Hut Vendor Assessments are always independent and free from vendor sponsorship. We follow a 5 step process to create a body of knowledge that provides buyside decision makers with a tool that can assist with overcoming the information asymmetries often associated with vendor due diligence.
1 – OSINT
The first stage in the process is to leverage a range of open source intelligence data points (OSINT) to create an impartial and empirical view of the vendor, through their natural actions, talk tracks and observable data points.
We leverage free and paid for data sources to help understand the basic history and vision of the organization, as well as technical details that help to create a picture of capabilities, features and functions.
This process takes between 2 and 4 weeks to complete and uses sources such as the following:
- Crunchbase / Glassdoor
- YouTube / Twitter / LinkedIn
- Vendor Website
- Vendor Webinars & Events
- Vendor Whitepapers & Datasheets
- Vendor Case Studies
- Patent Search
- Blogs
- Documentation & Release Notes
- APIs and SDKs
- Downloads and Trials
2 – Vendor Briefings
After a basic dossier has been created, the vendor is contacted to arrange a briefing, pitch and demo, and to answer any questions that may have been raised during the OSINT phase.
The briefings usually last about 60 mins and normally cover a general go to market pitch and position, followed by a secondary demonstration session by a sales engineer. This process typically results in some further more technical questions that can be easily answered via email and existing documentation.
At this point, The Cyber Hut are in a position to start creating the first version of their Vendor Assessment.
This will take up to 2 weeks and will contain all the information gathered in the OSINT and vendor briefing stages. Existing public case studies will also be analysed.
3 – Vendor Fact Check
Once the initial draft of the Vendor Assessment has been created, this is sent back to the vendor, to allow them to validate any technical points and “fact check” any information that has been documented. The vendor typically responds within 14 days with any corrections and edits.
4 – Vendor Assessment Completion
After the vendor has been given the opportunity to fact check the assessment any corrections are incorporated into the final document.
At this stage, the document can be made available to buy side practitioners as a standalone artifact. This is provided as a non-distributable PDF available in single-seat and enterprise-wide licenses.
Vendors may also purchase a redistributable version of the Vendor Assessment which they can use as marketing and pre-sales collateral for a 6 or 12 month period.
Methodology Benefits
The benefits to this approach are twofold: firstly the vendor is not burdened with cumbersome questionnaires, normalised market requirements and time consuming templates. The “heavy lifting” is performed by The Cyber Hut in order to provide a more empirical and evidence based assessment.
The vendor has full control over the ability to correct and fact check any written material, which validates the evidence that has been collected.
Secondly, The Cyber Hut does not place emphasis on the concept of “ranking” vendors and identifying “who is the best” in a particular segment, vertical or implementation.
The Cyber Hut aims to produce impartial evidence based reports that help to bridge the supplier and buyer divide.
Vendor Assessments are typically re-evaluated every 12 months.
About The Author
Simon Moffatt is Founder and Analyst at The Cyber Hut. Simon provides the overall strategy and content management, analysing unique positions with many different lenses. He is a published author and contributor to identity and security standards at the likes of NIST and the IETF. He has a 20+ year career working within the identity & access management and cyber security sectors – for vendors, system integrators and within industry.
Education
B.Sc (hons) Economics (York, 2001)
M.Sc Information Security (Royal Holloway, University of London, 2022)
Professional Memberships
MBCS – Member of the British Computer Society
F.CIIS – Fellow of the Chartered Institute of Information Security
Professional Qualifications
CISSP (Certified Information Systems Security Professional) – 2007 to present
CCSP (Certified Cloud Security Professional) – 2020 to present
CEH (Certified Ethical Hacker) – 2018 to present
CISA (Certified Information Systems Auditor) – 2010 to 2014
Disclaimer
© 2021 TCH Research Ltd. All rights reserved. The Cyber Hut is a trading name of TCH Research Ltd.
This publication may not be reproduced or distributed in any form without The Cyber Hut’s prior written permission. It consists of the opinions of The Cyber Hut’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, The Cyber Hut disclaims all warranties as to the accuracy, completeness or adequacy of such information.
The Cyber Hut does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by The Cyber Hut’s Usage Policy.
The Cyber Hut prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party.