Vendor Assessment: Scaled Access

Next Generation Authorization – A Market Overview

Last Updated – 10 January 2021
Document Id – tch-vendor-assess-scaledaccess
Author – simonm@thecyberhut.com
Part of Research Product – Next Generation Authorization – A Market Overview

Company Key Facts

Web – https://www.scaledaccess.com/
LinkedIn – https://www.linkedin.com/company/scaled-access/
Twitter – https://twitter.com/scaledaccess
YouTube – https://www.youtube.com/channel/UCiGrTpZa_JWYlx_sq4B9XJQ
Founded Date – 2009
Founders – Ward Duchamps
No. of Employees – ~20
Total Funding – EUR 3 million
Locations – Belgium
In Their Own Words – “#1 platform for advanced access management – The only solution that lets you authorize users to gain and grant access securely”

Funding

Scaled Access has had one publicly acknowledged funding round – a EUR 3 million round in January 2019, led by Capricorn and Pamica.

Announced Date – January 2, 2019
Transaction Name – First Capital Round
Number of Investors – 2
Money Raised – 3 Million EUR
Lead Investors – Capricorn, Pamica

Customer Case Studies

Customer – Un-named
Region / Sector – Media / EMEA
Details – A large media provider had an existing consumer identity and access management platform in place to manage subscriptions.  They had issues with credential sharing – where customers shared login details with other family members and friends.  Scaled Access was employed to provide a subscription based sharing mechanism on top of the Auth0 CIAM platform.  The media provider wanted to create different subscription types that would need delegated administration and controlled sharing.

Delegated Administration / Pre-Built Workflows / Fine Grained Authorization

Customer – Un-named
Region / Sector – Health Tech / EMEA
Details – A European health tech wearable organisation was looking to provide consent management capabilities for its end users.  This included data ownership services and complex flows surrounding power of attorney scenarios.  The health ecosystem consists of practitioners, the client and the intermediary devices and infrastructure.  An explicit and informed consent workflow system was required to allow data sharing.

Consent Management / Privacy Policy Management / Data Sharing

Customer – Un-named
Region / Sector – Manufacturing / EMEA
Details – The logistics and supply chain management team at a manufacturing organisation required relationship based permissioning for their complex supplier relations.  A delegated administration model allowed a central team to provide authorization capabilities to segmented administration teams.  An existing Okta deployment was leveraged with Scaled Access to provide this supply chain management platform.

Supply Chain Management / Okta Integration / Delegated Administration

Technology Key Facts

Go To Market Message – User Centric Relationship Based Access Management
Solutions – Digital Ecosystem Access / Consumer Access / Retail / Healthcare / Finance / Media / Energy
Products / Platform – Relationship Based Permissions / Externalized Authorization / Consent Lifecycle Management / REST Integration
Useful Links – Developer Documentation / Partner Network Directory

Technology Review

Overview

Scaled Access provides a range of next generation authorization capabilities, with an emphasis on relationship management and externalized authorization.

They see a world where subject-to-object access should be handled by graph based relationships, which provide scalability and the ability to deliver access control to a range of emerging technology areas such as consent management, IoT and multi-faceted delegated administration style ecosystems.

Digital Ecosystem Access

They describe the modern enterprise as having a multi-dimensional set of interactions with partners, supply chain organizations and staff that range from standard employees, through to contractors, freelancers and federated entities.  These new interactions generate new requirements when it comes to access control, consent and authorization.

Many internal B2E backbone identity and access management systems may serve the controlled user community well, but are not always accessible to users who are part of the critical supply chain and yet are not always controllable.  In line with a zero trust style security architecture – where there is an implicit assumption that “internal” controlled resources and assets are accessible beyond the firewall on publicly available networks – we are starting to see the need to open up internal resources to users on a more request-based and delegated model.

Scaled Access argues that the difference between internal and external users is shrinking, requiring their management to be done on the same platform – via delegated communities acting as a segmentation boundary.

The delegation aspect allows administrators to invite users into an “ecosystem” providing empowerment and the ability to request access on a more granular “need to know” basis.

Consumer Access

Identity in the B2C (business to consumer) space is focused upon user acquisition, community development and business enablement.  Scaled Access aims to provide a range of fine grained authorization capabilities that can assist organizations that deliver consumer focused subscription based management.

In the B2C world, the identity design model moves away from being system centric and moves towards being user centric.  In this case, the user centric approach requires the ability for end users to share – sometimes temporarily – services, data and subscriptions – with peers, family or friends.  This complex set of interactions requires new features built on delegated administration and fine grained access control.

Common examples include the need to create family profiles in the media space or group bookings in the hospitality industry.

How They Do It

Relationship Based Access Control

Scaled Access see Relationship Based Access Control (ReBAC) as a means to create fine grained authorization rules for a range of new use cases that can often extend existing IAM platforms in both the consumer and employee spaces.

They see many examples of current data sharing models that basically rely on the sharing of accounts and credentials in order to fulfill partner and supply chain integrations in the B2E world and account sharing in the B2C world – especially in the media sectors.

This ReBAC model allows user communities to “self manage” their own data and services so that they can be shared to trusted peers.

The Scaled Access ReBAC API essentially allows three things: configuration of the assets and users to be managed, the relationship between the asset and the user community and an authorization mechanism to request access control decisions.

The configuration aspect covers the creation of an actor, a resource and relationship types that may exist.

Externalised Access Control

Whilst relationships form the basis of how access control decisions can be made with Scaled Access, a more generic capability exists surrounding the externalisation of authorization data from applications.

Access control policies can be centralised that contain context such as the device, location, time, consent or user relationship attributes.

The aim is to apply business policy across a range of distributed application types.  A common asset that would require enforcement services would be APIs and micro services.

The Externalise Authorization API provides two main capabilities: the ability to configure rules and policies and an authorization API that allows querying and decisioning.

Configuration of an authorization policy relies on a naming process which typically leverages a target and an action.  For example a policy could be called “subscription:read” or “user:update”.

Policy conditions are specified using the Open Policy Agent (OPA) Rego language.

The authorization aspect of the API is where policy data can be leveraged to make access control decisions.  The API expects to see a subject, action, resource and context to make a decision (which is based on the XACML standard).

The authorization response is essentially an outcome – which determines what the caller can do, along with a concept of an “obligation” – which is a secondary condition that must be satisfied before access is granted within the calling system.
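The ReBAC configuration described above (actors, resources and typed relationships) and the externalized authorization request (subject, action, resource, context in; outcome and obligations out) fit together in one small model. The following is an added example written for this assessment, not Scaled Access code or its API: the class names, the “target:action” policy names, the relationship types (owner, shared_with, guardian) and the obligation string are all assumptions, and a plain Python callable stands in for the Rego condition the product would use.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


class RelationshipGraph:
    """Actor-to-resource edges labelled with a relationship type: the ReBAC
    configuration step (actors, resources, relationship types)."""

    def __init__(self) -> None:
        self._edges: set = set()          # (actor, relationship_type, resource)

    def relate(self, actor: str, rel_type: str, resource: str) -> None:
        self._edges.add((actor, rel_type, resource))

    def unrelate(self, actor: str, rel_type: str, resource: str) -> None:
        self._edges.discard((actor, rel_type, resource))

    def relationships(self, actor: str, resource: str) -> set:
        return {r for a, r, res in self._edges if a == actor and res == resource}


@dataclass
class Decision:
    outcome: str                                          # "permit" or "deny"
    obligations: list = field(default_factory=list)       # caller must satisfy these before granting access
    reason: str = ""


# A condition sees (subject, resource, context, relationships) and returns
# (permitted, obligations).  It replaces the Rego rule in this illustration.
Condition = Callable[[str, str, dict, set], tuple]


class PolicyDecisionPoint:
    """Policies are named "target:action"; requests are XACML-style tuples."""

    def __init__(self, graph: RelationshipGraph) -> None:
        self.graph = graph
        self.policies: dict = {}

    def add_policy(self, name: str, condition: Condition) -> None:
        self.policies[name] = condition

    def authorize(self, subject: str, action: str, resource: str,
                  context: Optional[dict] = None) -> Decision:
        context = context or {}
        target = resource.split(":", 1)[0]            # "subscription:42" -> "subscription"
        name = f"{target}:{action}"
        condition = self.policies.get(name)
        if condition is None:
            return Decision("deny", reason=f"no policy named {name}")   # default deny
        rels = self.graph.relationships(subject, resource)
        permitted, obligations = condition(subject, resource, context, rels)
        if not permitted:
            return Decision("deny", reason=f"{name}: relationships {sorted(rels)} insufficient")
        return Decision("permit", list(obligations), reason=name)


def subscription_read(subject, resource, context, rels):
    if "owner" in rels:
        return True, []
    # A peer the owner shared with may read only from a registered household
    # device, and the calling system must log the shared access first (obligation).
    if "shared_with" in rels and context.get("device_registered"):
        return True, ["log_shared_access"]
    return False, []


def user_update(subject, resource, context, rels):
    # Only the user themselves or a delegated guardian may update a profile.
    return (subject == resource.split(":", 1)[1] or "guardian" in rels), []


def demo() -> dict:
    """Constructed sample ecosystem: alice owns a subscription shared with bob;
    carol is guardian for dave's profile."""
    graph = RelationshipGraph()
    graph.relate("alice", "owner", "subscription:42")
    graph.relate("bob", "shared_with", "subscription:42")
    graph.relate("carol", "guardian", "user:dave")
    pdp = PolicyDecisionPoint(graph)
    pdp.add_policy("subscription:read", subscription_read)
    pdp.add_policy("user:update", user_update)

    results = {
        "owner_read": pdp.authorize("alice", "read", "subscription:42"),
        "shared_read_registered": pdp.authorize("bob", "read", "subscription:42", {"device_registered": True}),
        "shared_read_unregistered": pdp.authorize("bob", "read", "subscription:42", {"device_registered": False}),
        "stranger_read": pdp.authorize("eve", "read", "subscription:42"),
        "guardian_update": pdp.authorize("carol", "update", "user:dave"),
        "self_update": pdp.authorize("dave", "update", "user:dave"),
        "unknown_action": pdp.authorize("alice", "delete", "subscription:42"),
    }
    # Revoking the relationship changes the next decision immediately.
    graph.unrelate("bob", "shared_with", "subscription:42")
    results["shared_read_after_revoke"] = pdp.authorize("bob", "read", "subscription:42", {"device_registered": True})
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:26} {decision.outcome:6} {decision.obligations} {decision.reason}")
```

Two design points worth noting: an unknown policy name yields deny rather than an error, and the obligation is returned to the caller rather than enforced by the decision point, which is exactly why the calling system must treat “permit with obligations” as conditional until it has satisfied them.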

Consent Life Cycle Management

Compliance for the likes of the CCPA or GDPR is driving many organisations to leverage commercial off the shelf software to handle consent life cycle management.

Scaled Access provides a range of capabilities here from managing the “accept terms and conditions” use case through to audit and monitoring.

The Scaled Access Consent Management API contains three main endpoints: configuration, consent and authorization.

The configuration of the consent object will contain the definition, version and an associated consent document.  Each consent document has an “effectiveDate” attribute which essentially makes the object available for users to accept.

The consent endpoint of the API is where an end user’s affirmative consent can be captured.  A request to this endpoint will require a user ID and consent object and a register event which contains timestamp information that is used to create an audit entry.
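The three consent endpoints (configure a versioned document with an effectiveDate, register a user's acceptance with a timestamped audit event, and authorize against the current version) can be modelled as follows. This is an added example for this assessment, not Scaled Access code: the class and method names, the audit record shape and the rule that a newer effective version invalidates consent to older ones are assumptions chosen to show the version-change case.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentDocument:
    definition: str            # what is being consented to, e.g. "terms-of-service"
    version: int
    effective_date: datetime   # acceptable by users from this instant (effectiveDate)
    text: str


@dataclass(frozen=True)
class ConsentRecord:
    user_id: str
    definition: str
    version: int
    registered_at: datetime


class ConsentService:
    def __init__(self) -> None:
        self.documents: dict = {}     # definition -> [ConsentDocument]
        self.records: list = []       # accepted consents
        self.audit: list = []         # one entry per register event (accepted or rejected)

    # --- configuration endpoint ---
    def configure(self, doc: ConsentDocument) -> None:
        versions = self.documents.setdefault(doc.definition, [])
        if any(d.version == doc.version for d in versions):
            raise ValueError(f"{doc.definition} v{doc.version} already configured")
        versions.append(doc)

    def current_document(self, definition: str, now: datetime) -> Optional[ConsentDocument]:
        """Highest version whose effective date has passed; None if nothing is effective yet."""
        effective = [d for d in self.documents.get(definition, []) if d.effective_date <= now]
        return max(effective, key=lambda d: d.version) if effective else None

    # --- consent endpoint ---
    def register(self, user_id: str, definition: str, version: int, timestamp: datetime) -> ConsentRecord:
        doc = next((d for d in self.documents.get(definition, []) if d.version == version), None)
        event = {"user": user_id, "definition": definition, "version": version, "at": timestamp.isoformat()}
        if doc is None or doc.effective_date > timestamp:
            self.audit.append(dict(event, event="consent_rejected"))
            raise ValueError(f"{definition} v{version} is not available for acceptance at {timestamp.isoformat()}")
        record = ConsentRecord(user_id, definition, version, timestamp)
        self.records.append(record)
        self.audit.append(dict(event, event="consent_registered"))
        return record

    # --- authorization endpoint ---
    def has_current_consent(self, user_id: str, definition: str, now: datetime) -> bool:
        """True only if the user accepted the version that is current at `now`."""
        current = self.current_document(definition, now)
        if current is None:
            return False
        return any(r.user_id == user_id and r.definition == definition and r.version == current.version
                   for r in self.records)


def demo() -> dict:
    """Constructed scenario: v1 effective January 2021, v2 effective June 2021."""
    svc = ConsentService()
    utc = timezone.utc
    svc.configure(ConsentDocument("terms-of-service", 1, datetime(2021, 1, 1, tzinfo=utc), "v1 text"))
    svc.configure(ConsentDocument("terms-of-service", 2, datetime(2021, 6, 1, tzinfo=utc), "v2 text"))
    out = {}
    svc.register("alice", "terms-of-service", 1, datetime(2021, 2, 1, tzinfo=utc))
    out["march_v1_ok"] = svc.has_current_consent("alice", "terms-of-service", datetime(2021, 3, 1, tzinfo=utc))
    try:   # v2 is configured but not yet effective in March, so it cannot be accepted
        svc.register("alice", "terms-of-service", 2, datetime(2021, 3, 2, tzinfo=utc))
        out["early_v2_rejected"] = False
    except ValueError:
        out["early_v2_rejected"] = True
    # Once v2 is effective, consent to v1 no longer authorizes the user.
    out["july_needs_v2"] = svc.has_current_consent("alice", "terms-of-service", datetime(2021, 7, 1, tzinfo=utc))
    svc.register("alice", "terms-of-service", 2, datetime(2021, 7, 2, tzinfo=utc))
    out["july_after_v2"] = svc.has_current_consent("alice", "terms-of-service", datetime(2021, 7, 3, tzinfo=utc))
    out["bob_never_consented"] = svc.has_current_consent("bob", "terms-of-service", datetime(2021, 7, 3, tzinfo=utc))
    out["audit_events"] = [e["event"] for e in svc.audit]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

Rejected acceptance attempts are written to the audit trail as well as successful ones, so the record shows not only who consented to which version and when, but also attempts to accept a document before its effective date.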

Identity Integration

The Scaled Access SaaS platform can leverage identity provider (IDP) data from a range of popular identity platforms such as Okta or Auth0 and many other systems that support OpenID Connect.

This separation of concerns between the authentication event and the authorization event allows scaling and specialism of capability.

A common use case Scaled Access promotes is that of token enrichment.  A basic authentication token issued by an IDP can be augmented with relationship data held in the Scaled Access platform to allow for more informed access control decisions by the protected downstream systems.
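The token enrichment flow has one security property that is easy to get wrong: the enrichment service must verify the IDP's token before adding relationship claims, and must re-sign the result under its own key, so that downstream systems can tell an enriched token from a tampered one. The following is an added example for this assessment, not Scaled Access or Auth0/Okta code: it uses a minimal stdlib HS256 JWT with constructed shared secrets for both parties (a real deployment would use asymmetric keys published via the IDP's JWKS), and the claim names “relationships” and “enriched_by” are assumptions.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT signer (stdlib only) for the example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, key: bytes, now: int) -> dict:
    """Check structure, algorithm, signature and expiry; the expected algorithm
    is fixed by the verifier, never taken on trust from the token header."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def enrich_token(idp_token: str, idp_key: bytes, authz_key: bytes, relationships: dict, now: int) -> str:
    """Validate the IDP token, attach the subject's relationship data, re-sign under the
    authorization service's own key."""
    claims = verify_jwt(idp_token, idp_key, now)
    enriched = dict(claims)
    enriched["relationships"] = relationships.get(claims["sub"], {})
    enriched["enriched_by"] = "authz-service"        # assumed claim name for the example
    return sign_jwt(enriched, authz_key)


def demo() -> dict:
    # Constructed keys, relationship data and timestamps for the example only.
    idp_key = b"idp-signing-secret-example"
    authz_key = b"authz-signing-secret-example"
    relationships = {"alice": {"subscription:42": ["owner"]}, "bob": {"subscription:42": ["shared_with"]}}
    now = 1_610_000_000
    idp_token = sign_jwt({"iss": "https://idp.example.test", "sub": "bob", "exp": now + 300}, idp_key)

    enriched = enrich_token(idp_token, idp_key, authz_key, relationships, now)
    downstream = verify_jwt(enriched, authz_key, now)     # what a protected API sees
    out = {"downstream_claims": downstream}
    try:   # the IDP key no longer verifies the enriched token: its content changed
        verify_jwt(enriched, idp_key, now)
        out["idp_key_rejects_enriched"] = False
    except ValueError:
        out["idp_key_rejects_enriched"] = True
    try:   # the signature binds the relationship claims: altering them breaks verification
        h, _, s = enriched.split(".")
        altered = dict(downstream, relationships={"subscription:42": ["owner"]})
        altered_payload = _b64url(json.dumps(altered, separators=(",", ":"), sort_keys=True).encode())
        verify_jwt(f"{h}.{altered_payload}.{s}", authz_key, now)
        out["altered_claims_rejected"] = False
    except ValueError:
        out["altered_claims_rejected"] = True
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The downstream system trusts only the enrichment service's key, which is the point of the separation between authentication and authorization: the IDP vouches for who the user is, the authorization layer vouches for what they are related to, and each assertion is verifiable on its own.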

The Cyber Hut Comment

The API first approach allows significant integration capabilities for existing identity provider technologies and native applications to receive authorization information in the form of delegated administration, consent management and token enrichment.

Their use cases and case studies cover a range of industries with a focus on identity overlay and fine grained specialist services for both consumers and partners.

The emerging need for technologies to support a user-centric approach to data and service sharing should see Scaled Access be considered for a range of next generation authorization projects.

As an overlay technology to existing identity infrastructure, a level of maturity is often required for authorization to be successful: existing identity provider and authentication services must already be in place, together with an understanding of business workflow and consent management use cases.

Strengths

  • A strong focus on relationship based access control backed by graph database technology that can be used to represent new and emerging authorization patterns
  • A standards based way (OpenID) of integrating with existing identity provider platforms in order to successfully externalise and decouple authorization functionality
  • A strong REST based API that allows for the configuration of policy data, user to asset relationships, consent management and authorization decision making capabilities
  • Detailed consent life cycle management understanding and support for a range of use cases including terms and conditions version changing and consent capture workflows

Methodology

The Cyber Hut Vendor Assessments are always independent and free from vendor sponsorship.  We follow a 5 step process to create a body of knowledge that provides buy-side decision makers with a tool that can assist with overcoming the information asymmetries often associated with vendor due diligence.

1 – OSINT

The first stage in the process is to leverage a range of open source intelligence data points (OSINT) to create an impartial and empirical view of the vendor, through their natural actions, talk tracks and observable data points.

We leverage free and paid for data sources to help understand the basic history and vision of the organization, as well as technical details that help to create a picture of capabilities, features and functions.  

This process takes between 2 and 4 weeks to complete and uses sources such as the following:

  • Crunchbase / Glassdoor
  • YouTube / Twitter / LinkedIn
  • Vendor Website
  • Vendor Webinars & Events
  • Vendor Whitepapers & Datasheets
  • Vendor Case Studies
  • Patent Search
  • Blogs
  • Documentation & Release Notes
  • APIs and SDKs
  • Downloads and Trials

2 – Vendor Briefings

After a basic dossier has been created, a reach out to a vendor is performed to arrange a briefing, pitch and demo and to answer any questions that may have been raised during the OSINT phase.

The briefings usually last about 60 mins and normally cover a general go to market pitch and position, followed by a secondary demonstration session by a sales engineer.  This process typically results in some further more technical questions that can be easily answered via email and existing documentation.

At this point, The Cyber Hut are in a position to start creating the first version of their Vendor Assessment.

This will take up to 2 weeks and will contain all the information gathered in the OSINT and vendor briefing stages.  Existing public case studies will also be analysed.

3 – Vendor Fact Check

Once the initial draft of the Vendor Assessment has been created, this is sent back to the vendor, to allow them to validate any technical points and “fact check” any information that has been documented.  The vendor typically responds within 14 days with any corrections and edits.

4 – Vendor Assessment Completion

After the vendor has been given the opportunity to fact check the assessment any corrections are incorporated into the final document.

At this stage, the document can be made available to buy side practitioners as a standalone artifact.  This is provided as a non-distributable PDF available in single-seat and enterprise-wide licenses.

Vendors may also purchase a redistributable version of the Vendor Assessment which they can use as marketing and pre-sales collateral for a 6 or 12 month period.

Methodology Benefits

The benefits to this approach are twofold:  firstly the vendor is not burdened with cumbersome questionnaires, normalised market requirements and time consuming templates.  The “heavy lifting” is performed by The Cyber Hut in order to provide a more empirical and evidence based assessment.

The vendor has full control over the ability to correct and fact check any written material, which validates the evidence that has been collected.

Secondly, The Cyber Hut does not place emphasis on the concept of “ranking” vendors and identifying “who is the best” in a particular segment, vertical or implementation.  

The Cyber Hut aims to produce impartial evidence based reports that help to bridge the supplier and buyer divide.

Vendor Assessments are typically re-evaluated every 12 months.

About The Author

Simon Moffatt is Founder and Analyst at The Cyber Hut.  Simon provides the overall strategy and content management, analysing unique positions with many different lenses. He is a published author and contributor to identity and security standards at the likes of NIST and the IETF.  He has a 20+ year career working within the identity & access management and cyber security sectors – for vendors, system integrators and within industry. 


Education

B.Sc (hons) Economics (York, 2001)

M.Sc Information Security (Royal Holloway, University of London, 2022)

Professional Memberships

MBCS – Member of the British Computer Society

F.CIIS – Fellow of the Chartered Institute of Information Security

Professional Qualifications

CISSP (Certified Information Systems Security Professional) – 2007 to present

CCSP (Certified Cloud Security Professional) – 2020 to present

CEH (Certified Ethical Hacker) – 2018 to present

CISA (Certified Information Systems Auditor) – 2010 to 2014

Disclaimer

© 2021 TCH Research Ltd.  All rights reserved. The Cyber Hut is a trading name of TCH Research Ltd.

This publication may not be reproduced or distributed in any form without The Cyber Hut’s prior written permission. It consists of the opinions of The Cyber Hut’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, The Cyber Hut disclaims all warranties as to the accuracy, completeness or adequacy of such information. 

The Cyber Hut does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by The Cyber Hut’s Usage Policy. 

The Cyber Hut prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party.
