Introducing: Orchestrated Authorization | Dynamically Speaking
Now that he’s had a few weeks to dig in at Axiomatics, we wanted to put Chief Product Officer Mark Cassetta back on the hot seat.
In this interview, Mark addresses his view on how the authorization market will mature, including a new way of thinking about authorization deployments, how to involve stakeholders throughout the organization, and what this means for risk analysis.
Kelly: Hi, and welcome to another episode of Dynamically Speaking! We’re pleased to welcome back Mark Cassetta, the Chief Product Officer for Axiomatics, and today we’re going to talk about authorization and Mark’s view around a new way to describe authorization from Axiomatics and that is Orchestrated Authorization.
So, welcome back, Mark, and thank you again for joining us!
Mark: Thanks, Kelly. Great to be back. This is twice in two weeks. Feels good!
Kelly: Excellent. Excellent. So I want to kind of harken back then to the first time we spoke, and you did bring up the idea of Orchestrated Authorization at a high level. Can you tell us a little bit more about what that is?
Mark: Sure. I guess the first thing I’ll say is we’re not looking to define a whole other category for authorization. That’s what it is not.
It’s really a way to express, frankly, how Axiomatics has been delivering authorization for its clients, and it’s what’s going to influence what we’re focused on from a product point of view as we go forward, as we look to deliver the best dynamic, centralized authorization solution in the space.
For us, Orchestrated Authorization, and I gotta say, full disclosure, this was somewhat influenced by the SOAR (Security Orchestration, Automation, and Response) market. And when I looked at, you know, that space, and that space has been around for five or six years now, I think the problem that it looked to solve was about taking in a lot of signals to make a decision about risk and provide the right level of analytics to folks around, you know, a response from a risk point of view through a bunch of different, I’ll say, signals in the organization.
And from an authorization perspective, that’s effectively what we’re trying to do as well: we’re trying to look at a bunch of different signals, and take all of those in to make a decision from a policy perspective about what the right response should be when someone is accessing an application, and not just the application, but components of the application all the way down to, in some cases, different databases.
And so orchestrated authorization is about taking in signals, and the signals could be from the business or application owner point of view on what those policies need to be. Signals could be from the security organization saying we’ve got to build policy in this way to align to Zero Trust or CMMC (Cybersecurity Maturity Model Certification), or whatever it might be. Signals could be from different attributes in your organization, different eyes, you know, all the way down to a tech stack layer, different things that go into making a decision around the policy.
A great example that we’re hearing constantly is a signal around risk, right, and using that to derive what the right policy decision should be.
So, we think of all of these different components; it’s about orchestrating them so that we can enable our clients, and ultimately the conductor of the authorization policy in the business, to be successful with authorization.
And that’s, in a nutshell, I don’t know if that’s quite a nutshell, but that’s, in effect, what we’re trying to solve here with orchestrated authorization.
Kelly: That makes sense. And I think that’s a good explanation of what it entails.
And so, this question is going to be probably a softball for you, then. There’s a bit of an alphabet soup around authorization: ABAC (Attribute-based access control), PBAC (Policy-based access control), RBAC (Role-based access control), any ‘bac’ you want to name.
So, just to clarify then, Mark, as you mentioned, orchestrated authorization is not a new category. Is it different from those other terminologies, or does it kind of supersede them? What’s your take there?
Mark: No, it’s not. It’s different in the sense that it’s the way in which Axiomatics is positioning the value we bring within the authorization space.
So, coming in to join the Axiomatics team, it’s very clear to me there can be a lot of confusion and chaos about what authorization is and what it isn’t. What we’re trying to express here is the position we’re taking with respect to the value we bring in authorization, and specifically in runtime authorization, which we talked a little bit about in that initial podcast.
And so it is something that as you know, as an organization we’re going to be talking more about and explaining sort of how you bring Orchestrated Authorization to life in your business.
I think it’s also a reflection of what we’re hearing from our customers in the fact that they’re looking for a means to… yes, we’ve got to build demanding policies, but we’re scaling up to hundreds of applications and millions of users, right? And so it’s that ongoing need to really orchestrate that and make it sing as nicely as possible, if that makes sense. Sing? An orchestra’s not really singing, it’s more like…
Kelly: I think so…sometimes there’s a choir…
Mark: Sing works? We don’t have to redo that…
Kelly: Okay, no, no, it’s all good. So, I think maybe further, and perhaps the theme of our conversation is really around clarity. There’s also a lot of talk as people continue to seek out the very best way to secure what’s most important to their organizations. So you have things like Zero Trust, which I would think is rapidly becoming almost industry standard, or table stakes even, for most organizations, and identity-first security. And, and, and…
So, how does orchestrated authorization help organizations that are looking to these other strategies to really secure their most important assets and data and processes?
Mark: Yeah, great question. I think the first thing, and I’ll go back to saying what it’s not: Orchestrated authorization is not your one-stop shop for Zero Trust, or your one-stop shop for NIST (National Institute of Standards and Technology), or identity-first. It is a component of those reference architectures and strategies. So that’s the first thing to be clear on, and nor would we ever claim that we have solved all those pieces.
What I think the role is that orchestrated authorization plays in those architectures goes back to my point, I guess, about signals, right. So when you think of, you know, any of those strategies, and what they’re trying to do, they’re really trying to connect multiple components of, I’d say, security solutions to one holistic decision about policy and enforcing that policy at the right time, whether it be at the app level, whether that be at the unstructured data level, you know, documents and files, or at the database level.
And so our role in those architectures is to be able to (A) pull in any attributes that any of those other Zero Trust code solutions are serving, and, you know, pull them into our decision service. Or (B), as people are using applications that Axiomatics is serving with policy, we need to be able to make sure that those apps can receive our signals of logs and information to be better informed and ensure that, you know, least privileged access continues to be maintained in the event there’s perhaps a change in a role.
You know, just that one use case probably involves three or four different technologies that all encompass kind of a Zero Trust or NIST or CMMS-led strategy.
So I guess to sum it up, orchestrated authorization is about pulling in as many signals as we can from those other solutions that round out a Zero Trust strategy, and then delivering as much as we can from an analytics point of view and a logging point of view to ensure that there’s ongoing management of those least privilege policies that are critical to identity-first, Zero Trust, or NIST, or whatever it might be.
Kelly: So Mark, I think I have one last question for you. You’ve given such a great overview of orchestrated authorization and what it means and what it means for the various other security strategies that are out there.
For folks listening to this discussion, what are the top two or three things you want them to walk away with, knowing more when it comes to orchestrated authorization?
Mark: Yeah. If I broke it down into three things, I’ll play off this orchestra analogy a little bit.
The first is, like every orchestra, there are many different musicians involved, right. And all these different musicians have roles, and they’re going to obviously influence, you know, what the music’s going to sound like.
And so, same thing with authorization. We know that there are multiple folks involved in defining policy. And it’s not just people, like I said early on, it could be attributes, it could be other technologies. And so that’s really the first thing, and we feel strongly our job, obviously, is to connect all of those folks in a seamless way to enable the development of fine-grained policies for authorization.
The second is that, and I think this is a shift for the authorization space over the past number of years, there is naturally going to be a conductor in an organization who is now accountable for authorization. And if there isn’t sort of that centralized person… typically we’re seeing that be the CISO, or identity team leader, sometimes it can be the same person, but they are that conductor. They’re the ones who have visibility across their entire cyber strategy.
And so, as we think about Orchestrated Authorization, it’s equally important that we’re serving that individual with capabilities that make sure that they can present back the impact that their authorization strategy is having as it looks to adhere to things like NIST, or regulations, or Zero Trust, or whatever it might be.
And so that, I think, is another key takeaway: that that person is becoming more and more central to, I’d say, the requirements we have when it comes to building out our solutions.
And then third is that, like any good orchestra, you’re not just playing one set or one song, all right, and certainly the first time you play together might feel a little bit different than if you’ve been playing together for a couple of years, right? And the type of music you can play, and the advancement of that music, might be a little bit different.
I think the same thing goes for authorization: the first authorization policy that you conduct in your organization is probably going to look different than the hundredth policy you create, or application you serve.
And so recognizing that it’s a journey, that you’re going to go through this process of crawling, walking and running, that’s going to be central to our orchestrated authorization strategy. It’s not just about serving more and more features and functionalities, but how do we apply that capability across the different stages of authorization deployments in an organization?
I would say those are the three things that I think of when it comes to understanding how orchestrated authorization is going to be positioned a little bit differently than perhaps the way we spoke about authorization in the past.
Kelly: Well, that’s all the time we have for today. But thank you very much, Mark, for the time and for the great discussion and for the insight around orchestrated authorization.
For anybody looking to learn more about this, please keep coming back and checking our site in the next couple of weeks. We’ll have some exciting news to share!
Mark: Thanks, Kelly. Thanks, everyone!