Q&A: Authorization in 20 years – what will change?
We recently spoke with our Chief Technology Officer, David Brossard, and founder and Head of Strategy, Babak Sadighi, about the past 20 years of authorization and access control.
Now, we discuss with them what the next 20 years of authorization and access control could look like.
What changes will we see around access control and authorization in the next 20 years?
David: I think we are going to have a whole lot more need for authorization in the next 20 years. There will be more users, more data, and more services: everything will be completely digital in the future.
Things will become more international as well.
While people do travel and live in different countries today, the scale of immigration will go up.
This means the need for cross-border services (such as telecommunications, banking, healthcare) will go up and with it the need to share data and enforce privacy controls.
Speaking of privacy, another change I think will happen in the future is that we will have more regulations and laws to comply with.
Until recently, privacy has been an afterthought.
Now, we are starting to see the changes in legislation such as the General Data Protection Regulation (GDPR), frameworks such as Open Banking, and technology such as third-party cookies that Apple, Google, and other companies are pushing forward.
Privacy is now front and center and that will impact how we enforce it.
That will create a bigger need for authorization.
Another topic that came up during IIW 37 in October was the ubiquity of authorization and how we need to onboard software development firms and SaaS onto the authorization journey.
This will drive the adoption of new authorization technologies.
Some of my peers even see a parallel between Security Assertion Markup Language (SAML) (established 2001, now very much mature) and authorization (AuthZEN established 2023 with 20 years of history to write).
Closer to today, we should also look into the evolution of authentication (for instance passwordless authentication, verified credentials, and distributed identities).
If we always know who a person is or what a service is, then will we continuously check a person’s rights?
In the IIW AuthZEN meeting, one of my peers mentioned “zero standing privilege”. This is the idea that no one should be provisioned permissions or entitlements upfront.
Rather, we should grant them access on a per-request basis, on demand, in real time.
We could also look at A.I. and other technologies we don’t know will exist tomorrow, which are going to change the way that we interact with the digital world.
I cannot wait to see the new paradigm shifts and how we can adapt to address their security needs.
Babak: In the next 20 years, enterprises will realize that they have to bring in more elaborate and advanced authorization solutions to address their needs.
They need to do this to not only secure themselves from external attacks, but to keep better control on resources and services internally as well.
Due to this, enterprises will find that simple solutions won’t address their needs because the problems around authorization are becoming more complex.
We will see that enterprises need to both open up and at the same time keep better control.
Yes, this is contradictory, but if you close the door you can’t do business.
So you have to open up, but have a fine-grained control to manage who has access to what, when and under what conditions.
Thinking about the future: Is Zero Trust here to stay and grow or will it become something of the past?
David: I think that Zero Trust is going to grow big time in the future and become mainstream.
It goes with distributed identity and verifiable claims because we know that at every single instant what you represent will be able to say what you are allowed to do.
An example of this is in the onboarding process.
A new employee has to prove who they are and that they have the right to work, whether that is through a degree, passport, etc.
There has to be something that verifies who you are and that you can actually do something instead of someone just making it up.
In the future, we are going to live in a world where everything is verified for real instead of just taking a person’s word for it.
Zero Trust is definitely here to stay.
Babak: When we talked about the past 20 years of authorization, I mentioned that while the emergence of Zero Trust was good, its overuse as a marketing term and vendors promoting a “Zero Trust solution” can be misleading.
In the future, I could see Zero Trust being called something else, but the concept or strategy will still be around.
This is because the concept is still needed; however, the buzzword has not yet delivered for enterprises the way they thought it would.
This has happened many times in the past with different topics; an example of this would be that XML gateways are now API gateways.
We hear about the idea of an all-in-one IAM platform, do you see this happening in the future?
David: What I could see happening is that the building blocks of IAM could become commoditized to the point that databases have.
For example, there could be a vendor with a database feature and if you are developing an application you would need to go to the database team, so they could set you up with whatever you needed.
In this case, they have made the database a commodity and no one would ever think of going off to buy a database from a new vendor because the capability was already there.
However, in the realm of authorization, there are already two camps.
There is the workforce identity and the consumer or customer identity. These are very different realms, each essentially owned by different people.
Both of these are very different sides of the business and this is likely going to stay.
This can mean there is a disconnect from the operations point of view, but it doesn’t mean that they aren’t using the same building blocks.
This could be true for authorization as well.
That’s the kind of picture we are painting: the authorization engine and framework have one team that provides the feature, and then other teams run those products.
I think at least in the near term it is such an uphill battle to make it a commodity, as it is going to take time, but twenty years is a long time; it could be enough to see it.
Babak: I do not see that happening in the near future as we aren’t even close to that stage yet. At this point, I think the market is still too immature for one big product.
That is unless someone like Microsoft tries to do it and pours a bunch of money into it, however it is still in the early stages and to some extent they would need to innovate.
Innovation isn’t exactly what comes to mind with big companies, and we are still in the stages where innovation is extremely important, so I believe it will be quite some time until we see this.
What should enterprises be looking for with authorization and access control to better prepare themselves for the future?
David: I think the flexibility of the framework is the main thing, meaning that it is capable of expressing future scenarios that you haven’t thought of yet.
However, it is hard to see if that is true because how do you know what the future scenarios are?
With a policy-driven approach, like Axiomatics, it is generic enough that you can express pretty much any authorization scenario.
Also, legacy authorization frameworks that are hard-coded into an application or largely rely on roles are not flexible enough, but enterprises are starting to understand that, which is great.
Another thing that will help enterprises is standards because standards do a couple different things.
First, they future-proof the product because there are a bunch of different people working on it, so it isn’t just going to die. If it did die, there would be another vendor capable of picking up what the first company did, as it is standardized.
Secondly, when there are standards it means that a group of people with various backgrounds got together to think about that standardization.
This normally means that there has been some form of due diligence and research that went into creating that standard, so it gives the bigger picture.
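Two of David’s points above are concrete enough to show in code: “zero standing privilege” (no entitlements provisioned upfront; access decided per request, in real time) and the contrast between a policy-driven framework and authorization hard-coded into an application or tied to roles. The following is an added illustration written for this page; it is not Axiomatics’ product code or any vendor’s engine. The policy format, the attribute names (subject, action, resource, environment), the patient-records scenario and the sample requests are all constructed for the example. Each request is decided from its current attributes with a deny-overrides combining rule, a permit carries a short expiry so nothing persists as a standing grant, and conditions such as “managed device” or “on shift” are expressed as policy data rather than code in the application.

```python
"""
Policy-driven, per-request authorization check (added illustration; not the
product code of Axiomatics or any other vendor). Policy names, attribute names
and the sample requests below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, List, Optional

# A request carries attributes about subject, action, resource and environment.
# Nothing in the subject is a standing entitlement: the decision is computed from
# these attributes at request time and a permit expires shortly afterwards.
Request = Dict[str, Dict[str, Any]]
Predicate = Callable[[Request], bool]


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                 # "permit" or "deny"
    applies: Predicate          # does the policy target this request at all?
    condition: Predicate        # if it applies, is the effect triggered?


@dataclass(frozen=True)
class Decision:
    outcome: str                    # "permit", "deny" or "not_applicable"
    policy: Optional[str]           # which policy produced the outcome
    expires_at: Optional[datetime]  # permits are short-lived (zero standing privilege)


def evaluate(policies: List[Policy], request: Request, now: datetime,
             ttl: timedelta = timedelta(minutes=5)) -> Decision:
    """Deny-overrides combining: any applicable deny wins, otherwise the first
    permit. Evaluation is stateless, so every request is decided afresh."""
    permit: Optional[Policy] = None
    for policy in policies:
        if not policy.applies(request) or not policy.condition(request):
            continue
        if policy.effect == "deny":
            return Decision("deny", policy.name, None)
        if permit is None:
            permit = policy                 # keep looking: a later deny still wins
    if permit is not None:
        return Decision("permit", permit.name, now + ttl)
    return Decision("not_applicable", None, None)   # the caller treats this as deny


def is_permitted(decision: Decision, now: datetime) -> bool:
    """A permit is usable only until it expires; after that, re-evaluate."""
    return (decision.outcome == "permit" and decision.expires_at is not None
            and now < decision.expires_at)


# --- Constructed policies for a fictional patient-records service -------------
# A record owner may read their own record from an organisation-managed device.
# A clinician may read any record while on shift. A subject flagged as under
# investigation is denied everything. None of the rules requires the subject to
# hold a pre-provisioned entitlement to the record, and adding a new condition
# (device, shift, ownership) means adding policy data, not application code.
def _is_record_read(r: Request) -> bool:
    return r["action"]["name"] == "read" and r["resource"]["type"] == "record"

POLICIES: List[Policy] = [
    Policy("deny-under-investigation", "deny",
           applies=lambda r: True,
           condition=lambda r: bool(r["subject"].get("under_investigation", False))),
    Policy("owner-read-managed-device", "permit",
           applies=_is_record_read,
           condition=lambda r: r["subject"]["id"] == r["resource"]["owner"]
           and bool(r["environment"].get("device_managed", False))),
    Policy("clinician-read-on-shift", "permit",
           applies=_is_record_read,
           condition=lambda r: r["subject"].get("role") == "clinician"
           and bool(r["environment"].get("on_shift", False))),
]


def make_request(subject: Dict[str, Any], action: str, resource: Dict[str, Any],
                 environment: Dict[str, Any]) -> Request:
    return {"subject": subject, "action": {"name": action},
            "resource": resource, "environment": environment}


# Constructed sample requests and timestamps used by the demonstration below.
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
T_AFTER_TTL = T0 + timedelta(minutes=10)
RECORD = {"type": "record", "owner": "p-42"}
SAMPLE_REQUESTS: Dict[str, Request] = {
    "owner_managed": make_request({"id": "p-42"}, "read", RECORD, {"device_managed": True}),
    "owner_unmanaged": make_request({"id": "p-42"}, "read", RECORD, {"device_managed": False}),
    "clinician_on_shift": make_request({"id": "c-7", "role": "clinician"}, "read", RECORD, {"on_shift": True}),
    "clinician_flagged": make_request({"id": "c-9", "role": "clinician", "under_investigation": True},
                                      "read", RECORD, {"on_shift": True}),
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        d = evaluate(POLICIES, req, T0)
        print(f"{label:20} -> {d.outcome:15} {d.policy or '-':28} expires={d.expires_at}")
```

The `not_applicable` outcome is returned deliberately so the caller can distinguish “no policy matched” from an explicit deny, which is useful for auditing; the enforcement point should still treat both as a refusal. The expiry on a permit is what makes the grant per-request rather than standing: a cached decision stops being honoured once `is_permitted` returns false and the request has to be evaluated again against the subject’s current attributes.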
Babak: Enterprises need to start thinking about use cases.
More specifically, they need to start looking at more advanced solutions to use cases instead of simple tools, which were not built for complex use cases.
This is how enterprises future-proof, because they are looking for a solution that can solve more complex problems than what they have today, since they don’t know what security problems they will face in the future.
It is better to go with a more powerful authorization solution now than to switch in the future.