The future of access management: Babak on the evolution of IAM
As I reflected on that conversation, I thought more about how our corporate journey has also reflected the maturation of the authorization market.
That brings us to today.
I believe we are at an exciting but potentially tenuous moment for authorization adoption.
There’s an opportunity for the coming decade to see exponential growth of mainstream adoption of attribute-based access control (ABAC) solutions, but I fear that as an industry we’re making some critical missteps.
The 2010s: IAM maturity and the rise of authentication
If you think about the last ten years or so, it’s really been about the maturation of the identity and access management (IAM) market.
Though IAM vendors existed long before this time, in the last ten years enterprises have truly embraced the need for IAM (and more specifically, federated identity management, identity governance and administration (IGA), and privileged access management (PAM) solutions) and the adoption of IAM standards including SAML, OAuth, and OpenID Connect.
These standards became critical for IAM adoption because they gave customers a clear, shared understanding of what these solutions should do and how they strengthen the overall enterprise security posture.
This market maturity also gave rise to the next iteration of an identity-first security stance: authentication. Authentication focuses on verifying that "you are who you say you are" at the time of the access request.
It has seen rapid growth in the last decade, with continued adoption and a push for advancement around strategies including multi-factor authentication and passwordless authentication.
The maturation of IAM and the rise of authentication have set the stage for the next decade to be about authorization.
This is a fact my friend and former colleague, David Brossard, illustrates in great detail in a recent interview. Well worth a listen.
The 2020s: The era of authorization
I firmly believe the next ten years can be about authorization, which is the next evolution of IAM.
But to see this vision realized, authorization vendors need to change some of what is currently going on in the market, which is sowing seeds of confusion among customers.
In particular, as an industry, we need to do three things:
1. Dynamic authorization is ABAC
You may have noticed the way in which experts talk about dynamic authorization varies greatly. Some refer to it as ABAC, while others discuss fine-grained access control (FGAC), policy-based access control (PBAC), or even relationship-based access control (ReBAC – a new one for me).
It’s no wonder customers are struggling to understand the concept of dynamic authorization.
Creating a new term so that you can ‘own’ it as a vendor can be a savvy move, however, it doesn’t work when every vendor in your space has done the same thing. In fact, it causes massive confusion, which can lead to distrust.
After all, if the industry itself can’t agree as to what authorization is, how are we going to demonstrate its value to customers?
No matter what you call it, dynamic authorization is about the model: writing policies or rules that are evaluated at request time against attributes of the subject, the object (the resource being accessed) and the environment, rather than against static role assignments.
Axiomatics uses the term ABAC because it is broad, and is a type of umbrella under which you can discuss specifics.
It enables organizations to specify policies (without resorting to artificial abstractions) using different attributes which can represent attributes of a user, of a resource the user tries to access, relations between users and resources, or of the environment, which refers to the context in which that access is requested.
2. Unite behind one standard
As I mentioned earlier, one of the ways in which the IAM market achieved broad adoption in the last decade was because the industry adopted standards that clearly defined what customers should expect from their IAM deployment.
I strongly believe we in authorization must do the same.
The good news is we do have such a standard – eXtensible Access Control Markup Language (XACML).
It has existed for a long time, creating the backbone for authorization. The Axiomatics team has long been involved in shaping and updating XACML as a standard, with my colleague, Erik, acting as editor of version three.
And look, I know there’s been a lot of discussion as to whether XACML is the standard for this moment or whether authorization needs to coalesce around something new.
But let me be clear: XACML has existed for this long because it was designed specifically for authorization and is a perfect fit to address the complex authorization requirements of organizations today, and especially for large, highly-regulated industries.
There are a few reasons supporting this assertion.
First, XACML includes hierarchical policies (rules grouped into policies, and policies into policy sets) that easily map to enterprise-scale requirements.
Second, the language is extensible, enabling one to express the specific requirements associated with various use cases.
Third, with XACML there is a clear separation between the policies and rules, the attribute values they reference, and the sources (policy information points) that must be consulted at evaluation time.
Lastly, XACML is deterministic: combining algorithms such as deny-overrides, permit-overrides and first-applicable define which policy's result wins when policies conflict, so the same request always yields the same decision.
Most, if not all of these critical capabilities are sorely absent in most alternatives.
Is XACML perfect?
Perhaps not, but it does give our industry a time-tested basis from which to start.
It gives us the critical components necessary to iterate as we see fit, adding layers that address current and future challenges.
It has a set of functions and features that are well designed for dynamic authorization based on the ABAC model.
However, XML is no longer the syntax people want to use (for various valid reasons), and for that reason we have developed and brought ALFA (Abbreviated Language For Authorizations) to market: a developer-friendly, less verbose domain-specific language for authorization that keeps all the useful features of XACML (it compiles down to XACML 3.0 policies) while supporting modern DevOps processes.
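The two points above, the ABAC model of section 1 (rules over subject, resource and environment attributes, including a relationship between subject and resource) and the XACML structure of section 2 (a hierarchy of policy sets, policies and rules with a combining algorithm at each level), are concrete enough to show in code. The evaluator below is an added example written for this page; it is not Axiomatics code, not ALFA, and not a XACML engine. The policy tree, attribute names (`owner`, `department`, `classification`, `hour`) and rule names are this example's own assumptions, and XACML's Indeterminate results and obligations are deliberately left out.

```python
"""Minimal ABAC policy evaluator in the XACML shape (added example, not Axiomatics code).

A request carries four bags of attributes (subject, resource, action, environment).
Rules are conditions over those attributes; policies and policy sets nest rules and
apply a combining algorithm so that conflicting results resolve deterministically.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Union

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Request = Dict[str, Dict[str, Any]]


def make_request(subject: Dict[str, Any], resource: Dict[str, Any],
                 action: str, environment: Dict[str, Any]) -> Request:
    """Group attributes into the four categories a XACML request uses."""
    return {"subject": subject, "resource": resource,
            "action": {"id": action}, "environment": environment}


@dataclass
class Rule:
    name: str
    effect: str                            # PERMIT or DENY
    condition: Callable[[Request], bool]   # evaluated against request attributes

    def evaluate(self, req: Request) -> str:
        try:
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except KeyError:
            # Missing attribute: this rule does not apply. Real XACML would return
            # Indeterminate and let the combining algorithm decide what that means.
            return NOT_APPLICABLE


# Combining algorithms: the part of XACML that makes conflicting policies deterministic.
def deny_overrides(results: List[str]) -> str:
    if DENY in results:
        return DENY
    return PERMIT if PERMIT in results else NOT_APPLICABLE


def permit_overrides(results: List[str]) -> str:
    if PERMIT in results:
        return PERMIT
    return DENY if DENY in results else NOT_APPLICABLE


def first_applicable(results: List[str]) -> str:
    return next((r for r in results if r != NOT_APPLICABLE), NOT_APPLICABLE)


@dataclass
class Policy:
    """A policy (children are rules) or a policy set (children are policies)."""
    name: str
    combine: Callable[[List[str]], str]
    children: List[Union["Policy", Rule]]
    target: Callable[[Request], bool] = lambda req: True  # which requests this node covers

    def evaluate(self, req: Request) -> str:
        if not self.target(req):
            return NOT_APPLICABLE
        return self.combine([child.evaluate(req) for child in self.children])


def build_policy() -> Policy:
    """Hypothetical enterprise policy tree; attribute and rule names are invented here."""
    records = Policy(
        name="medical-records",
        target=lambda r: r["resource"]["type"] == "record",
        combine=first_applicable,            # ordered rules, first match wins
        children=[
            # Relationship between subject and resource, expressed as an attribute.
            Rule("owner-reads-own-record", PERMIT,
                 lambda r: r["action"]["id"] == "read"
                 and r["subject"]["id"] == r["resource"]["owner"]),
            Rule("manager-in-same-department", PERMIT,
                 lambda r: r["subject"]["role"] == "manager"
                 and r["subject"]["department"] == r["resource"]["department"]),
            Rule("everyone-else", DENY, lambda r: True),
        ],
    )
    return Policy(
        name="enterprise",
        combine=deny_overrides,              # an enterprise-wide Deny beats any departmental Permit
        children=[
            Policy(name="global-restrictions", combine=deny_overrides, children=[
                # Environment attribute: restricted data only inside business hours.
                Rule("restricted-outside-hours", DENY,
                     lambda r: r["resource"]["classification"] == "restricted"
                     and not 8 <= r["environment"]["hour"] < 18),
            ]),
            records,
        ],
    )


def enforce(decision: str) -> bool:
    """Enforcement-point side: anything other than an explicit Permit is refused."""
    return decision == PERMIT


if __name__ == "__main__":
    policy = build_policy()
    alice = {"id": "alice", "role": "clinician", "department": "cardiology"}
    rec = {"type": "record", "owner": "alice", "department": "cardiology",
           "classification": "restricted"}
    for hour in (10, 22):
        print(hour, policy.evaluate(make_request(alice, rec, "read", {"hour": hour})))
```

The point the tree makes is the one in the text: the owner's Permit from the department policy survives at 10:00, but at 22:00 the enterprise-level deny-overrides algorithm lets the global Deny win, and a resource no policy targets comes back NotApplicable, which the enforcement point must treat as a refusal rather than a permit.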
3. It’s all about the outcome
What sometimes gets lost in the conversation around what we call authorization and how to implement an authorization solution is what should always matter most: the customer outcome.
After all, the driving force behind a purchase is the outcome a business wishes to achieve.
I fear our industry is making this overly complex, which doesn’t help as we sit in what is already a fairly complex part of security (IAM).
Think about it like car shopping.
When you want to purchase a car, you know what you need in the car – a reliable transportation device to get you where you want to go.
But every car model has a slightly different design, with some cars made for families, while others for those looking to drive at top speed.
What they all have in common, though, is that they achieve the same outcome for the buyer, providing a reliable way to get from “A” to “B”.
If while you were shopping at a car dealership the dealer started talking to you about specifics related to combustion engines or the mechanics behind a type of signal light, you’d be put off.
Similarly, when organizations purchase authorization solutions, they’re looking for technology that ensures the right user has the right access to the right resource/data.
That is the goal!
The way we describe how they get there, using FGAC, PBAC, etc., is beside the point and does nothing to enhance or validate the value and power of authorization solutions.
Focusing on the outcomes (rolling out a Zero Trust implementation, a customer identity and access management (CIAM) strategy, etc.) clarifies why authorization is essential and underscores the value it provides.
The table is set for this decade to be the one where authorization becomes mainstream, seeing adoption across a broad range of industries.
But if we continue to obfuscate its value and focus on feature differences as opposed to the outcomes we can achieve for our customers, we will lose the tenuous gains made from the decade past.