Entitlements, AuthZen, & authorization focus at industry events
Kelly & Dave dig into authorization discussion and workshops rising in popularity within the cybersecurity industry...and more!
Kelly O'Dwyer-Manuel & David Brossard
Wednesday, November 8th, 2023
Download mp3 · File size: 40 MB · Duration: 21:26
In this episode:
- The role entitlements plays in authorization and how enterprises can approach them.
- How the AuthZen working group at OpenID Foundation will focus on everything authorization.
- The increased presence of authorization as a topic and solution at industry events and conferences.
Kelly: Hey, and welcome back everyone. We are so excited to be back with this, which is, I think, the fourth episode of our podcast! And, per usual, we’ve got a ton to cover today!
I’m joined as always by the ever entertaining Mr. David Brossard. Hey, David, how are you?
David: Good morning. Good afternoon! Doing good, and you?
Kelly: I am hanging in there. So, we’ve got a bunch of stuff that we can cover today.
But I know it’s been a really busy month, I think, for everybody universally, but I think for you in particular. You’ve had some travel on your schedule, so I wanted to ask you a little bit about that, because it sounds like you’ve had some pretty interesting conversations in your journeys over the last few weeks.
David: Correct. I try not to travel anymore as much as I used to. Partly because we have a newborn and traveling with a, well, leaving the newborn at home is a little hard on the partner, but I did manage to sneak away for a whole week to go to IIW, the Internet Identity Workshop that takes place twice a year in beautiful Sunnyvale, California, just south of San Francisco. And I had the opportunity to go there with Mark Burke, one of my colleagues, to essentially meet a bunch of identity nerds, to put it plainly, and chat about everything, historically mainly identity, over there.
But what was interesting this time, and we’ll get into it later, is how much room there was for authorization this year.
Kelly: That is interesting. And I think, David, that feels very much reflective of the conferences we’ve certainly seen of late.
As we discussed in an earlier episode at Identiverse, authorization was definitely front and center at a few of the industry analyst conferences as well. It’s moved from kind of a sidetrack or more technical track conversation to some of the main stage discussions.
So, that’s really good. Was there anything in particular that stood out to you at the show? I know you got to talk ALFA a little bit, too, which is fantastic.
David: Yeah. So, lots of sessions on authorization, from OAuth-related authorization work, like rich authorization requests or things like User Managed Access, or UMA for short, to newer things happening like the Cedar policy language, like this whole idea that you can do access control lists at scale through Zanzibar and Zanzibar-like approaches, like a couple of new vendors as well that were hanging out over there.
But also, two initiatives really close to my heart. One is, it is now official, the AuthZen working group at OpenID Foundation, which will focus on everything authorization and going, you know, beyond the traditional identity frontier.
And the other one is: A few of us got together to try and create what might be the next generation conference for authorization, a little similar to what you have in the identity world with Authenticate, trying to emulate that and having an authorization-dedicated conference. Some call it, you know, four, three call or access permitted to call, something like that, but it should be fun. A group of people trying to put together material for a conference happening probably in 2024.
So these are the two initiatives really close to my heart.
Kelly: That’s fantastic. And I think you know, the time is definitely right for an authorization specific conference. I feel like that’s going to be very, very well received. Based on, you know, a lot of the conversations that we’re hearing and having, certainly.
But I wanna dive in a little more to AuthZen. So, tell us a little bit more about that. What’s the goal here? What are the next steps? Why is this exciting? And for you? And why are you taking part?
David: So, for sure, it’s an initiative that kind of timidly started in the summer of 2022 and didn’t really go anywhere. It was revived at Identiverse, and we had critical mass between Identiverse and essentially IIW. There’s about a dozen participants coming from far and wide. A lot of vendors, some standards folks, a couple of customers as well.
And also, you know, when I say vendors, vendors with radically different approaches, right? You’ve got the policy folks. You’ve got the access control folks. You’ve got the attribute folks. The graph folks. So a broad range of approaches, which makes it way more interesting.
And I think, I mean, the driver for AuthZen is quite simple. Two-fold:
Number one, there are more and more cyber attacks today, right? And all of them, nearly all of them, exploited identities. So, identity and authentication alone clearly is not enough to secure the environment. We need something else to mitigate those attacks.
So that’s kind of one of the things we’ve noticed, right? A lot of those attacks are successful because users are over-permissioned, over-provisioned, over-entitled. Kinda like a three-year-old, over-entitled, as a matter of fact, with the difference that the three-year-old wouldn’t maliciously try to steal data from someone else. But maybe a cookie, who knows? So that’s one aspect.
The other aspect is that within the realm of standards, there had been OASIS XACML (eXtensible Access Control Markup Language). It ran its course. It’s very mature, very well established. It still exists.
By the way, it’s not shut down or anything. I don’t think there’s any talk of shutting it down. However, SAML (Security Assertion Markup Language), the working group, was shut down, I think, a month ago. Because it had run its course, and it was done and mature. What we wanna do now is take the work that happened in other places.
Like the Cedar folks, like ALFA (Abbreviated Language for Authorization), and move that to the next wave of standardization.
And in particular, one thing that standards kind of failed to do in the world of authorization specifically is get software developers and SaaS developers and COTS companies on board.
So one of the main missions, if not the main mission, for AuthZen will be to get those folks involved earlier on. And that’s going to go through education, that’s going to go through design patterns, that’s going to go through interoperability, to make those developers, those SaaS vendors, those COTS vendors, adopt authorization.
And you know, the key word that we’ve been sort of saying in the office and working group is we want to have the OAuth moment. It’s this idea that, you know, ten, fifteen years ago, every single app did authentication its own way. Its user management its own way. It was a black box, and there was a database somewhere in the back end of your app that would store usernames and passwords, and that was pretty ugly.
And then suddenly, some will, at first more from a federation, single sign-on perspective. But then, later, OAuth and OpenID Connect came along and said, “You know, you shouldn’t be doing authentication on your own. You should really be delegating that.” How about you open up your app, connect to an IDP, a central IDP, and let the IDP, the identity provider, do its thing, the authentication piece.
We want to have that same moment, right? OAuth was successful because it defined clear patterns. Clear flows, clear interfaces to have that dialogue happen between the application and the identity provider. We need to do the exact same thing with authorization.
Kelly: I like that, David, and I think that’s certainly, you know, we know that’s where we need to go. I think one of the... and you spoke to education, which is what kind of made this next question dawn on me.
We know, though, there’s a gap. There’s a chasm almost between where you guys and the incredibly smart folks who are obviously living, breathing authorization, and talking in this working group, are, and where enterprises are living right now in terms of their maturity and their ability to even progress through, as you just mentioned, authentication.
So, what do we need to do to start closing that gap, to start getting people ready so that they’re at a place where they can start making these critical jumps to adopting authorization?
Because, to your point earlier, we know it has to happen. Identity is the number one threatened part of security. We need to do better. How do we get to a place where enterprises are ready to do better and adopt authorization?
David: Yeah, it’s a good question. I might even say it’s the one million dollar question.
I think, first and foremost, it’s education and awareness. Awareness that there is a solution.
The problem, maybe, with authorization is that it’s a much more diffuse problem than authentication. Authentication, you know, everyone more or less understands it. You present something that proves who you are. So, what, username and password today? You know, a passkey tomorrow.
But we understand that authentication is just that one protocol, if you will. Where you say, “Hey, I’m David, I can prove I’m David, and okay, done and dusted. I can go ahead and go do whatever it is I want to do with my app.”
And authorization is not as clear, right? It mixes identity concepts with application concepts with service concepts. It mixes responsibilities, too, because you have the identity folks within an enterprise that have to work hand in hand with the application folks or the API folks. So it’s not as clear cut.
That said, I’ve got some really good news! A lot of companies unbeknownst to them and to us, they’ve actually been doing authorization.
I mean, oftentimes I’ll talk to, you know, Fortune 500 businesses, and they’ll go, “Oh, you know what, we have had this initiative forever. We’ve actually built our own. We’ve grown our own, quote, policy decision point before we even knew it was called a policy decision point.”
So we’ve tackled that challenge.
I think it’s a matter of helping companies realize that they do have authorization challenges. I think they know that already, that they might actually have solved those authorization challenges in a good way. And now they can make it evolve and actually start using reusable blocks, start using, you know, either an open source framework or a vendor solution, to take the next step to mature their authorization stack, and then they can also share their experience and learn from others to make their authorization deployments better.
I think a lot of companies, even though they might not have bought a product or adopted a framework, are already doing some kind of authorization. So it’s just a matter of making that more visible, more standardized, more streamlined, and more secure.
Kelly: That makes sense. And I think, probably, highlighting some of the companies that have made that leap successfully, which is something I’m assuming, in theory, we could do at a new conference and at existing conferences, too, would likely help in terms of education, because it’s giving, right, those pragmatic steps, those pieces. Okay, here’s how we did this successfully. Here’s the barriers we faced. Here’s how we worked through them. Because there’s lots of education in terms of why you should implement authorization.
But it feels as though that’s another missing piece, right, of that overall education story is, hey, I did this correctly. Other companies, here’s how you can learn from what we did, which we don’t tend to see as much of, do we?
David: No, no. Right now, there’s relatively little publicly available sharing of authorization stories.
I think one of the more famous examples I can think of is Netflix presenting how they had tackled authorization at Netflix, you know, five, six years ago. Or Google sharing their experience with their own way of handling authorization for the entire family of Google Drive and YouTube and everything Google, right?
But apart from that, there are very few examples of companies having gone through the authorization journey and willing to share that experience. And so that’s what we aim to address.
And there’s other things, too, right, Kelly. You know, a first step of authorization might be: Let’s have something that decides for you an authorization engine, a policy decision point. But that’s kind of like the first step.
You know, there’s other aspects like governance of the authorization configuration, or access reviews of that authorization. How do you do that? Is that gonna stay a secret sauce of a vendor? Or is there a way we could standardize that, maybe to make it easier on customers? What are the expectations from the compliance teams? How do we meet those expectations?
We collectively, not we, specifically a vendor, that’s, you know, the next steps that you wanna take in authorization to make it better than just having an authorization engine.
And I think there’s also, you know, from an education standpoint, there’s things that we want to help people understand. You know, there’s the notion of user-driven authorization, and there’s the notion of enterprise-driven authorization.
So at Axiomatics, we tend to live in the world of enterprise-driven where the enterprise or the application owner or the business analysts own the requirements for authorization, dictating things like only managers can view documents in a certain department.
But the user-managed authorization, that I don’t tend to live and breathe every day. That’s what the likes of Eve Maler, with User Managed Access, has been trying to tackle. And it’s also a very fundamental part of authorization.
So bringing all of us under the umbrella of AuthZen, and under the umbrella of the authorization conference, is gonna help us exchange notes, exchange approaches. See how we can combine our work together to deliver a more comprehensive authorization approach. So, that’s something I’m really excited about!
Kelly: That is exciting. I think that’s gonna be a big step in moving overall awareness forward, but also moving our industry forward. So that’s great. And I look forward, you know, to being able to pick your brain in future episodes on how things are coming along.
I think the other piece, David, that I wanted to touch on that came to mind through that was in terms of where enterprises sit right now.
One thing that we know, and you talked about this a little bit earlier, was we still deal with very common problems, like over-provisioning and stretching of approaches that I think were well suited at the time they were created, but maybe are more of a band-aid now, when it comes to looking at access and looking at the cyber landscape as it exists. And one of those, I think, I mean RBAC. Obviously we’ve talked about that before.
But the other piece is around entitlements, and I know this is a discussion we’ve had internally, and one we’ve had with you. So, I wanted to talk a little bit about what you’re seeing around entitlements, and where some of the confusion lies.
David: That’s a very, very good question. So, historically, a lot of authorization is driven through permissions and entitlements, and an entitlement is something that you give a user, you, the administrator.
So, a relatively manual process. It’s something that happens at what I call birth time. It’s a birthright or an update, maybe, to your user persona within the enterprise. But it’s not something that happens when you’re trying to get access to something, right.
So, if you want to open up a financial record, by the time you’re actually opening the record, we already know what entitlements you have. It’s a very static approach to authorization. It’s also an approach that leads to an explosion of entitlements, because due to its static nature, you need more and more entitlements to be able to express the breadth of the application landscape, the data landscape within an enterprise.
The good thing is they’re pretty easy to assign. That’s actually relatively easy. It’s also a model that’s been very well understood over the years, because it’s what we’ve been doing since RBAC came along.
And even before, you know. So we go back to the nineties, right? When we started on the authorization journey with Axiomatics, back in 2006, you know, we were very much enterprise-driven, like I said, policy-driven, attribute-driven, to the point that we were saying, well, you know, you gotta get rid of your entitlements. We were not that extreme, but it was kind of the idea.
But lately, though we’ve been realizing that there’s there’s a good balance to achieve between entitlements and policy.
So, entitlements on the one hand, policy, enterprise-driven, on the other. Because sometimes there is no policy that dictates authorization. I, David, may want to share a document with you, Kelly, and there is no logic to it. I just want to share it with you. Maybe it’s a picture of a cute little cat. Or maybe it’s actually a document for this podcast that I need to share with you.
But there’s no rule, right? There’s no policy. So, I do need to have a means to share that with you. That would probably happen through an entitlement or an access control list, maybe Google style.
And so what we’re realizing little by little is that there’s value in combining the two models together, both the enterprise-driven and the user-driven, the discretionary access control, if you will. And combining those two models into the same framework would actually open up more possibilities in terms of defining authorization.
What we do want people to realize, though, is, as we have been preaching for many, many years, not everything is an entitlement, and there’s a good reason for that. If everything were, then we go back to the whole role explosion, title explosion.
But we also go back to challenges around audit, challenges around access review, challenges around governance, because we no longer remember why a certain person gave another person that entitlement. We don’t remember whether it’s still valid, whether it should be expired or deprovisioned.
So, if you can move as much of the arbitrary authorization to enterprise-driven, policy-driven authorization, all the better. But you also need to leave room for the arbitrary sharing, the Kelly and David example with that podcast document that I was mentioning earlier. So there’s a bit of both.
Kelly: That makes good sense. And I think, David, I’m looking at the time here. I think that’s all the time we have for today, which works because you’ve told me, two questions in a row, that I had really good questions.
So, I’m gonna retire on a high on this episode. But thank you again! It’s been fascinating listening to some of what’s going on. It is absolutely wild how quickly things are moving and how much we have to talk about each episode.
So thank you for your time and thoughtful commentary. And, thanks to everybody for listening! We deeply appreciate it!
David: My pleasure! Thank you, everyone! And if you want to jump on any of the bandwagons, either the OpenID one, the URL for the working group is OpenID dot net slash w g, as in working group, slash AuthZen, and that’s spelled a-u-t-h-z-e-n. Or, for Canadians, a-u-t-h-zed-e-n (https://openid.net/wg/authzen).
And with that, Kelly, if anyone has any questions, of course they’re always welcome to reach out to me! Thank you!
Kelly: Thanks all! And we will talk to you next time!