Is it time for an authorization revolution?
Hear why now is the time for authorization to become a “must-have” for organizations looking to up level their access control strategy.
Kelly O'Dwyer-Manuel & David Brossard
Tuesday, August 1st, 2023
Download mp3 · File size: 30 MB · Duration: 21:52
In this episode:
- What will it take for authorization to go mainstream…NOW
- How authorization can be the catalyst for good policy development, management, and enforcement
- How to wade through the noise around standards languages and figure out what works
Kelly: We’re talking the evolution and revolution of the authorization market, policy, OpenID Foundation initiatives, all that and more. Coming up on a jam-packed episode!
Kelly: Hello, hello! And welcome to Dynamically Speaking! We are here with my esteemed co-host David Brassard, the Chief Technology Officer here at Axiomatics. And I, of course, am Kelly O’Dwyer-Manuel, the VP of Brand and Communications for Axiomatics.
Hey, David! How’s it going?
David: Good morning! Doing pretty good. It’s nice and sunny out here in Vancouver.
Kelly: That in and of itself is a shock. So, for anybody who hasn’t visited the west coast of Canada, Vancouver is typically known as the rainier part of our fair nation. But but I digress. Glad to hear that, David.
So, why don’t we start here. I know that one of the things that’s been on your mind among many, many other things is Identiverse2023.
Now, granted it, we’ve had a little bit of time to digest all things that happened at the show.
But I know that in talking to you and passing there were a couple of things that really stood out to you. Specifically, as they related to the, I guess you could say reenergized excitement and almost evolution and revolution of authorization.
So, do you wanna tell me a little bit about that and what you took out of this year’s show?
David: Sure. Definitely. When we got to Identiverse back in June, 2023 in Vegas, we quickly realized there were three main buzzwords. The first one of course was A.I. (Artificial Intelligence). Everyone is talking about A.I. That was a given.
The second one in the realm of authentication was passwordless authentication, which is going to become a really, really huge thing, making authentication so much easier for everyone.
And then, the last and definitely not least for me, is authorization.
And I think, Kelly, partly it’s because authentication as a whole has become a whole lot more mature and companies are turning that page. This is not to say there’s nothing else to be done in ways of identity management or authentication. There’s, of course, things like strong auth that you have to handle, MFA (multi-factor authentication), so on so forth.
But finally, companies are finding time to dedicate to authorization. And that’s kind of the next wave, the next stage of your IAM maturity.
Kelly: I love that. And I know that there’s been lots of chatter around passwordless authentication and, and that’s certainly becoming, more mature.
But tell me a little bit about what we need to do to break through with authorization. Because we’ve heard this a lot.That authorization, the time is now it’s gonna be very exciting. This isn’t the first time we’ve heard that, but it feels a bit different this time. Why is that?
David: It’s probably a combination of things.
So firstly, the, the fact that companies have more time to dedicate to authorization and to tackle that challenge. But of course, also the fact that they do see it as a massive pain point. And that’s because there’s ever so much more data, so many more services, so many more endpoints, so many more users that want to get access to information, get access to services.
So, everything being digital, of course. And I don’t want to throw in a a buzzword but it’s quote digital transformation.
If you do transform your business to be a digital business and you are sharing sensitive data with your constituents, with your customers, with your users, your partners, your employees.
Well, what data are you going to share? And how, and under what circumstances? If you’re a medical company and you want to share medical records online, who gets access to them?
Is it just the patient? Is it also the insurance company? Is it also a partner hospital? Is it a a doctor requesting access because they need to treat the patient?
So, all these relate to authorization.
And so you need to have a good framework in place to be able to dictate who can access and who cannot access that information.
Kelly: That makes total sense. And now it also sounds like a lot of steps.
We know that in the past, one of the things that’s really been a challenge for organizations looking to implement authorization has been that they viewed it as very complex. What do we mean by authorization vendors, and, and there’s quite a few of us now, in fact.
What do we need to, to do to really break down those barriers and really move it from something that organizations know they need to do to something organizations feel confident that they can do.
David: That’s a really good question, Kelly. And there’s a few things.
First of all, the perceived complexity in my mind, I think comes from the fact that if you compare authentication and identity management, strictly speaking with authorization, identity management is a one-sided equation.
You deal with identities, you deal with identity attributes, you deal with authentication. It’s all about the who you are, and pretty much just that. There are a few bridges in authentication that will sort of stick a hand out to the authorization side of the world.
Now, authorization, on the other hand is a two sided equation where not only do you deal with the identity of the individual or the service, but also the identity of whatever it is is being accessed. The data, the service, the resource. And not just those identities, but also the the metadata or the attributes that revolve around those resources. So, suddenly you have to tie those two things together.
And what happens is in an identity world, you have an IAM team that is in charge of all identities.
So you, you might have an enterprise, an IAM team for enterprise identities and you might have a SIAM team for consumer identities. But they’re pretty much in the hands of these two teams, right?
With authorization, the other side of the equation is in the hands of application owners, business analysts, business owners. And so it makes the problem a little more diffused because you don’t have one single team in charge of authorization. But rather you have a, a whole host of, of teams that will want to implement authorization.
And if customers expect authorization to be as simple as simple as implementing authentication, no disrespect to authentication and its challenges, that’s perhaps why they perceive complexity. When in fact, if they’ve put a good framework and good processes into place of rolling out authorization, defining authorization requirements, on boarding applications, it doesn’t become any more complicated than getting your identity strategy and your identity framework.
Kelly: That makes good sense. So, something that we’ve heard a couple of times would be, if the last ten years were really about maturing authentication, the next ten years will be about maturing authorization. Does that ring true with you?
David: I think so. I hope so, definitely. And, and we do see, you know, Kelly, you were asking and I didn’t fully answer your first question. You were asking, you know, what vendors need to do.
If I look at the number of vendors that work in authorization and how that number has evolved over time at Identiverse, at Gartner conferences, in other places, that number has gone up, not only has it gone up. But also if you go ten years back, all the vendors kind of skin the cat the same way and rest assured listeners, we haven’t heard any cats in this podcast. At least not that I know of.
Now we get different companies with different approaches.
So, you know, at Axiomatics, we’re, we’re hard on to things like attribute-based access control, policy-driven authorization, standards based authorization, but there’s other companies, other startups that are looking at how graph can solve the authorization challenge. Or, maybe Google’s approach called Zanzibar, which is more around access control lists.
So there are different models that can actually complement themselves and just seeing that richness, that much richer ecosystem that we’re dealing with in authorization than what it used to be ten years ago.
That, to me, is a great indication that the next ten years are gonna be about maturing the processes, the models that we want to use for authorization where it’s applicable and, and not just, you know, models on the technical layer, but also models on a on a management layer.
If you will on the, in the case of Axiomatics the policy lifecycle, how you go all the way from simple plain old English requirements to implementing technical artifacts in your architecture and and rolling them out to your decision services or your policy decision points.
So there’s a lot of work that’s happening both in the standards communities but also in the vendor space. That to me is a, a great indication, a very healthy indication that authorization is headed for for pretty much the same place that authentication was headed ten years ago.
Kelly: That’s really exciting because we know, and, and I think, you know, David to your point, we saw ten, even five years ago, certainly the ballooning of the authentication market. There were lots of new vendors that were part puppy up startups, all of whom had a different way to kind of slice and dice, how you do authentication.
And you can see here that I have an eighteen year-old cat, so I can’t use the the skinning the cat version or you know, she’ll be, she’ll be really angry at me and you know, we don’t want that.
So it makes sense that we would see the authorization market mature the same way and, and that’s pretty exciting. And, and moreover, we also have, as you mentioned, some of the larger industry players coming in.
But what I wanted to, to pick your brain about a little bit is, you know, in, in when we talk about authorization models, when we talk about methods and standards, the the word that always comes up is policy.
And I know policy is never maybe the most exciting thing to talk about, but it is such a fundamental building block.
So I wondered if you had, if you could shed some light around how authorization can further mature an enterprise’s stance around policy development and, and maybe policy authoring and enforcement, and all of that kind of thing.
David: Absolutely. So, first of all, policy is not a new thing, right? It’s been around both outside of authorization forever.
The whole idea that you could write a policy that would dictate behavior of different tools you have in your IT infrastructure, be it, you know, authentication0related, be it, you know, firewall related be it, of course, in our case, authorization related.
If we look at the the formal standards, NIST (National Institute of Standards and Technology) formalized ABAC (attribute-based access control) back in 2013, if memory serves correctly. And in ABAC, they define a few things they define an architecture which of course predates NIST’s definition. So, you have the notion of PIP enforcement point, PDP decision point, administration point, so on and so forth. They define also a way to implement it through the use of a graph.
NIST recommends and next-generation access control. But they also nod to things like XACML (eXtensible Access Control Markup Language) will the oasis standard that, that dates all the way back to 2001, right? XACML and SAML (Security Assertion Markup Language) being siblings in a way. And XACML was very much a policy driven, a policy based standard.
And at Axiomatics, we took that a little further. In 2012 or 2013, we announced ALFA (Abbreviated Language For Authorization) which is a simplified version, a way, way simplified version, developer-friendly version of XACML.
And if you accelerate all the way to 2023, you have AWS (Amazon Web Services) coming up with Cedar which is another policy language. And in between I skipped of course Regal the policy language that open policy agent came up with. But also Polar Bios, which is another policy language.
So it’s great to see these different standards bodies like Oasis. And then these different vendors like an open policy agent or AWS with Cedar coming up with these new languages.
And what is really cool what I really, really like about policy and authorization but on not only is that you can map it pretty closely to the original plain old English requirements. Which makes it easier to implement your authorization to edit your authorization, to audit your authorization, to run access reviews, to do tests, to do the whole nine yards of authorization life cycle, if you will.
As an as an example, if I had a plain, old English policy that stated, say a GDPR-related policy that states customers have the right to delete their data, their personal data that a service has about them.
Well, implementing that in a technical artifact, be it ALFA or Cedar, is very easy because we can very quickly because we can do the mapping between the plain old English and the technical artifact ALFA or cedar.
That was a very long winded answer Kelly.
Kelly: Oh, it was good though. And as somebody that’s worked granted on the comms side of of identity for a long time and, and just for the authorization side for a couple of years, it’s been really interesting to see the emergence of all of these new standards.
I think where I was was wondering, you know, how do customers make sense though David of what and by customers? I mean, you know, broadly enterprises but also small organizations. How do they make sense of what is best for them because there are a lot of choices out there and, and granted NIST is pretty clear in terms of how attribute-based access control and policy are really laid out and that’s a good blueprint.
But how do you pick what to use? Is there? Do you pick one? Do you pick many? How do you navigate that? Because it, it seems like it’s really, it’s almost crowded now.
David: Yeah, it is. But I think each policy language or each approach has its benefits. I’m biased towards ALFA.
What I really like about ALFA is that it’s a constrained model that it won’t let you do everything and anything under the sun, but it’s powerful enough for you to implement all the authorization needs.
Cedar, the AWS language, they kind of took the same approach. I don’t like the syntax as much, personally, but I think it’s a matter of getting used to.
Open Policy Agent and Rigo, on the other hand, they decided to have a full-blown programming language that’s way more powerful at the expense of making it easy to understand, making it easy to edit, making it easy to roll out.
So it kind of depends on your audience if you will.
If you’re heavy, let let’s take the easy one. If you’re heavy on infrastructure related developers, DevOps and if you use say KTIS, then it might make sense to use Rigo an Open Policy Agent in those environments.
But if you’re developing say services, or APIs, or web applications, or even single page applications, and you’re dealing with more traditional developers, maybe a technical product owner, then it might make more sense to go down the path of ALFA because it’s an easier language to understand. It’s more constrained as well. If you are using AWS, then you might actually want to look at AWS’s native features.
All this being said though, Kelly, there is a trend that I’m starting to see in speaking to colleagues in speaking to competitors and speaking to analysts, which is that never mind the underlying language you use as long as you have the right processes in place, right?
The fact that you use Cedar or ALFA or Rigo, sure, whatever, it’s kind of like whether you speak Spanish or English or Canadian. You’ll still get your point across what really matters.
However is how you manage those artifacts, how you gather the requirements, how you trace them back to the policy that was implemented, how you keep track of how authorization was consumed as well.
One thing is writing the policy, the other is actually deciding based on the policy and then enforcing those decisions and keeping track of those decisions because that’s what matters at the end. Knowing what did happen or knowing what could have happened, that was prevented from happening because of policy.
So I do think, and that’s a theme actually that that popped up at Identiverse. Alex Simons from Microsoft was saying that you never mind the language.
Maybe what we need is a, a translator between languages to then have a common control plane, a common management pain where you can actually manage your policies as as if they were one single language. Yet, you would translate to target different environments to target different places where you want the policies to run.
Kelly: Wow, that that certainly would be, would be really powerful.
So I know, you know, we’re, we’re starting to get short on time here, but we have, we’re running quickly through, gosh, the, the halfway point in, in 2023.
What would you say for, for our subscribers and listeners, what would you say are the things that we should be on the lookout for in terms of big authorization movements and moments through the end of this year. What would you like to see, is maybe is a better question?
David: So, two things I would want to tell our customers number one, don’t overthink it. It’s actually really simple.
If you’ve been used to doing things like role engineering and role-based access control (RBAC)-related technical things, forget those. I mean, RBAC is important. You still need RBAC.
I’m not saying to get rid of our back no far from it. But with a back with policies you can think in, in pretty much plain old English.
So a manager can view a document if this or that, right. It’s very simple. Keep it simple, right?
And then we’ll, we’ll help you translate that into the actual policy that you want to use.
It’s very, very easy. Don’t overthink it.
The second thing that you can look forward to is all the work that collectively we are doing.
And when I say collectively, I mean, the different vendors, the Axiomaticses, but also identity vendors like Ping Identity, not necessarily authorization vendors, but also customers getting together under the umbrella of the OpenID Foundation under more specific, typically, the umbrella of the policy charter, which is a new group that started about a year ago and that’s picked up steam a couple of months ago because we’re working on standardized interfaces for request and response.
So how to send an authorization request, how to get a response back.
We’re working on a standardized way to achieve policy management and policy distribution. And we’re looking at other aspects that we wanna wanna work on together collectively.
The point being that we want – we would love – authorization to go down the path of OAuth, the path of SAML.
And what I mean by that is when you look at applications out there, so homegrown apps or app frameworks or Cots or Sass, every single one of those today supports SAML supports, Oauth, supports OpenID connect. If you’re gonna go buy a SASS and if the a vendor tells you sorry, no, cannot externalize authentication. You would immediately move on to the next vendor.
David: Well, we want the same thing with authorization and that’s only gonna happen if we’ve actually cleanly clearly standardized those interfaces.
So, essentially in my mind, at least, and I, I’d have to go and talk with my colleagues in that group, but it’s taken what the best of what XACML won gave us in terms of interfaces and the best of what Open Policy Agent gave us in terms of interfaces and the best of what maybe some other vendors did in their own little corner and merging those, standardizing on one format, and taking that forward and helping non-authorization vendors adopt those standards, adopt those interfaces, to make it easier on everyone.
Kelly: Interesting. Excellent. Well, I think I’ve learned a ton from this, this particular episode and I hope everybody listening and subscribing has too!
Thank you again, David for always insightful and thoughtful conversation. Deeply appreciate that. And here’s hoping it remains sunny in Vancouver until the next time we’re we’re able to chat.
David: We do need a bit of rain though. Not wanting to be negative, but we do need a bit of rain.
Kelly: Yeah, as somebody who has a, a lawn that’s various shades of green and yellow, that tracks with me.
So thanks again, David. Thank you to all of you who took the time to listen. Deeply, appreciate it!
If you haven’t yet, please do remember to subscribe to our YouTube channel and subscribe to this podcast. And if you’re so inclined, roll on over to LinkedIn and give Axiomatics a follow. We’ll always be, be posting the latest and greatest information around authorization there.
So, thank you again and we’ll see you next time!
David: Thank you, everyone!
SUBSCRIBE AND NEVER MISS AN EPISODE: Join the converrsation on LinkedIn
Corporate Communications Manager