Styra, the team behind "Cloud Native Authorization" recently announced a few feature called "Styra Run". Their launch blog back in July described Run as being "a new holistic approach" to authorization. But that is trying to solve? Styra are behind the popular Open Policy Agent - a policy driven decision engine for authorization in cloud native environments. Whilst likely OPA is focused on the protection of infrastructure (think containerized ecosytems) it is also used for protecting APIs and custom applications. The developer-first angle sees a dedicated rule language and the storage of policy data in files. The OPA project on github has over 7000 stars.
In the last 3 years or so, we have seen huge interest in the need to improve authentication techniques, that deliver a passwordless MFA experience. What is stopping adoption?
Security starts when authentication ends. It's a line I have used a few times over the years as it is one I actually quite believe in. In an era where firewalls are derided as being pretty toothless in the fight against omnipresent complex cyber attacks - and the concept of trusted networks quite rightly become obsolete in the world of "zero trust" - it always seemed odd to me, to put such a large emphasis on stringent authentication services. Clearly authentication is hugely important don't misunderstand, but my point really was that authentication (even with a strong MFA component) becomes less relevant if a) it is not continuous and b) not part of a more holistic approach focused on the access control of services, data and APIs.
Trust within the identity world is a huge priority. Trust regarding the on-boarding and registration of external users via proofing (think assurance levels using identity validation and verification techniques) right through to creating trust labels for employees in order to monitor for malicious activity - that is either driven by external threat actors, insider threat or just unintentional bad user behaviour.

When on briefings and inquiry workshops there are often emerging themes that start to spring up repeatedly. Perhaps every few months, perhaps under different projects, using different terms and stories and perhaps from unexpected people or teams.

There has been one theme over the past 12 months or so that is difficult to ignore: not only how identity based security has left-shifted into the thinking of information leaders to being a first-class citizen in the technology arsenal, but how identity is moving into a new territory. The territory of autonomy.

A long read post investigating the evolution of decoupled authorization platforms - including use case and capability analysis and brief vendor review including Axiomatics, PlainID, Styra and Scaled Access.
To access this post, you must purchase Member Content.
This week saw the London edition of Infosec Europe - essentially a smaller version of the RSA Conference a few week ago in San Francisco. There were about 15,000 attendees and 300+ solution providers from a range of cyber and information security areas. Of course my primary interest was to get briefings and understand the viewpoint from an identity and access management perspective and see how far the tentacles of identity were now spreading into other orthogonal areas of security. It didn't disappoint and I had some thought provoking conversations...
An introduction to authorization startup Aserto.
What is driving the demand for new authorization models, software vendors and emerging authorization design patterns? This discusses previous failures of RBAC and XACML as well as modern architecture patterns such as identity centricity and the business mesh.

I recently ran another of my highly scientific industry polls - via LinkedIn to get a feel for this years spending patterns as they pertain to some emerging identity and access management technology areas. I have been tracking four emerging areas over the past 8 months or so, including Passwordless Authentication (where The Cyber Hut released a 61 page buyer guide last year), Cloud Identity/Infrastructure Entitlements Management, Decoupled Authorization and Identity Threat Detection and Response.

All four areas have had significant venture capitalist funding over the past 36 months and the use cases and capabilities of each have started to stabilise to a point where buy side procurement and integration is becoming consistent and vendors are identifying their competitive go to market narratives.

So my poll was essentially asking, which of these areas would a buy-side practitioner look to invest in during 2022?