Security starts when authentication ends. It is a line I have used many times over the years (in many bars) as it is one I actually quite believe in. In an era where firewalls are derided as being pretty toothless in the fight against omnipresent complex cyber attacks – and the concept of trusted networks quite rightly became obsolete in the world of “zero trust” – it always seemed odd to me to put such a large emphasis on stringent authentication services. Clearly authentication is hugely important, don’t misunderstand, but my point really was that authentication (even with a strong MFA component) becomes less relevant if a) it is not continuous and b) it is not part of a more holistic approach focused on the access control of services, data and APIs.
Alas, this is an article focused on authorization, not authentication. Authorization – what an identity can do, to something, where and when – is becoming “cool” again. Was it ever not cool? Well, perhaps it was more cool (and less popular) 10+ years ago, but authorization is certainly more mainstream than it was.
I did a brief article back in February 2022, taking a look at the venture capital flowing into the authorization space between 2019 and 2022. That saw vendors such as Authomize, PlainID and Styra dominate, taking about $150 million between them, with a second wave of newer startups such as Aserto, AuthZed, Cerbos and osohq taking up to $10 million each.
So Why Now?
I think there are several reasons that are creating the “perfect storm” with respect to the demand and interest in authorization technology. Firstly, not all “authorization” vendors are the same and not all are competitive. Authorization is a broad space, covering access request management, permission management and storage, externalised policy platforms as well as an array of enforcement tools and declarative languages. The world of IGA (identity governance and administration) is heading to a cloud-first world and in that world, policy and permissions management is having an overhaul too. Cloud identity and entitlements management (CIEM, pronounced “kim”) is also taking a look at permissioning systems, so there is a lot going on. And I haven’t included pure-play data security, privacy platforms or device access control in this either.
We are seeing innovation in many areas of the authorization life-cycle – I think driven by a few meta-trends:
- Authentication is “done” – I don’t mean actually, and many organisations are still wrangling with getting a consistent MFA deployment completed, let alone starting the journey to passwordless, but I mean conceptually it is well understood within the industry and the benefits are well documented. So what happens next in the security architecture? Access control! Once the “who” has been completed, the next question pops up: who should have access to what (where and when…).
- Homegrown solutions limit growth – Many larger enterprises have tackled access control directly, either via homegrown solutions, or solutions that are heavily embedded within protected resources, with hard-coded users, groups and permissions, making extensibility and change very difficult and costly. In the era of data sharing, the Open API economy and collaboration, antiquated access control is limiting business growth. CISOs and CIOs are now having to tackle authorization as a response to top-down business requirements. Basically the CEO wants it to be. Albeit they might not know it’s authorization that is making it so…
- PII management is a competitive advantage – In the consumer, customer and citizen facing world of identity, getting privacy wrong is not an option. Just ask the beauty chain Sephora. Not only are compliance initiatives such as the GDPR in Europe, CCPA in California and the CDR in Australia all promoting customer-first data control, getting PII protection right might actually be a huge competitive advantage. And getting it right needs concepts such as consent, storage and strong and flexible access control. Enter stage left: authorization.
In addition, there are also a fair few minor trends:
- Hybrid cloud – how to manage access to a range of distributed resources and applications?
- Infrastructure automation – how to manage access to infrastructure components such as container management platforms?
- Rapid app delivery – how to deliver mobile apps, micro-services and APIs with reusable access control components?
- Collaboration – data and working together make the world go round – how can that be handled in a safe and secure way?
Homegrown solutions and indeed many silo’d first-generation access management platforms are unlikely to be able to support new and emerging demands for modern access control.
So what is happening now and next? Well, the investment in authorization by both the enterprise buy-side and the venture capitalist community will continue. The VC folks like to distribute investment as part of a broad campaign, and even those who are specifically identity or cyber security focused would like complementary technology that fits nicely against authentication, threat detection and network security players.
The enterprise requirements are clearly evolving, but there are some clear capabilities that are needed for the modern authorization panacea. We should think about the need to externalise authorization from the protected systems, have a centralised way of creating policy, have a way to store and distribute permission data, allow application and business owners into the policy creation and permission management process, provide a range of options to protect APIs, data and web systems, and somehow do all that in a cloud-native way that is easily integrated against the backdrop of other identity and cyber data systems.
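One concrete shape for the externalised model described above, as an added illustration that is not from the original article or any vendor named in it: the application’s enforcement point carries no hard-coded users, groups or permissions and instead asks a separate decision function whose policies are data (including the “where” and “when”), so the same request can be re-evaluated continuously as context changes. The policy contents, roles and resource names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample policy data. In a real deployment this comes from a
# central policy store and is distributed to each decision point.
POLICIES = [
    {"id": "analyst-read-eu-hours", "roles": {"analyst"}, "actions": {"read"},
     "resources": {"customer-pii"}, "regions": {"EU"}, "hours": (time(8), time(18))},
    {"id": "admin-any-time", "roles": {"admin"}, "actions": {"read", "write"},
     "resources": {"customer-pii"}, "regions": {"EU", "US"},
     "hours": (time(0), time(23, 59, 59))},
]

@dataclass
class Request:
    subject: str      # who
    roles: set        # what they are (from the identity provider, not hard-coded here)
    action: str       # what they want to do
    resource: str     # to what
    region: str       # where the request originates
    at: datetime      # when

def decide(req, policies=POLICIES):
    """Policy decision point: deny by default; allow only if one policy
    matches every attribute, including the where/when context."""
    for p in policies:
        start, end = p["hours"]
        if (req.roles & p["roles"]
                and req.action in p["actions"]
                and req.resource in p["resources"]
                and req.region in p["regions"]
                and start <= req.at.time() <= end):
            return "allow", p["id"]
    return "deny", None

def fetch_customer_record(req):
    """Policy enforcement point inside the application. It knows nothing about
    users or roles; it only asks the decision point and acts on the answer."""
    decision, policy_id = decide(req)
    if decision != "allow":
        raise PermissionError(f"{req.subject} denied {req.action} on {req.resource}")
    return {"customer": "c-123", "granted_by": policy_id}

if __name__ == "__main__":
    morning = Request("alice", {"analyst"}, "read", "customer-pii", "EU",
                      datetime(2022, 6, 1, 10, 0))
    print(decide(morning))                                    # allow during office hours
    evening = Request("alice", {"analyst"}, "read", "customer-pii", "EU",
                      datetime(2022, 6, 1, 20, 0))
    print(decide(evening))                                    # same identity, re-evaluated: deny
```

Because the decision is a pure function of the request and the policy data, the application can call it on every access rather than once at login, which is the “continuous” property the introduction asks for.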
Sounds simple right?!
It is an area we are tracking in detail as it all emerges. Take a look at our other content in the authorization space.
About The Author
Simon Moffatt is Founder & Analyst at The Cyber Hut. He is a published author with over 20 years’ experience within the cyber security and identity and access management sectors. His most recent book, “Consumer Identity & Access Management: Design Fundamentals”, is available on Amazon. He has a Post Graduate Diploma in Information Security, is a Fellow of the Chartered Institute of Information Security and is a CISSP, CCSP, CEH and CISA. His 2022 research diary focuses upon “Next Generation Authorization Technology” and “Identity for The Hybrid Cloud”.