Authorization – the old chestnut often associated with role-based access control – is seemingly making a cool-kid comeback. Well, RBAC is like SAML and passwords – seemingly dead, yet still going strong at the same time. Very smart. I was lucky (?) enough to have been in the RBAC space the first time ’round in 2007 when I worked at Vaau – which was later acquired by Sun Microsystems and became known as Sun Role Manager. RBAC was (and is) tough: creating roles via mining, versioning and certifying them, managing periodic access reviews, and all the associated provisioning. Tough stuff.
In addition, we also had access management systems that turned RBAC and provisioning material into access control (or authorization) policies. These policies helped to externalise access control from systems and applications into a centralised control plane (albeit these old dog access management systems didn’t use that cool term) where they would be called upon to decide who could do what and when. We then had things like policy agents (or PEPs) and APIs that could be called to work out whether access should be given to a calling operation – aka working out whether the subject, object and action combo was OK. Or perhaps working out what objects and actions a subject could access.
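The two questions described above (is this subject/object/action combination allowed, and what can this subject reach at all) map onto two calls of a policy decision point, with a policy enforcement point sitting in front of the protected operation. The following is an added illustration, not code from The Cyber Hut or from any of the products mentioned on this page; the roles, users and resources are constructed, and the role hierarchy is a simplification of what a product like Sun Role Manager would manage.

```python
"""Minimal externalised authorization: a policy decision point (PDP) that
answers subject/object/action questions from RBAC data, and a policy
enforcement point (PEP) that consults it before running an operation.
Constructed example; every user, role and resource below is made up."""
from dataclasses import dataclass, field
from functools import wraps


@dataclass(frozen=True)
class Permission:
    obj: str      # object (resource) name, or '*' for any object
    action: str   # action name, or '*' for any action

    def matches(self, obj, action):
        return self.obj in ("*", obj) and self.action in ("*", action)


@dataclass
class Policy:
    grants: dict = field(default_factory=dict)       # role -> [Permission]
    parents: dict = field(default_factory=dict)      # role -> roles it inherits
    assignments: dict = field(default_factory=dict)  # subject -> assigned roles

    def effective_roles(self, subject):
        """Expand assigned roles through the hierarchy (cycle-safe)."""
        seen, stack = set(), list(self.assignments.get(subject, ()))
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self.parents.get(role, ()))
        return seen

    def decide(self, subject, obj, action):
        """PDP question 1: is this subject/object/action combination OK?
        Deny by default; allow only if some effective role grants it."""
        return any(
            perm.matches(obj, action)
            for role in self.effective_roles(subject)
            for perm in self.grants.get(role, ())
        )

    def entitlements(self, subject):
        """PDP question 2: which objects and actions can this subject reach?"""
        return {
            (perm.obj, perm.action)
            for role in self.effective_roles(subject)
            for perm in self.grants.get(role, ())
        }


def enforce(pdp, obj, action):
    """PEP: decorator that asks the PDP before the wrapped operation runs.
    The decorated function takes the calling subject as its first argument."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(subject, *args, **kwargs):
            if not pdp.decide(subject, obj, action):
                raise PermissionError(f"{subject} may not {action} {obj}")
            return fn(subject, *args, **kwargs)
        return wrapper
    return decorator


# Constructed policy: clerks inherit viewer, finance-admins inherit clerk.
POLICY = Policy(
    grants={
        "viewer": [Permission("invoice", "read")],
        "clerk": [Permission("invoice", "create")],
        "finance-admin": [Permission("invoice", "*"), Permission("ledger", "read")],
    },
    parents={"clerk": ["viewer"], "finance-admin": ["clerk"]},
    assignments={"alice": ["finance-admin"], "bob": ["viewer"], "mallory": []},
)


@enforce(POLICY, "invoice", "create")
def create_invoice(subject, amount):
    """Business logic, unaware of how the access decision was reached."""
    return {"owner": subject, "amount": amount}


def attempt(fn, subject, *args):
    """Run a PEP-guarded call and report the outcome instead of raising."""
    try:
        return ("allowed", fn(subject, *args))
    except PermissionError as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    print(attempt(create_invoice, "alice", 120))   # allowed via finance-admin -> clerk
    print(attempt(create_invoice, "bob", 5))       # denied: viewer only reads
    print(sorted(POLICY.entitlements("alice")))
```

The point of the split is that `create_invoice` contains no authorization logic at all: the PEP asks the PDP, and the PDP answers from data that a provisioning or role-management system owns. Changing who may create invoices is a change to `assignments` or `grants`, not a code change in the application.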
So, Where Is Authorization in 2021?
Well, there are enough interesting moves to make a Next Generation Authorization Buyer’s Guide worthwhile (ETA January 2022). Firstly, there are a few example meta-patterns that seem to be occurring:
- Cloud and Hybrid Cloud infrastructure is driving a need for interoperable permissions management
- High scale micro-services and IoT environments are driving a need for distributed enforcement
- Digital transformation powered by consumer identity is driving a need for vast permissions databases
- Media and eCommerce systems are driving a need for huge throughput of access control decisions
- The connectivity of previously isolated systems (ICS, embedded, automotive, aviation, energy, military) is driving a need for declarative and lightweight access control languages
Secondly we have seen a fair few rounds of venture capitalist funding over the last three years or so for those trying to tackle some authorization and associated use cases:
| Announcement Date | Amount (Crunchbase Link) | Vendor |
|---|---|---|
| October 2021 | $1.8 million | Opal |
| June 2021 | $5.1 million | Aserto |
| May 2021 | $40 million | Styra |
| May 2021 | $16 million | Authomize |
| April 2021 | $3.9 million | AuthZed |
| March 2021 | $8.2 million | Oso |
| Dec 2020 | $8 million | PlainId |
| August 2020 | $13 million | Cloudentity |
So What Is Next?
Certainly authorization is a lot harder than authentication. Authentication is the pinch point for application and service access: you register once, but then log in thousands of times – which has driven a huge need for secure yet usable authentication sub-systems, either based on biometrics or some other passwordless method – see The Cyber Hut Buyer’s Guide for Passwordless Authentication for more information on that topic.
However, authentication, even if decoupled from the downstream systems, can be quite modular and abstract in how it is implemented.
Authorization has a three-fold integration – one for enforcement (be it programmatic or externalised), secondly for business logic and thirdly for permissions management and governance. All three are complex sub-systems with quite different business requirements and success metrics.
The market for authorization is likely considerably smaller than that for authentication; however, trends such as zero trust, continuous security and high-scale event processing (think micro-services and IoT) may well drive that demand up considerably.
The Cyber Hut are going to be analysing this area further in 2021, in the form of vendor assessments and a buyer’s guide. Contact us for further information or if you wish to provide a vendor briefing.
About The Author
Simon Moffatt is Founder & Analyst at The Cyber Hut. He is a published author with over 20 years’ experience within the cyber and identity and access management sectors. His most recent book, “Consumer Identity & Access Management: Design Fundamentals”, is available on Amazon. He is a CISSP, CCSP, CEH and CISA. He is also a part-time postgraduate on the GCHQ-certified MSc. Information Security at Royal Holloway University, UK. His 2021 research diary focuses upon “How To Kill The Password”, “Next Generation Authorization Technology” and “How IAM Countermeasures Can Defend Against Cyberwar”. For further information see here.