Zero Trust, Cloud Adoption Drive Demand for AuthorizationCracking the Complexity of Authorization; Use Cases and Road Map
With zero trust, cloud and hybrid cloud infrastructures at the top of security practitioners' road maps for 2022 and beyond, there has been rapid growth in interest around authorization-related initiatives.
For a long time now, identity security has not been utilized well - at least on the authorization side, says Jeremy Grant, managing director at Washington-based law firm Venable. "There has been an assumption that once you are inside the wall, you can basically go and see anything. There has been no fine-grained authorization. This is a foundational piece one needs to get in place to build on some other controls."
Experts tell ISMG about the problems with authorization, how it is being approached now, and the market growth in this space.
The Problems with Authorization
The lack of maturity in the authorization space has long been seen as a problem, says Grant.
"The industry has seen a lot of progress made in the space of authentication, but authorization somehow has missed the bus. The primary reason is that it is a complex problem to solve and traditionally vendors have not looked into this space with great enthusiasm," he says.
Authorization is currently at the stage where authentication was 10 years ago, other experts say - it has high complexity in management and control but no consistent standard for usage.
The main challenge in authorization is enforcement, as it is highly dependent on the technology stack, says Gal Helemski, CTO at Israel's PlainID, an identity platform. "The way AWS manages and enforces authorization is very much different from your typical Java app. Also, a lot depends on the microservices infrastructure you choose to use," Helemski says. "Unlike authentication, where there are well-defined standards, there are none for authorization. There are open-source solutions that are starting to address this issue to some degree."
For authorization to work properly, it needs to be centralized, says Steve Hutchinson, vice president of modern infrastructure and security architecture at Japanese financial services company MUFG.
"Centralization will ensure that a business's governing policies are being implemented and enforced uniformly. This will also allow developers to focus on delivering business functionality without the burden of having to understand and build their own authorization structure within their systems," he adds.
But in reality, a centralized system is tough to implement in an enterprise. Hutchinson says he faces challenges in finding the right level of abstraction where policy is enforced and in designing services that can be easily consumed by development teams.
"While a fine-grained authorization model becomes more specific and valuable for detailed functions, it becomes harder to maintain as the rule set expands to cover an ever-growing collection of diverse functions," Hutchinson says.
"Conversely, a high-level authorization model simplifies the platform as it maintains a smaller collection of coarse-grained functions. But that platform also provides only minimal benefit to the organization as developers must continue to embed code in their systems to handle specific authorization requests, which perpetuates the problem of inconsistent enforcement. The difficult art is to find the middle ground."
The Cloud Problem
These challenges are magnified in a cloud environment.
"In the cloud, the granularity, volume and ephemeral nature of the workload may exceed what traditional authorization systems can handle," says Homan Farahmand, vice president and analyst at research firm Gartner. "The gap in traditional authorization practices and capabilities further widens as the pace of digitalization and migration to the cloud computing model accelerates."
Hutchinson advises enterprises to leverage a model that combines traditional coarse-grained role-based access rules, or RBAC, with a collection of finer-grained attributes-based access rules, or ABAC, that can describe not only the consumer of a service but also the data, system, environment and function.
"While traditional RBAC models are easier for developers and auditors to understand, they usually result in role explosion as the system struggles to provide finer-grained authorization. ABAC addresses that fine-grained need but sacrifices both management and understanding as the vast array of elements necessary for such a system makes organizing the data extremely complex," says Hutchinson.
He adds: "A complex policy rule might say: 'A customer's transactional data can only be viewed via a secure device at a bank branch by an accredited teller who is from the same country of origin as the customer.' Instead of creating a plethora of new roles to cover all of the different possible combinations, I can use the teller role while also checking attributes that will provide device profile, location, accreditation status and country of origin.
"You can see how this allows organizations to create policy rules that more closely align to regulatory and audit standards while also simplifying their consumption by development teams."
Future access control requirements need to be considered as an enterprise must know how its own application landscape will change or how it will engage with users from inside and outside its network, says Simon Moffatt, industry analyst at The Cyber Hut, an advisory firm.
Authorization tools are made of many interdependent components that query policy data and make an algorithmic authorization decision. "That is why it is important to define multiple authorization architecture patterns to simplify the design process and ongoing management of authorization components and metadata, Farahmand says.
He also suggests that companies architect modern runtime authorization controls. Runtime authorization is a key cyber defense control that enables zero trust access. Companies can architect the controls by "identifying and remediating policy management and policy enforcement control gaps by using the runtime authorization functional framework and access patterns," Farahmand says.
The Driving Factors
A recently released report by PlainID shows that authorization is a rising priority in identity and access management.
While 2021's IAM-related cybersecurity priority was strong authentication, 2022's focus has shifted to authorization-related initiatives, such as runtime access, API access control and policy-based access control. The research was conducted across IT and security professionals throughout North America and the U.K.
In the past couple of years, there has been tremendous growth in the sector, especially since the National Institute of Standards and Technology published SP 800-207, which discusses zero trust architecture. This growth is expected to continue as more companies struggle to modernize their authorization systems to adopt new models such as zero trust.
"While the definition of zero trust varies widely across the industry, most agree that every device, user and network flow is authenticated and authorized, and policies must be dynamic and calculated from as many sources of data as possible," Hutchinson says. "Neither of those goals are possible without the implementation of a robust authorization platform that leverages the attributes in the creation of its governing policies."
Other driving factors include:
- Modernization of the technology stack: Organizations now understand that they need to have better solutions to manage and control authorization, and the issue must not be left to developers. Authorization should be a ready-to-use service, just like authentication.
- Advanced data access controls: Accomplishing data collaboration, while still maintaining a high level of security, can be achieved with dynamic and fine-grained authorization control.
Growth in Authorization
With the move to the cloud and increasing modernization, organizations are looking to adopt ready-to-use authorization solutions, says Gerry Gebel, head of standards at Strata Identity, a U.S. identity orchestration firm. Gebel tells ISMG: "We can see numerous open-source projects, startups and mature companies entering the space, all with authorization objectives in mind."
Over the past 36 months, companies in the authorization space - including cloud-based access request and relationship management, decoupled authorization platforms, and declarative control and distributed enforcement - have raised funding worth nearly $200 million, as Crunchbase shows. Although U.S. cybersecurity advisory company Momentum Cyber does not track the authorization space specifically, it nonetheless offers a glimpse into the identity and access management financing rounds: There were 89 deals in 2020, 110 in 2021, and 22 in the first quarter of 2022.
Mergers and acquisitions in the sector have also been significant. A separate Momentum Cyber report shows there were 18 identity and access management M&A deals in 2020, 21 in 2021, and nine so far in the first quarter of 2022. "Within the privileged access management space, there have been eight M&A deals since 2020, including one already in 2022," says John Gould, research associate at Momentum Cyber.
Traditional access governance players, such as SailPoint, Saviynt and Omada, as well as identity platforms, such as Microsoft Azure, Okta and Ping Identity, have incorporated dynamic authorization engines and contextual authentication functions into their flagship products. This provides an opportunity for practitioners to begin development without the need to purchase and learn new systems.
Other important acquisitions in this space since 2020 include:
- Centrify's acquisition of Thycotic for $1.4 billion;
- TPG's acquisition of Centrify for $900 million;
- Microsoft's acquisition of CloudKnox for $200 million;
- Imprivata's acquisitions of SecureLink and XTON for an undisclosed amount.