Last Updated: 01 July 2022
Document Tag: tch-research-next-gen-authz
Author: simonm@thecyberhut.com
Part of Research Product: Next Generation Authorization Technology

Summary

This paper looks at the emerging pattern of decoupled authorization, where authorization capabilities are externalized from the asset being protected and centralized from a control plane perspective, yet potentially distributed from an enforcement and data plane perspective.

Authorization is now infiltrating many areas of the modern enterprise, across B2E, B2C and B2B2X, while also attempting to satisfy demand from transformational drivers such as identity-first security, zero trust network design and data protection.

Authorization as Part of Access Management

Many access management (AM) systems had a set of basic authorization capabilities as part of their arsenal.  Vendors such as CA, IBM, ForgeRock and Ping Identity would provide policy management functions alongside authentication, single sign-on (SSO), federation and session management.  These early AM systems were heavily focused on workforce management, that is, the control of employees, contractors and some partners.

This control boundary is important because it meant the organizational access management system could be more tightly coupled to the assets under protection – which typically tended to be internal web systems, portals and applications.

These assets were accessed by workforce personnel, on networks controlled by the organization, from desktops controlled by the organization, at times and under constraints that the organization also decided by policy.

Asset protection was often accelerated through agents, gateways and, more latterly, native REST APIs and SDKs.  Agents – small software intercept and enforcement points – were often deployed via automation that was owned by infrastructure operations teams and managed via scripting and home grown tools.  Agents were typically platform and build version specific and required rollout, configuration and update functions to be performed against them.

An evolution of the agent model was the use of gateways – reverse proxies – typically in software but sometimes in appliance form, that intercepted network traffic and integrated with the access management component for some coarse grained access control decisioning.  This decision making process was linked to session validity, identity and persistent claims as well as some context – perhaps network source and destination address analysis.  More recent gateway approaches also included ingress and egress token and data translation.

Because the environment was closely coupled and controlled, the policy management aspect was relatively coarse grained, was focused on protecting assets of a known schema and complexity, and still required effort from an onboarding and ongoing operational maintenance perspective.

Some more complex assets were often never on-boarded onto the access management system for these reasons.

Authorization as a Homegrown Solution

Authorization also existed – and still does – outside of a centralized access management system.  This occurred for several reasons.  Firstly, not all organizations would have a centralized access management system in place.  Even if they did, the capabilities of that system may not have been sufficient to allow the externalization of the authorization control and enforcement logic into a centralized solution for the most complex of assets: those with customized authorization logic, permissions, actions and decision making processes.

Homegrown authorization tends to be tied closely within a single application or set of applications that help support a particular set of business processes and functions.  The complexity involved is likely to be associated with the types of actions being enforced and how those actions are performed by the end user.  The application is likely to need a combination of inbuilt rules and logic alongside external data in order to come to conclusions regarding subject access requests.  This external data is likely to include runtime authentication and session management information – typically a cookie or token and the validation processes associated with it.  In addition, more static permissions processing will also be needed – for example, communicating with external repositories that contain user profile data, groups and permissions.

The management of those repositories will be handled away from the application and perhaps be tightly integrated with the identity management and provisioning systems.

A cascading effect can also start to take place with homegrown or custom authorization.  The complexity involved often makes it difficult to migrate to a centralized commercial product.  This results in a homegrown solution continuing to exist beyond the realms of its initial design, which in turn makes it even more difficult and costly to migrate – whilst also being difficult to extend, adapt to new threats or fulfill future business requirements. 

Evolution to Decoupled Platforms

The limitations of existing access management systems, the increase in demand for authorization services from a range of existing and new assets, and a more distributed and challenging business environment have seen authorization become a first-class principle in the security landscape.  The decoupling of identity and access management in general has opened up new technology segments and allowed others to develop beyond their traditional platform or suite origins.

Authorization as a specialized set of components, for both control via policy design and enforcement for distributed assets, is now common.  The assets being protected are now more varied, including APIs, microservices, raw data objects, on-premises services and third party cloud applications.  The enforcement options are also now broader, more autonomous and self-regulating.  They can include inline interceptors, SDKs, microservice sidecars and gateways.

As the modern enterprise evolves into a complex set of integrated supply chains, federated services, third party SaaS applications and extended user communities, authorization enforcement needs to cater to a varied set of assets.  Not only are those assets going to be from different asset classes, but the assets themselves are likely to be deployed, operationally owned and managed by different parts of the business, third parties and even external parties.

The policy management aspect, which enforcement tooling will need to integrate with in order to provide access request decision support, will need to cater not only for a rich and diverse set of policy design capabilities but also for a broader community of users who will contribute information into the policy design process.  This user community will include line of business managers, application owners and those who intricately understand the related business tasks and workflows under protection.


Decoupled Platforms Capabilities

Policy Management

Capability | The Cyber Hut Comment
Ability to develop access control logic via policies that encompass subject, object and action logic. | Policy based access control allows the combination of subject to object access in reusable and manageable packages.
Ability for policies to be labelled, version controlled and reviewed for coverage and effectiveness. | Extended governance features may well be handled by specialist identity governance and administration tools.
Leverage DevOps capabilities and more programmatic ways to create, read, update and delete components within the policy ecosystem. | Policy-as-code and policy-as-data concepts may be applied here.

Policy Design

Capability | The Cyber Hut Comment
Ability to develop policy using wizards and user interface components in a no-code fashion. | The use of non-technical experts here is likely.
Ability for policy design to involve non-technical authorities, such as line of business and application owners. | This may be handled by separate user interfaces or via guided consultations.
Policies should be able to leverage both RBAC (role based access control) and ABAC (attribute based access control) as a means of expressing subject to object relations. | It is likely a mixture of the two will be common.

Integrations

Capability | The Cyber Hut Comment
Integrate with identity providers for the processing of runtime authentication and session data. | This could be via the consumption of assertions (SAML, OAuth2, OIDC) or via session querying capabilities.
Ability to integrate with other persistent data sources – policy information points – in standards based ways. | SQL, LDAP and SCIM based services are likely.
Ability to consume runtime context that can be used during access request evaluation. | Context is not tightly defined, but should likely include non-identity data such as device characteristics, network location, transaction history and threat intelligence data.

Enforcement

Capability | The Cyber Hut Comment
Provide an ability to protect a range of information assets. | Including but not limited to APIs, microservices, web applications and data objects.
Provide an SDK to accelerate enforcement and policy decision processes. |
Provide a service that can be queried at run time in order to return policy decisions. | This may well leverage existing tooling such as Open Policy Agent.
Provide an inline function that can intercept user access request traffic and provide enforcement. | Inline processing may also involve transformation of tokens and egress responses.
Provide a REST/JSON API that can be used to centrally query policy logic. | Two standard queries would include “what can this user do?” and “which users have access to this object?”
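The Python below is an added example, not code from the paper or from any vendor it covers, that ties the enforcement table together with the policy-as-data and RBAC/ABAC points made earlier: a small policy decision point driven by a JSON policy set, the JSON decision API a PEP would call at run time, and the two standard queries named in the last row. The policy format, attribute names, combining rule and request/response shape are assumptions; the PEP assumes the token claims it receives have already been validated by the identity provider integration.

```python
"""Decoupled authorization in miniature: a policy-as-data PDP, a PEP that calls
its JSON decision API, and the two standard queries. Added example only; the
policy format, attribute names and request/response shape are assumptions."""
import json

ACTIONS = ["read", "update", "export"]

# Constructed policy set mixing RBAC (role grants) with ABAC (attribute
# conditions over subject, resource and runtime context). As plain data it can
# be version-controlled and deployed through the same pipeline as code.
POLICIES = [
    {"id": "finance-read", "effect": "allow", "roles": ["finance"],
     "actions": ["read"], "resource_type": "invoice"},
    {"id": "owner-edit", "effect": "allow", "roles": ["*"],
     "actions": ["read", "update"], "resource_type": "invoice",
     "conditions": [{"attr": "subject.id", "equals_attr": "resource.owner"}]},
    {"id": "finance-export-corp-net", "effect": "allow", "roles": ["finance"],
     "actions": ["export"], "resource_type": "invoice",
     "conditions": [{"attr": "context.network", "equals": "corporate"}]},
    {"id": "no-contractor-export", "effect": "deny", "roles": ["contractor"],
     "actions": ["export"], "resource_type": "*"},
]


def _lookup(path, request):
    """Resolve a dotted attribute path such as 'resource.owner'; None if absent."""
    node = request
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def _condition_holds(cond, request):
    left = _lookup(cond["attr"], request)
    right = _lookup(cond["equals_attr"], request) if "equals_attr" in cond else cond["equals"]
    return left is not None and left == right      # missing attribute: fail closed

def _applies(policy, request):
    roles = set(request["subject"].get("roles", []))
    if "*" not in policy["roles"] and not roles & set(policy["roles"]):
        return False
    if request["action"] not in policy["actions"]:
        return False
    if policy["resource_type"] not in ("*", request["resource"].get("type")):
        return False
    return all(_condition_holds(c, request) for c in policy.get("conditions", []))

def decide(request, policies=POLICIES):
    """Deny-overrides combining: any matching deny wins; no match is a deny."""
    matched = [p for p in policies if _applies(p, request)]
    ids = [p["id"] for p in matched]
    if any(p["effect"] == "deny" for p in matched):
        return {"allow": False, "reason": "explicit deny", "policies": ids}
    if matched:
        return {"allow": True, "reason": "allow", "policies": ids}
    return {"allow": False, "reason": "no applicable policy", "policies": ids}

def decision_api(body):
    """The PDP's JSON endpoint: request document in, decision document out.
    Malformed requests are answered with a deny rather than an exception."""
    try:
        request = json.loads(body)
    except ValueError as exc:
        return json.dumps({"allow": False, "reason": f"bad request: {exc}"})
    required = ("subject", "action", "resource", "context")
    if (not isinstance(request, dict) or any(k not in request for k in required)
            or not all(isinstance(request[k], dict) for k in ("subject", "resource", "context"))):
        return json.dumps({"allow": False, "reason": "bad request: expected " + ", ".join(required)})
    return json.dumps(decide(request))

def pep_check(claims, action, resource, context):
    """Policy enforcement point. 'claims' are the validated claims of an
    IdP-issued token; signature and expiry checks are assumed to happen upstream."""
    body = json.dumps({"subject": {"id": claims["sub"], "roles": claims.get("roles", [])},
                       "action": action, "resource": resource, "context": context})
    return json.loads(decision_api(body))["allow"]

def what_can_subject_do(subject, resource, context, policies=POLICIES):
    """'What can this user do?': evaluate every known action for one subject and object."""
    return [a for a in ACTIONS if decide({"subject": subject, "action": a, "resource": resource,
                                          "context": context}, policies)["allow"]]

def who_can_access(resource, action, subjects, context, policies=POLICIES):
    """'Which users have access to this object?': a PDP cannot answer this alone;
    a PIP must supply the candidate subjects, which are then evaluated one by one."""
    return [s["id"] for s in subjects if decide({"subject": s, "action": action, "resource": resource,
                                                 "context": context}, policies)["allow"]]

# Constructed sample data.
ALICE = {"sub": "alice", "roles": ["finance"]}
BOB = {"sub": "bob", "roles": ["contractor", "finance"]}
INVOICE = {"type": "invoice", "id": "inv-42", "owner": "bob"}
CORP, HOME = {"network": "corporate"}, {"network": "home"}

if __name__ == "__main__":
    print(pep_check(ALICE, "export", INVOICE, HOME))  # False: export needs the corporate network
    print(pep_check(BOB, "export", INVOICE, CORP))    # False: contractor deny overrides finance allow
    print(what_can_subject_do({"id": "bob", "roles": BOB["roles"]}, INVOICE, CORP))  # ['read', 'update']
```

Two design points are worth noting. The combining rule is deny-overrides and the default is deny, so a policy set that is empty, mis-deployed or missing an attribute fails closed. And the second standard query ("which users have access?") cannot be answered by the PDP from the policy alone: a PIP has to enumerate candidate subjects, which is why vendors surface it as a separate reporting capability rather than a run time decision.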

Use Cases

Decoupled authorization is growing in demand due to a range of technical and business drivers.  Sample use cases for deploying a decoupled model are detailed below:

B2E / Workforce Enablement

Use Case | The Cyber Hut Comment
Externalization of access control from underlying applications | Either greenfield or via brownfield migrations using custom tools, playbooks and repeatable techniques
Protection of APIs via sidecars and microservices distributed away from a central decision point | Ability for the decision service to act independently is becoming more likely
Policy driven protection of assets such as SQL/NoSQL structured and unstructured data sources | Having an enforcement filter inline to read and process data requests and manipulate the response is common
B2B2X integrations for complex supply chains, partner ecosystems and hybrid working arrangements | E.g. gig-economy and federated partnerships where data sharing is a competitive advantage
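The third row above (policy driven protection of SQL data through an inline enforcement filter) is illustrated by the added Python below, which is not the paper's or any vendor's code. Rather than returning allow/deny per request, the policy is compiled into a parameterised WHERE clause that the data access layer appends to every query, so the database itself only returns rows the subject may see. The table, rows, policy representation and subject attributes are constructed assumptions.

```python
"""Data-plane enforcement for a SQL store: the policy is compiled into a row
filter that the data access layer appends to every query, so the database only
returns rows the subject may see. Added example; the table, rows, policy
representation and subject attributes are all constructed assumptions."""
import sqlite3

# Constructed schema and rows.
COLUMNS = ("id", "owner", "department", "amount", "classification")
ROWS = [
    ("inv-1", "alice", "finance", 100, "internal"),
    ("inv-2", "bob", "sales", 250, "internal"),
    ("inv-3", "carol", "finance", 9000, "restricted"),
    ("inv-4", "dave", "sales", 40, "public"),
]

# Row-level policy as data. A row is visible if ANY rule matches; a rule is a
# list of (column, operator, value source) clauses that must ALL hold. A value
# source is a literal or a subject attribute resolved at request time.
ROW_POLICY = [
    [("owner", "=", {"subject": "id"})],                        # your own rows
    [("department", "=", {"subject": "department"}),
     ("classification", "!=", {"literal": "restricted"})],      # your department, unless restricted
    [("classification", "=", {"literal": "public"})],           # everyone
]
ALLOWED_OPS = {"=", "!=", "<", "<=", ">", ">="}


def compile_filter(policy, subject, columns=COLUMNS):
    """Return (where_clause, params). Column names and operators are checked
    against allow-lists and every value is bound as a parameter, so neither the
    policy store nor subject attributes can inject SQL. A rule that needs a
    subject attribute the subject lacks is dropped (fail closed for that rule)."""
    disjuncts, params = [], []
    for rule in policy:
        clauses, rule_params = [], []
        for column, op, source in rule:
            if column not in columns or op not in ALLOWED_OPS:
                raise ValueError(f"policy uses unknown column or operator: {column} {op}")
            value = source["literal"] if "literal" in source else subject.get(source["subject"])
            if value is None:
                clauses = None
                break
            clauses.append(f"{column} {op} ?")
            rule_params.append(value)
        if clauses:
            disjuncts.append("(" + " AND ".join(clauses) + ")")
            params.extend(rule_params)
    if not disjuncts:
        return "0", []          # no rule can match: SQL false, zero rows
    return " OR ".join(disjuncts), params


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE invoices ({', '.join(COLUMNS)})")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn


def select_invoices(conn, subject, wanted=("id", "owner", "amount"),
                    app_filter="", app_params=(), policy=ROW_POLICY):
    """Data access layer acting as the PEP. 'app_filter' is the application's own
    parameterised predicate (e.g. 'amount > ?'); the policy filter is ANDed in on
    the server side, so the application cannot widen what it receives."""
    if any(c not in COLUMNS for c in wanted):
        raise ValueError("unknown column requested")
    where, params = compile_filter(policy, subject)
    sql = f"SELECT {', '.join(wanted)} FROM invoices WHERE ({where})"
    if app_filter:
        sql += f" AND ({app_filter})"
        params = params + list(app_params)
    return conn.execute(sql + " ORDER BY id", params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(select_invoices(db, {"id": "alice", "department": "finance"}))
    # [('inv-1', 'alice', 100), ('inv-4', 'dave', 40)]
    print(select_invoices(db, {"id": "carol", "department": "finance"},
                          app_filter="amount > ?", app_params=(50,)))
```

The same compile step can sit in a proxy in front of the database rather than in the application's data access layer; what matters for the decoupled model is that the filter is derived from centrally managed policy and applied before rows leave the store, not after the application has already fetched them.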

B2C / Consumer Engagement

Use Case | The Cyber Hut Comment
Protection of personally identifiable information for compliance and regulation reasons | Privacy also being seen as a competitive advantage
Capture, storage and revocation of consumer consent decisions as they pertain to data capture and sharing | The capture and storage of consent needs to be done in a tamper resistant way, with transparent auditing
Ability to protect more runtime/streaming and aggregated data from IoT and other constrained device sources | The integration of the generating device may not be relevant
Templating of policy controls against external standards such as PCI-DSS, GDPR, CCPA and others for security and privacy optimization | Accelerating the speed of application deployment

Cloud Native Infrastructure

Use Case | The Cyber Hut Comment
Storage of policy definitions in a standards based format to allow for ease of management | File based, with JSON or YAML common
Storage of policy definitions in a way that can allow version control and programmatic update and deployment | E.g. policy-as-code and policy-as-data paradigms stored in git or svn and updatable via automation
Protection of cloud infrastructure components and their configuration as first class assets | E.g. Kubernetes ecosystem management
Ability to leverage a cloud deployment control plane with distributed enforcement components |

Sample Vendors

Axiomatics

Key Facts

Web – https://www.axiomatics.com/
LinkedIn – https://www.linkedin.com/company/axiomatics/
Twitter – https://twitter.com/axiomatics
YouTube – https://www.youtube.com/user/axiomaticsab
Founded Date: 2006
Founders: Babak Sadighi, Erik Rissanen
No. of Employees: ~60
Total Funding: $6.5 million
Locations: Chicago US, Stockholm Sweden
In Their Own Words:
“Orchestrated Authorization is the future of authorization”
“It’s time for a modern approach to attribute-based access control (ABAC) that is at the center of a successful Zero Trust strategy, solving even the most complex access challenges.”

Strengths

  • Mature and long standing contribution to the authorization space, through support for XACML and ALFA
  • Flexibility in the policy modeling and design components
  • Ability to handle complex policy sets with both contextual and static data sources
  • Cloud native approach to decision services
  • Ability to leverage OPA as an emerging enforcement technology via their centralized management console
  • Ability to deliver decision and interception services for SQL data
  • Strong set of customer case studies across a range of different sectors

The Cyber Hut full vendor assessment for Axiomatics is available here.


PlainID

Key Facts

Web – https://www.plainid.com/
LinkedIn – https://www.linkedin.com/company/plainid/
Twitter – https://twitter.com/plainID_authZ
YouTube – https://www.youtube.com/channel/UCj-HHmt6HiDOGDcy-voyR_w
BrightTALK – https://www.brighttalk.com/channel/18611/
Founded Date: 2015
Founders: Gal Helemski, Oren Ohayon Harel
No. of Employees: ~70
Total Funding: $21 million
Locations: Tel Aviv – Israel, New York – USA
In Their Own Words: “Authorization Management Plain and Simple”

Strengths

  • A centralized administrative console that allows business leaders to describe their key outcomes
  • An array of enforcement solutions from microservices, web applications, portals and APIs
  • A complex set of capabilities in the B2B space for partners, supply chains and user communities requiring strong delegated administration
  • Ability to add value to existing IAM / IDP ecosystems by consuming identity information and decoupling the authorization decision making capabilities
  • Ability to leverage OPA as an emerging enforcement technology via their centralized management console

The Cyber Hut full vendor assessment for PlainID is available here.


Scaled Access (now part of OneWelcome)

Key Facts

Web – https://www.scaledaccess.com/
LinkedIn – https://www.linkedin.com/company/scaled-access/
Twitter – https://twitter.com/scaledaccess
YouTube – https://www.youtube.com/channel/UCiGrTpZa_JWYlx_sq4B9XJQ
Founded Date: 2009
Founders: Ward Duchamps
No. of Employees: ~20
Total Funding: EUR 3 million
Locations: Belgium
In Their Own Words: “#1 platform for advanced access management – The only solution that lets you authorize users to gain and grant access securely”

Strengths

  • A strong focus on relationship based access control backed by graph database technology that can be used to represent new and emerging authorization patterns
  • A standards based way (OpenID) of integrating with existing identity provider platforms in order to successfully externalise and decouple authorization functionality
  • A strong REST based API that allows for the configuration of policy data, user to asset relationships, consent management and authorization decision making capabilities
  • Detailed consent life cycle management understanding and support for a range of use cases including terms and conditions version changing and consent capture workflows

The Cyber Hut full vendor assessment for Scaled Access is available here.


Styra

Key Facts

Web – https://www.styra.com/
LinkedIn – https://www.linkedin.com/company/styra/
Twitter – https://twitter.com/styrainc
YouTube – https://www.youtube.com/channel/UC7qrGkXBjl1U3iVVFJWwEPg
Founded Date: 2015
Founders: Pierre Ettori, Teemu Koponen, Tim Hinrichs
No. of Employees: ~80
Total Funding: $54 million
Locations: HQ – San Francisco Bay Area
In Their Own Words: “Reinventing Policy and Authorization for Cloud-Native – Today’s cloud app infrastructure has evolved. Access, security, and compliance must also evolve. It’s time for a new paradigm. It’s time for authorization-as-code.”

Strengths

  • Strong developer focus, with documentation, training academy and adoption resources
  • Simple pricing model
  • DAS signup process is rapid for quick testing
  • Policy Packs will accelerate compliance initiatives across different parts of the enterprise
  • Strong features for cloud-native and microservices based environments
  • Cloud Entitlements service is innovative and tackles an emerging problem associated with hybrid cloud

The Cyber Hut full vendor assessment for Styra is available here.
