(This post was previously published on Heather’s blog, and has been updated based on the conversations it inspired.)
I have awesome friends
I have awesome friends who are willing to educate me when I ask questions like, “why is authorization such a big deal right now?” Because it is, you know, a big deal. The pandemic took the slow-but-steady growth of the importance of identity systems and catapulted it into the hearts and minds of governments and corporate board rooms everywhere. And making sure people can work and play remotely means being able to both let them authenticate AND make sure that, when they authenticate, they only have access to those services or actions they are supposed to – that’s what authorization is all about.
The Authentication vs. Authorization Pet Peeve
Let me start by saying that people who assume authentication and authorization are the same thing drive me crazy. Crazier. Whatever. In some cases, sure, considering these things as the same may be functionally true. If someone can jump through all the hoops to log into a system, then by default, they can access All The Things. This is a fairly common pattern in either extremely low-value transactions (what they are accessing doesn’t need particularly rigorous security) or, oddly enough, in extremely high-value transactions where the barrier to authentication is complicated. (I am definitely not saying that the latter one is a good idea, just that it’s unfortunately common.)
But in *all* cases, logically, they are two separate actions. Can the person authenticate; yes or no? If yes, do they have permission to do or see things; yes, no, or maybe? Yes, “maybe” is an option, but more on that in a bit.
Why is Authorization the Next Big Thing?
Authorization is not a new concept. It’s like the enforcement of the age-old adage of “just because you can do something, doesn’t mean you should.” So, let’s make sure to remove that little temptation and make sure you can’t. But what makes it such a big deal now? What makes it come up as a call to action at conferences like Identiverse? Why are analysts like Martin Kuppinger writing about it? What makes so many vendors in the identity space shout to the rooftops about their way of supporting authorization?
Great question. I wish I knew the answer. Some people tell me it’s because authentication is now a solved problem thanks to the existence of WebAuthn. Other people tell me it’s because vendors need a “next big thing” to sell their products. Maybe it’s the growth of Zero Trust Architecture, which takes the whole concept of authorization and makes EVERYTHING an authorization decision.
Beyond the gossip, I see organizations in every sector, from finance to education to commerce and more trying to figure out how to balance existing in an Internet-driven world with protecting everything from personal data to intellectual property. As it turns out, that balance is very hard to get right. The use case of government services offered online is very, very different from the use case of enterprises managing remote access for their employees.
Looking for the One True Way of Authorization
Alas, with every use case requiring its own balance of costs and risks, there is no One True Way to handle authorization. There’s a great article, “Introduction to Access Control,” in the IDPro Body of Knowledge by André Koot that introduces several of the popular forms of authorization models, including Access Control Lists (ACLs), Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and more. But determining which of those models is right for you and your organization is tricky!
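To make the separation of the two decisions concrete, and to show how the models named above (ACL, RBAC, ABAC) can answer the same request differently, here is an added example that is not from the original post or the IDPro Body of Knowledge. It authenticates a user first, then runs one request through a tiny ACL, a tiny RBAC table and a tiny ABAC policy; the ABAC policy also returns the "maybe" answer mentioned earlier, meaning access is permitted only after a step-up such as MFA. All users, roles, resources, policies and function names are constructed for this illustration.

```python
"""Authentication and authorization as two separate decisions (added example)."""
import hashlib
import hmac
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    MAYBE = "maybe"   # permitted only after step-up (e.g. MFA); not a final answer


# --- Authentication: "can the person prove who they are?" -------------------

_SALT = b"constructed-static-salt"   # constructed; real systems use a random per-user salt


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed user store: username -> (password hash, attributes used by authorization)
USERS = {
    "alice": (_hash_password("alice-pw"), {"roles": {"analyst"}, "dept": "finance"}),
    "bob":   (_hash_password("bob-pw"),   {"roles": {"viewer"},  "dept": "sales"}),
}
_DUMMY_HASH = _hash_password("")


def authenticate(username: str, password: str):
    """Return the user's attributes if the credentials check out, else None."""
    record = USERS.get(username)
    # Always hash and compare so unknown usernames take the same time as wrong passwords.
    stored_hash = record[0] if record else _DUMMY_HASH
    if record and hmac.compare_digest(stored_hash, _hash_password(password)):
        return record[1]
    return None


# --- Authorization: "given who they are, may they do this?" -----------------

# ACL: each resource lists which principals may perform which action.
ACL = {"ledger-2024": {"read": {"alice"}, "write": set()}}


def authorize_acl(username: str, action: str, resource: str) -> Decision:
    allowed = ACL.get(resource, {}).get(action, set())
    return Decision.ALLOW if username in allowed else Decision.DENY


# RBAC: permissions attach to roles; users carry roles.
ROLE_PERMISSIONS = {"analyst": {"read", "export"}, "viewer": {"read"}}


def authorize_rbac(attrs: dict, action: str) -> Decision:
    if any(action in ROLE_PERMISSIONS.get(role, set()) for role in attrs["roles"]):
        return Decision.ALLOW
    return Decision.DENY


# ABAC: a policy over attributes of subject, action, resource and request context.
RESOURCES = {"ledger-2024": {"dept": "finance", "sensitivity": "high"}}


def authorize_abac(attrs: dict, action: str, resource: str, context: dict) -> Decision:
    res = RESOURCES.get(resource)
    if res is None or attrs["dept"] != res["dept"]:
        return Decision.DENY                      # wrong department: never
    if not 9 <= context.get("hour", 0) < 18:
        return Decision.DENY                      # outside business hours: never
    if action == "export" and res["sensitivity"] == "high":
        # Sensitive export needs a session that completed MFA; otherwise the
        # answer is "maybe": come back after step-up authentication.
        return Decision.ALLOW if context.get("mfa_done") else Decision.MAYBE
    return Decision.ALLOW


def handle_request(username: str, password: str, action: str, resource: str, context: dict):
    """Authenticate first; only an authenticated principal reaches authorization."""
    attrs = authenticate(username, password)
    if attrs is None:
        return "unauthenticated"
    return {
        "acl": authorize_acl(username, action, resource),
        "rbac": authorize_rbac(attrs, action),
        "abac": authorize_abac(attrs, action, resource, context),
    }


if __name__ == "__main__":
    for user, pw, action in [("alice", "alice-pw", "read"), ("alice", "alice-pw", "export"),
                             ("bob", "bob-pw", "read"), ("bob", "wrong", "read")]:
        print(user, action, handle_request(user, pw, action, "ledger-2024", {"hour": 10}))
```

Run as a script, the three models disagree on the same requests: bob can "read" under RBAC (the viewer role has it) but is denied by the ACL (he is not listed) and by ABAC (wrong department), while alice's "export" is allowed by RBAC, denied by the ACL, and answered "maybe" by ABAC until MFA is completed. That disagreement is the practical reason the post says there is no One True Way: which answer is right depends on which facts your organization governs well enough to trust in a decision.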
There are a few questions that always apply when you start thinking about what’s right for your organization:
- Are you in a regulated environment, and/or are you maintaining (or looking to gain) a certification with an IT component? This will provide you with some clear requirements to get you started.
- How many systems need to collect their authorization from a central service? This will give you a sense of complexity and scale.
- Do you have a data governance process that ensures the data used in authorization decisions is correct? What about a policy governance process that regularly checks the rules that will be applied to authorization decisions? This will give you an understanding of how successful ongoing support for your authorization framework is going to be.
But Wait, There’s More!
Right now, authorization tends to happen in silos: different systems don’t know how to talk to each other, and different sectors have different requirements. Industry leaders (and vendors trying to sell things) are very much hoping for convergence in the space to make this less complicated, but we’re not there yet. Authorization in practice seems to largely mean “let’s make some cool graph API calls so we can query lots of systems at once!”
So, for people trying to figure out what’s “right,” I’m sorry. There are no answers for you. For people trying to figure out where to focus to keep up with all the conversations, I hope you’re committed to some work. You’re going to have to do a lot of reading on LinkedIn, follow several analysts, look at press releases from a few of the major vendors, and attend some of the identity industry conferences.
Good luck! I’ll be reading along with you as this space evolves!
Heather Flanagan, Principal at Spherical Cow Consulting and Founder of The Writer’s Comfort Zone, comes from a position that the Internet is led by people, powered by words, and inspired by technology. She has been involved in leadership roles with some of the most technical, volunteer-driven organizations on the Internet, including IDPro as Principal Editor, the IETF, the IAB, and the IRTF as RFC Series Editor, ICANN as Technical Writer, and REFEDS as Coordinator, just to name a few. If there is work going on to develop new Internet standards or discussions around the future of digital identity, she is interested in engaging in that work. You can learn more about her on LinkedIn or reach out to her on the IDPro Slack channel.