The Road to Zero Trust Goes Through Authorization


By Mark Cassetta, Chief Product Officer, Axiomatics

At the recent Gartner Identity & Access Management Summit, the analysts presented the top trends for the identity and access management (IAM) market in the year ahead. One of these trends was a significant increase in the adoption of runtime authorization. The next step in IAM maturity after authentication, runtime authorization is a decision made in real time to permit or deny access to a particular asset or dataset. Because it draws on real-time context from signals or attributes, which might include geography, role, level of risk, and more, the permit/deny decision the authorization engine derives from those attributes is continuous as well as contextual, and that is central to a Zero Trust strategy.

Though this all sounds quite promising, as was pointed out at the Summit, the market itself is a bit of a mess, with an ever-growing number of vendors trying to differentiate themselves with proprietary software often focused on a small subset of the enterprise: either developers, IAM teams or business users. Moreover, historically enterprises chose to forgo an external solution, believing they could build their own in-house. All these elements contribute to a market that can hinder rather than help enterprises looking to leverage authorization as part of their Zero Trust security strategy.

Though this might seem bleak, there are core principles enterprises can look to in an effort to identify and implement effective attribute-based access control at runtime and jump-start their Zero Trust initiatives.

Authorization is an enterprise-wide concern

While this may sound like common sense, the reality is authorization is more often than not isolated in many enterprises. Development teams, looking to implement policy-as-code, might prefer a developer-centric approach, while business or application teams might seek a more straightforward experience delivered via an easy-to-use GUI. IAM teams, who own the overall access control strategy, need administrative capabilities to ensure authorization efforts align to enterprise-wide policies.

Because of the disparate nature of these requirements, most enterprises have seen a variety of bespoke, ad-hoc approaches arise. While these solutions may well address specific, current concerns for a particular part of the enterprise, they often do not scale and lead to conflict (among both resources and policies) when examined under an enterprise-wide lens.

This isolated nature of authorization has existed for years and has become the default for a variety of reasons, not the least of which is a perceived cost saving. However, with a Zero Trust strategy becoming imperative for many enterprises, this approach is no longer sustainable. To be successful with Zero Trust, a comprehensive and consistent approach to authorization, whereby every request for access is evaluated to determine whether it is appropriate, must be implemented. Isolated authorization simply cannot ensure consistency across the enterprise, which will hamper its ability to achieve a successful Zero Trust implementation.

Standards-based authorization is the way forward

As enterprises understand that an orchestrated, enterprise-wide approach to authorization is critical, many then wonder how best to ensure consistency and scalability of their authorization project. This is where the authorization market becomes convoluted, as there are a variety of options, including proprietary solutions, purpose-built solutions, cloud-native solutions, and more.

Adopting a standards-based approach to authorization is the preferred choice for a few reasons. First, as this market continues to emerge and evolve, authorization solutions based on tried-and-true standards, including XACML, ALFA, and OPA, offer reliability as well as a level of future-proofing. These standards, many in use for several years, have well-defined use cases and, regardless of a vendor’s specific solution, offer the ability to adapt and evolve as needed.
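To make the runtime decision described earlier concrete, here is an added example (not code from the article, from Axiomatics, or from any of the named standards) of a small attribute-based policy decision point. It borrows the vocabulary that XACML and ALFA share, policy, rule, target, condition, effect and the deny-overrides combining algorithm, but it is a self-contained Python illustration, not an implementation of either standard. The attribute names, the policy rules, the approved-country list and the sample request are all constructed for the example; the continuous_evaluation function shows the "continuous as well as contextual" property by re-deciding the same request each time a context signal such as risk score or geography changes.

```python
"""Minimal attribute-based access control (ABAC) policy decision point.

Constructed example: it mirrors the XACML/ALFA vocabulary (policy, rule,
target, condition, effect, deny-overrides) but is not an implementation of
either standard and is not based on any vendor's product.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Attributes = Dict[str, Any]          # flat "category.name" -> value, e.g. "subject.role"
Condition = Callable[[Attributes], bool]

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Hypothetical list of regions where confidential data may be read.
APPROVED_COUNTRIES = {"US", "CA", "GB"}


@dataclass
class Rule:
    name: str
    effect: str                                  # PERMIT or DENY
    target: Condition                            # does this rule apply to the request at all?
    condition: Condition = lambda r: True        # must also hold for the effect to fire

    def evaluate(self, request: Attributes) -> str:
        if not self.target(request):
            return NOT_APPLICABLE
        return self.effect if self.condition(request) else NOT_APPLICABLE


@dataclass
class Policy:
    name: str
    rules: List[Rule]

    def evaluate(self, request: Attributes) -> str:
        """Deny-overrides: one Deny wins; otherwise Permit needs at least one Permit."""
        decisions = [rule.evaluate(request) for rule in self.rules]
        if DENY in decisions:
            return DENY
        if PERMIT in decisions:
            return PERMIT
        return NOT_APPLICABLE


# Constructed policy: who may read financial reports, and which signals revoke that.
REPORT_POLICY = Policy("financial-reports", [
    Rule("analyst-read-reports", PERMIT,
         target=lambda r: r.get("action") == "read" and r.get("resource.type") == "report",
         condition=lambda r: r.get("subject.role") in {"analyst", "manager"}
         and r.get("subject.clearance", 0) >= r.get("resource.classification", 0)),
    Rule("deny-high-risk-session", DENY,
         target=lambda r: True,                  # applies to every request
         condition=lambda r: r.get("context.risk_score", 0) >= 70),
    Rule("deny-confidential-outside-approved-regions", DENY,
         target=lambda r: r.get("resource.classification", 0) >= 3,
         condition=lambda r: r.get("context.country") not in APPROVED_COUNTRIES),
])


def decide(request: Attributes) -> str:
    """The decision point: evaluate one request against the policy."""
    return REPORT_POLICY.evaluate(request)


def is_permitted(decision: str) -> bool:
    """Enforcement point rule: anything other than an explicit Permit is denied."""
    return decision == PERMIT


def continuous_evaluation(base: Attributes, signal_updates: List[Attributes]) -> List[str]:
    """Re-run the decision each time a context signal changes; returns decisions in order."""
    request = dict(base)
    decisions = [decide(request)]
    for update in signal_updates:
        request.update(update)               # e.g. risk engine raises the session's score
        decisions.append(decide(request))
    return decisions


# Constructed sample request: an analyst reading a confidential (classification 3) report.
SAMPLE_REQUEST: Attributes = {
    "subject.id": "u-1042", "subject.role": "analyst", "subject.clearance": 3,
    "action": "read", "resource.type": "report", "resource.classification": 3,
    "context.country": "US", "context.risk_score": 10,
}

if __name__ == "__main__":
    print(decide(SAMPLE_REQUEST))
    print(continuous_evaluation(SAMPLE_REQUEST, [
        {"context.risk_score": 85},                          # risk signal spikes mid-session
        {"context.risk_score": 15, "context.country": "XX"},  # risk drops, but location moves
    ]))
```

The point of the continuous_evaluation loop is that the first decision is Permit, yet the same session is denied as soon as the risk score crosses the threshold, and stays denied when the geography attribute changes even after the risk score recovers. A request the policy says nothing about (for example, a delete action) yields NotApplicable, which the enforcement point treats as a deny, so the default posture is fail-closed.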

Though this might sound like common sense, the reality of the current authorization vendor market is that it is populated by quite a few vendors offering proprietary solutions which might address an enterprise’s current needs (or a subset of those needs), but also make it difficult to scale or adjust if the vendor no longer provides support (or is no longer in business).

Authorization requires integration

Enterprises looking to modernize their access control strategy and adopt an orchestrated approach to authorization must ensure their solution works not only with their other critical IAM investments (which could include an identity governance and administration or IGA solution, an access management solution, etc.) but also with broader cybersecurity investments, if possible. This again ensures the organization optimizes its ability to find success with its Zero Trust initiatives.

More enterprises understand that the road to an access control strategy that better reflects the realities of a modern enterprise (distributed workforce, adherence to global regulations, etc.) requires a Zero Trust security approach. In the last two years, Zero Trust has gone from an aspirational goal to a budgeted corporate priority, with many enterprises well on their way to implementing at least the initial elements of a Zero Trust project. A consistent, orchestrated approach to runtime authorization is the critical component to achieving demonstrable success with any Zero Trust initiative.


Mark Cassetta is the chief product officer at Axiomatics. A cybersecurity veteran with more than a decade of experience, Mark Cassetta leads Axiomatics’ product strategy, driving the creation of solutions that offer enterprises around the world a way to address current and future authorization and access management challenges. Mark’s background includes various leadership positions for both software vendors and global systems integrators, including Titus and Accenture.


Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.