Authorization - year in review

Dec 6th, 2023


Omri Gazitt


2023 has been a big year for the nascent but fast-evolving world of modern authorization. We’ve seen significantly more awareness around dynamic authorization as a design pattern; the growth of open source decision engines; a new standardization effort for externalized authorization systems; and a broader community emerging around AuthZ.

Why now?

Why is modern authorization garnering more attention? We’ve seen three main drivers:

  1. Access control-related vulnerabilities continue to be the most vexing aspect of application security, affecting an astonishing 94% of applications tested by the OWASP. As organizations have largely shed the illusion of perimeter-based security approaches, they have a massive amount of security debt on their hands.
  2. Organizations are struggling to manage the complex web of permissions across their employees and applications with the current strategies. When 20% of each application’s surface area is made up of “authorization spaghetti code,” and as they struggle with role explosion across the set of applications they manage, they are looking to lower the cost of managing entitlements and compliance, and increase the agility of their application teams.
  3. With consumer-grade applications making it easy to share resources across users, and limit permissions associated with these shared resources, business applications are following suit. Users are demanding fine-grained access control, and the organizations that deliver these apps must enable it in a way that preserves the principle of least privilege.

These three factors are creating the “perfect storm” for authorization to become a major area of investment in 2024, for B2B SaaS companies and enterprises alike.

What is modern authorization?

Before we get too far ahead of ourselves, it’s worth defining what exactly we mean by “modern authorization.” We think there are three key characteristics:

  • Fine-grained: rather than providing access checks at the level of “can a user perform this action?”, which can be implemented by assigning a static role, fine-grained systems allow assigning and verifying permissions at the resource level: “can a user perform this action on this resource?”
  • Policy-based: rather than embedding access control logic as a set of if and switch statements in application code, policy-based systems externalize authorization into a separate architectural tier, and allow expressing this logic in a uniform, domain-specific language.
  • Real-time: rather than relying on static entitlements that are manually provisioned by administrators and then embedded into access tokens as part of the authentication ceremony, real-time systems evaluate permissions dynamically, right before allowing or denying access to a protected resource.

Taken together, these attributes define a new generation of authorization systems, which provide significant advantages over the previous generation. And this is the area where we’ve seen so much innovation happening.
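To make the three characteristics concrete, here is an added example (not code from the original post, and not Aserto's or Topaz's own implementation) of a toy decision engine in Python. The application code acts as the policy enforcement point (PEP) and asks a separate decision function (PDP) “can this subject perform this action on this resource?” right before serving the request. The relationship tuples, resource attributes, user and document names, and the `mfa` context flag are all constructed sample data for the illustration.

```python
"""Toy fine-grained, policy-based, real-time authorization check (added example)."""
from dataclasses import dataclass, field

# Constructed sample data: ReBAC-style relationship tuples
# (resource, relation) -> set of subjects that hold that relation.
RELATIONS = {
    ("doc:roadmap", "owner"): {"user:alice"},
    ("doc:roadmap", "viewer"): {"user:bob"},
    ("doc:budget", "owner"): {"user:carol"},
}

# Constructed sample data: resource attributes used by ABAC-style conditions.
RESOURCE_ATTRS = {
    "doc:roadmap": {"classification": "internal"},
    "doc:budget": {"classification": "confidential"},
}


@dataclass(frozen=True)
class Request:
    """The question a PEP sends to the PDP: subject, action, resource, context."""
    subject: str
    action: str
    resource: str
    context: dict = field(default_factory=dict)


# The "before": a coarse, role-based check embedded in application code.
# It cannot say which resource the user may edit, only that they are an editor.
def can_edit_legacy(user_roles):
    return "editor" in user_roles


def requires_mfa_for_confidential(attrs, ctx):
    """Hypothetical attribute condition: deny sharing confidential docs without MFA."""
    return attrs.get("classification") == "confidential" and not ctx.get("mfa", False)


# The policy lives outside the application code. Each action names the
# relations that grant it (ReBAC) and an optional deny condition (ABAC).
POLICY = {
    "read": {"relations": {"owner", "viewer"}},
    "edit": {"relations": {"owner"}},
    "share": {"relations": {"owner"}, "deny_if": requires_mfa_for_confidential},
}


def has_relation(subject, resource, relation):
    return subject in RELATIONS.get((resource, relation), set())


def decide(req: Request) -> bool:
    """PDP: evaluate the policy against the current relations and attributes."""
    rule = POLICY.get(req.action)
    if rule is None:
        return False  # default deny: unknown actions are never allowed
    if not any(has_relation(req.subject, req.resource, r) for r in rule["relations"]):
        return False  # no granting relation between subject and this resource
    deny_if = rule.get("deny_if")
    if deny_if and deny_if(RESOURCE_ATTRS.get(req.resource, {}), req.context):
        return False  # attribute condition vetoes the grant
    return True


def share_document(subject, resource, context=None):
    """PEP: ask the PDP immediately before performing the protected operation."""
    req = Request(subject, "share", resource, context or {})
    if not decide(req):
        raise PermissionError(f"{subject} may not share {resource}")
    return f"{resource} shared by {subject}"


def revoke(subject, resource, relation):
    """Real-time: removing a relation takes effect on the very next decision,
    with no access token to reissue or wait out."""
    RELATIONS.get((resource, relation), set()).discard(subject)


if __name__ == "__main__":
    print(decide(Request("user:alice", "edit", "doc:roadmap")))  # owner can edit
    print(decide(Request("user:bob", "edit", "doc:roadmap")))  # viewer cannot
    print(share_document("user:carol", "doc:budget", {"mfa": True}))
    revoke("user:bob", "doc:roadmap", "viewer")
    print(decide(Request("user:bob", "read", "doc:roadmap")))  # revoked at once
```

The contrast with `can_edit_legacy` is the point: the legacy check answers only “is this user an editor?” from a static role, while `decide` answers “may this subject do this action on this resource, now?” from data that can change between two calls.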

Open Source innovation

Innovation in a developer ecosystem often manifests itself in open source projects, and the communities that emerge around them.

In the cloud-native world, the Open Policy Agent (OPA) continues to gain momentum and extend its reach from infrastructure scenarios (e.g. Kubernetes admission control via OPA Gatekeeper), making further inroads into application authorization. In addition, the Kyverno project is giving OPA a run for its money when it comes to core infrastructure scenarios, and is now capable of enforcing policy over arbitrary JSON or YAML files, much like OPA Conftest.

In an exciting development, AWS open-sourced its Cedar decision engine, which provides an attribute-based access control (ABAC)-style authorization capability that powers AWS Verified Permissions and other AWS services. We now have three open source ABAC-style engines - OPA, Cedar, and Cerbos.

In the relationship-based access control (ReBAC) / Zanzibar world, SpiceDB and OpenFGA continue to evolve their capabilities, with OpenFGA becoming a CNCF Sandbox project.

Last but not least, Topaz, Aserto’s own authorization engine, celebrated its 1-year anniversary. It is unique as the only decision engine that combines the policy-based / ABAC approach of OPA with the ReBAC capabilities of Zanzibar-like systems, serving the widest breadth of authorization models and scenarios. Topaz 0.30 launched at Kubecon North America 2023 with an exciting set of new capabilities, including a built-in graphical console.

Authorization standards

It’s been 20 years since the introduction of XACML 1.0, the first XML Web Services-based interoperability protocol for attribute-based access control. And yet, when compared to single sign-on standards such as SAML and OpenID Connect (OIDC), its adoption has been very limited.

With externalized authorization becoming a major concern for organizations, it’s time to take another bite at that apple. In October, a group of authorization practitioners and vendors, including Aserto, submitted a charter proposal to the OpenID Foundation for the establishment of the AuthZEN working group. The charter was accepted shortly after IIW 37 on October 17, and the group is now working on its first two deliverables - a use-case/authorization patterns document, and a draft of a common PEP-PDP protocol. These efforts will unify a set of disparate ecosystems into a larger authorization community, which will create a rising tide for the industry at large.

Bringing communities together

AuthZEN is not the only effort around pulling together a broader authorization community. We’re now seeing authorization practitioners coming together at identity-centric events like Identiverse and Internet Identity Workshop (IIW) to discuss authorization as a common concern. Out of these gatherings, we now have a grassroots effort around the authz substack, a weekly newsletter with authorization news clippings. This group is also in the process of organizing an authorization-centric conference for developers - the first of its kind!

2024 will be the “Year of Modern Authorization”

Building on all the momentum in 2023, we believe 2024 will be an inflection point for modern authorization. There is a critical mass of customers, practitioners, and vendors that want to see significant progress on the vision of fine-grained, policy-based, real-time access control.

Open source continues to be the innovation engine that channels this energy into concrete implementations. Standards and interoperability efforts will reduce the barriers to adoption, increase reusability, and mitigate risk for organizations that want to take advantage of this innovation. And community-building efforts, including existing IAM channels and new authorization-specific blogs, podcasts, and events, will help greatly increase awareness beyond what any single vendor can do on their own.

Stay in the loop!

This is a fast-moving space - here are some of the best resources for tracking progress:


Omri Gazitt

CEO, Aserto