Following my recent blog post on trending topics at EIC 2022, where I discussed the integration of decentralized and centralized identities, there are other topics I’d like to highlight. My #2 on the list of outstanding topics at EIC 2022, is the return of policy-based IAM.
More than a decade ago, XACML (eXtensible Access Control Markup Language) was a trending topic, as a standard that allows applications to send a request to an authorization server at run-time. The server then checked this request and either granted or revoked access (or granted access with restrictions). Externalizing authorization and basing it on centrally defined, explicit policies is a great idea. Unfortunately, XACML failed to deliver on the promise of widespread adoption.
To read more, read this Market Compass report on Policy Based Access Management and have a look at this technology report entitled: XACML – Extensible Access Control Markup Language.
New era with OPA and Rego
In the past year, however, things have started to change, and policy-based authorizations and access control have been back as a prominent topic at EIC. They never disappeared, really, but with the emergence of OPA (Open Policy Agent) and Rego as a policy-language, widespread adoption of policy-based authorization by developers has begun. When building digital services from scratch, it is straightforward to rely on an external policy engine. This reduces the burden on developers, increases security, and speeds up time-to-value. To find out more about OPA and this topic in general, have a look at this webinar: Policy Based Access Control for Cloud-Native Applications.
OPA and Rego are just part of a bigger trend, where policy-based access controls are returning to the center of attention. JIT (Just-in-Time) access for privileged and standard users is another important topic, and we observe the growing interest of customers in strategically moving towards policy-based approaches in IAM. Technology is maturing. Standards are evolving. Time to put this topic on the top of the IAM agenda again, for efficiency, security, and time-to-value. It is also time to finally solve the authorization challenge, which is one of the underserved areas in IAM.
Here are some links to presentations and panel discussions at EIC 2022 that focused on OPA: