1 Introduction
Over the past decade, IT environments have become increasingly complex as organizations grapple with accelerating technology advances. Organizations are increasingly seeking solutions that permit line-of-business applications to access corporate data while ensuring that access is appropriate, authorized, and compliant with applicable regulation.
Authorization is the act of verifying the entitlements that grant a user access to a specific controlled resource. This is often performed within a single system via an internal store of user accounts and their entitlements to specific functionality, but such an approach makes it difficult to manage and enforce access control policy enterprise-wide. A properly deployed dynamic authorization service takes access control to the next level: it enables enterprises with sensitive data to control access to protected resources more finely, across a variety of use cases.
Dynamic contextual authorization meets many of the demands facing IT organizations today, such as the need for fine-grained access controls over data resources or authorization of data access for GDPR compliance. With more organizations exposing digital services over APIs, there is a growing need to externalize dynamic contextual authorization for APIs across multiple platforms and manage it centrally to ensure compliance. Consider the PSD2 and Open Banking use cases, which are driven by privacy and by demand for API services. Banks will have to provide secure APIs for Third Party Providers (TPPs) and other banks to use. Banks will need to compete more efficiently and protect themselves from a much greater risk of fraud, which dynamic contextual authorization will help mitigate.
An organization's IT security function will also need to address the evolving authorization requirements of use cases such as mobile apps, IoT, M2M communication, and edge gateways. Another trend in organizations' IT today is a shift towards a more modern software architecture based on microservices. This architectural style is quickly gaining momentum in IT organizations. Each microservice is characteristically small, autonomous, and fine-grained, using lightweight protocols and making extensive use of APIs. Most microservice application architectures use containers, such as Docker, to implement their solution. And although one benefit of microservice architectures is that each development team can build its microservice on a different technology stack, this can also lead to inconsistencies in how each team treats authorization, for example through differing interpretations of what token scope values mean.
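The scope-interpretation problem described above, and the externalized alternative, can be made concrete in a few lines. The following is an added example written for this section, not code from the report or from any product it discusses; the services, scope names, policy rules and the decoded token payload are all constructed and hypothetical. Two teams each interpret the scope `orders:read` locally and reach different answers for the same request, while a single central policy decision point (PDP), consulted through a thin enforcement wrapper in each service, gives one answer and can also apply context such as a step-up authentication requirement.

```python
"""Externalized, contextual authorization versus per-service scope interpretation.
Constructed illustration: services, scopes, rules and token are hypothetical."""
from dataclasses import dataclass

# Constructed sample token, shown as an already-verified, decoded JWT payload.
# Signature verification is out of scope for this illustration.
TOKEN = {"sub": "alice", "scope": "orders:read profile"}


# --- Two teams' *local* readings of the same scope string (the problem) ------
def orders_team_allows(token, action):
    # Team A reads "orders:read" as "may do anything with orders" (over-broad).
    return "orders:read" in token["scope"].split()


def billing_team_allows(token, action):
    # Team B reads "orders:read" literally: reads only, nothing else.
    return action == "read" and "orders:read" in token["scope"].split()


# --- One central policy store, evaluated identically for every caller ---------
@dataclass(frozen=True)
class Rule:
    resource: str
    action: str
    scope: str            # scope the token must carry
    needs_mfa: bool = False  # contextual condition: step-up required


POLICY = [
    Rule("order", "read", "orders:read"),
    Rule("order", "cancel", "orders:write", needs_mfa=True),
    Rule("invoice", "read", "billing:read"),
]


def decide(token, resource, action, context):
    """Central PDP. Returns (allowed, reason); the reason is meant to be logged
    so that every denial is explainable. Anything not matched is denied."""
    scopes = set(token.get("scope", "").split())
    for rule in POLICY:
        if rule.resource == resource and rule.action == action:
            if rule.scope not in scopes:
                return False, f"missing scope {rule.scope}"
            if rule.needs_mfa and not context.get("mfa"):
                return False, "step-up authentication required"
            return True, f"rule {resource}:{action} satisfied"
    return False, "no matching rule (default deny)"


def enforce(resource, action):
    """Policy enforcement point used by each microservice. The service code
    never evaluates scopes itself; it only forwards the request to decide()."""
    def wrap(fn):
        def inner(token, context, *args, **kwargs):
            allowed, reason = decide(token, resource, action, context)
            if not allowed:
                raise PermissionError(reason)
            return fn(token, context, *args, **kwargs)
        return inner
    return wrap


@enforce("order", "cancel")
def cancel_order(token, context, order_id):
    # Business logic only; authorization has already been decided centrally.
    return f"order {order_id} cancelled by {token['sub']}"


def compare(token, action):
    """Side by side: the two local verdicts and the single central verdict."""
    local = {
        "orders-team": orders_team_allows(token, action),
        "billing-team": billing_team_allows(token, action),
    }
    central, reason = decide(token, "order", action, {"mfa": False})
    return local, central, reason


if __name__ == "__main__":
    for act in ("read", "cancel"):
        print(act, compare(TOKEN, act))
    # read   -> ({'orders-team': True, 'billing-team': True}, True, ...)
    # cancel -> ({'orders-team': True, 'billing-team': False}, False, 'missing scope orders:write')
```

The divergence on `cancel` is exactly the inconsistency the paragraph warns about: the same token is accepted by one team's code and rejected by another's. Routing the decision through `decide()` removes that ambiguity and is also where context (here the MFA flag) can be taken into account without each team re-implementing it.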
Modern authorization solutions should provide advanced capabilities. Support for automation is needed as organizations seek efficiencies. Artificial Intelligence is needed to extract value from data and to support decision making through analytics when it comes to identifying risks or suspicious application events within the IT infrastructure. Authorization solutions should also move away from policies that are hard to configure and understand towards more intuitive, easy-to-use policy authoring environments.
Inevitably, the IT security landscape will continue to change, and authorization products will need to keep up with those changes to remain effective. Forward-thinking organizations should seek modern, advanced authorization products that can do so.