Modern Authorization: The Next IAM Frontier

Identity and access have always been joined at the hip. In the age of LDAP, authenticated users were granted permissions based on group membership. But this mechanism hasn’t transferred into the federated identity landscape.

Instead, modern identity systems try to generalize permissions into scopes that are embedded into access tokens. But this doesn’t facilitate fine-grained authorization - a “read:document” scope doesn’t typically mean the user can access every document!

While identity has moved to the cloud, we still don’t have fine-grained, scalable mechanisms for generalizing authorization. So every application builds its own, and IT ends up administering every application differently.

Fixing this is arguably the most pressing challenge for the IAM industry. In this talk, we propose a set of principles, inspired by zero-trust and the latest work in cloud-native authorization, that should underlie the solutions we build:

1. Support for fine-grained authorization (both ABAC and ReBAC), delivering on the principle of least privilege. Google’s Zanzibar provides an important blueprint.
2. Managing authorization policy-as-code, enabling separation of duties and policy-based access management. Open Policy Agent is a good building block.
3. Performing real-time access checks for continuous verification. This function should be downstream from authentication.
4. Collecting fine-grained decision logs, providing the underpinning for comprehensive offline auditing and access analysis.

Event Recording

Modern Authorization: The Next IAM Frontier

Click here to watch the recording of this session. Please note that this video is only available to event participants and subscribers. You'll need to log in to watch it.

Presentation deck

Modern Authorization: The Next IAM Frontier

Click here to download the slide deck. Please note that downloads are only available for event participants and subscribers. You'll need to log in to download it.