Historically, organizations looked at authorization as a requirement for a specific application as opposed to an integral part of the overall application development strategy. That is to say, it was considered more of a ‘box to check’ when creating a specific application. But as is the case with any technology, authorization has matured, moving from something a development team would check off as a line item to a strategy to ensure applications (and the data contained therein) are properly secured and only accessed by the right people, at the right time, and in the right way.
If we were to consider this on the technology adoption curve, authorization (particularly on the runtime side) has been through the innovators and early adopters and has now crossed the chasm into the early majority of the market. So, in many ways, policy-based access control is on the cusp of significant adoption, even though the concept isn't new. Instead of asking, "Why do I need this?", enterprises are asking, "When do I adopt this?" or "How do I tie it to my broader IAM and cybersecurity strategies?" Instead of existing for one application or being managed by one team, organizations are considering how to deploy PBAC solutions at scale across thousands of applications accessed by millions of users with a millisecond response time. And while PBAC was on this trajectory for some time, it matured rapidly in 2020.
Covid, Zero Trust, and the move to broader adoption
With the sudden and complete move to a remote workforce in March 2020, access control quickly went to the top of enterprise cybersecurity agendas. Once the dust settled and it became evident a significant amount of the workforce would always work remotely, enterprises started exploring how access could be more secure. This meant considering more than a person's role and looking at their location, how they're accessing a particular application (from a phone, from a laptop, via public WiFi, etc.) and how much access they truly need to do their job. As this context becomes clearer and organizations acquire a better understanding of the 5 Ws (who, what, when, where, why), stronger, more accurate, and ultimately, more successful security (and access) policies can be developed.
Alongside the rise of remote work came the broad adoption of Zero Trust security principles. As organizations looked to move from a network-centric approach to a risk-based approach to security, authorization became front and center. In fact, in the National Institute of Standards and Technology (NIST) document on Zero Trust architecture (widely consulted by organizations looking to implement a Zero Trust security stance), NIST writes, "To lessen uncertainties (as they cannot be eliminated), the focus is on authentication, authorization and shrinking implicit trust zones while maintaining availability and minimizing temporal delays in authentication mechanisms. Access rules are made as granular as possible to enforce the least privileges needed to perform the action in the request." Put simply, organizations need more context to determine the right level of access.
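As an added illustration of the contextual, least-privilege access rules described above (this is example code, not code from the article or from Axiomatics), the following deny-by-default policy evaluator shows how one role can receive different decisions depending on device, network, location and time of the request. The request attributes and rule names are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed example of a context-aware (PBAC) decision: the same user role
# yields different outcomes depending on device, network, location and time.
# Attribute names and rules are illustrative assumptions, not any product's API.

@dataclass(frozen=True)
class Request:
    subject_role: str        # who
    action: str              # what is being attempted
    resource: str            # what is being accessed
    hour: int                # when (0-23, local time of the request)
    country: str             # where
    device_managed: bool     # how: corporate-managed device?
    network: str             # how: "corporate", "home" or "public_wifi"

@dataclass(frozen=True)
class Rule:
    name: str
    effect: str              # "permit" or "deny"
    condition: Callable[[Request], bool]

def evaluate(request: Request, rules: List[Rule]) -> Tuple[str, List[str]]:
    """Deny-overrides combining: any matching deny wins; otherwise a matching
    permit is required. No matching rule at all means deny (least privilege)."""
    matched = [r for r in rules if r.condition(request)]
    denies = [r.name for r in matched if r.effect == "deny"]
    if denies:
        return ("deny", denies)
    permits = [r.name for r in matched if r.effect == "permit"]
    if permits:
        return ("permit", permits)
    return ("deny", ["default-deny"])

RULES = [
    Rule("finance-can-read-ledger", "permit",
         lambda q: q.subject_role == "finance" and q.action == "read"
         and q.resource == "ledger"),
    Rule("finance-can-approve-in-hours", "permit",
         lambda q: q.subject_role == "finance" and q.action == "approve"
         and q.resource == "ledger" and 8 <= q.hour < 18),
    Rule("no-writes-from-public-wifi", "deny",
         lambda q: q.action in ("approve", "write") and q.network == "public_wifi"),
    Rule("unmanaged-device-read-only", "deny",
         lambda q: not q.device_managed and q.action != "read"),
    Rule("ledger-allowed-regions-only", "deny",
         lambda q: q.resource == "ledger" and q.country not in ("US", "CA", "GB")),
]
```

The returned rule names give the audit trail a reviewer needs to explain why a request was permitted or denied.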
What’s next: addressing maturity and complexity
While some of the world’s most complex enterprises are broadly adopting a PBAC strategy, the majority are just getting started. There are a couple of reasons for that. First, PBAC is typically deployed by organizations with a more mature approach to IAM, which includes a somewhat mature authentication strategy. Until remote work forced them to invest, most organizations would admit their authentication strategy was not very mature. This is changing, but there is still room to grow.
Second, though authorization has been around for a long time, we're facing a more complex threat landscape than ever before. Ransomware, deepfakes, social engineering, and more all continue to evolve at breakneck speed, making it incredibly difficult for enterprise IAM teams to keep up. This means that IAM has to change the tires while the car is still moving, and the sophistication of these threats can create complex deployment scenarios for teams already stretched thin.
All of this makes context more critical than ever when it comes to access control and will contribute to the continued rise in the adoption of PBAC solutions. While there is no single 'silver bullet' solution to access control, PBAC solutions provide the context critical to organizations looking to secure their information and mitigate risk.
Mark Cassetta is chief product officer at Axiomatics.