
An analysis of Dynamic Authorization’s inclusion in the 2021 Gartner® Hype Cycle™ for Application Security, 2021

Sam Adler
August 8, 2021

For over 5 years, we here at PlainID have been highlighting the importance of Authorization in any Identity Management strategy. It has been our prediction that just like Authentication, which companies struggled to build a decade ago, Authorization would develop its own market of solutions, freeing companies of the burden of building their own Authorization solution. One of our investors rightly said to me a few years ago, “PlainID is to Authorization like Okta is for Authentication.”

In July 2021 our conviction received one of its strongest validations yet.

The move from IAM to Application Security

Externalized Authorization Management, aka “Dynamic Authorization”, has appeared in past Gartner Hype Cycles for Identity & Access Management Technologies, but this is the first year that the category is included in the broader Hype Cycle for Application Security. We believe this is another proof point that Authorization is getting higher priority, and that more companies are looking to make sure they have a sufficient Authorization solution. We've been talking about this for a while; for example, see this past blog from industry insider Tom Malta. Authorization is an important consideration for securing your applications, and the topic of Application Security isn’t primarily at the network level anymore.


Policy here, Policy there, Policy everywhere

If you’ve been following PlainID, you know that we talk A LOT about PBAC, or Policy-Based Access Control. It’s the key ‘ingredient’ in our Authorization platform: it is what allows companies to have dynamic, flexible rules that enable the most efficient authorization strategy possible, and it is also the core of the Zero Trust architecture described in NIST 800-207. The PlainID Policy Manager also allows regular users, non-coders, to manage who can access what. This latest Hype Cycle now mentions ‘Policy as Code’ (PaC).

Policy as Code, and then…

PlainID supports Policy as Code and OPA, and encourages their continued development. However, enterprises need a management layer, whether they are building their own Policy as Code (PaC) or using OPA as their best-practice mechanism within their code. We’ve seen mostly large companies doing this, but as it becomes more standardized, we believe smaller companies will adopt PaC. They, too, will need a management layer.


A Management Layer for Policies

Developers know how to write and manage code, but the Authorization lifecycle also needs to be managed. The folks on the business side need a usable management layer to create and manage these policies. The ability to manage, govern, run approval cycles, etc. all lives in the management layer. In summary, beyond code, enterprises still need a user-friendly interface for the business, as well as the ability to monitor, govern, audit and adhere to compliance needs, and all of this goes well beyond building Policy as Code. To implement something that handles the full lifecycle of Authorization, you need a full-fledged Policy Management platform (e.g. PlainID Policy Manager), or you can attempt to build all of that yourself, but why?
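To make the Policy as Code and management-layer points above concrete, here is an added example (not PlainID's or OPA's code) of an externalized policy decision point: policies are plain functions over subject, resource and context attributes, a policy only takes effect once approved, decisions default to deny with deny-overrides combining, and every approval and decision is recorded for audit. The policy names, attribute fields and sample requests are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

Request = dict  # subject / action / resource / context attributes, as handed over by the PEP

@dataclass
class Policy:
    """Policy as Code: the rule is a plain function over request attributes."""
    name: str
    effect: str                      # "allow" or "deny"
    rule: Callable[[Request], bool]  # applicability condition
    approved: bool = False           # management-layer gate: unapproved policies are inert

@dataclass
class PolicyDecisionPoint:
    """Externalized PDP: deny-overrides combining, default deny, audit trail."""
    policies: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def approve(self, policy_name: str, approver: str) -> None:
        # The approval cycle happens here, outside the application that calls decide().
        for p in self.policies:
            if p.name == policy_name:
                p.approved = True
                self.audit.append({"event": "approve", "policy": policy_name, "by": approver})

    def decide(self, req: Request) -> bool:
        applicable = [p for p in self.policies if p.approved and p.rule(req)]
        if any(p.effect == "deny" for p in applicable):
            decision = False  # an applicable deny overrides any allow
        else:
            decision = any(p.effect == "allow" for p in applicable)  # nothing matched: deny
        self.audit.append({"event": "decide", "action": req["action"], "decision": decision,
                           "subject": req["subject"]["id"], "matched": [p.name for p in applicable]})
        return decision

def build_pdp() -> PolicyDecisionPoint:
    """Constructed sample policies using dynamic subject, resource and context attributes."""
    return PolicyDecisionPoint([
        Policy("same-department-read", "allow", lambda r: r["action"] == "read"
               and r["subject"]["department"] == r["resource"]["department"]
               and 8 <= r["context"]["hour"] < 18),
        Policy("export-own-department", "allow", lambda r: r["action"] == "export"
               and r["subject"]["department"] == r["resource"]["department"]),
        Policy("no-contractor-export", "deny", lambda r: r["action"] == "export"
               and r["subject"]["type"] == "contractor"),
    ])

def request(subject: dict, action: str, resource: dict, hour: int) -> Request:
    """Helper for the enforcement point: package the attributes the PDP evaluates."""
    return {"subject": subject, "action": action, "resource": resource, "context": {"hour": hour}}
```

The application code (the enforcement point) only calls `decide()`; which policies exist, who approved them and what they matched is visible in the audit list rather than buried in application logic.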

The Drivers: Compliance and OPA

Gartner’s report refers to two drivers that have moved EAM/Dynamic Authorization out of the niche: compliance needs (CCPA, GDPR, etc.) and the traction that OPA has seen. We believe there is an additional focus on handling Authorization for microservices, which has been a driver for the urgency of implementing Externalized Authorization Management solutions.

The User Recommendations

We invite you to download the document, compliments of PlainID for a limited time. It includes a list of user recommendations on this topic, as well as features and evaluation criteria you should keep in mind when evaluating an Authorization strategy: for example, retrofitting existing applications with EAM, decision and enforcement, integrations, etc.
