20 December 2021
For over 5 years, we here at PlainID have been highlighting the importance of Authorization in any Identity Management strategy. It has been our prediction that just like Authentication, which companies struggled to build a decade ago, Authorization would develop its own market of solutions, freeing companies of the burden of building their own Authorization solution. One of our investors rightly said to me a few years ago, “PlainID is to Authorization like Okta is for Authentication.”
In July 2021 our conviction received one of its strongest validations yet.
The move from IAM to Application Security
Externalized Authorization Management (EAM), also known as “Dynamic Authorization”, has appeared in past Gartner Hype Cycles for Identity & Access Management Technologies, but this is the first year that the category is included in the broader Hype Cycle for Application Security. We believe this is another proof point that Authorization is getting higher priority, and that more companies are looking to make sure they have a sufficient Authorization solution. We've been talking about this for a while; for example, see this past blog from industry insider Tom Malta. Authorization is an important consideration for securing your applications, and the topic of Application Security is no longer primarily about the network level.
Policy here, Policy there, Policy everywhere
If you’ve been following PlainID, you know that we talk A LOT about PBAC, or Policy-Based Access Control. It’s the key ‘ingredient’ in our Authorization platform: it is what allows companies to have dynamic, flexible rules that enable the most efficient authorization strategy possible, and it is also the core of the Zero Trust architecture described in NIST SP 800-207. The PlainID Policy Manager also allows regular, non-coding users to manage who can access what. This latest Hype Cycle now mentions ‘Policy as Code’ (PaC).
Policy as Code, and then…
PlainID supports Policy as Code and OPA, and encourages their continued development. However, enterprises need a management layer, whether they are building their own Policy as Code (PaC) or using OPA as their best-practice mechanism within their code. We’ve seen mostly large companies doing this, but as it becomes more standardized, we believe smaller companies will adopt PaC. They, too, will need a management layer.
A Management Layer for Policies
Developers know how to use and manage code, but the Authorization lifecycle still needs to be managed, and the folks on the business side need a usable management layer to create and manage these policies. The ability to manage, govern, run approval cycles, etc. all lives in the management layer. In summary, beyond code, enterprises still need a user-friendly interface for the business, as well as the ability to monitor, govern, audit, and adhere to compliance needs, and all of this goes well beyond building Policy as Code. To handle the full lifecycle of Authorization, you need a full-fledged Policy Management platform, e.g. PlainID Policy Manager (or you could attempt to build all of that yourself, but why?).
The Drivers: Compliance and OPA
Gartner’s report refers to two drivers that have moved EAM/Dynamic Authorization out of being niche: compliance needs (CCPA, GDPR, etc.) and the traction that OPA has seen. We believe there is an additional driver: the focus on handling Authorization for microservices, which has added urgency to implementing Externalized Authorization Management solutions.
The User Recommendations
We invite you to download the document, compliments of PlainID for a limited time. It includes a list of user recommendations on this topic, as well as features and evaluation criteria you should keep in mind when evaluating an Authorization strategy, for example retrofitting existing applications with EAM, decision and enforcement, integrations, etc.