Episode 073: 12‐12‐2024: The Future of AuthZ, from A to Z - GluuFederation/identerati-office-hours GitHub Wiki
Title: The Future of AuthZ, from A to Z
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Rohit Khare, Product Manager & Software Architect • Simplifying Security
- Co-Host: Alex Olivier, Co-founder & CPO @ Cerbos
Description
It only took a decade or two, but Authentication (AuthN) standards have finally replaced “roll-your-own” username & password login systems with Single-Sign-On (SSO) services.
After logging in, though, there's no way to know who's an admin, whether you can buy or sell widgets, or upload a new thumbnail. This is the Authorization (AuthZ) opportunity: speed-run the standards processes to replace custom business logic with interoperable policy languages?
Summarizing lessons learned from a year of editing the free weekly AuthZ.substack.com newsletter, and my personal thoughts on the future of DecentIAM.com, this talk tackles:
- Why will we need AuthZ?
- What problems will it solve?
- How soon will it be adopted?
Homework
- Subscribe to AuthZ.substack.com
- Chuckle at DecentIAM.com
- Reflect on https://d1.awsstatic.com/Security/pdfs/One_Click_Formal_Methods.pdf
Takeaways
⚡ AuthZ is now possible at scale because AuthN is standardized.
⚡ Most PDP (policy decision point) vendors focus on returning low-latency answers to "Can User access Resource X?" But domains also need governance tools to answer the inverse questions, such as "Which Users can modify Resource X?" and "Which Resources can User X modify?", and to explain why.
⚡ Formal reasoning lets AuthZ solutions move beyond ad hoc checks to systematic, provable answers. Domains can verify consistency, that is, that policies do not conflict with each other. Automated reasoning tools can evaluate large policy sets and complex conditions far more quickly than manual review.
⚡ AI is already colliding with authorization models--Alex from Cerbos reports that they are using authorization to ensure that LLM responses filter input based on what you're authorized to see. But a new wave of agents is being developed to act on our behalf. How will we delegate permissions to AI agents? Maybe I want an AI agent to book an airline flight if the cost drops below $250. Can I also delegate access to my email inbox to view only airline reservation emails? If we don't get control of this, we're going to end up oversharing privileged access.
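The last three takeaways (inverse governance queries with a "why", consistency checking of a policy set, and scoped delegation to an agent) can be made concrete in one small model. The Python below is an added example for this wiki page, not code from Gluu, Cerbos, or any product discussed on the episode. Its users, resources, rules, the deny-overrides combining logic, and the shape of the delegation object are all constructed assumptions, and exhaustive enumeration over a finite universe stands in for the symbolic (SMT-based) reasoning that real automated-reasoning tools use.

```python
"""Toy authorization model over a finite, constructed universe: forward
decisions with a "why", the inverse governance queries, allow/deny conflict
detection by enumeration, and attenuated delegation to an agent.
All names, rules and records are constructed samples (assumptions)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]
Pred = Callable[[Attrs], bool]

@dataclass(frozen=True)
class Rule:
    rid: str                    # returned as the "why" of a decision
    effect: str                 # "allow" or "deny"; deny overrides allow
    actions: frozenset
    principal: Pred             # predicate over principal attributes
    resource: Pred              # predicate over resource attributes
    condition: Callable[[Attrs, Attrs], bool] = lambda p, r: True

# Records carry their own id so rules can express ownership directly.
USERS: Dict[str, Attrs] = {
    "alice": {"id": "alice", "role": "traveler"},
    "bob":   {"id": "bob",   "role": "travel-admin"},
    "carol": {"id": "carol", "role": "traveler"},
}
RESOURCES: Dict[str, Attrs] = {
    "email:1":    {"type": "email",  "owner": "alice", "category": "airline"},
    "email:2":    {"type": "email",  "owner": "alice", "category": "hr"},
    "email:3":    {"type": "email",  "owner": "carol", "category": "airline"},
    "flight:LAX": {"type": "flight", "price": 199},
    "flight:NRT": {"type": "flight", "price": 900},
}
ACTIONS = frozenset({"view", "delete", "book"})

RULES: List[Rule] = [
    Rule("owner-mail", "allow", frozenset({"view", "delete"}),
         lambda p: True, lambda r: r["type"] == "email",
         lambda p, r: r["owner"] == p["id"]),
    Rule("admin-view", "allow", frozenset({"view"}),
         lambda p: p["role"] == "travel-admin", lambda r: True),
    Rule("book-flights", "allow", frozenset({"book"}),
         lambda p: p["role"] in ("traveler", "travel-admin"),
         lambda r: r["type"] == "flight"),
    # Retention hold on HR mail; overlaps owner-mail on purpose (conflict).
    Rule("hr-hold", "deny", frozenset({"delete"}),
         lambda p: True, lambda r: r.get("category") == "hr"),
]

def matching_rules(pid: str, action: str, rid: str) -> List[Rule]:
    p, r = USERS[pid], RESOURCES[rid]
    return [x for x in RULES if action in x.actions
            and x.principal(p) and x.resource(r) and x.condition(p, r)]

def decide(pid: str, action: str, rid: str) -> Tuple[bool, List[str]]:
    """Forward query: default deny, explicit deny beats allow, plus the why."""
    hits = matching_rules(pid, action, rid)
    denied = any(x.effect == "deny" for x in hits)
    return not denied and any(x.effect == "allow" for x in hits), [x.rid for x in hits]

def who_can(action: str, rid: str) -> Dict[str, List[str]]:
    """Inverse query: users allowed to do `action` on `rid`, each with why."""
    return {p: decide(p, action, rid)[1] for p in USERS if decide(p, action, rid)[0]}

def what_can(pid: str, action: str) -> Dict[str, List[str]]:
    """Inverse query: resources `pid` may do `action` on, each with why."""
    return {r: decide(pid, action, r)[1] for r in RESOURCES if decide(pid, action, r)[0]}

def conflicts() -> List[Tuple[str, str, str, List[str]]]:
    """(user, action, resource) triples matched by both an allow and a deny.
    Enumeration is sound only because the universe is finite; real tools
    reason symbolically over the policy text (e.g. with an SMT solver)."""
    out = []
    for pid in USERS:
        for action in sorted(ACTIONS):
            for rid in RESOURCES:
                hits = matching_rules(pid, action, rid)
                if {x.effect for x in hits} == {"allow", "deny"}:
                    out.append((pid, action, rid, [x.rid for x in hits]))
    return out

@dataclass(frozen=True)
class Delegation:
    """(action, resource predicate) grants a user hands to an agent. The agent
    is attenuated: a request must pass a grant AND the delegator's own
    decision, so delegating can never widen access."""
    delegator: str
    agent: str
    grants: Tuple[Tuple[str, Pred], ...]

ALICE_TO_AGENT = Delegation("alice", "flight-agent", (
    ("book", lambda r: r["type"] == "flight" and r["price"] < 250),
    ("view", lambda r: r["type"] == "email" and r["category"] == "airline"),
))

def agent_decide(d: Delegation, action: str, rid: str) -> Tuple[bool, str]:
    r = RESOURCES[rid]
    if not any(a == action and pred(r) for a, pred in d.grants):
        return False, "outside delegated scope"
    ok, why = decide(d.delegator, action, rid)
    if not ok:
        return False, f"delegator {d.delegator} cannot do this ({why})"
    return True, f"delegated by {d.delegator} via {why}"

def delegation_overreach(d: Delegation) -> List[Tuple[str, str]]:
    """Governance check: grant entries the delegator cannot exercise."""
    return [(a, rid) for a, pred in d.grants for rid, r in RESOURCES.items()
            if pred(r) and not decide(d.delegator, a, rid)[0]]
```

`who_can` and `what_can` are the inverse questions from the second takeaway, each answer carrying the rule ids that explain it; `conflicts()` is the consistency check from the third, and on this data it reports that `owner-mail` and `hr-hold` both match alice deleting `email:2`. `agent_decide` and `delegation_overreach` illustrate the delegation question in the fourth: the agent may book `flight:LAX` (under $250) but not `flight:NRT`, may view `email:1` but not `email:2` (not an airline mail) or `email:3` (alice cannot read it herself, so the grant overreaches and the governance check flags it before any request is made).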