Welcome to the "Authorize" clipping service, a precursor to an upcoming "Authorize" conference. This service is provided by volunteer authorization nerds who want more people to know about all the cool stuff that's going on in the authorization world! Here's all the news you need to know.
Now, you might wonder why we're starting off with birthday wishes to the outrageously funny Canadian. Well, he definitely was one heck of a mall cop in the 2009 comedy, Observe and Report. And as far as movies go, this one was definitely loaded with authorization challenges and tricky enforcement situations. My little finger tells me there may be a sequel in the works called "Zero Trust". Oh and a new instalment of the Back to the Future series: "ABAC to the Future".
Enough with the movies and on with the latest in AuthZ land.
Conferences & Events
Join a merry band of identity nerds at the Internet Identity Workshop starting today. Tickets here.
Prior to the event, my peer Omri Gazitt of Aserto will be giving an update on the work achieved in the OpenID AuthZEN Working Group. Slides available here.
We're a month or so away from Identiverse 2024. If you're not sure what presentation to attend, check out my curated list for inspiration. There are 20+ talks, enough to keep you busy all week.
RSA Conference is even closer and the authorization family will be proudly represented by our co-curator, Sarah.
Data Centric Authorization
Fine-grained authorization is red-hot. But with it come additional challenges... If you're authorizing at the item level, you also need to know what items the user has access to. In How ReBAC solves data filtering, Omri shows how your authorization system can help you get two for the price of one.
Being able to tackle "transactional authorization" and data filtering at the same time is indeed one of the greater challenges for authorization. Standards like XACML and OPA were originally built for transactional authorization. Little by little both added features known as partial evaluation, reverse query, or in the terms of OpenID AuthZEN, search.
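To make the "two for the price of one" point concrete, here is an added illustration (not Topaz, Aserto or AuthZEN code; the Zanzibar-style schema, the relationship tuples and every name in it are assumed): one relation graph answers both the transactional check ("may alice view this doc?") and the search / data-filtering question ("which docs may alice view?"), with the search walked in reverse from the subject rather than by checking every candidate object.

```python
# Zanzibar-style schema, assumed for this illustration (not Topaz's own model):
# "this" = direct tuples, ("rel", r) = relation r on the same object,
# ("parent", via, r) = relation r on the object reached through relation `via`.
SCHEMA = {
    "folder": {"viewer": ["this"]},
    "doc": {"editor": ["this"],
            "viewer": ["this", ("rel", "editor"), ("parent", "parent", "viewer")]},
}
# Constructed relationship tuples: (object, relation, subject).
TUPLES = [
    ("folder:eng", "viewer", "user:alice"),
    ("doc:roadmap", "parent", "folder:eng"),
    ("doc:budget", "parent", "folder:eng"),
    ("doc:roadmap", "editor", "user:bob"),
    ("doc:notes", "viewer", "user:carol"),
]
def _direct(obj, rel):
    return {s for (o, r, s) in TUPLES if o == obj and r == rel}

def check(subject, rel, obj):
    """Transactional question: does `subject` hold `rel` on `obj`? Forward walk."""
    def holds(rule):
        if rule == "this":
            return subject in _direct(obj, rel)
        if rule[0] == "rel":
            return check(subject, rule[1], obj)
        return any(check(subject, rule[2], p) for p in _direct(obj, rule[1]))  # parent
    return any(map(holds, SCHEMA.get(obj.split(":")[0], {}).get(rel, [])))

def search(subject, rel, otype):
    """Data-filtering question: which `otype` objects does `subject` hold `rel` on?
    Same schema as check(), walked in reverse from the subject's own tuples."""
    found, seen = set(), set()
    frontier = [(o, r) for (o, r, s) in TUPLES if s == subject]  # the "this" hits
    while frontier:
        obj, r = frontier.pop()
        if (obj, r) in seen:
            continue
        seen.add((obj, r))
        t = obj.split(":")[0]
        if t == otype and r == rel:
            found.add(obj)
        for r2, rules in SCHEMA.get(t, {}).items():       # relations implied on obj
            if ("rel", r) in rules:
                frontier.append((obj, r2))
        for child, via, parent in TUPLES:                   # children pointing at obj
            for r2, rules in SCHEMA.get(child.split(":")[0], {}).items():
                if parent == obj and ("parent", via, r) in rules:
                    frontier.append((child, r2))
    return sorted(found)
```

With these tuples, `check("user:alice", "viewer", "doc:roadmap")` is true through the folder, and `search("user:alice", "viewer", "doc")` returns both docs under that folder without the caller listing candidates first.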
Real World Use Cases
In the Modern application authorization: insights from the trenches webinar, Sebastian Rohr from Umbrella.associates and Omri discuss building a fine-grained authorization system for Siemens, and how Topaz could help.
You can now watch a replay of the livestream with Braden Groom - Staff Engineer at Reddit: you will learn how Reddit scaled its authorization layer and achieved p99 <10ms per decision. The chat includes insights around scaling, balancing performance, and user experience.
Admin-time, Runtime, Event-time?
Last week, a friend of mine told me the antagonism between admin-time (think RBAC, groups, and entitlements) and runtime (think policy, graph, ABAC...) wasn't quite the whole picture. You also need to think about event-time (reactive) authorization. This is definitely where the work from the OpenID Shared Signals WG applies or where OAuth's transaction tokens come in.
The US Department of Defense is onto this trend too as they just released their DevSecOps Continuous Authorization Implementation Guide. Quoting them:
Continuous Authorization to Operate (cATO) is the state achieved when the organization that develops, secures, and operates a system has demonstrated sufficient maturity in their ability to maintain a resilient cybersecurity posture that traditional risk assessments and authorizations become redundant. This organization must have implemented robust information security continuous monitoring capabilities, active cyber defense, and secure software supply chain requirements to enable continuous delivery of capabilities without adversely impacting the system's cyber posture.
Read the full guide here.
That's all folks!
Thanks for tuning in and reading all the way. Be on the lookout for a readout of IIW next week. Six months ago, Eve Maler and peers debated the RS/AS vs. P*P architectural model (see page 131 of the proceedings). I'm looking forward to this season's debates. And rest assured that our security is in good hands...
If you're an authorization nerd and an IDPro member, join our discussions in the IDPro Slack #authorization channel! Want to help write this newsletter and organize the conference? Find Sarah Cecchetti on LinkedIn and ask for an invite.