Happy New Year

Will new resolutions solve our authorization challenge?

Jan 14, 2025

We’re back after a long holiday🎅hiatus. The writers behind this newsletter were lucky enough to take some time off and enjoy the holidays with friends and family. Some of us even had time to catch up on some classic movies. I still do not know whether Die Hard is a Christmas movie but it sure has a lot of things to do with access control. Or a lack of it, I should say.

There is a reason Hollywood hasn’t handed the studio keys to our merry band of authorization nerds: our movies would be as riveting as the films in the Invention of Lying.

Enough gobbledygook, let’s get to work. Without further ado, here’s a summary of the flurry of activity from the past six weeks.

Gartner IAM Grapevine 2024

The last major event of the year saw authorization step up to the plate at Gartner’s Identity & Access Management summit in surprisingly overcast and grey Grapevine.

The Summit focused on authorization and brought several key insights:

Emerging Standards: OpenID AuthZEN was highlighted as the next step in authorization standards.
Externalized Authorization Architectures: Techniques like Attribute-Based Access Control (ABAC) and Relationship-Based Access Control (ReBAC) were discussed.
API Access Control: The importance of fine-grained authorization for APIs was emphasized.
Authorization for GenAI / RAG: The intersection of Generative AI and IAM, including access control for Retrieval-Augmented Generation (RAG), was explored.

For more insights, check out Omri Gazitt’s fantastic summary of the event. And be sure to check out Gartner IAM London in March 2025. There’s a slim chance the weather might be better (who knew?).

And here’s my take on Gartner a week prior to the event.

Lastly, this paragraph would be incomplete without our deepest thanks to Eve Maler of Venn Factory for hosting a fantastic ABACBQ. Read more here.

Venn Factory: The Workshop

Goings-On at the Factory

As Venn Factory wraps up its very first year and gears up for exciting things in 2025, I thought it would be a great time to share some of what we’ve been up to in the last few months…

6 months ago · 1 like · Eve Maler

We are failing already

The Department of Health & Human Services (HHS) maintains a website where all breaches of a certain size must be disclosed. Sadly, there are already 4 breaches reported, all within the first five days of the year. And this is only for the healthcare sector in the US.

On the other side of the pond, Telefonica, the Spanish telco, confirmed a data breach involving its internal Jira ticketing system, with stolen data leaked online. Hackers used compromised employee credentials to access and scrape 2.3 GB of internal data. [Read more].

To be fair, this isn’t about authorization per se: stolen credentials mean users can be impersonated (think Catch me if you can). But, hopefully, we’ll be able to put in authorization systems that will limit the blast radius and proactively report on unusual behavior (like downloading 2.3GB of data).

OpenID is the place to be

With regards to authorization, there are 2 key working groups at OpenID.

OpenID AuthZEN

My co-chairs, Gerry Gebel of Strata, Omri, and I put together a roadmap for 2025 and we need your help to make it a reality. This is a call to arms. If you are a software developer or architect, a product owner, a SaaS vendor or a COTS, now’s the time to externalize authorization. If you are a consumer, an enterprise buying software, demand your providers adopt AuthZEN much like they adopted SSO, SAML, and OAuth a decade ago.

Check out the roadmap on HackMD. All comments are welcome.

Omri and I presented the latest AuthZEN results during one of the later sessions of Gartner. You can check the slides out here.

Shared Signals Framework

Shared Signals: Gartner IAM London was host to a 6-session interop event led by our peer,

Atul Tulshibagwale

. He was joined on stage by

Felix Gaehtgens

and Erik Wahlström of Gartner to explain the benefits of CAEP and RISC. Read more here.

Resolutions & Predictions

Here are some of the industry’s predictions (both past and future).

SGNL: Our IAM predictions: how did they hold up in 2024?
Aserto: Authorization in 2024: Year in Review
Digicert: DigiCert Unveils 2025 Security Predictions
KuppingerCole’s 2024 Highlights: Milestones, Innovations, and Future Focus

Conclusion

2025 is going to be a busy year. Most of the Authorization gang will be at Gartner IAM (London and Texas) as well as Identiverse and the European Identity Conference (the CfP is open until the end of the month). Come see us, ask questions, join our merry band, and secure the world one step at a time.

See you soon.

Authorization Clipping Service

Discussion about this post