We’re back after a long holiday🎅hiatus. The writers behind this newsletter were lucky enough to take some time off and enjoy the holidays with friends and family. Some of us even had time to catch up on some classic movies. I still do not know whether Die Hard is a Christmas movie but it sure has a lot of things to do with access control. Or a lack of it, I should say.
There is a reason Hollywood hasn’t handed the studio keys to our merry band of authorization nerds: our movies would be as riveting as the films in The Invention of Lying.
Enough gobbledygook, let’s get to work. Without further ado, here’s a summary of the flurry of activity from the past six weeks.
Gartner IAM Grapevine 2024
The last major event of the year saw authorization step up to the plate at Gartner’s Identity & Access Management summit in surprisingly overcast and grey Grapevine.
The Summit focused on authorization and brought several key insights:
Emerging Standards: OpenID AuthZEN was highlighted as the next step in authorization standards.
Externalized Authorization Architectures: Techniques like Attribute-Based Access Control (ABAC) and Relationship-Based Access Control (ReBAC) were discussed.
API Access Control: The importance of fine-grained authorization for APIs was emphasized.
Authorization for GenAI / RAG: The intersection of Generative AI and IAM, including access control for Retrieval-Augmented Generation (RAG), was explored.
For more insights, check out Omri Gazitt’s fantastic summary of the event. And be sure to check out Gartner IAM London in March 2025. There’s a slim chance the weather might be better (who knew?).
And here’s my take on Gartner a week prior to the event.
Lastly, this paragraph would be incomplete without our deepest thanks to Eve Maler of Venn Factory for hosting a fantastic ABACBQ. Read more here.
We are failing already
The Department of Health & Human Services (HHS) maintains a website where all breaches of a certain size must be disclosed. Sadly, there are already 4 breaches reported, all within the first five days of the year. And this is only for the healthcare sector in the US.
On the other side of the pond, Telefonica, the Spanish telco, confirmed a data breach involving its internal Jira ticketing system, with stolen data leaked online. Hackers used compromised employee credentials to access and scrape 2.3 GB of internal data. [Read more].
To be fair, this isn’t about authorization per se: stolen credentials mean users can be impersonated (think Catch Me If You Can). But, hopefully, we’ll be able to put in authorization systems that limit the blast radius of a compromised account and proactively report on unusual behavior (like downloading 2.3 GB of data).
OpenID is the place to be
With regard to authorization, there are two key working groups at the OpenID Foundation.
OpenID AuthZEN
My co-chairs, Gerry Gebel of Strata, Omri, and I put together a roadmap for 2025 and we need your help to make it a reality. This is a call to arms. If you are a software developer or architect, a product owner, or a SaaS or COTS vendor, now’s the time to externalize authorization. If you are a consumer or an enterprise buying software, demand that your providers adopt AuthZEN much like they adopted SSO, SAML, and OAuth a decade ago.
Check out the roadmap on HackMD. All comments are welcome.
Omri and I presented the latest AuthZEN results during one of the later sessions of Gartner. You can check the slides out here.
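To make the two points above concrete, here is an added example that is not code from this newsletter, the OpenID AuthZEN working group, or any vendor: a toy policy decision point (PDP) that answers evaluation requests shaped like AuthZEN’s subject / action / resource / context tuple. It combines a relationship-based rule (a user may read a ticket only if they belong to the ticket’s project) with the blast-radius control mentioned in the Telefónica paragraph: a per-subject budget on bytes read in a sliding window, so a stolen credential cannot quietly scrape gigabytes. The membership tuples, ticket metadata, budget and window are constructed for the example, and the request field names follow my reading of the AuthZEN draft; verify them against the current spec before reusing.

```python
"""Toy AuthZEN-style PDP: ReBAC rule plus a read-volume blast-radius check.

Added illustration, not code from the newsletter or the AuthZEN WG. The
request/response field names are assumed from the AuthZEN draft; all data
and thresholds below are constructed for the example.
"""
from collections import defaultdict, deque

# Constructed ReBAC tuples: (project, member user id)
MEMBERSHIP = {
    ("proj-billing", "alice"),
    ("proj-core", "bob"),
}

# Constructed resource metadata: ticket id -> (owning project, size in bytes)
TICKETS = {
    "T-1": ("proj-billing", 1_000_000),
    "T-2": ("proj-billing", 1_000_000),
    "T-3": ("proj-billing", 1_500_000),
    "T-4": ("proj-core", 200_000),
}

DEFAULT_BYTE_BUDGET = 50_000_000  # assumed: 50 MB per subject per window
DEFAULT_WINDOW_SECONDS = 3600     # assumed: one-hour sliding window


def make_request(subject_id, ticket_id, now):
    """Build an AuthZEN-shaped evaluation request (field names assumed)."""
    return {
        "subject": {"type": "user", "id": subject_id},
        "action": {"name": "can_read"},
        "resource": {"type": "ticket", "id": ticket_id},
        "context": {"time": now},  # epoch seconds supplied by the PEP
    }


class PDP:
    def __init__(self, byte_budget=DEFAULT_BYTE_BUDGET, window=DEFAULT_WINDOW_SECONDS):
        self.byte_budget = byte_budget
        self.window = window
        self._reads = defaultdict(deque)  # subject id -> deque of (time, bytes)
        self.alerts = []                  # what a SIEM or Shared Signals sink would get

    def _bytes_in_window(self, subject_id, now):
        q = self._reads[subject_id]
        while q and q[0][0] <= now - self.window:  # drop reads older than the window
            q.popleft()
        return sum(size for _, size in q)

    def evaluate(self, request):
        subject_id = request["subject"]["id"]
        action = request["action"]["name"]
        resource = request["resource"]
        now = request.get("context", {}).get("time", 0)

        def deny(reason):
            return {"decision": False, "context": {"reason": reason}}

        if action != "can_read" or resource.get("type") != "ticket":
            return deny("unsupported action or resource type")
        ticket = TICKETS.get(resource.get("id"))
        if ticket is None:
            return deny("unknown resource")
        project, size = ticket

        # 1. ReBAC: the subject must be related to the ticket's project.
        if (project, subject_id) not in MEMBERSHIP:
            return deny("subject is not a member of the ticket's project")

        # 2. Blast radius: budget on bytes read per subject per window.
        spent = self._bytes_in_window(subject_id, now)
        if spent + size > self.byte_budget:
            self.alerts.append({"subject": subject_id, "bytes_in_window": spent,
                                "attempted": size, "time": now})
            return deny("read volume budget exceeded")

        self._reads[subject_id].append((now, size))
        return {"decision": True}


def run_demo(byte_budget=3_000_000, window=3600):
    """Replay a constructed sequence of reads; returns (decisions, alerts)."""
    pdp = PDP(byte_budget=byte_budget, window=window)
    sequence = [
        ("alice", "T-1", 0),     # member, within budget     -> allow
        ("alice", "T-2", 10),    # member, within budget     -> allow
        ("alice", "T-3", 20),    # would exceed 3 MB budget  -> deny + alert
        ("bob", "T-1", 30),      # not a member of billing   -> deny
        ("bob", "T-4", 40),      # member of core            -> allow
        ("alice", "T-3", 3700),  # earlier reads aged out    -> allow
    ]
    decisions = [pdp.evaluate(make_request(s, t, ts))["decision"] for s, t, ts in sequence]
    return decisions, pdp.alerts


if __name__ == "__main__":
    decisions, alerts = run_demo()
    print("decisions:", decisions)
    print("alerts:", alerts)
```

The point of putting the volume budget in the PDP rather than in each application is the same as the point of externalizing authorization at all: one place to tune the threshold, one place that sees every read across applications, and one place that can emit the alert (or a CAEP-style signal) when a session starts behaving like a scraper.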
Shared Signals Framework
Shared Signals: Gartner IAM London was host to a six-session interop event led by our peer, . He was joined on stage by  and Erik Wahlström of Gartner to explain the benefits of CAEP (Continuous Access Evaluation Profile) and RISC (Risk Incident Sharing and Coordination). Read more here.
Resolutions & Predictions
Here are some of the industry’s predictions (both past and future).
KuppingerCole’s 2024 Highlights: Milestones, Innovations, and Future Focus
Conclusion
2025 is going to be a busy year. Most of the Authorization gang will be at Gartner IAM (London and Texas) as well as Identiverse and the European Identity Conference (the CfP is open until the end of the month). Come see us, ask questions, join our merry band, and secure the world one step at a time.
See you soon.