Even though some experts in the industry still regard authorization management as something of a “rocket science”, the year 2008 has shown significant evolution in that field. New vendors like Rohati have entered the market, others like Bitkoo appeared a little earlier, and some of the big vendors like Oracle and CA are actively pushing their technologies as well.

There are others like the Italian Engiweb which even today have a strong customer base in that field. And not to forget Microsoft, whose “Geneva” framework addresses authorization aspects as well. Besides this, IRM (Information Rights Management) became more visible, with joint announcements by RSA and Microsoft and the increased flexibility beyond Windows infrastructures that Microsoft’s own RMS (Rights Management Services) will gain with “Geneva”.

There are three interesting observations to make:

  1. Today’s authorization approaches are too limited to fulfill today’s requirements from a GRC as well as from an administrative perspective. The best example is Microsoft SharePoint, with now dozens of solutions which try to manage SharePoint security.
  2. There are many new (or at least relatively new and right now more visible) approaches for authorization than ever before.
  3. Software developers and architects more and more understand the requirement for externalizing authentication and authorization decisions from their applications.

Simplified: The world of authorization is changing.

Thus, organizations have to define new authorization strategies. That is especially important because every single investment in a point solution for authorization, at whatever level, is a risk. Without a valid, long-term authorization strategy these investments might turn out to be non-strategic.

The target of an authorization strategy
The basic idea of an authorization strategy is to minimize and standardize the layers for authorization, i.e. to avoid too many different, uncoordinated approaches for authorization. Today, authorization is done at many different levels and usually on a per-system basis – the latter is not necessarily wrong but tends to become complicated, as probably everyone knows from the management of ACLs (Access Control Lists) in a Windows Server environment.

An authorization strategy should lead to a clearly defined approach for authorization which is, in effect, also the interface for policies. It is virtually impossible to implement a consistent policy-based approach for managing authorizations without a limited and well-structured number of authorization systems to control. In a heterogeneous, unstructured environment, centralized policy-based approaches for authorization management are likely to fail.

The benefits of an authorization strategy are, amongst others, reliable access controls (relevant for fulfilling GRC requirements), reduced administrative costs, reduced investments (compared with the investment into multiple technologies for authorization management without a clear guideline), and a higher level of security.

The elements of an authorization strategy
Such an authorization strategy has to cover the entire IT environment, i.e. specific applications as well as the infrastructure systems themselves. There might be several building blocks to support different types of systems and applications – but there should be one strategy. The approach is to optimize the number of authorization layers without creating security holes – done right, the strategy will instead close such holes.

Thus, such a strategy has to define

  • the requirements for authorization for different classes of systems and applications
  • the interfaces and standards for policies to control authorization (even while there might be some aspects left open due to the lack of well established and mature standards)
  • the responsibilities for authorization management
  • the integration to other elements of the overall Security/IAM/GRC strategy and management

The strategy isn’t about deciding which systems and applications shall be covered or not – any application and system has to be covered, for example by local management or security mechanisms at the network level.

Options for authorization
Over the course of the last 12 to 18 months, several new approaches for authorization management appeared, adding to the already large number of existing technologies. A first segmentation of these different approaches is whether they are fully integrated at the level of the target systems or whether they are an additional layer in front of them.

Both types of authorization have advantages and disadvantages. Integrated approaches usually provide finer granularity but are more difficult to manage in a heterogeneous environment.

Integrated approaches are

  • System-level access controls of any type
  • Externalized authorization frameworks with full application integration, i.e. applications being aware of and actively using the external framework. There are platform-specific approaches like IBM RACF or Microsoft’s Authorization Manager as well as solutions which work across different types of environments (Bitkoo, Engiweb, and several others).

Non-integrated approaches are

  • Web Access Management (despite some options for integrating)
  • Network-level authorization management (like the approaches provided by Cisco/Securent or Rohati)
  • Network access control solutions, firewalls and other technologies which aren’t necessarily identity-aware

Somewhere in between we have Information Rights Management (IRM), i.e. the approach of attaching access controls directly to the information.

Besides this, there is an increasing number of solutions for the authorization management of either one platform (Microsoft SharePoint) or multiple platforms. These systems try to build a management layer on top of existing system-level access control approaches.

Another approach can be found in the field of DLP solutions (Data Leakage Prevention), with securing information at the device level and allowing access to specific information only for defined users.

Identity Federation and authorization standards like XACML are relevant as well, but they can be used in different ways. Federation separates authentication from authorization, but the question of how to manage those authorizations remains. Thus, even with federation we still need authorization management, where XACML might play a vital role – but that can be done in several different ways.
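To make the “externalized authorization framework” from the integrated approaches above and the federation/XACML point concrete, here is an added example that is not part of the original article and not the code of any vendor named here. It models the split that XACML describes: a Policy Enforcement Point (PEP) inside the application builds a request from the subject’s federated claims, the resource’s attributes and the action, and a Policy Decision Point (PDP) evaluates attribute-based rules with deny-overrides combining. The rule format, the attribute names (roles, classification, network) and the sample claims and policy are constructed assumptions in plain Python, not XACML XML.

```python
"""Externalized authorization, simplified: the application's Policy Enforcement
Point (PEP) delegates every access decision to a Policy Decision Point (PDP)
that evaluates attribute-based rules. The rule model (subject/resource/action/
environment attributes, Permit/Deny effects, deny-overrides combining) is a
reduced sketch of how XACML structures decisions, not XACML itself.
"""
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    """The attributes a PEP sends to the PDP. In a federated setup the subject
    attributes come from the identity provider's assertion (claims), so the
    application never authenticates the user itself."""
    subject: dict
    resource: dict
    action: dict
    environment: dict = field(default_factory=dict)


@dataclass
class Rule:
    effect: str  # PERMIT or DENY
    # category -> {attribute name -> set of acceptable values}
    match: dict

    def applies(self, request: Request) -> bool:
        for category, conditions in self.match.items():
            attrs = getattr(request, category)
            for name, accepted in conditions.items():
                value = attrs.get(name)
                # roles and similar attributes may be multi-valued
                values = set(value) if isinstance(value, (list, tuple, set)) else {value}
                if not values & set(accepted):
                    return False
        return True


class PolicyDecisionPoint:
    """Evaluates all rules and combines them with deny-overrides."""

    def __init__(self, rules: list):
        self.rules = rules

    def decide(self, request: Request) -> str:
        effects = {rule.effect for rule in self.rules if rule.applies(request)}
        if DENY in effects:
            return DENY
        if PERMIT in effects:
            return PERMIT
        return NOT_APPLICABLE


class PolicyEnforcementPoint:
    """The only authorization logic that lives inside the application."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def is_permitted(self, request: Request) -> bool:
        # Fail closed: NotApplicable (no matching rule) is treated like Deny.
        return self.pdp.decide(request) == PERMIT


# Constructed sample policy with assumed attribute names, not a real deployment.
SAMPLE_RULES = [
    # Any analyst or manager may read internal or public documents.
    Rule(PERMIT, {"subject": {"roles": {"analyst", "manager"}},
                  "resource": {"type": {"document"},
                               "classification": {"public", "internal"}},
                  "action": {"id": {"read"}}}),
    # Managers may also read confidential documents.
    Rule(PERMIT, {"subject": {"roles": {"manager"}},
                  "resource": {"type": {"document"},
                               "classification": {"confidential"}},
                  "action": {"id": {"read"}}}),
    # Nobody reads confidential documents from outside the corporate network;
    # with deny-overrides this beats the manager Permit above.
    Rule(DENY, {"resource": {"classification": {"confidential"}},
                "environment": {"network": {"external"}}}),
]


def read_document(pep: PolicyEnforcementPoint, claims: dict, document: dict,
                  network: str) -> str:
    """Application code: build the request from federated claims and the
    resource's attributes, enforce, and only then release the content."""
    request = Request(
        subject=claims,
        resource={"type": "document",
                  "classification": document["classification"]},
        action={"id": "read"},
        environment={"network": network},
    )
    if not pep.is_permitted(request):
        raise PermissionError(f"read denied for {claims.get('sub')}")
    return document["body"]


if __name__ == "__main__":
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(SAMPLE_RULES))
    # Constructed claims, shaped like what an identity provider would assert.
    manager = {"sub": "alice", "roles": ["manager"]}
    analyst = {"sub": "bob", "roles": ["analyst"]}
    secret = {"classification": "confidential", "body": "Q4 forecast"}
    print(read_document(pep, manager, secret, "internal"))
    for who, net in ((manager, "external"), (analyst, "internal")):
        try:
            read_document(pep, who, secret, net)
        except PermissionError as exc:
            print(exc)
```

The point of the split is that changing who may read confidential documents from an external network touches only the rule set, not the application; the same PDP can serve several applications, which is what keeps the number of authorization layers small. Note the PEP fails closed: a request no rule covers is refused rather than silently allowed.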

Overall, we find an impressive number of options for managing authorizations. The challenge is not to use too many different approaches but to standardize.

Authorization strategy – part of a bigger story
An authorization strategy is part of a bigger story. The story is about controlling access and enforcing information protection.

Beyond the technical level of how to manage authorizations in an efficient and effective manner there is the obvious relationship to the field of GRC. Authorization management is part of GRC as well, with focus on how to use business rules and business roles for the management of authorizations or entitlements.

The rules (and policies, where combined) defined at that level have to control the authorization management. Beyond the selection of technical approaches for authorization management, the strategy has to cover the interaction between the business control layer of GRC authorization management and the technologies used. The target is a consistent, policy-based approach across different systems in a heterogeneous environment.

An authorization strategy is also tied to any overall security strategy. That becomes obvious with the relationship to DLP or firewalls.

Even more, any move towards the “cloud”, e.g. SaaS (Software as a Service) and related approaches, has to be considered in an authorization strategy. It isn’t easy to protect information within the enterprise and its internal IT systems. But when moving beyond that domain, it becomes even harder.

An authorization strategy has to reflect that there isn’t a valid distinction between the internal network and the rest of the world any more. It has to work in any type of environment. And it has to be flexible enough to support changes like an increased mobility, new types of devices and the interaction with cloud services.

Defining an authorization strategy is a key initiative for 2009. The strategy will provide the guidelines for selecting technologies, optimizing the investments in a small range of technologies and improving the level of information protection an organization can achieve.