Authorization seems to still be one of the dirty secrets of IT. There is a lot of work around managing identities and accessing them. There are standards for that, like LDAP, SPML or SCIM. There is a lot of work done around managing authentication, with far too many standards like OAuth, OpenID, Kerberos, and all the others. Vendors are heavily investing, startups are popping up, and end user organizations are jumping on that topic.
However, when it comes to authorization, there are only few vendors engaged. There is a standard - XACML is the common language for authorization. There are some additional standards like RBAC NIST which are limited both in what they cover and how good they are to use in practice. But if you look at end user organizations, there are still few really jumping on that train.
On the other hand, there are three major drivers for putting more emphasis on solving the authorization problem:
1) IT has to support more users, especially end users. But they are all accessing the same systems and information. Thus, authorization has to be far more granular and flexible. A key to agile business is the ability to manage this better than today.
2) Regulatory Compliance is about managing access. It is about authorization. Better authorization helps meeting the requirements in that space.
3) Applications are increasingly distributed and we need an efficient approach to manage authorization for all applications. Just using SCIM or SAML with a SaaS application like salesforce.com isn't sufficient when we still have to manage all the authorization rules using the proprietary management interfaces or APIs of the SaaS provider. We need to provide rules.
Thus, authorization has to change. It has to get cloud-ready (and not only that), to support all the users from the Cloud, all the apps in the Cloud, and all the new regulatory requirements which will pop up due to the inherent risks of the Cloud.
This is a challenge for both Cloud Service Providers and End User Organizations. They have to adopt the way they are doing authorization.
This session will talk about what you have to do for a Cloud Ready Authorization Architecture and how that could look like.
