You’re On a Roll, Don’t Stop At App-Level Authorization

Session Details

Benefiting from standards such as FIDO U2F, CTAP and WebAuthn, strong authentication now looks within reach. If your team has begun, or even completed, this next stage of your identity program's maturation, congratulations!

But does authentication by itself deliver the security outcome we want? What a user can do once they are authenticated governs much of the risk. A strongly authenticated user's session may be hijacked; the user may be physically threatened or socially engineered into giving up their credentials; or the user may simply be a disgruntled or malicious insider. Without good control over what a user can access after authentication, any of these scenarios can cause enormous damage.

Today, access control is most often enforced at a coarse-grained, app-level granularity, typically based on centrally defined roles that each app then interprets in its own local decisions. Those local decisions are rarely based on a complete view of the user, the access need and the other applicable business context. The result is usually an overly permissive environment that exposes the organization to enormous potential harm from unwarranted access. Dynamic, fine-grained authorization can therefore deliver materially greater security.

In this session, we will review why authorization is the natural next step for authentication teams. We will survey existing authorization models such as RBAC and ABAC, discuss externalized authorization, and look at existing standards and tools such as XACML, OPA, Rego and OSO. We will then cover best practices for achieving fine-grained authorization at enterprise scale.