The Next Wave of Implementing Zero Trust: Moving from Authentication to Authorization

As organizations seek to continue down the zero trust journey by establishing effective, secure management of resources in the cloud and on-prem, authentication (i.e., who are you) and authorization (i.e., what can you do) are both mission-critical. To maximize workforce productivity, organizations need to provide streamlined, frictionless, user-friendly access to enterprise applications, data stores, and other resources. And to deliver secure, seamless digital experiences to customers—while protecting their privacy—companies need to provide a consistent access experience that makes sure customer data stays in the right hands. But productivity and efficiency need to be balanced with security, so enterprises can protect sensitive data and meet compliance and privacy requirements. Carefully managing authentication and authorization empowers you to securely accelerate value from your data, for any team in the organization.

On the authentication front, we’ve come a long way: modern cloud identity systems with federated single sign-on and multi-factor authentication are now commonplace. But authorization—the ability to manage who can and should take what action on what data—continues to be a challenge. Specifically, many organizations don’t yet have the tools they need to manage fine-grained data access permissions, and risky practices like upon-request over-provisioning (e.g., to streamline a “trusted user’s” access into applications and data stores when the need arises) effectively increase a company’s attack surface, raising the risk of fraudulent behavior like the exfiltration of sensitive data or a ransomware attack. Ultimately, authorization is the real source of truth in understanding who has access to what.

In this post, we discuss the progress to date of authentication and authorization, with a focus on how authorization has become a critical priority for establishing true end-to-end security.

Phase 1: Authentication

Authentication definitively identifies a user – a necessary first step toward allowing them access to a requested resource. Technologies to mitigate this sometimes cumbersome process are in widespread use, including single sign-on (to make authentication into multiple resources both more secure and efficient) and multi-factor authentication (to make it safer). But a growing challenge for managing authentication is the rapid proliferation of identity types. Today, the typical hybrid workforce can include accounts and people who don’t exist in your identity system, like contingent workers, consultants, suppliers, and partners, as well as non-human identities like service accounts, bots, and devices. The complexity is growing.

A longstanding challenge for authentication was overcoming the use of weak or easily guessed passwords, and organizations today often implement multi-factor authentication to provide another layer of validation that a user requesting access is who they claim to be. Early MFA typically relied on a one-time passcode (OTP) delivered through SMS or hard tokens, followed by authenticator apps that support push notifications; more recently it has evolved into passwordless authentication, which eliminates passwords altogether through biometrics and advanced authentication solutions like FIDO 2.0 (powered by public-key cryptography). However, compatibility with older systems often prevents wholesale migration to these new authentication techniques. The sad reality is that passwords, at least for some applications, will be with us for a very long time.

Increasingly, organizations are deploying solutions that leverage many of these authentication approaches, enforcing step-up/adaptive authentication in support of a zero trust strategy. A smart assessment of the risk factors associated with any access request (e.g. the geographic location of the user, the source IP address, time of day, etc.) can be combined with the sensitivity of the target data to trigger re-authentication of the requesting user/identity or require an additional authentication factor to increase the certainty the request is valid. This allows security teams to implement flexible policies that can be tuned to the right balance of security and “being invisible to the user” for a given application.
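The step-up decision described above can be sketched as follows. This is an added example, not code from the original post or from any product; the signal weights, thresholds, networks, and resource names are assumptions chosen for illustration.

```python
# Added illustration: risk-adaptive step-up authentication.
# All names, weights and thresholds are assumptions for this sketch.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]   # constructed: corporate range
USUAL_COUNTRIES = {"alice": {"US"}}              # constructed: per-user baseline
SENSITIVITY = {"wiki": 1, "source_code": 2, "customer_pii": 3}

@dataclass
class AccessRequest:
    user: str
    source_ip: str
    country: str
    when: datetime
    resource: str
    mfa_age_minutes: int  # minutes since the last successful MFA

def risk_score(req: AccessRequest) -> int:
    """Sum the risk signals named in the text: location, source IP, time of day."""
    score = 0
    if not any(ip_address(req.source_ip) in net for net in TRUSTED_NETWORKS):
        score += 2
    if req.country not in USUAL_COUNTRIES.get(req.user, set()):
        score += 3
    if not 7 <= req.when.hour < 20:
        score += 1
    return score

def decide(req: AccessRequest) -> str:
    """Combine request risk with data sensitivity to pick an authentication demand."""
    sensitivity = SENSITIVITY.get(req.resource, 3)  # unknown resources: most sensitive
    exposure = risk_score(req) * sensitivity
    if exposure >= 12:
        return "require_additional_factor"
    # Moderate exposure, or stale MFA on the most sensitive data, forces a fresh login.
    if exposure >= 4 or (sensitivity == 3 and req.mfa_age_minutes > 60):
        return "reauthenticate"
    return "allow"
```

Lowering the two thresholds in `decide` makes the policy stricter for an application; raising them makes it less visible to the user.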

Phase 2: Authorization

Once a user has been securely authenticated, the next questions are which resources that user can access and what they can do with that access; this is where authorization takes over. For organizations, authorization is defined by enterprise policies that govern exactly what data and capabilities each user and/or role should have access to, and what actions authorized persons can take on that data or using those capabilities. As a best security practice, these authorization policies should be as restrictive as possible for that person or service, limiting each user’s access to only the specific applications/data resources and associated actions required by their job responsibilities: no more, no less. This is commonly known as the “least privilege” principle, and it’s a critical guideline in keeping enterprise data safe.

Defining and maintaining least privilege for the entire workforce, across each user’s lifecycle from the day they arrive until the day they leave, is a huge challenge. Workforces are dynamic by their nature: employees are promoted, change departments or roles, get new project assignments, and become ex-employees or contractors. Managers get granted “temporary” access to all of an employee’s data when that employee leaves, but fear of breaking an unknown business process often prevents consistent clean-up of these permissions. For an enterprise to maintain least privilege, these “change events” should automatically trigger a real-time revision of access entitlements, to ensure that each user is always provisioned with the access they need. In reality, that seldom happens at a typical enterprise. Birthright entitlements are often automated, but changes are much more often missed, and it’s critically important to get this right for scaling security with a growing organization.

Another challenge: access entitlement governance requires authoritative, automatic sources for status. Available Identity Governance and Administration (IGA) solutions, for example, can use an actively updated Human Resources application as the source of truth for employee status. More often than not, Active Directory is the source of truth for system access, and the connection to HR systems is a manual process. But automated access entitlement changes are only as accurate as the status updates that feed them, and these human-provided updates can often be incomplete or missing, particularly for nontraditional elements of your workforce that your HR app or identity system may not cover, like contingent workers, partners, and non-human identities (like service accounts).

Multiple approaches have evolved over the years to simplify the complexities of fine-grained access management at scale by logically aggregating common access entitlements. With role-based access control (RBAC), for example, groups of necessary access entitlements were gathered into defined roles, and those roles were assigned to users, typically by functional area. This is the most common approach in the real world, but it is missing the critical flexibility of being able to accommodate project-based permissions. Users with the same title and functional role often need vastly different permissions depending on what they are working on; this changes much more rapidly than roles do, and requires much deeper knowledge to scope appropriately.

Attribute Based Access Control (ABAC) and Policy Based Access Control (PBAC) solutions have emerged to replace RBAC and support more dynamic access granting. These approaches leverage authoritative identity data called attributes to make informed, real-time decisions regarding access to a requested resource. As the attributes associated with any identity change, that user’s access dynamically changes, in accordance with applicable policies. Organizations find these frameworks challenging for different reasons, mostly because it is difficult to understand how all the different potential conditions can interact in different situations. Each attribute-based rule can make sense in isolation, but it is very hard to see what the sum total effect of ALL the rules can be.
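To make the "sum total effect" concrete, the added example below (not from the original post) evaluates three attribute rules that each look reasonable alone and enumerates every resulting grant. The identities, resources, rule names, and the deny-overrides combining choice are all assumptions constructed for illustration.

```python
# Added illustration: enumerate the combined effect of ABAC rules.
# Rules, attributes and identities below are constructed for this sketch.
from itertools import product

SUBJECTS = {
    "dana": {"type": "employee", "dept": "engineering", "projects": {"apollo"}},
    "raj":  {"type": "contractor", "dept": "engineering", "projects": {"apollo"}},
    "mei":  {"type": "employee", "dept": "finance", "projects": set()},
}
RESOURCES = {
    "apollo-repo":   {"kind": "source_code", "project": "apollo", "class": "internal"},
    "apollo-export": {"kind": "customer_data", "project": "apollo", "class": "confidential"},
    "payroll-db":    {"kind": "customer_data", "project": None, "class": "restricted"},
}
ACTIONS = ("read", "write")

# Each rule: (name, effect, predicate(subject, resource, action)).
RULES = [
    ("eng-source", "permit",
     lambda s, r, a: s["dept"] == "engineering" and r["kind"] == "source_code"),
    ("project-read", "permit",
     lambda s, r, a: a == "read" and r["project"] in s["projects"]),
    ("no-contractor-restricted", "deny",
     lambda s, r, a: s["type"] == "contractor" and r["class"] == "restricted"),
]

def evaluate(subject, resource, action):
    """Deny-overrides combining: any matching deny wins; no match means deny."""
    matched = [(n, e) for n, e, p in RULES if p(subject, resource, action)]
    denies = [n for n, e in matched if e == "deny"]
    if denies:
        return False, denies
    permits = [n for n, e in matched if e == "permit"]
    return bool(permits), permits

def effective_access():
    """Return {(subject, resource, action): [granting rules]} for every grant."""
    grants = {}
    for (sn, s), (rn, r), a in product(SUBJECTS.items(), RESOURCES.items(), ACTIONS):
        allowed, why = evaluate(s, r, a)
        if allowed:
            grants[(sn, rn, a)] = why
    return grants

def contractor_customer_data(grants):
    """Review query: which contractors reach customer data, and via which rule?"""
    return {k: v for k, v in grants.items()
            if SUBJECTS[k[0]]["type"] == "contractor"
            and RESOURCES[k[1]]["kind"] == "customer_data"}
```

Here the project rule lets a contractor read a customer export that the contractor deny rule never covers, which only shows up once the full matrix is computed.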

Overall, reliable, secure, automated authorization is a complex business, particularly at scale. Some common limitations include:

• Lack of visibility. Very few organizations have a complete understanding of everything they have authorized access to. Understanding is typically limited to the systems that support automated access provisioning and deprovisioning, or to AD group membership—and that’s not enough. How can you manage something without even knowing what it is?

• Limited understanding of what permissions mean in plain language. Even when accurate information can be assembled about what permissions exist, they often are expressed in deeply technical, system-specific jargon and terminology. How many of us as managers have had the experience of doing user access reviews and just clicking “Approve” because it’s the path of least resistance, even though we don’t really know what we just approved?

• Identities Outside Employees. Authoritative sources for identity and status may not exist for some nonemployee identities, like contingent workers, partners, service accounts, bots, and devices, making it difficult for admins to easily see and manage permissions.

• Granularity of Permissions Visibility to the Data Level. Even when permissions are visible, they often stop short of being useful. Visibility usually goes only to the level of a role or group name. But what data is potentially exposed if someone is a member of that group or role? Do these groups and roles allow a member to see, edit, or delete source code or customer data? It’s usually not clear, and everyone hopes that the roles and groups were scoped properly and mean what everyone thinks they mean… but what if they don’t?
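The added example below (not from the original post, and not a description of any product's internals) shows one way to answer the questions in the last three bullets: it expands nested group membership for human and non-human identities down to individual data resources and translates system permissions into the plain verbs see, edit, and delete. The group names, grants, and resources are constructed for illustration.

```python
# Added illustration: expand group membership down to data-level permissions.
# Identities, group names, grants and resources are constructed for this sketch.
IDENTITIES = ("lee", "svc-reporting")   # one person, one service account
MEMBER_OF = {                           # identity or group -> groups it belongs to
    "svc-reporting": ["analytics"],
    "lee": ["dev-team"],
    "dev-team": ["engineering"],
    "engineering": ["all-staff", "dev-team"],   # cycle on purpose: must not loop
    "analytics": ["all-staff"],
}
GRANTS = {                              # group -> [(resource, system permission)]
    "dev-team": [("s3://builds", "s3:PutObject"), ("s3://builds", "s3:GetObject")],
    "engineering": [("s3://customer-exports", "s3:DeleteObject")],
    "analytics": [("warehouse.customers", "SELECT")],
    "all-staff": [("s3://handbook", "s3:GetObject")],
}
# System-specific permission names mapped to plain language.
PLAIN = {"s3:GetObject": "see", "SELECT": "see", "s3:PutObject": "edit",
         "UPDATE": "edit", "s3:DeleteObject": "delete", "DELETE": "delete"}

def groups_of(identity):
    """All direct and inherited groups, tolerating cyclic nesting."""
    seen, stack = set(), list(MEMBER_OF.get(identity, []))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(MEMBER_OF.get(group, []))
    return seen

def data_access(identity):
    """Return {resource: {plain verb: [groups granting it]}} for one identity."""
    result = {}
    for group in sorted(groups_of(identity)):
        for resource, perm in GRANTS.get(group, []):
            verb = PLAIN.get(perm, f"unknown({perm})")  # never hide unmapped permissions
            result.setdefault(resource, {}).setdefault(verb, []).append(group)
    return result

def who_can(verb, resource):
    """Reverse question for a reviewer: which identities can <verb> <resource>?"""
    return sorted(i for i in IDENTITIES if verb in data_access(i).get(resource, {}))
```

In this constructed data, `lee` is a direct member of `dev-team` only, yet can delete customer exports through the nested `engineering` group, which is the kind of exposure a group name alone does not reveal.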

All these challenges beg the question of why these gaps still exist. Authorization is not a new concept, after all. But I believe that the increased maturity of modern authentication technology and deployments has opened the door for a similar renaissance in authorization. Solving authorization is much more complex and challenging, but the value to organizations is much greater as well. In addition, to date the tools to effectively see and manage authorization frankly haven’t existed, except in a few forward-thinking organizations that have built their own tools with their own developers to solve this problem. Security companies across multiple areas (like IGA, PAM, and IAM to name a few) have built pieces of the solution for authorization, but all have stopped short. Until now.

Mastering authentication was step one. Time to modernize your authorization—and truly secure your enterprise data—with Veza.

At Veza, our mission is to help organizations trust confidently, so they can unlock the value of their data. Our data security platform built on the power of authorization enables companies to efficiently secure their cloud data systems through comprehensive visibility and management over data access permissions across all identities, human and non-human. We provide organizations the ability to streamline the management of key data security initiatives across privileged access, data lake governance, entitlement management, and more.

To learn more about incorporating Veza into your data security initiatives, visit us at