Authorization Landscape

Methods, models, frameworks, and standards used to manage access control

The authorization landscape refers to models, languages, and technologies used to enforce security policies, restrict access to data, and ensure that only authorized individuals or systems can perform specific actions on resources.

Let's start with the main models:

  • Discretionary Access Control (DAC): In DAC, the owner of a resource (e.g., a file or folder) has the authority to grant or revoke access to other users. Access Control Lists (ACLs) are often used as a means to implement DAC.

  • Mandatory Access Control (MAC): In MAC, access is determined by system-enforced policies based on security labels (such as classifications) and is not controlled by resource owners.

  • Role-Based Access Control (RBAC): One of the most widely used models, RBAC grants access to resources based on the roles a user has within an organization. Each role is associated with a set of permissions.

  • Attribute-Based Access Control (ABAC): In ABAC, access decisions are made based on attributes of users, resources, actions, and environmental conditions. ABAC offers fine-grained control but is often more complex to manage than RBAC.

  • Relationship-Based Access Control (ReBAC): This model bases access control decisions on the relationships between entities (such as users, objects, or data). This is especially useful in systems like social networks or collaboration platforms where access depends on user-to-user or user-to-resource relationships.

Authorization Languages:

  • XACML (eXtensible Access Control Markup Language): An open standard for defining fine-grained access control policies.

  • REGO (Open Policy Agent): The policy language used in the Open Policy Agent (OPA).

  • Zanzibar: Google's authorization system that implements a Relationship-Based Access Control (ReBAC) model, used to manage access at a large scale. Zanzibar inspired several systems focused on fine-grained authorization.

  • CEDAR: A newer, open-source language introduced by AWS for defining authorization policies.

  • OAuth 2.0 Rich Authorization Requests (RAR): more of a protocol extension than a language, but also part of the fine-grained authorization field.
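To make the ReBAC model and Zanzibar-style relation tuples concrete, here is a small added example (not code from this page or from Google's Zanzibar) of a permission check that follows nested usersets, implied relations and parent-folder inheritance. The tuples, the namespace rewrite rules and all object and user names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: relation tuples in the Zanzibar form object#relation@user.
# A subject may itself be a userset ("group:eng#member"), which is what makes the
# model relationship-based rather than a flat per-object ACL.
TUPLES = [
    "doc:roadmap#owner@user:alice",
    "doc:roadmap#parent@folder:planning",
    "folder:planning#viewer@group:eng#member",
    "group:eng#member@user:bob",
]

# Hypothetical namespace configuration (userset rewrite rules), modelled on
# Zanzibar's computed_userset / tuple_to_userset ideas:
#   - on doc, owner implies editor, and editor implies viewer
#   - a doc's viewers also include the viewers of its parent folder
IMPLIED = {("doc", "viewer"): ["editor"], ("doc", "editor"): ["owner"]}
VIA_PARENT = {("doc", "viewer"): ("parent", "viewer")}

def load(tuples):
    rel = defaultdict(set)          # (object, relation) -> set of subjects
    for t in tuples:
        obj_rel, subject = t.split("@", 1)
        obj, relation = obj_rel.split("#", 1)
        rel[(obj, relation)].add(subject)
    return rel

def check(rel, obj, relation, user, depth=0):
    """Return True if `user` is a member of the userset obj#relation."""
    if depth > 16:                  # guard against cyclic group membership
        return False
    ns = obj.split(":", 1)[0]       # namespace, e.g. "doc" or "folder"
    for subject in rel.get((obj, relation), ()):
        if subject == user:         # direct tuple
            return True
        if "#" in subject:          # nested userset, e.g. group:eng#member
            s_obj, s_rel = subject.split("#", 1)
            if check(rel, s_obj, s_rel, user, depth + 1):
                return True
    for stronger in IMPLIED.get((ns, relation), ()):   # owner -> editor -> viewer
        if check(rel, obj, stronger, user, depth + 1):
            return True
    if (ns, relation) in VIA_PARENT:                   # inherit from parent folder
        link, parent_rel = VIA_PARENT[(ns, relation)]
        for parent in rel.get((obj, link), ()):
            if check(rel, parent, parent_rel, user, depth + 1):
                return True
    return False
```

With these tuples, bob can view doc:roadmap only because of the group and folder relationships, while he is not an editor; a single revoked tuple (his group membership) removes the access without touching the document itself.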

Current trends:

  1. Zero Trust Architecture: Modern security models, such as Zero Trust, assume that no actor, system, or service should be automatically trusted. The Zero Trust model is driving innovations in how authorization is handled dynamically and contextually.

  2. Fine-Grained and Context-Aware Authorization: Increasingly, organizations are moving towards models like ABAC and ReBAC, which offer more granular and context-specific authorization rules. This allows organizations to define policies that take into account not just who is accessing a resource, but also attributes like location, device type, and time of day.

  3. Authorization as a Service: There is a growing trend towards "Authorization as a Service," where organizations use external services to handle authorization logic rather than building custom solutions.

  4. Interoperability and Standards: The authorization landscape is moving towards greater standardization and interoperability, much like the authentication landscape did a decade ago.
