Authorization: What’s Missing from Cybersecurity Awareness Month
We just wrapped up Cybersecurity Awareness Month. As usual, it offered a great opportunity to bring much-needed visibility and, ideally, action to cybersecurity. Cybersecurity Awareness Month has been held annually in October since 2004. It is a joint initiative of the Department of Homeland Security and the National Cybersecurity Alliance.
See Yourself in Cyber
This year the theme for Cybersecurity Month was “See yourself in cyber,” which acknowledges how complex and esoteric cybersecurity can seem. That perceived complexity can lead people to eschew anything cybersecurity-related, because they think it’s only for cybersecurity professionals or that it’s too difficult to understand, let alone act on.
We’re thrilled to have seen cybersecurity humanized last month. That’s an important step in generating buy-in and participation at all levels of business. (After all, if you use any kind of device on any kind of network, you’re part of the cybersecurity landscape.) Still, as the month wrapped up, we noticed that most of the conversation revolved around authentication and left out a very important element: authorization.
Authorization vs. Authentication
Authorization (AuthZ) and authentication (AuthN) are often conflated, and understandably so. But they differ in critical ways. Authentication is about identity verification: Are you who you say you are? Ten years ago, authentication was all about usernames and passwords. In the last few years, widely adopted standards, MFA and federated single sign-on have improved authentication to the point where the dreaded password is slowly losing ground.
Once your identity is verified, you’ve been authenticated. But what happens next? That’s where authorization comes in. Instead of verifying who you claim to be, authorization decides what you can access. This applies to people, networks, devices, services — anything seeking access to data, a device, a network, an application or any other resource.
Authorization is an essential component of the cybersecurity landscape, but it hasn’t received nearly the attention it deserves. Last month, the organizers of Cybersecurity Awareness Month posted four key behaviors that individuals can adopt to better protect their data. Two of the four are about authentication, and none of them touches authorization:
- Enabling multifactor authentication
- Using strong passwords
- Updating software
- Recognizing and reporting phishing
These are all extremely important, but they’re not the whole story; they’re half the story. Another Cybersecurity Awareness Month has now come and gone without sufficient discussion of authorization. This blog is meant to change that.
Why Authorization Is Important Now
Without authorization, authentication merely provides point-in-time verification of who you are. It’s a simple allow/deny action. But as anyone who uses devices knows, a lot can happen after you’ve logged in.
Say I’m on a company device and have successfully authenticated with MFA. Great! I am who I say I am. But now I click a malicious link, and my situation has changed. If nothing re-evaluates whether my session should still be allowed to reach wherever that link leads, I’m in trouble, and I may be compromising my company as well as my own device.
Perhaps I switched networks, left the corporate firewall behind or was otherwise compromised. It doesn’t matter that my identity was correct when I last logged in. Things change, context changes, and that current context needs to feed into every authorization decision.
Now, more than ever, people are working, learning and connecting virtually. With ransomware having spiked during the pandemic and still gathering strength by the day, we’re at an inflection point: Either embrace authorization or accept that the breaches are going to keep getting worse.
Authorization continually answers the question: Can User X perform Operation Y on Resource R, given the current context of known information?
If not, User X is blocked from the action. When implemented correctly, authorization doesn’t care if the action is intentional or is the cybersecurity equivalent of a butt dial. It doesn’t care if you’ve been hacked or simply went off course. It doesn’t care that you were who you said you were when you initially logged in. It asks, Can you do what you’re trying to do right now?
Every business, in every industry, can benefit from authorization standards if it has any cloud or digital presence or functionality.
How Can We Solve for Authorization?
The authentication challenge is largely solved. The next great challenge is providing a standardized mechanism to define authorization, so that it can enjoy some of the same benefits authentication received from SAML, OpenID, OpenID Connect, etc.
We already have a solution to the need for a common policy language that works across cloud native and self-hosted environments, for AuthZ decisions in applications, in microservices (via API gateways or service meshes) and in infrastructure controls such as Kubernetes admission control, Terraform plans and CI/CD pipelines.
That solution: Open Policy Agent (OPA), a Cloud Native Computing Foundation-graduated project originally created by Styra. The wave is coming as more organizations recognize the need to provide protection beyond initial allow/deny access.
What Should Have Been Covered in This Year’s Cybersecurity Awareness Month?
Here’s hoping that next year’s Cybersecurity Awareness Month is focused on authorization. And yet, even if it is, that’s a whole year away. The world can’t afford to punt on authorization until then. Here’s what we wish had been covered this year:
- How to define policy that is understandable, testable and deployable.
- The ability to perform decision impact analysis on potential changes to an organization’s policies.
- Enabling non-developers to establish policy for an organization that can be verified and certified by an organization’s compliance or auditing teams.
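To make the three wishes above concrete, and to show the question from earlier (“Can User X perform Operation Y on Resource R, given the current context?”) as a policy rather than a sentence, here is an added example written for this post in OPA’s Rego language. It is not code from the page or from the OPA project. The shape of `input` (user, action, resource, context), the field names, the role names and the test data are all assumptions made for the example. The same authenticated identity is allowed or denied depending only on context, and the tests at the bottom are what “testable” means in practice: run `opa test .` and the policy verifies itself before it is deployed.

```rego
package authz

import rego.v1

# Added example, not code from the page or from the OPA project. The
# shape of `input` (user, action, resource, context) is an assumption;
# a real deployment maps it from whatever enforcement point calls OPA.

default allow := false

# Allowed only when the user holds the permission AND no context rule
# vetoes the request. Both halves are evaluated on every call.
allow if {
	permitted
	count(deny) == 0
}

# Coarse-grained permissions: who may do what to which kind of resource.
permitted if {
	input.action == "read"
	input.resource.classification in {"public", "internal"}
	"employee" in input.user.roles
}

permitted if {
	input.action in {"read", "write"}
	input.resource.owner == input.user.name
}

permitted if "admin" in input.user.roles

trusted_networks := {"corp", "vpn"}

# Context checks. The identity may be exactly as authenticated; these
# rules ask whether the situation is still acceptable right now.
deny contains "device reported compromised" if {
	input.context.device.compromised == true
}

# `not` also fires when the field is missing, so unknown posture fails closed.
deny contains "unmanaged device may only read public data" if {
	not input.context.device.managed
	input.resource.classification != "public"
}

deny contains "writes require a trusted network" if {
	input.action == "write"
	not trusted_networks[input.context.network]
}

deny contains "writes require MFA within the last hour" if {
	input.action == "write"
	input.context.mfa_age_seconds > 3600
}

# ---- Tests (run with `opa test .`) ------------------------------------
# Constructed inputs. The authenticated identity is identical in all of
# them; only the action or the context changes.

alice_writes_own_doc := {
	"user": {"name": "alice", "roles": ["employee"]},
	"action": "write",
	"resource": {"type": "document", "owner": "alice", "classification": "internal"},
	"context": {
		"device": {"managed": true, "compromised": false},
		"network": "corp",
		"mfa_age_seconds": 600,
	},
}

test_write_in_good_context_allowed if {
	allow with input as alice_writes_own_doc
}

test_compromised_device_denied if {
	# object.union merges recursively, so `managed: true` is kept.
	bad := object.union(alice_writes_own_doc, {"context": {"device": {"compromised": true}}})
	not allow with input as bad
	reasons := deny with input as bad
	"device reported compromised" in reasons
}

test_write_off_network_denied if {
	bad := object.union(alice_writes_own_doc, {"context": {"network": "coffee-shop-wifi"}})
	not allow with input as bad
}

test_read_off_network_still_allowed if {
	ok := object.union(alice_writes_own_doc, {"action": "read", "context": {"network": "coffee-shop-wifi"}})
	allow with input as ok
}

test_stranger_denied if {
	stranger := object.union(alice_writes_own_doc, {"user": {"name": "mallory", "roles": []}})
	not allow with input as stranger
}
```

Save the file as `authz.rego` and evaluate a single decision with `opa eval -d authz.rego -i input.json 'data.authz.allow'`; querying `data.authz.deny` instead returns the reasons, which is what an auditor or a decision-impact review wants to see. Because `allow` defaults to `false` and every `deny` rule also fires when its context field is absent, a caller that forgets to send device posture or network information is denied rather than silently trusted.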
How Can Organizations Start Moving the Needle on Authorization Now?
There are three main ways organizations can implement or enhance authorization right now:
- Implement coarse-grained management at the authentication level (let the right people in the door).
- Delegate authorization decisions within an application to that application, so the application itself has the authority to decide what a user can and cannot do.
- Implement fine-grained management at the microservices or API/mesh layer, so that common policies are applied to all of an organization’s north/south (ingress) and east/west (service-to-service) traffic.
Cybersecurity Awareness Month may be over, but the push to ramp up authorization is gaining steam. And with the current global cybersecurity landscape, it’s not a moment too soon.