I have been working on security-related topics for over 20 years and one of my biggest concerns is that any company that has the goal of raising their security bar as high as possible needs to build a bespoke security solution that is specifically tailor-made for their business. While this approach works, it requires treating security as an engineering problem and requires a company with a strong software engineering talent pool. Unfortunately, this approach does not scale to all companies.
There is a set of problems that lend themselves to abstractions and common solutions. Duo Security demonstrated that in the authentication space by creating easy to deploy and secure authentication solutions. Veza has the opportunity to become the common platform for solving the data authorization problem. Another core security area that would benefit from a common and scalable solution.
Cloud platforms have enabled more entrepreneurs to start businesses solving solutions in the technology space. They have become incredibly powerful and have significantly lowered the barrier to entry. One consequence of the rise of digital businesses is that more and more sensitive data is being stored in the cloud and each of these businesses has a strong obligation to their respective customers to protect that data as a careful custodian of their customers’ trust.
What is authorization, why does it matter?
Ultimately, the trust that customers have in your company is all based on whether you can keep their data safe and consequently deserve their trust in you. Who is allowed to access specific data and under what circumstances is at the heart of this. The process of determining when access to data is allowed is called authorization. This is unlike authentication which only establishes a clear identity that can be used as part of an authorization decision.
Let’s put that into perspective with a real world example - let's say you’re a healthcare institution that maintains the health information of tens of thousands of people. You need to make sure that information doesn’t get into the wrong hands and for any given access attempt you need to validate whether the access is legitimate or not. Authorization is the process in which your system determines who can view, delete, and create new health records, and based on what policies your employees have permissions to do so. Authentication establishes the identity of the person attempting to access data. It is incredibly important to get right but is ultimately only one input that needs to be considered as a part of a larger authorization decision which ultimately aims to establish whether there is a valid business justification for granting access..
Authorization is complicated
When you think about all the enterprise systems that an organization manages - identity providers, apps, cloud permissions systems (aka cloud IAM), infrastructure, and data systems, it becomes difficult and quite challenging to understand the complex web of relationships across all of these when you don’t have a single control plane. This becomes even more complicated the larger and more disparate the set of entities that might need access. Beyond managing employees, you may have contractors, temp workers, customers and partners; and, on top of that, you may need to think about service accounts, APIs and external webhooks.
Permission structures across these different systems aren't standardized - for example, the permissions structure in AWS IAM is completely different compared to Snowflake, which is completely different from Sharepoint Online. As a result, your teams are left with manually mapping all these permission structures which can be tedious and time consuming, not to mention error prone.
How does Veza solve the challenge of authorization?
Veza gives you a comprehensive solution that integrates with your identity systems, cloud permission systems, data systems and apps and more significantly presents to you all identity-to-data relationships in a single control surface. Veza has figured out how to normalize the complexity of authorization structures across all these resources, so that you don’t have to do the work.This goes beyond just visualization and comprehension, Veza provides you with tools that enable you to identify and remediate inconsistencies in your authorization policies by solving challenges across least privilege access, entitlement reviews, access certifications, compliance/audit needs, and more.
Personally, I am very excited to see what is ahead for Veza as they already have solid uptake across global organizations. If data security is an important consideration for your security stance, be sure to check out Veza.
5 Actionable Strategies to Improve Security Posture
We did a deep dive into cyber security, identity security, and evolving digital threats. Implement…
A field guide to bad permissions part 2: expired permissions
Why expired permissions go unnoticed The main reason expired permissions go unnoticed is that it’s…