CISOs to developers: Changing the way organizations look at authorization policy

By Torin Sandall
September 23, 2021

In today’s cloud-native, app-first and remote-first world, it has become a considerably more complicated task to verify a user or a service’s identity and determine policies that say what they are and aren’t allowed to do.


The first half of that problem is authentication. For the most part, it has already been solved thanks to standards like Security Assertion Markup Language (SAML), OAuth and Secure Production Identity Framework for Everyone (SPIFFE). These standards help organizations verify that a user or machine is who they say they are. But the second part of the problem, authorization — deciding what users or machines can or can’t do within the system after they’re authenticated — is a different story.


Unlike authentication, authorization hasn’t yet been well standardized. This means that authorization policies, tooling, implementation, and even the programming languages used are still completely unique and custom-designed for each individual organization and application. This puts the burden on developers to create potentially thousands of bespoke authorization policies across multiple applications for protection, leading to development churn and repetitive tasks across applications. Not only is this hard work, but it also requires reinvention and lots of operational overhead. It also introduces risk.


Enterprises have been doing custom authorization for decades now. As such, Dev teams may not realize a better way can be found, leaving CISOs and security teams to try to fill in the gaps with compensating controls in other places, like bolted-on privilege management or overburdened authentication solutions. But these silos of policy add more complexity, not less, and can only do so much to truly govern access.


Wasted time and heightened risks

Imagine if you’re a large financial institution with thousands of applications accessed by tens (or hundreds) of thousands of employees, contractors and other users. The authorization policies that govern access to these applications are varied and complex, and they are mandated by both internal and external regulations.


For decades, these policies have been enforced manually or through hard-coded logic inside application code. The former provides no guarantee that policies are adhered to and requires costly and time-consuming manual audits. The latter results in a tangled mess of code that few can understand or modify. As business requirements evolve, the rollout of necessary changes is slow and error-prone with both approaches, and the firm’s competitive advantage suffers.


At the same time, as every organization slowly becomes a software company, developers have more say in technical decision-making and increasingly opt to use the best language, framework, database or execution environment for their use case. This Cambrian explosion of technological choice is great from the developer’s point of view as they get to use the best tool for the job. At the same time, security practitioners are faced with an increasingly difficult technological landscape that must be secured to meet new stringent requirements.


Combining these factors calls for a new approach to solving policy and authorization at scale in large organizations — the old ways of solving “who can do what” no longer apply.


Empowering developers through open source

Authorization can no longer be maintained through tribal knowledge or custom hard-coded application code. Continuing down this path will only leave developers with more siloed authorization policies to fix and your organization unprotected in the cloud. As happened with authentication, new standards must be set, and the enterprise can set them through open source. CISOs are helping lead that change by adopting and advocating for these standards.


The open-source and developer community has adopted Open Policy Agent (OPA) as the de facto standard for authorization. OPA is an open-source policy engine that provides a toolset and framework to unify policy across your cloud-native tech stack. With OPA, you specify policy as code, which offloads policy decision-making from your applications and removes the need for custom hard-coded authorization logic.


There are three critical ways OPA can help organizations solve authorization:

  1. OPA breaks down policy silos. OPA can act as a decision-making engine for all applications in your tech stack, thereby unifying the authorization policy. OPA uses Rego, a simple declarative language purpose-built for expressing the logic that decides “who can do what” in modern systems.
  2. OPA ensures compliance. It is easier for your developers to modify authorization policies when compliance regulations change. By leveraging policy as code, developers don’t need to make individual policy updates across multiple applications. Instead, they make the compliance-driven changes in their OPA policies, and the applications that rely on those policies pick them up while your environment stays secure.
  3. OPA saves time for developers. OPA acts as a building block that developers can plug into any part of your cloud-native system to enforce authorization policies, making it easy to use. This ability to apply sweeping authorization policy changes across the tech stack ultimately frees up time for developers and, as a result, lowers costs.
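
What a policy-as-code decision looks like in practice: the Rego policy below is an added example, not code from the article or from the OPA project. The package name, role names, request fields and role data are constructed, and it assumes OPA v0.59 or later for `import rego.v1`.

```rego
package app.authz

import rego.v1

# Deny by default: a request is refused unless a rule below allows it.
default allow := false

# Constructed sample data for this example. In a real deployment these
# mappings live in OPA's data documents (a bundle or data.json), so the
# policy logic stays fixed while role assignments change independently.
role_bindings := {
    "alice": {"accounts-admin"},
    "bob": {"accounts-viewer"},
}

role_permissions := {
    "accounts-admin": {
        {"method": "GET", "prefix": "/accounts/"},
        {"method": "POST", "prefix": "/accounts/"},
    },
    "accounts-viewer": {
        {"method": "GET", "prefix": "/accounts/"},
    },
}

# Role-based rule: the authenticated subject holds a role that grants the
# requested HTTP method on a matching path prefix. If input.subject is
# absent or unknown, role_bindings[input.subject] is undefined, the rule
# does not fire, and the default deny stands.
allow if {
    some role in role_bindings[input.subject]
    some perm in role_permissions[role]
    perm.method == input.method
    startswith(input.path, perm.prefix)
}

# Self-service rule: any authenticated user may read their own record,
# even without an explicit role binding.
allow if {
    input.subject != ""
    input.method == "GET"
    input.path == sprintf("/accounts/%s", [input.subject])
}

# Constructed request document an application would send to OPA:
#   {"subject": "bob", "method": "POST", "path": "/accounts/42"}
# Evaluate it from the command line with:
#   opa eval -i input.json -d authz.rego "data.app.authz.allow"
```

The application only asks OPA for `allow` and enforces the boolean it gets back; the roles and rules can be changed centrally without touching application code.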


Set the standard for authorization

The current process for authorization will only create unnecessary work for developers to complete.

By setting the authorization standard with OPA, organizations can unify policy, better meet compliance requirements and give time back to developers. With these authorization advantages, developers can focus on what matters most: building innovative applications and driving growth in the cloud.

Torin Sandall is VP of Open Source at Styra.
