Title: Authorization is the new Authentication
The days are past when a single authorization point was sufficient for serious website security. Modern man-in-the-middle attacks target the browser. Once in the browser, hackers can use the cookies present to start a new browser instance in the background, already logged into whatever sites the person is using. A SAML identity provider is like the castle portcullis: you want a strong gate, but it's hard to prevent spies from slipping through.
To limit the damage done by hackers, domains need to use a multi-layered security approach. So we lock the castle gates at night, but we still lock the armory. Post-authentication authorization policies can be handy when a person performs a high-value transaction, like transferring money or changing a password. In these situations, some websites today ensure that a man-in-the-middle is not underway by sending an out-of-band verification, for example an SMS message to the person's phone. But it's not a great user experience. Maybe the answer is big data? Companies like Prelert and Guardian Analytics can put big data techniques to work to detect anomalies behind the scenes, and perhaps trigger an out-of-band authentication or automatic account locking. It's easier said than done; sometimes hackers look like real people. However fancy the solution to detect the intruder, one thing is clear: more locks are needed, not just outside the castle, but inside. Web Access Management and policy management are all well and good if you're a big company with lots of money to secure your important applications. But what we're seeing now is the consumerization of access management. If my home is a beehive of smart devices, each with its own API, each device made by a different vendor, some of the devices even hacked together from standard parts, how am I going to control all that? What about my cloud resources like Twitter or Netflix? So there's a lot of work in front of us to secure both cloud and home resources. We need to start putting more locks on things, and paying more attention to who has the keys.
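The post-authentication policy described above, as an added example that is not from the article: a small policy decision function that permits routine actions on an already-authenticated session, demands a fresh out-of-band verification for high-value actions or for requests whose client fingerprint no longer matches the client that logged in (the replayed-cookie scenario), and locks the account after repeated anomalies. The action names, thresholds and session fields are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"
    STEP_UP = "step_up"   # require out-of-band verification (e.g. SMS) first
    LOCK = "lock"         # repeated anomalies: lock the account automatically


# Assumed policy constants, not taken from the article
HIGH_VALUE_ACTIONS = {"transfer_funds", "change_password"}
STEP_UP_TTL_SECONDS = 300      # how long a completed out-of-band check stays valid
ANOMALY_LOCK_THRESHOLD = 3     # anomalies tolerated before automatic locking


@dataclass
class Session:
    user: str
    ip: str                     # client address observed at login
    user_agent: str             # client User-Agent observed at login
    last_step_up: float = 0.0   # time of the last successful out-of-band check
    anomaly_count: int = 0


@dataclass
class Request:
    action: str
    ip: str
    user_agent: str
    now: float                  # request time in seconds


def decide(session: Session, req: Request) -> Decision:
    """Policy decision for one request on an already-authenticated session."""
    # Lock 1: bind the session to the client that authenticated. A stolen cookie
    # replayed from another browser instance shows up as a fingerprint mismatch.
    anomalous = req.ip != session.ip or req.user_agent != session.user_agent
    if anomalous:
        session.anomaly_count += 1
        if session.anomaly_count >= ANOMALY_LOCK_THRESHOLD:
            return Decision.LOCK
        return Decision.STEP_UP
    # Lock 2: high-value actions need a recent out-of-band verification,
    # even when the login itself looked perfectly normal.
    if req.action in HIGH_VALUE_ACTIONS:
        if req.now - session.last_step_up > STEP_UP_TTL_SECONDS:
            return Decision.STEP_UP
    return Decision.PERMIT


def record_step_up(session: Session, now: float) -> None:
    """Called by the enforcement point once the out-of-band check succeeds."""
    session.last_step_up = now
```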
Today, Internet security is a patchwork of solutions, where each Internet domain or host has a different convention for authentication and authorization. Internet security is an infrastructure challenge that can't be solved by any one vendor or network provider. Gluu has recently joined the Open Interconnect Consortium, an industry group that is trying to pool its resources to solve a common challenge with open standards and free open source software. There is a lot to be learned from Web standardization efforts for authentication. To continue with the castle analogy, the development of open Web standards such as Shibboleth IdP and OpenID Connect provided important developer feedback about what kind of doors are preferred. It may be a strange way to phrase it, but it's now clear that the doors should be JSON-REST! The only JSON-REST doors for authorization are made out of UMA, the User Managed Access protocol. UMA is a profile of OAuth2 that defines a policy enforcement point and policy decision point architecture that enables a person or organization to centrally control access to their stuff.

Article resource: https://www.smore.com/j2cq8-authorization-is-the-new