Authorization is the new Authentication

1. Authorization is the new Authentication The days are past when a single authorization point was sufficient for serious website security. Modern man-in-the-middle attacks target the browser. Once in the browser, hackers can use the cookies present to start a new browser instance in the background, already logged into whatever sites the person is using. Identity provider saml is like the castle portcullis. You want a strong gate, but it’s hard to prevent spies from slipping through.

2. To limit the damage done by hackers, domains need to use a mulit-layered security approach. So we lock the castle gates at night, but we still lock the armory. Post-authentication authorization policies can be handy when a person transacts a high value transaction, like transferring money, or changing a password. In these situations, some websites today ensure that a man-in-the-middle is not underway by sending an “out-of-band” verification, for example, an SMS message to the person’s phone. But it’s not a great user experience. Maybe the answer is big data? Companies like Prelert and Guardian Analytics can put big data techniques to work to detect anomalies behind the scenes, and perhaps trigger an out-of-band authentication or automatic account locking. It’s easier said than done–sometimes hackers look like real people. However fancy the solution to detect the intruder, one thing is clear: more locks are needed–not just outside the castle, but inside. Web Access Management, and policy management is all “well and good” if you’re a big company. You have lots of money to secure your important applications. But what we’re seeing now is the consumerization of access management. If my home is a bee hive of smart devices, each with their own API’s, each device made by a different vendor, some of the devices even hacked together from standard parts… how am I going to control all that? What about my cloud resources like Twitter or Netflix? So there’s a lot of work in front of us to secure both cloud and home resources. We need to start putting more locks on things, and paying more attention to that has the keys.

3. Today, Internet security is a patchwork of solutions, where each Internet domain or host has a different convention for authentication and authorization. Internet security is an infrastructure challenge that can’t be solved by any one vendor or network provider. Gluu has recently joined the Open Interconnect Consortium, which is an industry group that is trying to pool their resources to solve a common challenge with open standards and free open source software. There is a lot to be learned from Web standardization efforts for authentication. To continue with the castle analogy, the development of open Web standards for Shibboleth idp OpenID Connect, provided important developer feedback about what kind of doors are preferred. It may be a strange way to phrase it, but it’s now clear that the doors should be JSON-REST! The only JSON-REST doors for authorization are made out of “UMA” the User Managed Access Protocol. UMA is a profile of OAuth2 that defines a policy enforcement point and policy decision point architecture that enables a person or organization to centrally control access to their stuff. Article resource:-https://www.smore.com/j2cq8-authorization-is-the-new