Managing privilege can be difficult. 

While there have been many recent innovations in this area — cloud-native based authentication techniques, secure web proxy architectures, network segmentation techniques, multifactor authentication (MFA) — these methods have typically sought to secure the perimeter. 

“Increasingly, CISOs realize that there is no perimeter,” said Tarun Thakur, cofounder and CEO of authorization platform Veza. “With the cloud, data can live anywhere.”

Thus, the focus should be on securing data wherever it lives. And, securing data at its fundamental level means having the ability to visualize, manage and control authorization metadata, such as roles, groups, policies and permissions, said Thakur. 

“Until this path is guarded and secured, organizations will always be exposed to risk from ransomware, data breaches and more, jeopardizing customer trust and brand,” he said. “Authorization is the key to a zero-trust strategy.”

To help drive this concept as a unified front, Veza today announced that its Open Authorization API is now public on GitHub. 

With this, said Thakur, “we’re helping the community band together to improve their collective security against breaches and ransomware.”

Authorization management prevents threats, inside and out

Increasingly, threat actors are using credentials and authorizations — either stolen or improperly granted to malicious insiders within an organization — to access and steal sensitive data. Also, employees unintentionally leak or misuse their authorizations. 

In 2022, 82% of breaches involved the human element, including errors and misuse. Recent attacks on Okta and Twilio indicate that organizations are allowing overly-broad access to data through constructs of groups, roles, policies and system-specific permissions. 

In the face of such highly-publicized breaches — and the consideration that the average cost of a data breach now stands at $4.35 million — organizations are increasingly implementing zero trust (or the less ominous “least privilege”) principle. As evidence of this, the identity and access management (IAM) market is projected to grow from roughly $13.5 billion in 2021 to nearly $35 billion in 2028. 

“Over time, companies struggle with the cumulative nature of authorization,” said Thakur. “Once employees get access to sensitive data, that access is typically never completely rescinded and becomes dormant.”

The zero trust/least privilege security structure and framework grants the least possible access required for employees to do their jobs. Through authorization protocols, organizations can quickly determine who can see what data (and just how they can access it), and who can change or delete that data. They can then adjust access to only grant what is most necessary. 

“The rush to a multicloud, multi-app environment has exploded the complexity and layers of interconnection for which access must be understood, monitored and constantly remediated to achieve and maintain least privilege,” said Thakur. 

Leveraging open-source as a security tool

Veza provides security teams with a single control plane over all organizational data, Thakur explained. 

“Increasingly, that data lives in hundreds of disparate systems: cloud providers, SaaS apps, data lakes, custom apps and others,” he said. 

By determining who can see what, organizations can then grant and adjust only the most appropriate permissions, then use automated remediation to detect and prevent future unauthorized use. 

As Thakur explained, Veza customers want to connect the platform to as many systems as possible to ensure maximum coverage. And, while Veza has many native connectors to popular systems, it created its Open Authorization API to allow customers to create their own. 

As an open-source project on GitHub, customers and partners can learn from, and build upon, each other’s work, said Thakur. 

With connectors available to the GitHub community, users can ingest authorization metadata previously isolated in internal systems and applications. Users can explore identity-to-data relationships through an authorization graph, monitor for least privilege misconfigurations and violations, and conduct comprehensive entitlement reviews for all of their sensitive data, said Thakur. 

He pointed out that the platform’s community has already created integrations for critical SaaS apps including GitLab, Bitbucket, Jira, Zendesk, Slack, Coupa, PagerDuty and Looker. 

A holistic approach to authorization management

Ultimately, organizations must take a comprehensive approach to authorization to protect themselves, said Thakur. 

Beyond implementing platforms, they should empower security teams to consider context when granting new permissions. 

For example: Do other users with a similar role already have access? And if so, how often do they use it? 

More often than not, users ask for broader permission than needed, he said, and “there is always pressure on IT folks to ‘just approve it.'”

Also, when employees change jobs or leave the company, organizations should pay special attention to the full chain of authorization. It is not enough to simply deactivate a user in an identity system, said Thakur. 

Similarly, organizations should pay careful attention to service accounts (that is, non-human identities) and the access these are granted to critical and sensitive datasets. As Thakur explained, service accounts are not managed via classical Active Directory user or group methods, making them even more vulnerable to abuse.

Just as importantly, organizations can increase the frequency of audit reviews, especially for sensitive data such as personally identifiable information (PII), financials and IP. 

“Prescribed frequencies, like quarterly ones, seem quaint in the face of daily cyberthreats,” said Thakur. “So, companies should aim to achieve continuous compliance.”