Many of today’s security models spend a lot of time focusing on network segmentation and authentication. Both of these concepts are critical in building out a baseline defensive security posture. However, there is a major area that is often overlooked, or at least simplified to a level of limited use: authorization. Working out what a user, service, or thing should be able to do within another service. The permissions. Entitlements. The access control entries. I don’t want to give an introduction to the many, sometimes academic, acronyms and ideas around authorization (see RBAC, MAC, DAC, ABAC, PDP/PEP amongst others). I want to spend a page delving into some of the current and future requirements surrounding distributed authorization.
New Authorization Requirements
ML – Defining Normal