Authorization as a Service (AzaaS)

The other day, I stumbled upon a ZDNet blog post from 2006 - called "Identity Management as a Service".  Back then, and even now, we all had the "as a Service" bug - turning everything we can into a web service of some sort and tacking an "aaS" at the end.  The idea of IdMaaS is being thoughfully pursued, with folks such as our own Kim Cameron getting involved in the discussion.

The author of the aforementioned blog, Eric Norin, asserts that may be a potential IdMaaS provider. Back in 2006, this would have made sense - identity was very much trust-driven model and organizations only wanted to deal with trusted entities.  While there is a great need for trusted identities, I think a lot of folks have realized that untrusted identities are still valuable, up to a certain extent. Rather than seeing come to the table as a trusted identity provider, we've seen providers like Facebook and Twitter crop up and offer "less trusted" identities. "Social Identity Providers" have become the norm, and people just inherently understand and accept the fact that there's a chance the person sitting behind the keyboard is not who they claim to be.

To overcome this, the consumers of these identities (the Service Providers) have to put their own identity proofing mechanisms in place.  You can log into a web site with your Facebook account and the Service Provider doesn't really care if your identity has been proofed. However, when it comes time to pay for something, then the SP cares a lot because their business model is dependent on valid, legal transactions. The higher value the transaction, the more important the proofing. With initiatives like NSTIC calling for safe and private identity usage online, it's vitally important that we solve this high assurance identity problem. By the way, did you notice that Microsoft is involved in one of the NSTIC pilots? :)

So while social identity providers are great for providing identities with a low level of assurance, I don't think we'll see truly effective IdMaaS until providers adopt strong proofing mechanisms and we have a well-adopted, trusted exchange for "high assurance" identities.

However, hidden among all of this is an even greater need.  I've felt for quite some time that we all spend too much time talking about "Identity" Management and not enough time talking about "Access" Management.  After all, identity is a 4-legged stool (Administration, Authentication, Authorization, and Auditing), and we focus a lot on the first two legs (Administration and Authentication). We can have the most thoughtful and well-adopted IdMaaS service in place, but unless we get to a universally accepted authorization model, we're missing a large part of the identity puzzle. So I'm going to join in on the "aaS" fad and suggest that we start thinking about "Authorization as a Service" now before we get to the point where we wish we had thought about it sooner.