Need to evolve your authorization strategy? Five questions to ask

Today, every company is a software company, and innovation is a top priority for everyone. In addition to their core business functionality, modern software applications must include features that everyone has come to expect as table stakes — like collaboration, sharing, and teams.

However, when development resources are tight, the last thing you want is to inundate your team with new authorization requirements to support the exploding needs of everything standard your application must provide, including security, governance, and compliance. As SaaS applications get increasingly sophisticated, collaborative, and feature-rich, authorization can become a real headache, tying up developer time to repeatedly build multiple layers of permissions into application code.

What’s the issue?

Often, authorization approaches can’t meet the complex requirements of today’s highly collaborative SaaS solutions. Giving your users access to application assets used to be fairly straightforward.

Permissions were often granted based on predefined roles — if an employee is on the human resources team, they gain access to onboarding capabilities. However, as SaaS solutions add more collaborative features and include a wider range of users — from employees and partners to customers and contractors — role-based access control (RBAC) is no longer enough.

Decentralized authorization = Compliance, auditing, and security gaps

RBAC and other traditional methods of securing and managing access to documents, files, and other types of assets typically rely on in-application coding or legacy point solutions. However, spreading authorization logic across multiple applications can quickly increase compliance, audit, and security vulnerabilities.

More points of access result in more risk, from a security, auditing, and compliance standpoint. But the risks increase in heavily regulated industries like financial services and healthcare.

Fine-grained authorization is more secure, precise, and scalable 

In a modern SaaS environment, organizations might need to grant access to projects, assets, and capabilities according to a more granular range of parameters,  and to internal and external users of an organization. Think, for example, of a medical chart app that needs to be accessed by both healthcare workers and patients, with varying levels of information visibility permitted.

Fine-grained authorization (FGA) offers more options for granting precisely defined permissions to projects, records, files, and more. When you centralize this approach (rather than embedding it in the application code), it can make life a lot easier for your developers. They can more easily scale up to meet new and changing authorization requests while maintaining stronger levels of security and compliance.

Five questions to ask yourself about FGA    

Still not sure if your organization needs a solution for FGA? Here are five key questions to ask:  

1. Are you adding or enhancing collaboration features within your solution? Whether your solution helps people work together on a project more efficiently, access resources like mobile banking or medical records, or interact in real-time, more capabilities for collaboration and sharing lead to more complex authorization requirements.   
2. Do you have heavy auditing and compliance requirements and/or sell to businesses with heavy auditing/compliance requirements?
   Many of today’s SaaS apps must also support compliance and auditing rules, especially in finance, healthcare, and legal services. Decentralized authorization logic is difficult to audit and can lead to security and compliance risks. 
3. Do you need more granular and flexible authorization control than RBAC provides?
   When you need to grant access to applications based on a combination of parameters rather than one, RBAC can be limiting. Perhaps your app is used by internal and external collaborators who need different levels of access, or you have situations where a user may need to get into an application for a limited time (to troubleshoot a support ticket, for example).   
4. Is it difficult to get visibility into who can access what?
   Ideally, you want to centrally manage and implement access control and permissions across the SaaS landscape.  
5. Are your developers spending too much time overall on authorization? Building authorization capabilities and turning permissions on and off at the code level is time-consuming and can increase security risks. That’s time that could instead be spent on product innovation.

If you answered “yes” to any of the above questions, it’s time to evolve your access control strategy. Okta has a primer that can help put you on the road to more scalable, flexible, compliant, and secure authorization. Read our whitepaper on Okta Fine Grained Authorization to find out more.