Authorization is Broken

Jan 28, 2021

[Image: broken lock] Photo by iMattSmart on Unsplash

With last year’s widespread shift to remote work, IT and security teams saw their challenges with identity and access control magnified many times over, making it clear that existing perimeter-based access control strategies are entirely insufficient for the modern world.

According to IDG and CISO’s Security Priorities Report, 32% of the organizations they talk to have earmarked new investments into modern authentication, authorization policies, and role-based access control, and nearly 70% are currently piloting Zero Trust programs in production or evaluating them. Whether or not we return to work soon, it’s clear that perimeter-based access control strategies are dead.

Zero Trust initiatives address coarse-grained access control at the edge, but fine-grained authorization is a core part of the application, and therefore has to be modernized by each and every SaaS application vendor.

This is a massive undertaking: unlike authentication, which has standardized on OAuth 2, SAML, and OpenID Connect, there are no standards for authorization — each application has to invent its own permissions and roles, and implement authorization and access control in a one-off fashion.

And everyone suffers:

“I can’t wait to build RBAC and permissions!” said no SaaS application developer, ever. These features are critical for customer adoption, but they offer no differentiation or perceived value to end-users, and are seen as a chore. SaaS engineering teams burn many sprints reinventing this wheel, because developers don’t have a simple, turnkey solution to rely on. And even when they’re “done”, they continue to worry about how secure their one-off solution really is, and are on a constant treadmill of implementing new requirements, making authorization the “gift that keeps on giving”.

App admins miss the days of LDAP and Active Directory, where they could centrally manage attributes and roles. Instead, they now live in dozens of different admin consoles, each offering its own authorization model, and are left to worry about misconfigured permissions that lead to disasters such as accidental privilege elevation and data leaks. They’d like to have consistent authorization policies that can draw on user attributes stored in their various corporate directories (LDAP, AD, Okta, OneLogin, AWS Cognito, Azure AD, Google Cloud Identity, WorkDay, Auth0, etc).

SecOps is frustrated by every app they license having different authorization models and policies. SecOps wants a Zero Trust architecture applied at every layer of the stack, providing “defense in depth”. They want consistent yet flexible authorization policies across both purchased and internal applications. Instead, their threat model explodes and they grapple with a complex security posture, because every app’s authorization model is different.

Compliance professionals are faced with a manual, error-prone nightmare, trying to reason about the authorization aspects of SOC 2, ISO 27001, and PCI-DSS audits. They face a time-consuming, manual auditing process since each system has its own (often insufficient) audit trails for authorization events.

It’s time to fix this! We founded Aserto to help.

  • If you’re an engineer and are as passionate about this problem as we are, join us in building the future of authorization!
  • If you’re a developer at a SaaS company, reach out to us for a demo!
  • Follow us on Medium, LinkedIn, and Twitter to find out more about how we intend to fix application authorization.