Sometimes, I think we’re all trapped in the future.
In a time when we depend so much on technology for our productivity, comfort, and security, we tend to be obsessed with what’s next. We’re surrounded by seers, futurists, and sometimes crooks who make a great living painting their vision of Tomorrow 2.0. Now, there’s nothing wrong with trying to forecast the trends so we can evolve our present toward a better future. We all need to see where the world is moving, so we can make our business align with our customers’ needs—however they might grow and change. But there’s a danger in projecting ourselves too much into the future, that better, smarter, more organized time.
It’s a little like the crowded gyms in January, where everybody’s trying to make their New Year’s resolutions come true. We all have a wish list, along with the best intentions, but wishing doesn’t make a habit. Dreams can only become reality when you can tie what’s coming to where you’re at today and make a map for how to get to where you want to go. Otherwise, we’re all just a bunch of hype-chasers on the lookout for the next shiny object in our path—and hey, I’m as guilty as the next guy.
We must be careful about going too far in search of the perfect world, without taking our current world into account. There’s no clean slate: tomorrow comes with yesterday’s baggage, whether it’s those last ten pounds you want to lose or that directory infrastructure that’s no longer serving your needs. If we don’t start with what’s real right now as we plot our evolution forward, we’ll become victims of a syndrome I would call “Trapped in the Future,” along with its related strains of “Frozen Status Quo” and “Paralysis by Analysis.”
That’s enough philosophy for now—let’s look at a specific case where we’ve all been victims of this illusion: the idea of basing access on attributes.
George Jetson vs. Fred Flintstone: Who Wins?
I think we can all agree that it’s a pretty cool idea—one that could do a lot for authorization and even authentication. It’s also a timely idea, because in a world of sensors and the nascent “Internet of Things,” with its myriad of collected attributes, we should be able to substitute ye olde name and password with something stronger, smarter and a lot more usable. Something like multi-factor authentication but with even more attributes to drive authentication by context, for instance. But as this paragraph progresses, did you notice that my sentences are starting to drift from reality to the world of the Jetsons, with its flying cars and jetpacks?
The truth is every CSO, architect, and security team has been talking about attribute-based access control (ABAC) for years, and yet how many true attribute-based systems have been deployed? We dream about driving the Jetsons’ flying car, imagining it in gleaming detail, then we wake up and jump into our Flintstone cars to get to work on time. ABAC always seems out of reach, in the future, just like our New Year’s resolutions.
Now, of course, there are the happy few who achieve their goals, who drive the future (in their flying cars). After all, we live in a world where the rate of change in technology is staggeringly high, which is why we’re in awe of people like Edison, Tesla, Ford, or Steve Jobs. So what are their secrets? We know they’re visionaries, but vision isn’t the real driver here—there’s plenty of that going around. There are lots of early adopters who live in a perpetual version 0.01. And the rest of us are trapped in the future, without the will (or willpower) to change our lives. But the real geniuses are the ones who can envision a future, then make it real using what exists today. Think of them as the MacGyvers who can make tools out of toothpicks, who can blaze a trail from what is to what will be.
Smarter and More Secure: Making the Dream of ABAC a Reality
So in our case, the story is very concrete: we knew that if people would love ABAC, they’d also love its next evolution, context-based access control (and talk about being trapped in the future—you should read my previous posts on how this is possible today!). But most companies haven’t been able to get ABAC up and running, because it’s really hard to pull all the attributes you need from across a mess of data silos. So the dream of ABAC has remained out of reach for today’s highly diverse, distributed enterprises.
But what if I told you that most enterprises are already using a primitive form of ABAC through the use of static groups? And what if I told you that we can turn those impossible-to-manage static groups into a full-fledged ABAC solution—without having to change any habits? This innovation makes ABAC a reality (without all those hours at the gym). Now, I probably sound like one of those hucksters from the beginning of my blog, peddling a brighter future. But let me explain how this works…
The innovation in our layer is to allow you to have full ABAC without having to change your infrastructure. If we continue our car metaphor, think of this technology as the Tesla or hybrid. It’s not the perfect version of what it will become, but it’s a big leap forward. Now, this doesn’t mean that XACML can’t make lots of things better at the level of the policy server and the portability of your policies, but alas, the truth is that XACML hasn’t been widely deployed yet, so the infrastructure isn’t there. What you need—and what we deliver—is a way to turn your existing infrastructure, your classic web access management deployment, into something that’s like ABAC-lite. So instead of dreaming about it, you can unlock the future today.
Too good to be true? Stay tuned for my next blog, where I’ll break it all down for you…
PS: And if you want the full story today, check out the replay of our recent webinar on delivering ABAC for SiteMinder.