An Interview With Omri Gazitt
Hiya,
This is another in my series of interviews about the future of CIAM with experts in the space. CIAM isn’t just authentication; it’s also authorization, and I’m glad to have an interview with an expert in that area.
Omri is the co-founder/CEO of Aserto, a modern authorization company. He is regarded as an identity pioneer, contributing to the SOAP stack and WS-Federation in the early 2000s, which eventually gave rise to OAuth2 and OpenID Connect. In 2023, Omri co-founded OpenID AuthZEN, which is standardizing the authorization space. Omri is a co-chair and co-editor of the AuthZEN Authorization API.
During his 13 years at Microsoft, he was co-founder/GM of Azure AppFabric, Azure Access Control Service, and Azure Active Directory. He also held GM roles responsible for SQL Server and Application Server, and was one of the co-founders of .NET. A prolific OSS contributor, Omri was heavily involved in OpenStack and Cloud Foundry, where he served as a board member, and has contributed to a few CNCF projects. Aserto is an open core company and maintains the Topaz and CNCF Open Policy Containers open source projects.
I’m excited to hear Omri’s views on CIAM, identity, authorization and more.
Dan: What problems do you see customer identity and access management (CIAM) solving for your customers?
Omri: CIAM has long focused on the identity ("I") aspects and not so much the access management ("AM") problems that customers face.
When I was at Microsoft right when we were starting up Azure and Azure AD in 2008, we had to "solve" identity first. And today, identity is mostly a solved problem: engineers that need a modern login system can pick from a set of mature solutions from Okta/Auth0, Microsoft (Entra B2C), AWS (Cognito), Google, FusionAuth, and many others for implementing standards-based authentication in their applications.
The "standards-based" is important here because their customers need every one of the apps they build or buy to plug into their organizational SSO system. By adopting an off-the-shelf CIAM platform, you're not only saving yourself the trouble of building and maintaining "undifferentiated heavy lifting", you're also making it easy to plug into your customer's workforce identity infrastructure.
By contrast, access control is far from a solved problem. Every B2B SaaS app needs to enforce permissions in some way. I'll use the term "authorization" to describe this capability. Whether your authorization model is RBAC (meaning, assigning monolithic roles to users), ABAC (determining access based on attributes or policies), or ReBAC (determining access based on relationships between subjects and resources), you've had to build this yourself.
This is about to change. We now have about a dozen vendors and at least six open source implementations of authorization engines, which all help you answer the question "does user U have permission P on resource R". So engineers don't have to reinvent this wheel anymore.
My company, Aserto, is one of these vendors. Our open source project, Topaz, brings together two really important ideas in modern authorization: policy as code (using the popular Open Policy Agent CNCF project), and a stateful directory based on Google's Zanzibar paper (in which Google describes how they built authorization for all their services).
Topaz is fast (1ms evaluation times); flexible (supporting RBAC, ABAC, ReBAC, or any combination, and running on any cloud); and easy to integrate (SDKs for every language, as well as REST/gRPC/GraphQL APIs).
We built Topaz to make it trivial for engineers to build a robust authorization system for their SaaS apps without having to build and maintain a whole bunch of code.
In the future, a CIAM platform won't be complete without offering fine-grained access control as a core value proposition.
Dan: What are major challenges you see with CIAM (in the industry, in implementation, etc)?
Omri: The modern authorization offerings that I mentioned above solve one half of the problem - giving engineers an "easy button" for building a robust AuthZ system.
But going back to the analogy I made to authentication, there was also a huge value for engineers to use a standards-based approach to login. When engineers adopt OpenID Connect or SAML-based frameworks, they make it easy for their customers to integrate that application with their workforce SSO system.
For authorization, this is still in the embryonic stage. Organizations want to build an "authorization control plane", where each of the apps they build or buy can enforce a standard set of authorization policies. But until there's a standard for how an application can call an externalized authorization system, this is really hard to achieve.
The OpenID Foundation was very successful in solving "standards-based authentication" through OpenID Connect. Last year, a few of us decided to charter the OpenID AuthZEN working group to try to do for authorization what OIDC did for authentication.
We're still in the early innings of this effort, but we already have an Implementer's Draft and about 15 interoperable implementations. The "heavy lift" here is to make the "externalized authorization" pattern emerge as the dominant way for engineers to build authorization into their applications. Once this happens, we can finally make it possible for organizations to have a "single pane of glass" for understanding what permissions their users have across their various applications.
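To make the "externalized authorization" pattern above concrete, here is a small added example (not Aserto's, Topaz's or the AuthZEN working group's code): an application asks a separate decision point "does user U have permission P on resource R", and the decision point answers from Zanzibar-style relationship tuples, with a parent folder's relations flowing down to the documents in it. The request/response field names mirror the AuthZEN evaluation shape as I understand the draft; treat them, the tuples and the permission-to-relation mapping as constructed assumptions.

```python
# Constructed relationship tuples in the Zanzibar spirit: (resource, relation, subject).
TUPLES = {
    ("folder:finance", "owner", "user:alice"),
    ("folder:finance", "viewer", "user:bob"),
    ("doc:q3-report", "parent", "folder:finance"),  # doc lives inside the folder
    ("doc:q3-report", "editor", "user:carol"),
}

# Relation rewrite: an owner is also an editor, an editor is also a viewer.
IMPLIES = {
    "viewer": ("viewer", "editor", "owner"),
    "editor": ("editor", "owner"),
    "owner": ("owner",),
}

# Which relation a named action requires (assumed mapping for this example).
PERMISSIONS = {"can_read": "viewer", "can_write": "editor", "can_delete": "owner"}


def has_relation(resource: str, relation: str, subject: str, depth: int = 0) -> bool:
    """ReBAC check: direct tuple, implied relation, or inherited via a parent."""
    if depth > 10:  # guard against cyclic or runaway parent chains
        return False
    if any((resource, rel, subject) in TUPLES for rel in IMPLIES[relation]):
        return True
    # Walk up to each parent resource and re-check there.
    for res, rel, parent in TUPLES:
        if res == resource and rel == "parent":
            if has_relation(parent, relation, subject, depth + 1):
                return True
    return False


def evaluate(request: dict) -> dict:
    """Decision point entry: AuthZEN-style request in, {"decision": bool} out."""
    subject = f"{request['subject']['type']}:{request['subject']['id']}"
    resource = f"{request['resource']['type']}:{request['resource']['id']}"
    relation = PERMISSIONS.get(request["action"]["name"])
    if relation is None:  # unknown action: fail closed
        return {"decision": False, "context": {"reason": "unknown action"}}
    return {"decision": has_relation(resource, relation, subject)}


if __name__ == "__main__":
    # The application side: build the request, never compute the answer itself.
    req = {"subject": {"type": "user", "id": "alice"},
           "resource": {"type": "doc", "id": "q3-report"},
           "action": {"name": "can_delete"}}
    print(evaluate(req))  # alice owns the parent folder, so the decision is True
```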
Dan: What excites you about the future of CIAM? Any predictions?
Omri: Standardizing and democratizing identity and authentication was a 10 year journey (if you count from when OIDC became a standard).
I believe we're on a similar journey to standardize and democratize the "AM" part of CIAM.
We have a ton of innovation going into this space, and I believe that by 2030, engineers won't be rolling their own authorization - instead they'll be using standards-based externalized AuthZ systems. And those apps will plug into their customers' "authorization control plane", which will help enforce organizational policy across all of their applications.
Thanks again to Omri for sharing his perspective, and thanks to you for reading!
Dan