
I have been noodling a few things in my head, trying to work out what my next projects will be.

I think Authentication is going to have to move over to FIDO-like solutions only. That's an effort but all the pieces are in place.

But Authorisation strikes me as needing a rethink on how everyone everywhere handles data. I cannot work out how to handle "can this person see this data" unless all data is, well, labelled.

Having little pieces of custom code written in each app to do custom checking just seems like it's the wrong way round.

I like the idea of Twitter's Strato (mentioned here I think) - which roughly seems to be "we labelled every field in every database" and then we have a data access layer that handles accessing those fields and validating the permissions.

I get that enforcement still needs other things - but without that data access layer I think complexity will kill you.
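A minimal sketch of the pattern the comment describes, added here as an illustration (it is not code from the comment author or from Strato): every column carries a label, and a single data access layer is the only read path, checking each requested field against the caller's entitlements. Table names, labels, roles and rows are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed example data. The point is that labels live with the schema,
# not in per-app checks, and a column with no label is never returned.
FIELD_LABELS = {
    "users":  {"id": "public", "email": "pii", "phone": "pii", "ssn": "restricted"},
    "orders": {"id": "public", "user_id": "public", "total": "internal"},
}
ROLE_ENTITLEMENTS = {
    "support":    {"public", "pii"},
    "analytics":  {"public", "internal"},
    "compliance": {"public", "pii", "internal", "restricted"},
}
STORE = {  # "notes" is deliberately unlabelled to show deny-by-default
    "users":  {1: {"id": 1, "email": "a@example.com", "phone": "555-0100",
                   "ssn": "000-00-0000", "notes": "unlabelled column"}},
    "orders": {7: {"id": 7, "user_id": 1, "total": 42.0}},
}

class Denied(PermissionError):
    pass

@dataclass(frozen=True)
class Principal:
    name: str
    role: str

class DataAccessLayer:
    """Central check: a field is returned only if its label is in the caller's entitlements."""

    def __init__(self, store=STORE, labels=FIELD_LABELS, entitlements=ROLE_ENTITLEMENTS):
        self._store, self._labels, self._entitlements = store, labels, entitlements
        self.audit = []  # (principal, table, field, decision) for every decision

    def read(self, principal: Principal, table: str, row_id, fields):
        allowed = self._entitlements.get(principal.role, set())  # unknown role => nothing
        labels = self._labels.get(table, {})                       # unknown table => nothing
        for f in fields:
            label = labels.get(f)  # None means the column was never labelled
            if label is None or label not in allowed:
                self.audit.append((principal.name, table, f, "deny"))
                raise Denied(f"{principal.role} may not read {table}.{f} (label={label})")
        row = self._store[table][row_id]
        for f in fields:
            self.audit.append((principal.name, table, f, "allow"))
        return {f: row[f] for f in fields}  # only the requested, permitted fields
```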
