June 8, 2021

Connecting the “Missing Middle” of Authentication and Authorization with PortX’s Identity and Access Management

by Russell Duhon in Cloud , Fintech , IT Management , Open Source 0 comments

Today, developers have access to a vast number of excellent, hypermodern integration platforms that provide excellent tooling options for developers. However, when we designed PortX, our team went beyond simply curating best-in-class open source solutions for technical users to building a platform that also enables non-technical users. With this reimagined design, business users can accomplish technical tasks that would have otherwise required a developer’s time. And one of the biggest challenges facing business users at financial institutions is “auth,” – authentication and authorization. Ok, that’s two problems rolled into one, but here’s how we’re solving it.

What is the missing middle?

Likely, you have at least heard of some of the startups solving Identity and Access Management as a Service (IAMaaS). Some names that may sound familiar are Okta, OneLogin, Auth0, Ping Identity, and many more, including entries from every major cloud provider… plus, Oracle.

It’s important to note here that it is not our goal to be an IAMaaS (say that five times fast). In fact, we designed PortX expecting the majority of our customers to bring their existing IAMaaS subscription to the platform. But there’s a big difference between “I have a powerful IAMaaS” and “my newly developed applications are nicely secured.” We refer to this gap as the “missing middle” in IAM.

Bridging the gap with IAP

Thankfully, for those facing the challenge of authorizing application access for your authenticated users, several “cloud-native” solutions aim to reconnect the two. These are generally labeled as Identity and Access Proxies (IAP). Essentially, an IAP translates authentication between the outside world and your application, which allows you to control access to applications and verify user identity and privileges, including authenticating with your IAM service. For example, Google offers a great IAP… if you’re all-in on Google Cloud.

As part of the design process, we evaluated the IAP options available in the open source community and selected ORY Oathkeeper to perform this important feature in our overall solution. However, no one solution solves the fundamental business problem on its own. Instead, they present a solution to a small subset of the problem in a developer-friendly perspective. This approach shifts more and more of the responsibility for managing “auth” to developers and away from business users. 

If the organization wants to reassign user access to systems beyond simple group or role membership changes, a developer must make changes to the code. Critical security changes can only move as fast as the deployment process and depend on developer time availability. This constrains the organization’s ability to adapt to threats quickly.

What’s next?

We are committed to supporting the Financial-grade API (FAPI) Security Profile 1.0 baseline specification and OpenAPI-driven customizable permissions, roles, and policies. In Kent Brown’s blog, Six Software Design Principles That Make PortX a Financial-Grade Integration Platform, he defined the high-level requirements of financial-grade software. PortX IAM contributes to this designation because it can be easily audited with the proper controls over who can make changes and an accurate record of those changes. Additionally, it is affordable and portable, mainly because PortX IAM is built on open standards and uses all open source components.

On our mid-term product roadmap, we plan to deliver additional features that enable simple but customizable control over application access. We’re excited about this functionality because it will eliminate the dependency on developers to make code changes, transferring more capability into the hands of business stakeholders. This aligns the organization’s auth reality with its auth needs and it means that early, high-productivity time in a new project can be spent rolling out business features instead of fiddling with auth plumbing.

If you would like to learn more about how PortX IAM solves for the missing middle utilizing open source technologies and standards without creating vendor lock-in, start a conversation with our team today. Or, we’d love to hear your thoughts in the comments below.

Leave a comment