Fine-grained access control has gained popularity over the past few years. Large enterprises, the likes of Google, Netflix, and Airbnb, have written about how they have solved access control for their companies. Commonalities and best practices emerged from their descriptions of how they developed purpose-built, centralized authorization systems. We used these as the basis for the five laws of cloud-native authorization.
Tune in to Aserto CEO Omri Gazitt as he shares these principles and discusses the state of access control in the age of cloud with Alan Shimel on Techstrong TV. Watch the on-demand interview (starting at the 27 min mark) or read the transcription below:
Alan Shimel:
I want you to understand a little bit about who Omri is, what he's done and why I have a ton of respect for him.
Omri Gazitt:
I’ve been building software for developers for about 30 years. I worked at Microsoft where I was a founding member of .NET and Azure. I also worked on the Azure Access Control Service, which became Azure Active Directory. Those are my roots in identity and access. Later I led cloud engineering at HP and, most recently, I was the Chief Product Officer at Puppet.
Alan Shimel:
That's a pretty impressive story. Are we now with Aserto? Why don't you give us a little background?
Omri Gazitt:
The story starts 15 years ago, back when I was at Microsoft and we were thinking about what will happen to identity and access in the age of SaaS and cloud. Fast forward 15 years, identity moves to the cloud. We have OAuth2 and OpenID Connect, and SAML and JWT, and companies like Auth0 and Okta. And today no one has to build authentication if they don't want to. It's all standards-based and cloud-based. But the access part of identity and access hasn’t moved forward at all over the past 15 years.
My co-founder and I worked together on what became Azure Active Directory. We decided to focus on this problem and solve it. This problem is even bigger than that of identity.
Alan Shimel:
Absolutely. You mentioned Active Directory. There was a time when Microsoft used to get banged on for being a monopoly with Windows. But the fact of the matter was the real monopoly was Active Directory. Active Directory became the de-facto standard for directory services like identity and access.
Omri Gazitt:
We had 95% market share. Bob Muglia, who was the President of Server and Tools Business, used to call it the linchpin workload for the Windows Server franchise - it was that important.
Alan Shimel:
It was that important, right? There was a time when a company called Novell created something called LDAP. LDAP was very much the first directory. And it was great. Then Windows came along with 95% market share for Windows Server. It became how you assigned access control. How you did identity. Now, like you said, the cloud comes along and Microsoft isn't at 95%. They're probably at 80%. But you have more places and sitting in your data center or your server closet isn't going to do it. Microsoft moved Azure as a service, right? Even that wasn't enough.
Omri Gazitt:
Yeah. If we think about the challenges today that admins face, they used to live in LDAP or Active Directory. And they assigned users to groups that represented roles in business applications. It was clunky, but it was one place to administer all that. Now, in the age of SaaS and cloud, admins have dozens or hundreds of different consoles. So the admin’s life is hell right now. Not to mention the developers, who have to reinvent that wheel every time they build a new microservice or application. And every microservice builds its own access control. As a result, it becomes impossible to reason about the surface area of a microservices-based application.
That's why we built Aserto. And we recently open-sourced our client-side authorizer, called Topaz. Topaz is an open-source project that combines OPA, the Open Policy Agent, as a decision engine, and includes an embedded directory that represents the Google Zanzibar model. You know how Google Docs and Drive work? They have an authorization model where you can assign a viewer, commenter, or owner type of permission to users or groups. And that cascades all the way down through the object directory. Until you can evaluate queries like "Does Alan have viewer access to a document, if Alan is in this group and the document is in this folder." Sound familiar?
Alan Shimel:
It is a directory.
Omri Gazitt:
That's what we brought together: a directory and OPA.
Alan Shimel:
Now I understand. So we are marrying OPA to a directory, but it’s not your grandpa’s directory. It’s a portable directory.
Omri Gazitt:
That's right. And that directory contains not just users and groups. It has objects and the relationships between the objects and the users and groups.
Alan Shimel:
So it takes that zero-trust model where just because I put you in a group doesn't mean you get everything. And I'm not going to have 3 million groups and 3 billion permutations of what I'm going to do. I'm going to marry you to certain objects and that’s what you can access.
Omri Gazitt:
That's right. And that adheres to the principle of least privilege, which is what all of us are trying to get to. Today, if you look at breaches it's not a matter of if, but of when. You want to make sure to lock down each user to the smallest set of operations that they need, but no more than that. So you can limit the blast radius of these types of breaches. Authorization companies, like Aserto, can help you do that.
Alan Shimel:
Topaz is open to outside clients, right? Can you use it without Aserto?
Omri Gazitt:
Absolutely. Topaz is completely standalone. It has everything you need to build fine-grained, policy-based, real-time authorization into your SaaS app, microservice or API. And then we have a control plane. It's a SaaS control plane that helps you manage your policies, user groups, connections to identity providers (e.g. Okta, Auth0), collect decision logs and pour them into your logging systems (e.g. Splunk, ELK). All the stuff that you need to make it enterprise-grade is in our control plane.
Alan Shimel:
Omri recently authored an article called the “Five laws of cloud-native authorization.” Give us the five laws.
Omri Gazitt:
Sounds good. One of the things we noticed is that while we haven't moved forward in 15 years, in the last year or two large companies like Google, Intuit, Airbnb, Carta and Netflix have all written about how they do cloud-native authorization. From that we've abstracted a set of principles, which we call the “five laws of cloud-native authorization,” that describe the best practices these companies write about.
The first one is that you want to extract authorization out of each microservice and centralize it into a purpose-built authorization service. Every one of the five companies mentioned does that, and they all built it as a distributed system. You're not processing over stale data, but making decisions over live data.
The second principle is fine-grained. Instead of relying on coarse-grained roles and permissions you want to assign the smallest set of permissions that you can to users.
The third principle is policy-based. You want to make sure that authorization policies are expressed as code. I worked on things like configuration-as-code and infrastructure-as-code; now policy is code. You also want to express the policy in a domain-specific language. In our case, it's Rego. You also want to store and evolve your policy separately and maybe even put it under the control of your security engineering team. Application engineers can work on app logic and security engineers can own and maintain that policy.
The fourth one is real-time. You want to make decisions based on real-time data. Rather than relying on stale permissions stored in access tokens you want to make a call to the authorizer right before you decide if you can show a particular resource to a user.
The last principle is fine-grained decision logs. Like we talked about, it's not a matter of if, but when you get breached. So rather than just having a login trail that shows you that Alan logged in at 2:35pm, you want to know what Alan did and see every decision that every application made: whether he was allowed to view this resource or access that resource, or not.
Those are the five laws of authorization. If you want to build a modern authorization system, we advise you to follow these laws. If you need help with that, within an open-source solution, we have Topaz for you.
Alan Shimel:
And if you just want a really good commercial solution that incorporates all of that?
Omri Gazitt:
If you don't want to build everything on your own we can help you too.
Alan Shimel:
And who does? If it's not core and critical to your business, don’t do it.
Omri Gazitt:
Exactly, that's what most people tell us. It doesn't make their beer taste any better. Access control is critical and is the cost of doing business, but it's not differentiating.
Alan Shimel:
It's not the core thing they do either. Aserto.com - check them out!