Modern application authorization: Insights from the trenches

Apr 3rd, 2024

Noa Shavit

The journey to scalable, fine-grained authorization is an increasingly common challenge for technology organizations. With the security landscape changing rapidly, robust solutions that secure applications from breaches and limit the potential damage of a breach are absolutely crucial, especially if your application is mission-critical or has a complex web of permissions. But how do you build a fine-grained authorization service for your applications?

Join Sebastian Rohr, Co-founder of Umbrella Associates, and Omri Gazitt, Aserto CEO, as they discuss the architecture of scalable granular permission systems in this on-demand webinar. Their insights shed light on the challenges, innovations, and best practices around implementing fine-grained authorization for applications.

Here’s some of what they discussed:

A shift from identity to access control

Identity is mostly a solved problem. Authorization, on the other hand, remains a complex puzzle. Over the past 15 years we’ve seen a shift from the chaos of individual website credentials to single sign-on solutions, like Okta and Azure AD. Identity standards like OAuth2, SAML, and OpenID Connect revolutionized authentication. They brought us “SSO of the web” and an interoperable identity fabric that propelled the industry forward. It’s time for the same to happen for authorization.

Today, we don’t have authorization standards, protocols, or developer APIs, so every application builds its own permissions. They typically implement coarse-grained roles, which tend to be overprovisioned. Unfortunately, even coarse-grained authorization can be tricky to get right. In fact, OWASP, a foundation dedicated to application security, found broken access controls in an astonishing 94% of the 318,000 applications it tested.

Thankfully, there’s a new wave of modern authorization projects that help organizations implement varied degrees of fine-grained access controls. These include:

  • Open Policy Agent: general purpose decision engine for attribute-based access controls (ABAC).
  • OpenFGA: relationship database for relationship-based access controls (ReBAC).
  • Topaz: a superset of both, allowing us to combine attributes with relationships for maximal flexibility.

The community around modern authorization is also growing. And a recent vendor-neutral initiative to standardize authorization is being spearheaded by the AuthZEN OpenID Foundation working group. Standardization and collaboration are critical in shaping the future of authorization protocols and practices.

Siemens: fine-grained permissions at scale

Siemens hired Umbrella Associates to tackle the challenge of managing permissions across multiple organizations involved in a complex machinery system, each with distinct organization structures and access requirements. In other words, they needed a fine-grained authorization system.

Umbrella Associates identified a combination of ABAC and ReBAC requirements, and built five different subsystems based on a number of open-source projects. Having since discovered Topaz, Aserto’s authorization engine, Umbrella Associates estimates that it can collapse this complex system into a single authorization service based on Topaz.

Authorize locally, manage centrally

The nature of application authorization requires it to be lightning fast. Every user interaction with the application involves determining whether that user is allowed to perform that action. In other words, authorization lies in the critical path of every application request, so authorization decisions need to be made in single-digit milliseconds, to avoid becoming a bottleneck and impacting the user experience.

In addition to low latency, the authorization service must have high availability. To achieve both, the authorizer must be deployed in the same environment as the application - in other words, as close to the application as possible.

With that said, we want to manage authorization centrally across services and even applications. This will allow us to have a clear view of the authorization logic, consistent enforcement, and streamlined administration and governance. We also want to use the most up-to-date information, to avoid authorizing over stale data. To this end, we need a “single pane of glass” to manage all of the locally deployed authorizers and synchronize the data required for access decisions, as well as collect and aggregate audit logs from each authorizer for compliance and auditability.
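The local side of this pattern, sketched as an added example (not code from the webinar, Topaz, or Aserto): an in-process authorizer decides from a synced snapshot, combines a ReBAC relationship check with an ABAC attribute check, denies when the snapshot is stale, and buffers decision logs for central collection. The class names, the 60-second staleness budget, the "technician"/"owner" relations, the clearance attributes and the sample data are all assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

@dataclass
class Snapshot:
    """Copy of centrally managed authorization data held next to the app."""
    synced_at: float       # time of the last successful sync (epoch seconds)
    relations: frozenset   # ReBAC tuples: (subject, relation, object)
    attributes: dict       # ABAC attributes keyed by subject or object id

@dataclass
class LocalAuthorizer:
    snapshot: Snapshot
    max_age_s: float = 60.0                       # assumed staleness budget
    decision_log: list = field(default_factory=list)

    def _decide(self, user, machine, now):
        snap = self.snapshot
        if now - snap.synced_at > self.max_age_s:
            return False, "stale-snapshot"        # fail closed on stale data
        # ReBAC: user must be a technician of an org that owns the machine.
        owners = {s for (s, r, o) in snap.relations
                  if r == "owner" and o == machine}
        if not any((user, "technician", org) in snap.relations for org in owners):
            return False, "no-relationship"
        # ABAC: user's clearance must meet the machine's minimum; a missing
        # machine attribute also denies.
        need = snap.attributes.get(machine, {}).get("min_clearance")
        have = snap.attributes.get(user, {}).get("clearance", 0)
        if need is None or have < need:
            return False, "attribute-check-failed"
        return True, "ok"

    def can_operate(self, user, machine, now=None):
        now = time.time() if now is None else now
        allowed, reason = self._decide(user, machine, now)
        self.decision_log.append({"ts": now, "user": user, "machine": machine,
                                  "allowed": allowed, "reason": reason})
        return allowed

    def drain_log(self):
        """Hand buffered decisions to whatever ships them to the central hub."""
        batch, self.decision_log = self.decision_log, []
        return batch

# Constructed sample data, standing in for a snapshot pushed by a control plane.
SAMPLE = Snapshot(
    synced_at=1000.0,
    relations=frozenset({("org:acme", "owner", "machine:press-7"),
                         ("user:ana", "technician", "org:acme"),
                         ("user:bob", "technician", "org:other"),
                         ("user:cy", "technician", "org:acme")}),
    attributes={"machine:press-7": {"min_clearance": 2}, "user:ana": {"clearance": 3},
                "user:bob": {"clearance": 3}, "user:cy": {"clearance": 1}})
```

Every decision, including denials caused by stale data, lands in the log, so the central view shows when a spoke has stopped syncing.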

This hub and spoke model requires a distributed systems architecture. It’s the only way to achieve low latency, high availability, and centralized control. Building a complex distributed system is something that most organizations cannot afford to spend their engineering resources on.

Aserto delivers a solution on top of Topaz which solves these distributed systems problems: the Aserto Control Plane allows you to manage policies, data, and decision logs centrally, while handling all the synchronization to and from Topaz authorizers deployed next to your application. This delivers on the promise of “authorize locally, manage centrally”.

Watch the webinar for more.

Conclusion

As organizations strive to navigate the complexities of securing their applications in today's digital environment, this webinar offers valuable perspectives and best practices in modern authorization.

Authorization is hard to get right. The authorizers need to be local for high availability with low latency. But we want to manage all of the users, policies, resource and relationship data, and decision logs centrally. This hub and spoke model requires a distributed systems architecture, which demands a large engineering investment, beyond what most organizations want to spend on building it right.

Thankfully there are open-source projects that can reduce the work required to build a modern authorization system. By leveraging projects like Topaz to implement fine-grained access controls, developers can build scalable and flexible authorization systems tailored to their specific needs.

Topaz is fast, flexible, and easy. It makes authorization decisions in ~1ms, supports any authorization model (role-based, attribute-based, and relationship-based), and is easy enough to implement that a single developer can launch a POC in a day and be production-ready in weeks. Try it out and let us know what you think, either here, or on the Topaz community Slack.

Noa Shavit

Head of Marketing