SE Radio 664: Emre Baran and Alex Olivier on Stateless Decoupled Authorization Frameworks
Emre Baran, CEO and co-founder of Cerbos, and Alex Olivier, CPO and co-founder, join SE Radio host Priyanka Raghavan to explore “stateless decoupled authorization frameworks.” The discussion begins with an introduction to key terms, including authorization, authorization models, and decoupled frameworks.
They dive into the challenges of building decoupled authorization, as well as the benefits of this approach and the operational hurdles. The conversation shifts to Cerbos, an open-source policy-based access control framework, comparing it with OPA (Open Policy Agent). They also delve into Cerbos's technical workings, including specification definitions, GitOps integration, examples of usage, and deployment strategies. The episode concludes with insights into potential trends in the authorization space.
This episode is sponsored by Penn Carey Law school
Show Notes
Transcript
Transcript brought to you by IEEE Software magazine and IEEE Computer Society. This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number.
Priyanka Raghavan 00:00:19 Hi everyone, this is Priyanka Raghavan for Software Engineering Radio and today on our show we are going to be discussing the topic “stateless decoupled authorization” frameworks. And for this we have two guests, Alex Olivier and Emre Baran. Emre is an entrepreneur and a software executive with more than 20 years’ experience in B2B and B2C product areas. He’s currently the co-founder and CEO of Cerbos. And before that he co-founded Turkey’s largest social network in the mid-2000s, called yaja.com. And after that, has been in a variety of different organizations, one is, of course, Google. And Qubit. And one of the podcasts he appeared on, they called him a serial entrepreneur. So I’m going to stick with that. And Alex, he’s the CPO and co-founder at Cerbos. He has a wide variety of roles and experiences, be it engineer, consultant, tech lead, product manager. And there’s also this one line which says, “always an eye on developer experience.” So that’s great for us here at SE Radio. He’s worked on different companies, again, Microsoft, Qubit, and a myriad of startups with a focus on areas such as authorization, data management, and security. So welcome to the show, Emre and Alex.
Emre Baran 00:01:35 Thank you for having us. Yeah.
Priyanka Raghavan 00:01:38 Great. So in SE Radio, we have done a few shows on authorization as well as authentication. On Episode 492, which I just want to call out to the listeners, we had a show on building a consistent authorization service, mainly on the Google Zanzibar project that we talked about. And then Episode 406 on the Open Policy Agent. We’ve done a few shows on OAuth 2.0 and API authorization. However, since we are exploring this topic again, I think after a gap of nearly four years, can I pose this question to both of you on what is authorization? So Emre, can I start with you?
Emre Baran 00:02:16 Sure. I want to start by saying what it is not. Authorization usually comes with its twin authentication. And authentication is a fact of who you are. Are you, who you say you are and what roles and what attributes you have: that’s authentication in your directory. And authorization is the fact that now we know who you are, are you allowed to do a certain action or not? And you can think about this, the application of this, in many things in life as well as in software. Now the fact that you can log in doesn’t really mean you can do every action in any given software. And the control mechanism of what are you allowed to do versus not is authorization.
Priyanka Raghavan 00:02:59 Great.
Alex Olivier 00:02:59 Yeah, I think there’s a really good analogy for anyone that’s taken a flight recently; you got your passport, you fly to some exotic location for your vacation. You get to passport control, they take your passport, they authenticate it to you by comparing your photo and your biometrics. It’s like, cool, Alex has arrived, this is his document. But the actual decision around whether you’re allowed into the country or not is an authorization decision, which is based upon, have you got the right visa? What’s your immigration status? Have you got the right funds? Those sorts of things. And that’s a check: knows who you are, but should you be allowed in — is the difference between authentication and authorization.
Priyanka Raghavan 00:03:33 That’s a great example and I think maybe Alex, I’ll ask you this question then, in a lot of literature I see there’s this term called as an authorization model. Is that something that you can describe for us and maybe what are the key components?
Alex Olivier 00:03:47 Yeah, so authorization, authorization models, there’s kind of various ways you can think about what decides access to a particular system. And the term that I imagine most of this audience would be familiar with is RBAC or Role-Based Access Control, where your authorization — your access — is controlled by whether you have a particular role or not. So you must be an admin to do certain actions. You must be a user to do other actions. You must be a subscriber to do the download action let’s say. RBAC is one that probably most people are familiar with. ABAC or Attribute-Based Access Control is kind of the, either the evolution or the superset or the subset — depends on how you look at the world — of that. And that’s about deciding your access based on more than just your role. It’s about deciding access based on attributes. And those could be attributes about who you are, it could be attributes based upon the resource you’re accessing.
[...]