Cloud-native authorization standards

00:00

hello my name is omary gazit I'm the

00:03

co-founder and CEO of Certo an

00:06

authorization company and I'm very

00:08

excited to spend the next 30 or so

00:11

minutes with you talking about fine

00:13

grained authorization and why

00:14

everybody's so excited about

00:18

it first a little bit about myself I've

00:21

spent well over three decades building

00:23

software for developers um the last 15

00:28

years of which uh we're really focused

00:29

on on cloud platforms uh in identity and

00:32

access in particular I love doing

00:34

startups this is my third startup uh and

00:37

when I'm not start uping I'm skiing I

00:40

was super fortunate to have worked on

00:41

some really cool projects uh over my

00:44

career uh I was one of the co-founders

00:46

of the net project at Microsoft uh as

00:49

well as the Azure project where I was uh

00:51

I worked on Azure Access Control service

00:54

that became Azure active directory uh

00:56

and then the last 10 years I spent a lot

00:58

of time in the open source Source base

01:00

uh working on things like openstack and

01:02

specifically I am an openstack Cloud

01:05

Foundry where I was a board member U

01:07

puppet in

01:10

kubernetes so let's start by talking

01:12

about the differences between

01:14

authentication and authorization some

01:16

people talk about them as being the same

01:18

thing off but they really are two

01:20

distinct processes authentication is

01:23

really about proving that you are who

01:24

you say you are so in the old days we

01:26

used to do it using emails and passwords

01:29

and these days is we have password list

01:31

and Biometrics and magic links and two

01:35

Factor but ultimately it's the same

01:38

process and the ecosystem at this point

01:40

is pretty mature we've had standards in

01:42

the space for almost 20 years now saml

01:45

is the OG The Original Gangster of um

01:48

single sign on standards uh and open ID

01:51

connect has been around for about nine

01:53

years oo 2 a little bit longer than that

01:56

and we also have some fairly mature

01:58

developer services right so you can use

02:00

OCTA or ozero or Azure active directory

02:03

or Cognito uh to be able to implement

02:06

login without having to write it

02:08

yourself in fact no one writes login

02:10

anymore everybody uses a developer

02:12

service so this is mostly a solved

02:14

problem for

02:15

developers authorization not so much now

02:18

authorization is once you're logged in

02:21

what can you do in the context of this

02:23

application and specifically do you as a

02:26

user have this particular permission on

02:28

this particular resource

02:30

now there are not any real standards in

02:32

the space as of yet certainly there are

02:34

patterns like rback and aback which

02:36

we'll talk about later um and there's

02:39

also no implementations at scale at

02:42

least of developer Services right every

02:45

framework every language has uh a set of

02:48

libraries uh every framework has a set

02:50

of libraries that help you build uh

02:52

authorization but really every one of

02:55

these implementations is fairly

02:56

inconsistent that creates a lot of

02:58

problems the first first one is bad

03:00

security uh and the case in point is

03:03

that number one on the oosp top 10 list

03:07

of application security issues is broken

03:09

access control so they've tested uh a

03:12

whole bunch of applications and like a

03:14

whopping 94% of the applications that

03:17

they tested have had some sort of broken

03:20

Access Control vulnerability so this is

03:22

a huge problem um uh in terms of

03:25

security Now not to mention the fact

03:28

that if every micro service implements

03:31

permissions differently you have a a

03:33

budg of inconsistency in the application

03:35

and it's really hard to reason about the

03:38

authorization surface area of your

03:39

application not to mention the

03:41

opportunity cost imagine that you had to

03:43

go build login uh by yourself or text

03:46

messaging or uh payments or things like

03:49

that that's just a whole bunch of wasted

03:51

effort um and that is unfortunately

03:54

still the state-of-the-art with

03:55

authorization every application

03:57

essentially rolls their own

04:01

now things are not all bad it turns out

04:04

that a lot of Technology organizations

04:06

in the last couple of years have been

04:08

looking at authorization as something

04:10

that they need to centralize and they've

04:11

been been giving it to their platform

04:13

Services teams or Central Services teams

04:16

to go build a single consistent

04:18

implementation and they're writing about

04:20

it so a lot of Technology organizations

04:23

have written papers or blog posts or

04:26

have given talks about how they do

04:28

authorization and if you look at um all

04:31

the different patterns uh that they've

04:33

written about they're really five that

04:35

bubble up to the surface and we contrast

04:38

those here with some of the old school

04:40

or anti patterns the first one is that

04:42

each service does its own authorization

04:44

this one's kind of obvious right in the

04:46

modern best practice is that these

04:48

technology companies are basically

04:50

empowering their censal services teams

04:53

to go build a purpose-built

04:54

authorization service that all the other

04:57

microservices can actually go rely on

05:01

the second uh anti pattern is to use

05:04

coar grained rolls that are baked into

05:06

the applications and the modern best

05:09

practice is to uh replace that with fine

05:12

grain to access control really adhering

05:15

to the principle of lease privilege what

05:17

that principle means is you want to

05:19

basically give as much permission to the

05:22

user as they need to be able to do their

05:25

job but no more than that and the reason

05:28

why is because if you have a compromised

05:30

identity you want to limit the blast

05:32

radius of what that user can do and so

05:34

it just makes sense to lock down

05:36

permissions as much as possible and that

05:38

really is the the impetus for fine grain

05:41

access

05:42

control the third one is that you know

05:45

you find in the you know kind of old

05:47

school way of doing things authorization

05:50

built as a bunch of if and switch

05:51

statements in each of the microservices

05:55

so authorization spaghetti code is what

05:57

we call it and the best practice is to

06:00

extract the authorization logic out of

06:03

the micros service out of the

06:04

application and store inversion it

06:06

separately really achieving a separation

06:08

of concerns that enables in turn uh

06:11

another important security principle

06:13

called separation of Duties so you have

06:15

the application developers worrying

06:17

about the application code then you have

06:19

people who really reason about the

06:21

authorization surface area able to go

06:23

look at all the authorization policy Al

06:26

together and figure out uh whether that

06:29

authorization policy makes

06:31

sense the fourth anti- pattern is

06:34

creating uh Scopes that are baked into

06:37

access token as

06:39

permissions and the modern best practice

06:42

is to make a realtime call to an

06:45

authorization service right before you

06:47

want to Grant access to a protected

06:49

resource a realtime access checks why is

06:52

uh relying on Scopes baked in Access

06:55

tokens bad well you know for a number of

06:57

reasons first of all um they basically

07:00

have a lifetime so as soon as you mint

07:02

that access token it's good for two

07:04

hours or two days for for as long as

07:07

that access token is good for and so if

07:09

you want to actually take away

07:11

permissions uh that's not quite possible

07:13

without token revocation which which is

07:15

a really complicated thing uh if you're

07:17

making a real-time access check right

07:20

before you grant access to a protected

07:21

resource you don't need to rely on

07:24

essentially kind of uh stale tokens the

07:27

other thing that uh these tokens don't

07:29

really give you uh the ability to do is

07:32

find grained access control so let's say

07:35

that you wanted to Grant somebody the

07:37

right to read a document if you put a

07:39

read document scope in an access token

07:41

well you know the calling application

07:43

can go look at that scope and say okay

07:46

uh the user can read a document but

07:48

which document all the documents are you

07:51

going to go create a scope for every

07:52

document that the user has access to at

07:55

login time you know clearly it's just

07:57

not a scalable practice

08:00

and then lastly um most applications

08:03

sadly barely even have a trace of the

08:06

you know the the folks who have logged

08:08

into them much less any kind of fine

08:10

grained audit trail of what users have

08:13

done in the application and the modern

08:15

best practice is to have comprehensive

08:18

monitoring basically uh record the

08:21

decision log for each decision that the

08:24

application made and be able to

08:25

centralize that for compliance and

08:27

forensics again you know a breach is not

08:30

a matter of if it's a matter of when at

08:31

this point in time and so once you

08:34

detect that something happened you

08:36

really want to know why it happened you

08:38

want to have the forensics uh to figure

08:40

out how the application uh did the

08:43

authorization what you know the

08:46

application authorized the user to do uh

08:48

and of course it's also very important

08:50

for compliance uh you need to be able to

08:52

prove that users were only able to do

08:54

what they were allowed to do within the

08:56

scope of the

08:58

application

09:00

great so let's dive into each one of

09:02

these the first one I want to dive into

09:04

is these uh this idea of purpose-built

09:06

uh authorization service it seems like

09:08

it's the new hotness everywhere we look

09:10

uh there's some tech company that's

09:12

writing a paper about it so it started

09:14

out about three years ago with Google uh

09:16

writing about their Zanzibar system

09:18

Zanzibar is basically their uh

09:20

distributed system for uh access control

09:23

for a wide variety of Google services

09:25

Google Docs Google Drive Google Calendar

09:28

uh uh cloud and so on and so forth and

09:32

um it's a large scale Planet scale

09:35

service and one of the things that

09:38

they've done is they've created

09:40

essentially this new model uh that they

09:42

coined the term relationship based

09:44

access control for and we'll talk about

09:46

that uh in a couple slides um into it

09:49

built one that's based on a different

09:51

set of principles more of a uh attribute

09:53

based model hedi from Airbnb was

09:56

inspired by Zanzibar in fact uh the AR

09:59

architect for hedi was one of the folks

10:02

on the Zanzibar team from Carta was also

10:05

inspired by the Zanzibar paper Netflix

10:07

is again more of an aback model so we

10:10

have different types of implementations

10:12

but all these folks are basically

10:14

building uh these centralized services

10:17

and so that you know every one of their

10:19

application teams doesn't have to

10:21

reinvent that

10:24

wheel the next principle is fine grained

10:27

access control and so let's go down a

10:29

trip down memory lane here and talk

10:31

about how that's evolved over the years

10:34

so back in the 80s and 90s we had uh

10:37

Unix systems and later on Linux systems

10:40

uh and NT and those relied on access

10:43

control lists basically the type of

10:45

question that you answered with an

10:46

access control list was does Alice have

10:48

read access to this file a file system

10:51

had read write and execute bits uh for

10:53

users and groups and other and that was

10:55

basically the as fine grained and access

10:58

control model model as you could get uh

11:00

with Linux

11:02

systems now in the '90s and 2000s we saw

11:06

uh this new idea called the directory

11:09

ldap uh and later on active directory

11:12

basically uh ushered in this idea of

11:15

role-based access control so roles were

11:17

typically implemented as groups so you

11:19

for example had a group in ldap or

11:21

active directory that you put users in

11:23

and that would correspond to a role in a

11:25

business application and you can answer

11:27

questions like is Bob in the sales admin

11:29

role by seeing whether Bob was in that

11:31

group you had this idea of nested groups

11:34

and you know life was kind of simple but

11:36

pretty clunky and very much coarse

11:38

grained the problem there was that you

11:40

had this group explosion where uh in

11:42

Microsoft I remember we had uh let's

11:44

call it you know 50,000 users uh at at

11:47

one time in 250,000 groups uh so it was

11:50

impossible to reason about what

11:51

permissions uh users actually

11:54

had in the 2000s and 2010s we had this

11:58

new idea called attribute based access

12:00

control and the idea there was that you

12:02

basically computed Access Control

12:04

decisions based on attributes either on

12:07

the user or on the resource or even

12:10

environmental attributes so you could

12:11

answer questions like is mallerie have

12:14

access if mallerie is in the sales

12:16

department and the document is in the

12:18

sales folder and it's currently working

12:20

hours um so you could write a policy

12:23

that evaluated all those attributes and

12:25

gave you a yes or no answer the you know

12:28

the original system that implemented

12:30

this uh was known as exactl uh that's

12:33

kind of like the Original Gangster of uh

12:35

the ABAC systems and of course uh you

12:38

know now in the last five years we've

12:39

had successors to that and I'll talk

12:41

about that in the next slide and lastly

12:44

uh we have relationship based access

12:46

control like I said before it actually

12:47

predates the Google's ends of our paper

12:49

but Google uh really repop poize that

12:52

model uh and the idea is that you

12:54

basically have relationships defined

12:56

between subjects and objects so so for

12:59

example uh a subject like Eve is a user

13:02

and she can be in a group uh and that

13:05

group can have say view access on a

13:07

folder and there can be documents inside

13:11

that folder and so we can answer

13:13

questions uh like does Eve have read

13:15

access to this document uh by chasing

13:19

the edges that link uh between that

13:21

subject Eve and the object uh the that

13:24

particular document and see whether

13:26

those edges carry the read permission

13:31

so after the history lesson uh let's uh

13:34

fast forward to the present over the

13:35

last 5 years we've seen two different

13:37

ecosystems emerge around fine gr

13:40

authorization the first one I call the

13:42

policy is code Camp uh and the flag

13:45

bearer for that is the open policy agent

13:47

project uh which basically started from

13:50

the aback uh view of the world and so

13:53

there's a lot of stuff going for it it's

13:55

a cncf graduated project it graduated

13:57

about two and a half years ago so

13:58

there's a single mature open source

14:00

implementation it's a general purpose

14:02

decision engine uh fairly flexible and

14:05

primarily used today for infrastructure

14:07

authorization scenarios like kubernetes

14:09

admission control uh and it's really

14:11

tailor made for policy based access

14:14

management and ABAC it's essentially the

14:16

successor to exagal now there are some

14:18

drawbacks as well the language is has a

14:22

high learning curve so unless you're a

14:24

prolog head you know this is a side

14:26

effect free data log derivative uh and

14:30

you have to kind of go build your

14:31

authorization model from first

14:33

principles it's really an unopinionated

14:35

language so you have to kind of design

14:37

your authorization mod model from

14:39

scratch and it's a little like you know

14:41

writing something in the sembler

14:42

language and furthermore you really

14:44

don't have much help with how to manage

14:46

data in the system Opa has an effective

14:49

policy plane but it doesn't really have

14:51

a data plane so if you want to start

14:53

with Opa you have to kind of roll that

14:55

out on your own on the other side

14:57

there's the Zanzibar model model uh I

14:59

call this the policy as data camp and

15:01

like I said before Google uh built their

15:05

uh model over an abstract model called

15:07

reback relationship based Access Control

15:09

they didn't invent it but they certainly

15:11

popularized it uh if Opa has no opinions

15:14

reback has plenty of opinions it's a

15:15

very opinionative model uh and the idea

15:18

is again like I said you're modeling

15:20

your um access control rules essentially

15:23

as data as a set of relationships

15:25

between subjects and objects and so if

15:27

your domain looks a lot like Google Docs

15:30

you have subjects like users and groups

15:32

uh and objects like uh folders and files

15:36

you can uh very much use this as an

15:39

opinionated model that you can start

15:41

from now it's a fairly immature

15:43

ecosystem there are at least half a

15:44

dozen uh competing open source

15:46

implementations uh because Google didn't

15:48

open source anything they didn't even

15:50

write a spec they built they wrote a

15:52

technical report so there are uh a bunch

15:55

of different uh open source

15:56

implementations at this point and they

15:58

don't really share uh any common schema

16:00

language or a common data language uh

16:02

and it's also hard to extend the reback

16:04

model into uh attributes although some

16:07

of these projects are starting to do

16:09

that uh they're they each do it in kind

16:12

of an inconsistent way as

16:14

well now fortunately there's a third

16:16

path uh we call this the uh don't

16:19

succumb to the tyranny of the ore a lot

16:21

of people think of these as competitive

16:23

ideas but we think of them as compliment

16:25

and so topaz is a project uh that Asser

16:28

of my company maintains but the idea

16:30

there is to take the Best of Both Worlds

16:32

you take the decision engine from Opa

16:34

and so you have a policy based Access

16:36

Control model uh that is uh supports

16:39

attributes and you take the Zanzibar

16:41

directory and you kind of put them

16:42

together in a single open source project

16:44

that's delivered as a single container

16:46

image so here I have a as a reference a

16:49

URL to Topaz uh go check it out uh the

16:52

QR code will also take you to the GitHub

16:57

repo the next principle I want to talk

17:00

about is policy-based access management

17:02

and as a reminder this is the idea of

17:04

lifting the access control logic out of

17:07

the application where it's uh expressed

17:09

as if or switch statements and instead

17:12

expressing it in its own domain specific

17:14

language uh and storing and versioning

17:17

it as code just like any application

17:20

artifact so here I have a policy written

17:23

in Rego uh which is the surface syntax

17:26

for the open policy agent this happens

17:28

to be a topaz policy uh because it has a

17:31

little bit of an Easter egg here uh that

17:34

uh basically uh makes a call to one of

17:37

the topaz built-ins uh that computes the

17:40

policy based on a relationship between a

17:44

subject the user and an object uh one of

17:48

their reports so this policy has two

17:50

allowed Clauses one of them uses

17:52

attributes so uh basically you're

17:54

allowed if the uh logged in user's

17:57

property is a Department property I

18:00

should say equals operations or you're

18:02

allowed if you're the manager of uh this

18:04

particular user and so it's important to

18:08

note that uh it's not just Opa that

18:11

adheres to this principle any Zan ofar

18:13

BAS system also equally believes that

18:16

you should extract that policy logic

18:18

don't express it as if in switch

18:20

statements inside of your application

18:22

instead store inv verion it as a domain

18:26

model but what does that get you

18:29

basically instead of having to go again

18:32

like I said write if we switch

18:34

statements to express authorization

18:36

logic you can go use a middleware so

18:40

here we have this check off Z middleware

18:42

that we've placed in the dispatch path

18:44

of uh this route Handler for this

18:46

node.js this expressjs uh route Handler

18:50

and all we have to do is just uh tell

18:53

the developer to make sure to call that

18:55

middleware that middleware makes a call

18:57

to an authorization server that computes

18:59

a decision if that decision comes back

19:01

as uh you know aess denied uh the whole

19:05

route gets uh basically returns and

19:07

access denied otherwise you dispatch to

19:10

the next Handler here what does that

19:12

give you uh it allows you to store

19:14

inversion uh that policy artifact just

19:17

like you do application code and every

19:20

policy change is part of a get change

19:22

log so every Access Control change that

19:24

you want to make in the policy is loged

19:27

just like any other

19:28

uh G change uh so that means that the

19:31

policy can evolve uh from using a

19:34

different team so a different team like

19:36

the security team can own that policy

19:38

and it's decoupled from the application

19:40

Logic the application delivery team

19:42

doesn't have to worry about uh how to

19:44

evolve that access control logic and the

19:46

security team can reason about the

19:49

entire surface area uh authorization

19:51

surface area of the application lastly

19:53

we think of these policies as something

19:56

that you should treat just like like any

19:59

application artifact so application code

20:01

you build into an immutable image

20:03

typically a dock or container that's how

20:05

you distribute it and that's the same

20:07

thing that you should do with policies

20:09

you should build them into oci images

20:11

and sign them using something like

20:13

cosign to secure uh the software supply

20:16

chain for these artifacts in fact here I

20:18

have a reference to a project called the

20:20

open policy containers project which is

20:22

a cncf u sandbox project s is also

20:25

involved with that uh and you can build

20:27

not just topaz policies but also any

20:30

generic Opa policy into a container

20:32

image sign it with cosign and verify the

20:37

signatures and lastly I want to talk

20:39

about real time access control so this

20:42

is where I kind of go into my

20:44

infomercial about authorization actually

20:47

being a distributed systems problem and

20:49

I'll explain why I what I mean by

20:52

that you really need to do authorization

20:55

locally authorization is different than

20:57

any other developer service because if

20:59

you think about uh things like stripe or

21:01

twilio or even ozero those are hosted

21:03

services and it's fine for them to be

21:05

hosted because you basically make a call

21:08

to them and it's important that that

21:10

call complete and it's important that

21:11

they maintain you know a high SLA but

21:14

you know it doesn't really matter if it

21:17

happens in a second uh because it turns

21:20

out that it's not really in the critical

21:22

path of every application request

21:24

whereas authorization is if you're doing

21:26

it correctly uh you're basically making

21:28

a call to the authorization system right

21:31

before you grant access to a protected

21:33

resource and that can happen one or more

21:35

times for every user request so it's got

21:39

to be fast it's got to be done in around

21:42

a millisecond and it's got to be 100%

21:45

available to the calling application so

21:47

it can't really be a hosted

21:49

service but um you also want to be able

21:53

to manage all of the policies and the

21:56

data that's used for authorization in a

21:58

centralized manner so you really need to

22:02

have some kind of control plane that

22:04

allows you to manage the life cycle of

22:08

policies uh and as well as uh you know

22:11

all the all the data all the user and

22:13

group and resource data that are used

22:16

for policy decisions uh and

22:18

relationships and be able to mediate

22:20

those decision logs back to a

22:22

centralized control plan so data uh

22:25

about users comes from an identity

22:27

provider

22:28

uh data from you know the source code

22:30

for policies comes from a source code

22:33

control system and then decision logs

22:35

really want to end up in your scene tool

22:37

in your log aggregation tool so you

22:40

really need kind of this central control

22:42

plane that allows you to manage all this

22:44

stuff at

22:47

scale so as we bring this presentation

22:50

to a close I want to close with what we

22:52

call the Five Laws of authorization if

22:55

you're building an authorization system

22:58

for your entire organization you want to

23:00

have it have the following five

23:02

properties at the very least you want to

23:04

be fine grained and you want it to be

23:06

also flexible enough to support all the

23:07

different types of authorization models

23:10

so rback aback reback any combinations

23:12

of them you want to make it policy based

23:15

so you really want to make sure that you

23:17

give the opportunity to the application

23:20

developers to not have a bunch of switch

23:23

and if statements in their code and

23:24

instead allow them to extract the

23:26

authorization policy their applications

23:29

and store and version it into in it as

23:31

its own artifact that you can actually

23:33

go build into assigned image make sure

23:36

that authorization is done in real time

23:39

as a local call executing over fresh

23:42

data and yet you want to have Central

23:45

management of the policies and all the

23:47

resource data that are used in

23:49

authorization decisions and finally you

23:51

want to Aggregate centralize and

23:53

aggregate all the decision logs that

23:55

come out of these authorization requests

23:57

so that you can use those later for

23:59

compliance and forensics and if you're

24:02

building a system like this you also

24:03

want some nonfunctional requirements

24:06

like you want to make it super easy for

24:07

your developers to adopt so uh you want

24:10

to uh have a system that allows you to

24:12

do authorization uh to an external

24:15

system with a single line of code you

24:17

want to be able to have it integrate

24:18

with all of the systems you already have

24:20

so identity providers uh source code

24:22

repositories artifact Registries logging

24:25

systems and finally uh it's important

24:28

for it to be open uh so you get a lot of

24:30

ecosystem effects from betting on

24:32

kubernetes Native Technologies like open

24:34

policy agent and

24:37

topaz now this is a lot of work to do

24:40

and fortunately there are some places to

24:42

start there are open source projects

24:43

that you can start from Opa is one of

24:45

them topaz is one that I've talk talked

24:47

about as well it's the project that my

24:49

company maintains so we're very partial

24:51

about it um this is a QR code for

24:54

getting to the repo and topaz uh we'

24:56

like to say that it's fast flexible and

24:58

easy fast uh it does authorization in

25:01

under a millisecond flexible it supports

25:03

all the different U Access Control

25:06

Models All The Backs as we like to say R

25:08

back a back and reback it runs in any

25:10

cloud and finally easy it has sdks uh it

25:14

has grpc apis it has rest apis graphql

25:17

apis sdks from every language so it's

25:19

super easy for your developers uh to

25:22

incorporate no matter what language

25:23

they're

25:24

using and lastly my company ass Certo

25:28

uh basically builds commercial solutions

25:30

for authorization so if this is not

25:32

something that you want to roll out by

25:33

hand using open source uh we're happy to

25:36

provide you readymade Solutions thank

25:38

you so much for listening over the last

25:41

almost 30 minutes uh please come find me

25:44

on social I'm om G at Twitter I'm

25:47

rto.com if you have any questions or

25:50

comments uh we'd love to answer U join

25:52

our slack uh it's at aso.com slack uh

25:56

check out our repo uh that's soru ddev

26:00

toaz on GitHub and uh let us know what

26:04

you think thank you so

26:06

much