Back in the day, organizations built monoliths, and there was one place where you would go to set up the mapping between users and roles. But with the advent of cloud-native containers and Kubernetes, the stack has become much more layered and complex. In large organizations, the many microservices and applications complicate things further. Today’s agile environments lead to divergence in authorization models, so it only makes sense that authorization has become a hot topic.
Most solutions these days push authentication and authorization together and create an overlap. This is where Aserto comes in with its open-source, fine-grained authorization service, Topaz.
In today’s article, we will briefly review the basics of authentication and authorization. Then, we’ll dive deep into how Aserto helps organizations with its authorization capabilities and list a few major benefits.
Authentication and authorization
Authentication is about proving who you say you are; it requires verifying a user’s or service’s identity. Authorization, conversely, is about determining what you can do in the context of a particular application. The two go hand in hand: if there is no authentication, there is no user context and nothing to authorize. But it is critical to remember that authorization is a distinct operation, and you cannot treat your authentication system as your authorization system.
The stakes of getting authorization wrong
When you build authorization incorrectly, there is a definite risk of broken access control: users end up with permissions on resources they shouldn’t have. Furthermore, a microservice architecture means multiple applications, each exposing permissions and roles differently. Managing the cross-product of users and applications is a nightmare for admins.
Additionally, misconfigurations have become rampant, and overprovisioning has become the norm. Not having a fine-grained authorization system in place also means you cannot follow zero-trust principles. The costs are enormous, both as ongoing risk to the business and when real breaches occur.
Aserto – a deep dive
When setting out to build a sustainable authorization system, the team at Aserto never wanted to compete with the organizations in the field that were already doing authorization well; they merely wanted to complement them. Two things were taken into consideration before building an authorizer:
1. Open policy agent (OPA)
The Open Policy Agent project, hosted by the Cloud Native Computing Foundation (CNCF), facilitates the idea of policy as code, and the nice thing about that is that it allows for separation of duties. It enables a natural workflow between the application teams, who no longer have to deal with authorization in their code, and the security teams, who own it. OPA is the first developer-friendly packaging of attribute-based access control (ABAC) ideas.
2. Google’s Zanzibar
Google’s Zanzibar paper popularized the relationship-based access control (ReBAC) model. The technical report models authorization as the relationships between objects and subjects. It places users and their relationships with the resources at the model’s center. The nature of a user’s relationship with a resource determines which actions are possible.
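To make the relationship-based model concrete, here is a small Zanzibar-style check written for this article; it is an added example, not code from Aserto, Topaz or the Zanzibar paper. It assumes the paper’s core shapes: relation tuples of the form object#relation@subject, where a subject may itself be a userset (another object’s relation), plus two rewrite rules per namespace, a computed userset (editor implies viewer) and a tuple-to-userset (a document inherits its parent folder’s viewers). The namespace config, tuple data and action-to-relation mapping are all constructed for illustration.

```python
"""Minimal Zanzibar-style relationship check (constructed example).

A relation tuple reads object#relation@subject. The subject is either a
user ("user:alice") or a userset ("group:eng#member"). check() answers
"does this user hold this relation on this object?" by walking the tuple
graph and the namespace's rewrite rules.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tuple:
    object: str    # e.g. "doc:readme"
    relation: str  # e.g. "viewer"
    subject: str   # "user:alice" or a userset such as "folder:eng#viewer"


# Constructed namespace config. IMPLIED is the "computed userset" rewrite:
# holding any listed relation on the same object also grants this one.
IMPLIED = {
    ("doc", "viewer"): ["editor"],
    ("doc", "editor"): ["owner"],
    ("folder", "viewer"): ["editor"],
    ("folder", "editor"): ["owner"],
}
# INHERITED is the "tuple-to-userset" rewrite: (type, relation) ->
# (link relation on this object, relation to check on the linked object).
INHERITED = {
    ("doc", "viewer"): ("parent", "viewer"),
    ("doc", "editor"): ("parent", "editor"),
}


class RelationStore:
    def __init__(self, tuples):
        self.tuples = set(tuples)

    def subjects(self, obj, relation):
        return {t.subject for t in self.tuples
                if t.object == obj and t.relation == relation}

    def check(self, obj, relation, user, _seen=None):
        """True if `user` holds `relation` on `obj` (DFS over the tuple graph)."""
        seen = _seen if _seen is not None else set()
        if (obj, relation) in seen:   # visited-set guard against cyclic usersets
            return False
        seen.add((obj, relation))
        obj_type = obj.split(":", 1)[0]
        # 1. Direct tuples, expanding userset subjects recursively.
        for subj in self.subjects(obj, relation):
            if subj == user:
                return True
            if "#" in subj:
                s_obj, s_rel = subj.split("#", 1)
                if self.check(s_obj, s_rel, user, seen):
                    return True
        # 2. Computed usersets: relations on this object that imply this one.
        for implied in IMPLIED.get((obj_type, relation), []):
            if self.check(obj, implied, user, seen):
                return True
        # 3. Tuple-to-userset: inherit the relation through a linked object.
        if (obj_type, relation) in INHERITED:
            link_rel, target_rel = INHERITED[(obj_type, relation)]
            for linked in self.subjects(obj, link_rel):
                if self.check(linked, target_rel, user, seen):
                    return True
        return False


# Constructed sample data: alice owns the folder, carol is in group:eng which
# can view the folder, the doc lives in the folder, and bob edits the doc.
TUPLES = [
    Tuple("folder:eng", "owner", "user:alice"),
    Tuple("folder:eng", "viewer", "group:eng#member"),
    Tuple("group:eng", "member", "user:carol"),
    Tuple("doc:readme", "parent", "folder:eng"),
    Tuple("doc:readme", "editor", "user:bob"),
]
STORE = RelationStore(TUPLES)

# Constructed mapping from application actions to the relation that permits them.
ACTION_RELATION = {"read": "viewer", "write": "editor"}


def can(user, action, obj):
    """Authorization decision: map the action to a relation and check it."""
    return STORE.check(obj, ACTION_RELATION[action], user)


if __name__ == "__main__":
    for user, action in [("user:alice", "write"), ("user:carol", "read"),
                         ("user:carol", "write"), ("user:bob", "read"),
                         ("user:dave", "read")]:
        print(f"{user} {action} doc:readme -> {can(user, action, 'doc:readme')}")
```

Note that alice never appears in a tuple for doc:readme at all; her write access is derived entirely from owning the parent folder, which is the point of the model: the decision follows the relationship graph rather than a per-resource role table.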
Best of both worlds – Topaz
Topaz brings the best of the two approaches together in a single open-source project. It provides real-time, developer-focused, policy-based access control for modern cloud-native applications. Topaz is beginner-friendly and simple, as you don’t need anything to get started with it besides Docker on your machine.
Topaz has a hybrid architecture: a local authorizer in the application’s backend and a centralized control plane that manages everything. Since the authorizer runs locally, it has all the data required to make a decision cached locally, so an authorization check is just a local call, and it is fast because it runs over cached data. The Topaz authorizer is a single container image with an embedded database that serves as that cache; the database is indexed, which makes lookups cheap.
When it comes to real-time data, any time a user attribute changes in the control plane, the change is sent over a high-speed data fabric to all the authorizers connected to the control plane, so they always have the latest policy and the latest data. When it comes to making an authorization decision, they can make it locally.
So you are essentially making authorization decisions on near real-time data that is cached right next to the application, making it easy to retrieve. This is what sets Aserto apart from its competitors: Aserto authorizes locally but manages centrally.
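The following sketch, written for this article and not taken from Topaz or Aserto, shows the "authorize locally, manage centrally" pattern described above. A ControlPlane is the source of truth for a user directory and a policy; each LocalAuthorizer keeps a cached copy, receives pushed updates, and decides purely from that cache. The policy format (role-to-actions mapping), the event shapes and the sample users are all constructed assumptions, chosen only to show the data flow: the request path never calls the control plane, and an offboarding in the control plane is reflected in every authorizer on the next decision.

```python
"""Constructed sketch of a locally cached authorizer fed by a control plane."""


class LocalAuthorizer:
    """Runs beside an application; decides only from its local cache."""

    def __init__(self, name):
        self.name = name
        self.users = {}      # cached copy of user -> attributes
        self.policy = None   # cached copy of role -> set of allowed actions
        self.version = 0     # version of the last update applied

    def apply(self, event):
        """Apply one update pushed by the control plane (events arrive in order)."""
        kind = event["kind"]
        if kind == "user_upsert":
            self.users[event["user"]] = event["attrs"]
        elif kind == "user_delete":
            self.users.pop(event["user"], None)
        elif kind == "policy":
            self.policy = event["policy"]
        else:
            raise ValueError(f"unknown event kind {kind!r}")
        self.version = event["version"]

    def is_allowed(self, user, action, resource):
        """Local decision. Unknown user, missing policy or disabled user -> deny."""
        attrs = self.users.get(user)
        if attrs is None or self.policy is None:
            return False
        if not attrs.get("enabled", False):
            return False
        role = attrs.get("roles", {}).get(resource["tenant"])  # role is per tenant
        return action in self.policy.get(role, set())


class ControlPlane:
    """Source of truth; pushes every change to all connected authorizers."""

    def __init__(self, policy):
        self.version = 0
        self.policy = policy
        self.users = {}
        self.authorizers = []

    def connect(self, authorizer):
        # Bootstrap a new authorizer with a full snapshot, then keep it on the push list.
        authorizer.apply({"kind": "policy", "policy": self.policy, "version": self.version})
        for user, attrs in self.users.items():
            authorizer.apply({"kind": "user_upsert", "user": user,
                              "attrs": dict(attrs), "version": self.version})
        self.authorizers.append(authorizer)

    def _publish(self, event):
        self.version += 1
        event["version"] = self.version
        for authorizer in self.authorizers:
            authorizer.apply(dict(event))   # stands in for the data fabric push

    def upsert_user(self, user, attrs):
        self.users[user] = attrs
        self._publish({"kind": "user_upsert", "user": user, "attrs": dict(attrs)})

    def delete_user(self, user):
        self.users.pop(user, None)
        self._publish({"kind": "user_delete", "user": user})

    def set_policy(self, policy):
        self.policy = policy
        self._publish({"kind": "policy", "policy": policy})


def demo():
    """Two services share one control plane; returns (before, after, in_sync)."""
    policy = {"admin": {"read", "write", "delete"},
              "member": {"read", "write"},
              "guest": {"read"}}
    cp = ControlPlane(policy)
    cp.upsert_user("alice", {"enabled": True, "roles": {"acme": "admin"}})
    cp.upsert_user("bob", {"enabled": True, "roles": {"acme": "guest"}})
    orders, billing = LocalAuthorizer("orders-svc"), LocalAuthorizer("billing-svc")
    cp.connect(orders)
    cp.connect(billing)
    doc = {"tenant": "acme"}
    before = (orders.is_allowed("alice", "delete", doc), billing.is_allowed("bob", "write", doc))
    # Offboard alice centrally; no authorizer has to be restarted or queried.
    cp.upsert_user("alice", {"enabled": False, "roles": {"acme": "admin"}})
    after = (orders.is_allowed("alice", "delete", doc), billing.is_allowed("alice", "read", doc))
    in_sync = orders.version == billing.version == cp.version
    return before, after, in_sync


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `is_allowed` denies when the user or policy is absent from the cache: if an authorizer has not yet received a snapshot, or an event was lost, the failure mode is a denied request rather than an unreviewed allow. The version counter is what lets an operator check that every authorizer has caught up with the control plane.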
Top three benefits of Aserto
- Time to market: Adopting Aserto’s authorization system takes much less time than building your own.
- Total cost of ownership: It is much cheaper to adopt a solution where most of it is off the shelf and you only have to customize maybe ten to twenty percent. Building an authorization system from scratch can prove to be quite expensive.
- Security posture: It’s safer to bet on a product built by security experts than on one built by application developer teams, not least because many significant zero-trust principles, like separation of duties and the principle of least privilege, are built into the system.
Building a great authorization system can prove to be quite difficult; only big enterprises with well-staffed engineering teams can afford to do it. Aserto enables organizations of all sizes to access a standardized, unified authorization service. Additionally, Aserto’s distributed architecture ensures data is near real-time and authorization calls are lightning fast. With a focus on some non-authorization scenarios in the future, it is going to be exciting to keep an eye on what lies ahead for Aserto.
Also watch this interview we had with Omri Gazitt, Co-founder and CEO at Aserto.