A SCALABLE AND SECURE ACCESS CONTROL SOLUTION SIMPLIFIES AUTHORIZATION
Salesroom is an interactive video conferencing platform for sales professionals. It uses AI to help salespeople accelerate their sales cycles.
Salesroom wanted to get permission control right the first time. Chuck Hardy, the Head of Engineering at Salesroom, and David Workman, a Senior Software Engineer, chose Cerbos to simplify the implementation and management of user permissions and authorization.
The result of this partnership was a simple, secure, and scalable access control solution that allows Salesroom to focus on achieving product market fit.
We had a chat with Chuck Hardy, the Head of Engineering, and David Workman, a Senior Software Engineer, to discover what led Salesroom to hire Cerbos, and the phenomenal results that came from the collaboration.
Q: Why did you decide to get a third-party access control solution instead of building an in-house system?
David: We implemented an in-house authorization system at my previous company. It kind of did the job but it was difficult to update. It couldn’t support all the use cases and we never had time to develop it after release. This caused a lot of confusion and we were often worried that it was not working correctly.
From past experience, developers don't like dealing with authorization. It's tedious code and can be a bit tricky to get right. And if you get it wrong, it has major implications. So the less of it people have to deal with, the happier they tend to be.
Q: How long did it take you to build the in-house authorization system in your previous company?
David: The process of building the bare bones took place fairly quickly. However, there were lots of applications in place that had to be updated and tracked down. When I left, the system wasn’t fully integrated after 2 to 3 years.
Q: What was the cost of the in-house system at your previous company?
Chuck: When I did an audit, I found that the cost of managing authorization and authentication in-house over the entire lifespan of the company was in the 7 figures. And this is without factoring in the opportunity costs.
Q: How was Salesroom handling access control before implementing Cerbos?
David: When I started working at Salesroom, a baked-in authorization solution was starting to take shape. We realized that we had to change track before we ended up in our previous mess: an authorization system that was difficult to support, update, and maintain.
Q: Why was it important for Salesroom to outsource access control?
Chuck: From a business perspective, I wanted to make sure that David spends his energy and focus on solving customer problems and achieving product market fit. I want the engineering team to work on scalable projects that provide value.
Q: What were you looking for in an access control solution?
David: I wanted a solution that wasn’t a single point of failure, one that we could run in a way that's good enough performance without causing major slowdowns in processing requests. We wanted the ability to write policies easily and have people who aren't engineers write and deploy updates without needing an engineer’s support. That point was quite important because we don't want the engineers to be writing policies. That role should be held by IT or similar functionality as the organization matures.
We also wanted the power to audit and test the policies to ensure that they are definitely doing what we expect them to do. Finally, we wanted a solution that could integrate with our existing systems easily.
Q: Did you have any reservations about implementing a third-party access control system?
David: We worried about an external single point of failure. As a SaaS product, every interaction with the platform could be making calls to Cerbos for authorization needs - potentially multiples, dozens, or even hundreds of times in a single request. So if we had only one instance of Cerbos running that could go down separately from the application, then at that point, our application, even if all of our code is up and running, no longer works.
Chuck: If you want to be an enterprise company and sell to big companies such as banks, et cetera, you can't have tedious or fragile disaster recovery programs. You have to be able to prove, not only where your data is flowing, but also that you control the foundations of the house and you haven't built them on any kind of sand, et cetera. And if you can't prove that, you're not gonna get any kind of contract. That was another reason why avoiding a single point of failure was super important.
Q: What convinced you to implement Cerbos?
Chuck: I met Emre (Cerbos’ CEO) at a party. And we were talking and he said, "Look, I'm thinking of solving this problem, or at least I've just started solving this problem." I replied, "Oh my God, dude, no jokes." And so we kept in touch. When he was ready to release the product I proposed it to the team.
The team had a look and then we decided that it ticked all our boxes and didn't have the risk associated with it. Looking at the plans they had for the future, it was something we wanted to invest in.
When you meet people like Emre, who are crazy passionate about a subject that you find difficult to maintain, tedious to understand, you can't help but think that you shouldn't reinvent the wheel.
Q: How long did it take you to set up Cerbos?
David: It didn't take long to get Cerbos up and running. Cerbos integrates well with the tools we use and the policy was nice and easy to write.
Chuck: I remember Dave just saying, "Oh, I'm done." And I asked, "Done with what? The proof of concept?" He replied, "No, I'm done." I asked, "What's going on?" It was funny.
Q: How secure is Cerbos? Is there a risk of it being a single point of failure?
David: We can run Cerbos next to our application with as many instances running as we need. Plus, we can have one dedicated host we're running it on so there’s less risk of it going down and taking everything down without us knowing.
Q: How is the policy writing process in Cerbos?
David: It’s easy to write policies in Cerbos; you can look at them and have a good idea of what they're doing and whether they're doing it correctly.
Q: Is it easy to update policies in Cerbos?
David: Cerbos decouples nicely because I don't need to look at the code. I don't need to look at a bunch of database queries and so on to check whether something's right or figure out what we want to do. All I need to do is add extra roles for this user to pull up what we want and none of the application code needs to change.
Q: What about scalability?
David: We’re not worried about scaling because we can easily increase our load on Cerbos. It will also be easy for us to change how we’re distributing policies as we reach different points of scale.
Q: What is it like to work with the Cerbos team?
Chuck: They're flipping it to be developer-first, focused on us. The language. You can see it on the website. The documentation. I mean, it's even on my notebook, I got a little Cerbos sticker. It feels like they're part of this team, not my boss' team.
They're ridiculously close to us and appreciative. And I mean, they're definitely crossing the boundary on just being friends. You can tell by how much effort we're giving to this. You don't give that unless you have a certain high degree of respect and appreciation for another group of people.
We know that if something goes wrong, they will do everything in their power to resolve it. It gives us that extra bit of confidence. And they're always talking to us with respect and love as well. And that's nice, too.
Q: How has deploying Cerbos benefitted Salesroom?
Chuck: Startups live and die by a few levers. We need to get PMF before we run out of money. Deploying Cerbos has allowed us to spend time on what really matters for Salesroom’s success. And I sleep better at night.
Q: What would have happened if Salesroom had not deployed Cerbos?
Chuck: We wouldn’t have the confidence that we have with Cerbos. Managing authorization would have been more complex. This isn’t the case with Cerbos; our engineers felt that it was easy to pick up and learn.
Q: How much time has deploying Cerbos saved Salesroom?
Chuck: Instead of thinking of how much time Cerbos has saved us, I think about how much time it didn't cost us. It didn’t cost us any time. It just works and I don't have to think about it. It's done.
Q: How is Cerbos the ideal solution for Salesroom?
David: It gives us peace of mind. It's the time not spent worrying about authorization and time not spent trying to stare at a query and work out whether it's the right thing or not.
Chuck: It just works and I don't have to think about it. It's done. It's as simple as that for me. I have an analogy, I love Android phones. But I'm an iPhone user. Why? Because it just works. I don't have to care about it. I don't have time in my life to spend on such things. I'm too busy. So anything that gets in that bucket of "the job is handled," gets a big tick from me.
Q: If you were to recommend Cerbos to someone, what would you tell them?
Chuck: Feel free to do the research, but make sure that you give it a quick proof of concept. And I think that'll be enough for you to know how to go forward. Just have fun with it. It's easy. It's enjoyable.
Salesroom still uses Cerbos for access control. Chuck and David look forward to scaling the company with the support of Cerbos.