Securing your tech: The importance of authorization layers

Published by James Walker on February 28, 2024
image
Learn more about Cerbos Hub

Security breaches are existential threats for companies and their customers: IBM research found that the average financial impact of an incident reached $4.35 million in 2022.

Defending against such threat starts with adopting a security-first approach to product development. Planning security measures from the outset ensures they're integrated into your system instead of being added as a hasty checkbox exercise near the end of a feature cycle.

Out of all the product decisions that affect security, how you handle user authorization is arguably one of the most impactful. Authorization is your frontline defense against improper access attempts, privilege escalations, and leaks of sensitive resources.

In this article, we'll explore how to increase your system's security with a purpose-designed authorization layer.

The importance of authorization layers

How do you ensure that user access to resources is as robust as possible? Enter authorization layers, your defense against malicious access attempts and incorrect policy decisions.

The primary role of authorization layers is to separate your authorization logic from your application's source code. They permit you to easily utilize versatile access management solutions such as RBAC, ABAC, and access control lists (ACLs) without having to implement complex authorization logic yourself.

An effective authorization layer should be impervious to unauthorized access and capable of reliably preventing access to restricted resources without revealing any useful information to attackers. The system should also be flexible and easy to integrate with your applications while supporting complex policies that developers can quickly author and consume.

Authorization layers are hosted independently of your main application service. When the application requires user authorization, it should call the authorization layer's API, which will supply the "allow" or "deny" decision for whether the user can access the requested resource.

The benefits of authorization layers

Here are some of the ways in which authorization layers can enhance your system.

Scalability

Because you can scale your authorization layer separately from your main application's deployment, you can manage user activity spikes by scaling up only the authorization layer without incurring unnecessary extra costs for your other services.

Authorization layers also provide increased scalability for the logic in your authorization policies. You can develop complex policies without impacting your application's performance. Policy decisions can be cached for a short time after they're determined, reducing the overheads associated with subsequent checks.

Flexibility

Adopting an authorization layer provides increased flexibility for your authorization controls. You can integrate with external identity providers, choose to use RBAC or ABAC-powered access control, and write your own policies for comprehensive control over authorization rules.

It's possible to implement these functions in your own codebase, but homegrown implementations often prove restrictive or contain security oversights. By choosing a proven authorization layer, you can use any authorization technology you require without affecting your product's maintainability or security.

Simplified access control management

Authorization layers simplify access control management by giving you a centralized place to associate users with roles, actions, and resources. You can quickly onboard user accounts from your existing identity provider then assign them the resources they need.

When changes are required, you can push them to all your services from the centralized platform. This eliminates the repetition and risk of errors that's inherent when services use their own access control management systems or fail to synchronize with each other.

Auditing and accountability

Authorization layers facilitate robust auditing and accountability controls. These are essential capabilities for regulated industries where you need to prove constant compliance by demonstrating who has accessed a resource and why they were authorized to do so.

When you use an authorization layer, authorization outcomes are automatically captured, irrespective of the service that makes the request. You gain excellent visibility into the effects of your policies, which helps enable early detection of misconfigurations that could affect security.

Who's using authorization layers?

An authorization layer is a critical component of most major systems running at scale, and several big tech companies have improved their product's security by implementing one.

Google

Google's authentication system is designed to accommodate several different use cases through a centralized service.

Identity and access management (IAM) is the main authorization component protecting access to Google Cloud resources. Resources such as organizations and projects are protected by roles that define the actions different user identities can perform.

IAM supports all of Google Cloud's resources and many different kinds of user identity, including Google accounts, groups, Workspace accounts, Cloud Identity domains, and service accounts. The system means that all new Google Cloud services can expose their authorization controls through IAM without having to launch their own authorization layer.

AWS

Amazon Web Services (AWS) also refers to its authorization layer as Identity and Access Management (IAM). Similarly to Google's approach, it functions by assigning fine-grained permissions to policies that are grouped into roles.

Roles are then granted to identities such as users and applications. It's possible to centrally manage these identities and delegate access to other AWS accounts. AWS IAM also supports organization-wide defensive guardrails; these policies prevent inappropriate permission assignations that could expose data to unauthorized users.

Microsoft

Microsoft's primary authorization layer is Azure AD, a service that underpins authorization across all Microsoft cloud accounts.

It describes Azure AD as a cloud-based identity and access management service. You can use it to grant principals (such as users or applications) access to any resources you require, such as Microsoft 365 data, Azure services, and external applications that integrate with the platform.

Netflix

Netflix developed its own authorization layer to match its unique requirements. Beginning around 2018, the company reevaluated its solution to support the service's ever-growing scale.

The current Netflix authorization layer is designed as a unified identity and authorization platform that runs at the edge. It processes incoming authentication tokens as early as possible in the lifecycle of new requests before they reach the application servers running services such as the Netflix API and streaming architecture.

This approach ensures users are pre-authorized before they interact with the application. Applications are able to evaluate further authorization decisions by inspecting data provided in a "passport," a short-lived identity structure that's passed from the edge authorization layer to downstream services.

The risks of neglecting security

Neglecting security in product development can have devastating repercussions for your organization. From data being leaked online to legal complications and regulatory sanctions, a security breach is inevitably expensive and time-consuming and a distraction from your regular operations.

Don't expect breaches to immediately recede into history once they're resolved either. The reputational damage has lasting consequences that often prove to be more severe than any immediate penalties. New customers may be less likely to choose your services for fear of data loss while the trust earned from existing clients could be permanently lost.

Only halfway into 2023, there have already been numerous reports of security incidents affecting major organizations. The June breach of file transfer tool MOVEit compromised the personal data of over 15.5 million people, spanning more than 140 victim organizations. In January, AT&T disclosed a hack at a marketing vendor that affected 9 million customers, while telecoms rival T-Mobile has suffered two separate events. And in March, OpenAI, the company behind the trendy generative AI tool ChatGPT, was forced to take the service offline after users were shown the personal details of other active users.

While there are many reasons why a security issue can occur, missing or improper access control is one persistent factor. This kind of breach can also be difficult to detect if you don't have full visibility into the authorization decisions being made.

Verizon's 2022 Data Breach Investigations Report found that around 20 percent of all breaches involved "privilege creep," where an internal employee held roles and permissions they did not actually need. Separately, a study by Palo Alto Networks discovered that a staggering 99 percent of cloud user accounts, applications, and roles were assigned excess privileges that the organization may have been unable to detect.

The Cerbos solution

Cerbos is a comprehensive authorization layer that provides developers with a secure, flexible, and efficient way to manage access controls across software services.

Cerbos uses policies instead of code. Your authorization policies are simple YAML files that exist independently of your app’s source code. Changes are made centrally within the Cerbos platform, so they immediately apply across all the services that interact with your authorization layer.

Powerful Cerbos features include the following:

  • Scalability: The platform runs as a dedicated component in your stack. It's stateless, self-hosted, and easy to deploy to physical hardware, any cloud platform, or a serverless environment.
  • Policy-based authorization approach: Cerbos is configured using authorization policies. These are rule sets that compare a user's characteristics against the requirements of the resource and action involved in the request. Policies produce an "allow" or "deny" authorization decision.
  • Developer-friendly YAML-based policy authoring: Policies are authored as expressive YAML files. Cerbos uses a simple syntax that's easy to read and learn. You can version your policies in a Git repository and then validate and test them with the Cerbos compiler.
  • Bring your own identity: Cerbos is focused on access controls. You can bring your own identity provider to handle user authentication. Whether you use Azure AD, AWS Cognito, Okta, or your own OIDC implementation, Cerbos is capable of authorizing your existing user identities.
  • ISO 27001 and SOC2 auditing and accountability: Cerbos is designed for audit and accountability. It records real-time change logs that satisfy the requirements of ISO 27001 and SOC2. Audit records capture every access decision Cerbos makes, including the contextual data present in the request.

Cerbos offers SDKs and integrations for an extensive list of popular programming languages and frameworks. With Cerbos, you can improve security by separating access control from your application, which centralizes your authorization logic, provides detailed visibility into policy outcomes, and minimizes the risk of authorization oversights occurring.

Cerbos success stories

Cerbos has been adopted by leading service providers that collectively support millions of users. Here are three success stories from organizations that improved their security posture with Cerbos.

Loop

Loop is a rapidly expanding fintech company that sought a scalable authorization platform. Security is critical for Loop because of the regulated nature of the markets it operates in.

Loop launched its initial Cerbos-powered authorization layer within a single week. It found that the platform's quick setup, centralized permissions management, and comprehensive access logs allowed it to develop more flexible authorization policies that it can confidently rely on. Loop's developers also praised the quality of documentation and support available.

Utility Warehouse

Utility Warehouse is a multiservice utility provider that connects customers to over 45,000 independent distributors. It used Cerbos to replace a legacy authorization solution with a centralized access control model that offers improved security.

Cerbos now covers the critical authorization processes within Utility Warehouse's systems. In addition to its policy-based features, Cerbos' comprehensive audit logging helps Utility Warehouse's team to maintain vital SOC/ISO compliance and demonstrate how authorization outcomes were determined.

Nook

Nook is a fintech provider that adopted Cerbos to help it establish a more extensible role and permission model with improved security. To get roles and permissions right from the beginning, Nook's team needed scalable authorization with clean separation from its main application code.

Integrating Cerbos allowed Nook's developers to quickly set up an initial authorization solution and then continue to scale it with additional permissions, policies, and version-controlled validation. Cerbos provides them with the safety and extensibility to rapidly scale up authorization capabilities in response to new product demands.

Conclusion

To build robust systems that users can trust with confidence, you need a security-first approach that prioritizes security in your product development processes. Failing to implement effective security and access controls can expose you to profoundly impactful data breaches—and the financial, legal, regulatory, and reputational penalties they incur.

Implementing an authorization layer such as Cerbos helps to continually promote security and defend against unauthorized system access. Decoupling authorization from your main application code improves scalability and flexibility while reducing the risk of security oversights that are inherent in homespun solutions.

How to get started with Cerbos Hub
GUIDE

Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team