DZone
Solving the Enduring Pain of Authorization With Aserto’s Co-Founder and CEO, Omri Gazitt

Security requirements such as authorization and access can be a pain. Dev Interrupted interviews Omri for some tips and tricks.

By Dan Lines (CORE) · Mar. 08, 23 · Interview


Whether you're at a startup, enterprise, or something in between, authorization and access control are likely major pain points for your team.

This week on Dev Interrupted, we talk to Omri Gazitt, co-founder and CEO of Aserto. Omri joins us to chat about the future of authorization, how to handle access control on your team, and how to avoid the toil and tech debt often associated with access control. 

Episode Highlights

  • (2:36) Omri's path to becoming a founder
  • (4:58) Advice for first-time engineers-turned-founders
  • (8:38) What is authorization?
  • (12:06) Aserto's founding
  • (15:38) Implementing authorization the right way
  • (18:55) Who should own access control for your team?
  • (21:00) What is cloud-native authorization?
  • (24:32) Getting access control in a good place
  • (26:26) Open source and authorization
  • (32:20) Startup vs. enterprise: authorization transformation

Episode Excerpt

Omri: Cloud-native is such an amorphous term, you know, it's basically kind of applying a lot of the lessons that we learned around zero trust and things like that, but on the developer side. Developers generally don't like security and don't want to know about security, but they kind of have to know about security now because they used to be protected by a kind of perimeter. 

Right. So, you know, a lot of the security burden was on the perimeter. And now it's shifted to the application itself. But the application developers haven't really kept up. And so, you know, just some of the things that are really important for security and for the business, the principle of least privilege, right? So, the idea that you want to limit the set of entitlements or rights or permissions that you give to users to just the smallest set that they need in order to get their job done, that goes against this old-school idea, an anti-pattern now, of these coarse-grained roles and permissions. Nobody wants an admin these days for everything in the application.

They want admins for different pieces of the application. They want to be able to, you know, kind of like, rather than assigning a permission to read documents, what does that mean? Read all the documents? That doesn't make any sense; you want to be able to set specific permissions on specific documents or folders or things like that. So, that's, you know, fine-grained access control. That's a core pattern that we see all these authorization systems enabling.

Another one is this idea of separation of duties: taking this authorization policy out of the application, and storing and versioning it in its own textual DSL, its own authorization language. We call that policy as code. And the kind of front-runner project for that these days is the Open Policy Agent. So, it has a language called Rego. And if you do that, you can actually basically have the authorization surface area be kind of controlled by a security team. And they can reason about all the different authorization logic across all your microservices. So that's a huge plus. Another pattern is what we call real-time authorization.

So, rather than relying on scopes that are baked into access tokens and using those for permission, you basically make a call to an authorization service with the user context and the resource context and the permission, and ask the question: does this user have this permission on this resource, in real time? And that's a much more secure practice. Another one is gathering decision logs for every decision that the application makes, right? Because these days, the reality is it's not a question of if you have a breach, it's a question of when. And it's not enough to know, like, all the times that people log into your app; you really want to know every decision that the application made so that you can kind of figure out the blast radius of what that compromised identity actually did. So we call that fine-grained decision logs. Those are some of the patterns that we've seen that we call cloud-native authorization.
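The four patterns Omri describes in the excerpt (permissions on specific resources rather than on "all documents", policy kept outside the application, a real-time check against an authorization service instead of trusting scopes baked into a token, and a log entry for every decision) as an added, self-contained Python example. This is illustration code written for this page, not Aserto's product and not OPA; the relation tuples, the `PERMISSION_GRANTS` mapping standing in for a Rego policy, the users `alice` and `bob`, and the `doc:` resource names are all constructed. It also shows the failure mode a real-time check closes: a token issued with a `documents:read` scope keeps answering yes after bob's viewer relation on the document is revoked, while the authorization service, which evaluates the current relations on every call, answers no.

```python
"""
Added example for this page (not Aserto's or OPA's code): a toy real-time,
fine-grained authorization service with per-decision logging, contrasted
with a coarse scope baked into an access token. All data is constructed.
"""
import json
from typing import Iterable, Tuple

Relation = Tuple[str, str, str]  # (subject, relation, resource)

# Policy as code, written here as a Python mapping where a real deployment
# would version a Rego policy: which relations on a resource grant which
# permission. Constructed for the example.
PERMISSION_GRANTS = {
    "read": {"owner", "editor", "viewer"},
    "write": {"owner", "editor"},
    "delete": {"owner"},
}


class AuthorizationService:
    """Answers "does user have permission on resource?" against the current
    relation set at call time, and records every allow and deny decision."""

    def __init__(self, relations: Iterable[Relation], grants=PERMISSION_GRANTS):
        self.relations = set(relations)
        self.grants = grants
        self.decision_log = []  # one entry per decision, allowed or not

    def check(self, user: str, permission: str, resource: str) -> bool:
        # Fine-grained: only relations on *this* resource count.
        held = {rel for subj, rel, res in self.relations
                if subj == user and res == resource}
        granting = held & self.grants.get(permission, set())
        allowed = bool(granting)
        self.decision_log.append({
            "user": user,
            "permission": permission,
            "resource": resource,
            "allowed": allowed,
            "reason": (f"via relation {sorted(granting)[0]}" if allowed
                       else "no granting relation"),
        })
        return allowed

    def revoke(self, subject: str, relation: str, resource: str) -> None:
        # Takes effect on the very next check() call; no token to wait out.
        self.relations.discard((subject, relation, resource))

    def blast_radius(self, user: str):
        """Resources the user was actually allowed to act on, reconstructed
        from the decision log rather than from login events."""
        return sorted({e["resource"] for e in self.decision_log
                       if e["user"] == user and e["allowed"]})


def issue_token(user: str, scopes, issued_at: int, ttl: int = 3600) -> dict:
    """Coarse scopes fixed at issuance: the pattern the excerpt argues against."""
    return {"sub": user, "scope": " ".join(scopes), "exp": issued_at + ttl}


def scope_allows(token: dict, scope: str, now: int) -> bool:
    """Token-only check: cannot see anything that changed after issuance."""
    return now < token["exp"] and scope in token["scope"].split()


def demo():
    relations = [  # constructed relation tuples
        ("alice", "owner", "doc:roadmap"),
        ("bob", "viewer", "doc:roadmap"),
        ("bob", "editor", "doc:budget"),
    ]
    authz = AuthorizationService(relations)
    token = issue_token("bob", ["documents:read"], issued_at=1_700_000_000)

    before = (scope_allows(token, "documents:read", now=1_700_000_010),
              authz.check("bob", "read", "doc:roadmap"))
    authz.revoke("bob", "viewer", "doc:roadmap")
    after = (scope_allows(token, "documents:read", now=1_700_000_020),
             authz.check("bob", "read", "doc:roadmap"))
    return before, after, authz.blast_radius("bob"), authz.decision_log


if __name__ == "__main__":
    before, after, radius, log = demo()
    print("before revoke (token scope, real-time):", before)
    print("after revoke  (token scope, real-time):", after)
    print("resources bob was actually allowed on:", radius)
    print(json.dumps(log, indent=2))
```

Running the script prints `(True, True)` before the revocation and `(True, False)` after it: the token would still let the request through for the rest of its lifetime, the real-time check stops it immediately. The `decision_log` entries are the per-decision records the excerpt calls fine-grained decision logs; `blast_radius()` shows why they are worth shipping to your SIEM, since login events alone could not tell you which documents a compromised account actually touched.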


Tags: Open source, authentication, security, Cloud

Opinions expressed by DZone contributors are their own.
