Slide 1

All about AuthZ @dschenkelman

Slide 2

Building a SaaS in 2021…

Slide 3

Security

Slide 4

Privacy

Slide 5

Compliance

Slide 6

Table Stakes https://medium.com/pm-insights/how-to-pick-winning-product-features-7b03abcf7d12

Slide 7

Collaboration

Slide 8

Sharing

Slide 9

Partnerships

Slide 10

Differentiator https://medium.com/pm-insights/how-to-pick-winning-product-features-7b03abcf7d12

Slide 11

Authorization

Slide 12

NOT Authentication

Slide 13

Authorization

Slide 14

In the beginning… RBAC

DELETE /customers/{id}

    const user = await db.users.get(cookie.userId);
    if (user.role === "admin") {
      // delete customer
      // return 204
    } else {
      // return 403
    }

Query the handler issues against the users table:

    select role from users where userId = {uid};

Slide 19

I want to use attributes from subject and object… ABAC

DELETE /customers/{id}

    const user = await db.users.get(cookie.userId);
    const customer = await db.customers.get(req.path.id);
    if (user.department === "IT" && !customer.subscribed) {
      // delete customer
      // return 204
    } else {
      // return 403
    }

Queries the handler now issues, one per attribute source:

    select department from users where id = {uid};
    select subscribed from customers where id = {cid};

Slide 25

I want to know who did what…

DELETE /customers/{id}

    // log: cookie.userId requesting authz to delete customer
    const user = await db.users.get(cookie.userId);
    const customer = await db.customers.get(req.path.id);
    if (user.department === "IT" && customer.unsubscribed) {
      // log: cookie.userId authorized to delete customer
      // delete customer
      // return 204
    } else {
      // log: cookie.userId unauthorized to delete customer
      // return 403
    }

    select department from users where id = {uid};
    select unsubscribed from customers where id = {cid};

Slide 28

I want it to be reliable and fast…

DELETE /customers/{id} (the same handler as Slide 25: the authorization check, its logging and its two queries still sit inline in the request path, so every request pays their latency and depends on their availability)

Slide 29

Access Review? Who can access what?

Slide 30

Approval? Change Management

Slide 31

Auditing? What happened?

Slide 32

Reliability?

Slide 33

Latency?

Slide 34

Developer SaaS

Slide 35

Approach #1: Policies

Slide 36

Policy

Slide 37

XACML http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html

Slide 38

Rego https://www.openpolicyagent.org/docs/latest/policy-language/

Slide 39

Polar https://docs.osohq.com/reference/polar/polar-syntax.html

Slide 40

Architecture: Abstract. The PAP manages policies and distributes them to the Policy Repository; a request then flows through the PEP, PDP and PIP (the original DB):

1. Client → PEP: can user delete customer?
2. PEP → PDP: can user delete customer?
3. PDP: evaluate policy
4. PDP → PIP (the original DB): get user and customer data
5. PDP → PEP: user is authorized
6. PEP: delete customer

Slide 41

Architecture: Concrete. The same flow (1. can user delete customer? 2. can user delete customer? 4. get user and customer data 5. user is authorized 6. delete customer) with concrete components in the PAP, PEP, PDP, PIP (the original DB) and Policy Repository roles.
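As an added example (not code from the talk nor from any product it names), the abstract architecture above in plain JavaScript: a PEP that only enforces and logs, a PDP that only decides, an in-memory PIP standing in for "the original DB", and a policy the PAP would have distributed. The policy body, the action name, the sample user and customer records and the fail-closed behaviour on a PIP error are all assumptions made for illustration.

```javascript
// Added example (not code from the talk): the PAP / PEP / PDP / PIP split of the
// architecture slide in plain JavaScript. Policy, action name, sample records
// and the fail-closed behaviour are assumptions made for illustration.

// --- PIP: stands in for "the original DB" (constructed sample rows) --------
const users = new Map([
  ["u1", { id: "u1", department: "IT" }],
  ["u2", { id: "u2", department: "Sales" }],
]);
const customers = new Map([
  ["c1", { id: "c1", subscribed: false }],
  ["c2", { id: "c2", subscribed: true }],
]);
let pipAvailable = true; // set to false to simulate the PIP being unreachable
function setPipAvailable(value) {
  pipAvailable = value;
}

function pip(kind, id) {
  if (!pipAvailable) throw new Error("pip unavailable");
  const row = (kind === "user" ? users : customers).get(id);
  if (!row) throw new Error(`${kind} ${id} not found`);
  return row;
}

// --- Policy repository: what the PAP distributes to the PDP ----------------
// A policy is a pure function of the decision input; it never touches the DB,
// so "who may delete" changes here, not in the request handler.
const policies = {
  "customer:delete": ({ subject, resource }) =>
    subject.department === "IT" && resource.subscribed === false,
};

// --- PDP: decides, never enforces ------------------------------------------
// Fails closed: an unknown action, a missing record or a PIP error all deny.
function decide({ subjectId, action, resourceId }) {
  const policy = policies[action];
  if (!policy) return { allow: false, reason: "no policy for action" };
  let subject;
  let resource;
  try {
    subject = pip("user", subjectId);
    resource = pip("customer", resourceId);
  } catch (err) {
    return { allow: false, reason: `pip error: ${err.message}` };
  }
  // `=== true` so a policy that returns undefined cannot allow by accident
  const allow = policy({ subject, action, resource }) === true;
  return { allow, reason: allow ? "policy matched" : "policy denied" };
}

// --- PEP: enforces and writes the audit trail, outside the business logic --
const auditLog = [];

function deleteCustomer(req) {
  const input = {
    subjectId: req.cookie.userId,
    action: "customer:delete",
    resourceId: req.params.id,
  };
  const decision = decide(input);
  // "I want to know who did what": one record per decision, allowed or denied
  auditLog.push({ ...input, ...decision, at: new Date().toISOString() });
  if (!decision.allow) return { status: 403 };
  customers.delete(input.resourceId); // the business logic itself
  return { status: 204 };
}
```

The point to notice is that deleteCustomer never reads user.department or customer.subscribed; those attributes are visible only to the policy, so changing who may delete is a policy change, and every decision leaves an audit record whether it was allowed or not. A PIP outage, the failure case of the multi-region slides that follow, yields a denied decision with a recorded reason rather than an exception or, worse, an allow.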

Slide 42

Alternatives

Slide 43

Advantages
• Auditing is implemented outside of business logic
• Authorization change management is simpler than having it in code
• Easier to understand what authorization logic applies

Slide 44

Disadvantages
• Requires operating more components

Slide 45

Architecture: Services. The single PIP becomes one PIP per service:

1. Client → PEP: can user delete customer?
2. PEP → PDP: can user delete customer?
4.1. PDP → PIP (users service): get user data
4.2. PDP → PIP (customer service): get customer data
5. PDP → PEP: user is authorized

Slide 46

Architecture: Services + Multi-region. Each region (us-west-2, us-east-1) runs its own PEP, PDP and PIPs, and the same steps (1. can user delete customer? 2. can user delete customer? 4.1. get user 4.2. get customer 5. user is authorized) run within a region.

Slide 47

Architecture: Services + Multi-region + Failure. The same components per region (PEP, PDP, PIP, PIP in us-west-2 and in us-east-1), with a component failure shown.

Slide 48

Disadvantages
• Requires operating more components
• Does not handle storage of authz data
• 👉 latency + reliability + scale

Slide 49

Approach #2: "Zanzibar"

Slide 50

Zanzibar Not this one…

Slide 51

Google Zanzibar https://research.google/pubs/pub48190/

Slide 52

ReBAC

Slide 53

Multi-region

Slide 54

Sweet spot: Policies (AuthZ needs) + DBaaS (handles data) = Zanzibar "as a Service"

Slide 55

Alternatives (disclaimer: I work on "Sandcastle")

Slide 56

DEMO

Slide 57

Architecture: Sandcastle in "PDP Mode"

1. nginx → Customer Service: can user delete customer?
2. Customer Service → Sandcastle (PDP): check(user, delete, customer)
3. Sandcastle → Customer Service: user is authorized
4. Customer Service: delete customer

Slide 58

Enforcement

Slide 59

Architecture: Services + Multi-region + Sandcastle. Each region (us-west-2, us-east-1) runs nginx, a Users Service, a Customers Service and Sandcastle; the Customers Service in each region calls check(user, delete, customer) against Sandcastle.

Slide 60

Advantages
• Auditing is part of "aaS"
• Authorization change management is simpler than having it in code
• Easier to understand what authorization logic applies
• Multi-region and operated by someone else

Slide 61

Disadvantages
• Many things are a relationship, but not everything (e.g. time of day)

Slide 62

Approach #3: Combined

Slide 63

Architecture: Sandcastle in "PIP Mode". The PAP manages policies and distributes them to the Policy Repository; Sandcastle answers the PDP's relationship questions:

1. Client → PEP: can user delete customer?
2. PEP → PDP: can user delete customer?
3. PDP: evaluate policy
4. PDP → Sandcastle (PIP): check(user, delete, customer)
5. PDP → PEP: user is authorized
6. PEP: delete customer
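As an added example that covers both the ReBAC slides and Approach #3 (a toy, not Sandcastle's, Zanzibar's or OPA's code): a relation-tuple store with two Zanzibar-style userset rewrites, a computed userset (admin includes owner) and a tuple-to-userset (admin on a customer includes admin on its parent org), plus a policy that uses check() as its PIP and adds the one input the talk says is not a relationship, time of day. The namespace, relation names, tuples, the depth limit and the 08:00 to 18:00 UTC window are all assumptions.

```javascript
// Added example, not Sandcastle's or Zanzibar's code: a toy relation-tuple
// store with userset rewrites, and the "combined" policy that pairs a
// relationship check with an attribute (time of day). Namespace, relations,
// tuples, depth limit and the time window are assumptions.

const MAX_DEPTH = 16; // cycle guard: a runaway walk denies instead of hanging

// Namespace config: relation -> rewrite rules applied beyond direct tuples.
// computed:       "admin" also holds for anyone who holds "owner"
// tupleToUserset: "admin" also holds for anyone who holds "admin" on the
//                 object reached through the "parent" relation
const schema = {
  customer: {
    owner: [],
    parent: [],
    admin: [{ computed: "owner" }, { tupleToUserset: ["parent", "admin"] }],
    viewer: [{ computed: "admin" }],
  },
  org: { admin: [] },
  group: { member: [] },
};

// Constructed tuples, object#relation@subject; a subject may be a userset
const tuples = [
  { object: "customer:c1", relation: "owner", subject: "user:alice" },
  { object: "customer:c1", relation: "parent", subject: "org:acme" },
  { object: "org:acme", relation: "admin", subject: "group:it#member" },
  { object: "group:it", relation: "member", subject: "user:bob" },
  { object: "customer:c2", relation: "viewer", subject: "user:carol" },
];

const typeOf = (object) => object.split(":")[0];
const direct = (object, relation) =>
  tuples.filter((t) => t.object === object && t.relation === relation);

// check(user, relation, object): does `user` hold `relation` on `object`?
function check(user, relation, object, depth = 0) {
  if (depth > MAX_DEPTH) return false;
  // 1. direct tuples, expanding userset subjects such as group:it#member
  for (const t of direct(object, relation)) {
    if (t.subject === user) return true;
    if (t.subject.includes("#")) {
      const [subObject, subRelation] = t.subject.split("#");
      if (check(user, subRelation, subObject, depth + 1)) return true;
    }
  }
  // 2. rewrites from the namespace config
  const rules = (schema[typeOf(object)] || {})[relation] || [];
  for (const rule of rules) {
    if (rule.computed && check(user, rule.computed, object, depth + 1)) return true;
    if (rule.tupleToUserset) {
      const [viaRelation, targetRelation] = rule.tupleToUserset;
      for (const t of direct(object, viaRelation)) {
        if (t.subject.includes("#")) continue; // only plain objects as parents
        if (check(user, targetRelation, t.subject, depth + 1)) return true;
      }
    }
  }
  return false;
}

// Approach #3: the policy consults check() as a PIP and adds a constraint that
// is not a relationship. Assumption: deletes are allowed 08:00-18:00 UTC only.
function canDeleteCustomer(user, customer, now) {
  const hour = now.getUTCHours();
  const inWindow = hour >= 8 && hour < 18;
  return inWindow && check(user, "admin", customer);
}
```

Bob is never written as an admin of customer:c1; the answer comes from walking c1 → parent org:acme → admin group:it#member → member user:bob, which is what makes "who can access what" answerable from the tuples alone. The time-of-day rule stays in the policy layer because no tuple can express it.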

Slide 64

Architecture: Services + Multi-region + Sandcastle + Policies. Each region (us-west-2, us-east-1) runs a PEP, a PDP, a Users Service, a Customers Service and Sandcastle.

Slide 65

Sandcastle + OPA

Slide 66

Final Thoughts

Slide 67

@auth0lab Resources
• Sandcastle playground: https://learn.sandcastle.cloud/
• Auth0 Lab discord: https://t.co/ybHn8hEOBl?amp=1
• Authorization in Software: Subject Matter Expert Chats: https://www.youtube.com/playlist?list=PLZuCrkqyqw9wY0bCosGYDMI9enFpg_tk-
• @auth0lab: https://twitter.com/auth0lab

Slide 68

Resources
• OPA: https://www.openpolicyagent.org/
• Styra: https://www.styra.com/
• OSOHQ: https://docs.osohq.com/
• XACML: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html
• NIST ABAC: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
• RBAC: https://csrc.nist.gov/CSRC/media/Publications/conference-paper/1992/10/13/role-based-access-controls/documents/ferraiolo-kuhn-92.pdf

Slide 69

Resources
• Facebook TAO: https://www.usenix.org/system/files/conference/atc13/atc13-bronson.pdf
• Google Zanzibar: https://research.google/pubs/pub48190/
• Himeji (Zanzibar @ Airbnb): https://medium.com/airbnb-engineering/himeji-a-scalable-centralized-system-for-authorization-at-airbnb-341664924574
• AuthZ (Zanzibar @ Carta): https://medium.com/building-carta/authz-cartas-highly-scalable-permissions-system-782a7f2c840f
• Authzed: https://authzed.com/
• Ory Keto: https://www.ory.sh/keto/docs/

Slide 70

Questions?

Slide 71

Thanks! @dschenkelman @auth0lab