Modernizing Authorization: From Basic Roles to Decoupled ABAC

Explore the evolution of authorization systems in this conference talk from Conf42 DevSecOps 2023. Dive into the journey from basic role-based access control to advanced attribute-based access control (ABAC) as companies scale and face new challenges. Learn about the distinctions between authentication and authorization, and follow a hypothetical company's growth through six stages of increasing complexity in access management. Discover a new approach to authorization, including the concept of authorization-as-a-service and the transition from code-based to policy-based systems. Examine the rise of sidecar patterns in microservices architectures and their impact on authorization. Gain insights into practical implementation, advantages, and challenges of modern authorization systems. Conclude with an introduction to Cerbos, an open-source authorization solution.

intro
preamble
about alex
authn ≠ authz
let's scale a company
stage 1 - the blissful days of roles
stage 2 - let's change our product packaging
stage 3 - let's sell into another region
stage 4 - let's sell to 'enterprise' organisations
stage 5 - new ciso: let's get iso27001 / soc2
stage 6 - we need microservices!
a new approach
authorizaion-as-a-service?
code to policy
rise of sidecars
in practice
advantages, challenges
about cerbos
thanks