Omri Gazitt

Co-founder & CEO - Aserto

Omri is the co-founder/CEO of Aserto.com, an authorization startup, and his third entrepreneurial venture. He’s spent the majority of his 30-year career working on developer and infrastructure technology, most recently as the CPO of Puppet. Previously he was the VP and GM of HP’s Cloud Native Platform (with business, product, and engineering oversight for OpenStack, Cloud Foundry, CloudSystem products and services), and a General Manager at Microsoft with responsibilities for Azure, SQL Server, Application Server, and the .NET Framework.

Presentation Abstract

Fixing Broken Access Control

Broken Access Control is #1 on the OWASP Top 10 list for good reason. Every cloud-native application needs some form of access control to secure protected resources. Unfortunately, only a few organizations have the expertise and teams required to build centralized authorization systems that avoid broken access control vulnerabilities.

Google, Airbnb, Intuit, Netflix and Carta have successfully built fine-grained access control systems. The common application has not. In the data behind the OWASP Top 10 2021, 94% of applications were tested for some form of broken access control, and the 34 CWEs mapped to this category occurred in more applications than those of any other category.

When trying to tackle this, most applications implement role-based access control (RBAC), which restricts certain functions to privileged users. But a zero-trust approach to application security requires that we go further. Following the principle of least privilege, modern cloud apps implement fine-grained access controls. With a fine-grained model, access rules are defined on the application's own resources, often down to individual items, so a check answers "may this user do this action on this specific object?" rather than "does this user hold a privileged role?".

Two ecosystems have emerged around cloud-native authorization: policy-as-code and policy-as-data. The former expresses authorization logic as code that is versioned and stored separately from application code; the latter derives authorization decisions from relationships between application resources, stored and queried as data.

Open Policy Agent (OPA) brings a policy-as-code approach to fine-grained authorization, and is rooted in an attribute-based access control (ABAC) approach. Google’s Zanzibar, the unified authorization system Google uses across its clients, including Gmail, Drive, Cloud, and Calendar, represents the policy-as-data camp. Zanzibar is based on a relationship-based access control (ReBAC) model, and has inspired other systems, such as Airbnb’s Himeji and Carta’s AuthZ, as well as numerous open-source implementations.
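To make the fine-grained point from the RBAC paragraph and the Zanzibar model concrete, here is a small relationship-based checker written for this page. It is an added illustration, not code from OPA, Zanzibar, Himeji, Carta's AuthZ or Aserto. The namespace schema (a "policy" half with the two rewrite kinds the Zanzibar paper describes, computed userset and tuple-to-userset), the tuple format and the sample users, documents and roles are all constructed for the example. A coarse role-only check is included beside it to show the broken-access case: the same user who legitimately views one document is wrongly allowed to read every other one.

```python
"""Toy Zanzibar-style relationship-based access control (ReBAC) checker.

Added example for illustration only. The schema, tuple format and sample
data below are constructed; they are not the config or API of any real system.
"""
from typing import Dict, List, Optional, Set, Tuple

# A relation tuple is (object, relation, subject). The subject is a user
# ("user:alice"), a plain object ("folder:eng"), or a userset ("group:eng#member").
RelTuple = Tuple[str, str, str]

# Namespace configuration: for each relation, how it is rewritten in terms of
# other relations. This is the "policy" half of policy-as-data.
#   ("computed_userset", R)     -> anyone holding relation R on this object
#   ("tuple_to_userset", T, R)  -> anyone holding relation R on the objects
#                                  reached through this object's T tuples
SCHEMA: Dict[str, Dict[str, List[tuple]]] = {
    "group": {"member": []},
    "folder": {
        "owner": [],
        "editor": [("computed_userset", "owner")],
        "viewer": [("computed_userset", "editor")],
    },
    "doc": {
        "parent": [],
        "owner": [],
        "editor": [("computed_userset", "owner"),
                   ("tuple_to_userset", "parent", "editor")],
        "viewer": [("computed_userset", "editor"),
                   ("tuple_to_userset", "parent", "viewer")],
    },
}

# Constructed sample tuples, the "data" half: alice owns the eng folder, every
# member of group eng may view it, the roadmap lives in that folder, and the
# offer letter is owned by carol and shared with nobody.
TUPLES: Set[RelTuple] = {
    ("folder:eng", "owner", "user:alice"),
    ("folder:eng", "viewer", "group:eng#member"),
    ("group:eng", "member", "user:bob"),
    ("doc:roadmap", "parent", "folder:eng"),
    ("doc:offer-letter", "owner", "user:carol"),
}


def check(obj: str, relation: str, user: str,
          tuples: Set[RelTuple] = TUPLES,
          _seen: Optional[Set[Tuple[str, str]]] = None) -> bool:
    """Does `user` hold `relation` on `obj`?

    Depth-first walk over direct tuples, then the namespace rewrites. `_seen`
    breaks cycles (e.g. two groups that are members of each other): a revisited
    (obj, relation) pair is either still in progress or already known to be
    false, since any True result short-circuits the whole search.
    """
    if _seen is None:
        _seen = set()
    key = (obj, relation)
    if key in _seen:
        return False
    _seen.add(key)

    # 1. Direct tuples on this object and relation.
    for o, r, subject in tuples:
        if o != obj or r != relation:
            continue
        if subject == user:
            return True
        if "#" in subject:  # a userset such as group:eng#member: expand it
            sub_obj, sub_rel = subject.split("#", 1)
            if check(sub_obj, sub_rel, user, tuples, _seen):
                return True

    # 2. Rewrites declared for this namespace and relation.
    namespace = obj.split(":", 1)[0]
    for rewrite in SCHEMA.get(namespace, {}).get(relation, []):
        if rewrite[0] == "computed_userset":
            if check(obj, rewrite[1], user, tuples, _seen):
                return True
        elif rewrite[0] == "tuple_to_userset":
            _, tupleset_rel, computed_rel = rewrite
            for o, r, subject in tuples:
                if o == obj and r == tupleset_rel and "#" not in subject:
                    if check(subject, computed_rel, user, tuples, _seen):
                        return True
    return False


# Coarse RBAC for contrast: one app-wide role per user, checked without looking
# at which resource is requested. This is the shape of broken object-level
# access control: bob is a legitimate viewer somewhere, so he can read anything.
ROLES: Dict[str, str] = {"user:alice": "editor", "user:bob": "viewer",
                         "user:carol": "editor"}


def role_only_can_read(user: str) -> bool:
    """Any user holding a read-capable role may read every document."""
    return ROLES.get(user) in ("viewer", "editor", "owner")


if __name__ == "__main__":
    for user in ("user:alice", "user:bob", "user:carol"):
        for doc in ("doc:roadmap", "doc:offer-letter"):
            print(f"{user:11} {doc:17} role-only={role_only_can_read(user)!s:5} "
                  f"rebac-viewer={check(doc, 'viewer', user)}")
```

Run it and compare the two columns for `user:bob` on `doc:offer-letter`: the role-only check grants access, the relationship walk denies it because no tuple path connects bob to that document. Access is a function of the tuple graph, so granting or revoking access is a data write (adding or removing a tuple) rather than a policy change, which is the defining property of the policy-as-data approach.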

In this talk, we’ll explore the principles and patterns of cloud-native authorization, and compare the strengths and weaknesses of OPA and Zanzibar as foundational models for a robust access control system. We will also share a couple of open-source projects you can use today to add fine-grained access controls to your applications and APIs.