Thursday, October 26 • 9:00am - 9:25am
PRO TALK (API): Fine-grained Authorization: What’s All the Buzz About?


Omri Gazitt, Aserto, Co-founder and CEO

Authorization is finally having its moment: Google, Intuit, Airbnb, Netflix, Carta, and many others have recently described the architectural challenges surrounding authorization at scale, securing microservices, and the solutions that they’ve built internally to address them. And hot new tech like Open Policy Agent and the Relationship-based Access Control model described in Google’s Zanzibar paper are real game-changers for doing API authorization correctly.

Early on in an application’s lifecycle, these challenges may not be obvious: you have a small number of coarse-grained roles, and you write some logic in the API handler to determine whether the caller has the correct role to execute the operation. Life is simple.

But as your application gains users, it’s a sure bet that a coarse-grained authorization model will no longer cut it. Your security team knows that Broken Access Control is #1 on the OWASP Top 10 list of web application / API security risks. They will want you to apply zero-trust principles like “default to deny”, the principle of least privilege, policy-based access management, and comprehensive decision logs. And customers will ask for finer-grained authorization on a number of dimensions. That’s when things get interesting.

This talk will describe this evolution, and make some practical suggestions on how to add fine-grained, policy-based, real-time access control to your applications and APIs.

Speakers

Omri Gazitt

Co-founder & CEO, Aserto
Omri is the co-founder/CEO of Aserto, an authorization startup, and his third entrepreneurial venture. He's spent the majority of his 30-year career working on developer and infrastructure technology, most recently as the CPO of Puppet. Previously he was the VP and GM of HP's Cloud...


Thursday October 26, 2023 9:00am - 9:25am PDT
Microservices World -- Workshop Stage C