What factors undermine the effectiveness of cloud security and create problems for the digital side of business operations? Providing insight into the matter via a Digital Journal interview is Torin Sandall, Vice President of Open Source at Styra.
Digital Journal: What are the top authorization mistakes happening in the cloud?
Torin Sandall: Let’s look at this in two parts. First, let’s look at it from the infrastructure space, where we often see authorization get left behind. Teams rely on tribal knowledge and manual checks and balances to make sure the cloud infrastructure resources are configured correctly. This approach offers little to no guarantee that the organization is adhering to important best practices or regulatory requirements. Organizations making this mistake are risking downtime, cost overruns, and security breaches every time configuration changes are made—and since more and more organizations are trying to practice DevOps and share the responsibility of operating software across many teams, this problem is only getting worse.
Secondly, in the app space, we see authorization being reinvented over and over because that’s just how it has always been done. However, app authorization is an expensive feature to build. We frequently see organizations spend many months of software development time just to get a solution off the ground—at which point they need to continually operate and maintain the solution and evolve it to meet new requirements.
DJ: What problems does using different programming languages lead to when it comes to authorization policy? Can you share these pitfalls in detail?
Sandall: I think a good way to answer this question is to think about microservices architecture. What would happen if each team (responsible for their respective microservice) went off and built authorization from scratch using whatever programming language they chose (as well as whatever frameworks, and data formats, and with support for different identity types, and protocols, and so on)? Not only will this waste time, since each team has to duplicate the work of others, but it’s also incredibly risky: if any team makes a mistake, data gets leaked or modified, etc. Moreover, it becomes extremely difficult for anyone to answer basic questions about the authorization posture of the overall application because the implementation of the authorization policies has been done piecemeal and cannot be reasoned about easily.
So, if you let everyone implement authorization from scratch in different ways (which would not be unreasonable since you’ve carved everyone off into their own little islands so that they can move faster), it decreases productivity and makes it hard to prove compliance.
That’s why Open Policy Agent (OPA) utilizes Rego, a simplified and concise coding language that is easy to read and write. This simplification reduces ambiguity and allows policy authors to focus on what queries should return rather than how queries should be executed.
DJ: What compliance issues can organizations face if they aren’t tracking their policy changes?
Sandall: If companies aren’t tracking their policy changes, compliance and regulation can be a headache when an audit comes around. Essentially, companies need to track policy changes to ensure they are continually in compliance with the most recent industry regulations, especially if they are in healthcare (HIPAA), financial services, or work with the government. By treating policy as code and leveraging tools like OPA, organizations can apply industry-standard software best practices to policies, including automated testing, peer review, version control, auditing and rollback—all of which make it substantially easier to prove compliance.
DJ: How can IT teams begin to overcome these mistakes using open source solutions?
Sandall: Creating individual solutions to overcome these top authorization mistakes can be a mistake within itself. IT teams can avoid this with open source solutions because the technology evolves at a faster rate compared to homegrown tools, it is proven, and it can be customized to the business.
Open source solutions, like Open Policy Agent, provide a unified toolset and framework for policy across the cloud-native stack. For example, OPA decouples policy from the service’s code so one can release, analyze, and review policies (which security and compliance teams love) in real time without sacrificing availability or performance.
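The points made above about Rego being declarative, about policy as code with automated tests and peer review, and about decoupling policy from service code, as an added example that is not part of the interview and is not OPA's or Styra's own material: a small Rego policy for an HTTP API with its unit tests in the same file. The package name, the shape of the input document the service sends to OPA, and the role names are assumptions made for this illustration.

```rego
# Added example, not from the interview or from the OPA project.
# Assumed input shape, sent by the service to OPA for each request:
#   {"method": "GET", "path": ["users", "alice"], "user": "alice", "roles": ["viewer"]}
# `import rego.v1` requires OPA 0.59 or newer.
package httpapi.authz

import rego.v1

# Deny by default; a request is allowed only if some rule below proves it.
default allow := false

# A user may read their own profile: GET /users/<their own id>.
allow if {
    input.method == "GET"
    input.path == ["users", input.user]
}

# Members of the (assumed) admin role may use any method under /users.
allow if {
    "admin" in input.roles
    input.path[0] == "users"
}

# Unit tests, run with `opa test -v`. Keeping them beside the rules means a
# pull request that changes the policy must also update the tests, so the
# reviewer sees both the rule change and its intended effect.
test_user_reads_own_profile if {
    allow with input as {"method": "GET", "path": ["users", "alice"], "user": "alice", "roles": ["viewer"]}
}

test_user_cannot_read_other_profile if {
    not allow with input as {"method": "GET", "path": ["users", "bob"], "user": "alice", "roles": ["viewer"]}
}

test_admin_can_delete_any_user if {
    allow with input as {"method": "DELETE", "path": ["users", "bob"], "user": "carol", "roles": ["admin"]}
}

test_viewer_cannot_delete if {
    not allow with input as {"method": "DELETE", "path": ["users", "bob"], "user": "alice", "roles": ["viewer"]}
}
```

The service forwards the request attributes as OPA's input and acts on the resulting allow decision, so none of the authorization logic lives in the service's own code. The rules state which requests are allowed, not how to search for a matching rule, and they can be versioned, reviewed, and tested on their own: `opa test -v policy.rego` runs the four tests, and `opa eval -i input.json -d policy.rego 'data.httpapi.authz.allow'` evaluates a single request from a JSON input file. Because of `default allow := false`, a request whose input lacks `roles` or `path` is simply denied rather than producing an error.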