Episode 046: 09‐10‐2024 Yes please to multi‐layer authz - GluuFederation/identerati-office-hours GitHub Wiki

Title: Multi-layer authz? Yes please!

Youtube Video

Description

  • Q: Where should you enforce your authorization policy?
  • A: Everywhere you can!

There are four common scenarios and enforcement points for a defense-in-depth strategy:

  • ⚡ during the authentication ceremony
  • ⚡ in the resource server
  • ⚡ at the API gateway
  • ⚡ in service-to-service communication

Homework

Takeaways

  • Lock the front door, and all the doors behind it! Zero Trust! Zero Standing Privilege. That's the direction enterprises are headed.

  • Agreed: authz is everywhere and we need to externalize policies. If PDPs are everywhere, we can't have 100 different PDP ways to do everything. We need standard ways to express policies, standard ways to query for authorization, and standard ways to log security events.

  • A "stateful" PDP retains some form of memory or state between policy evaluations. A "stateless" PDP evaluates based on the current input, without reference to past decisions or data. The former is better for large cloud PDPs, the latter is better to embed in a web or mobile application.

  • The PDP audit log is a gold mine for forensic analysis. Without it, most application developers don't consistently log security decisions. And given that 94% have broken access control according to OWASP, that makes it hard to respond to a breach.
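To make the multi-layer idea concrete, here is an added example (not from the episode or from Gluu): two enforcement points, an API gateway doing a coarse scope check and a resource server asking a stateless PDP, both writing one record per decision to a shared audit log. The policy format, request fields and log layout are assumptions chosen for illustration, not any standard.

```python
from datetime import datetime, timezone

# Constructed policy set for a stateless PDP: every decision is computed
# from the request alone, never from earlier evaluations.
POLICIES = [
    {"effect": "permit", "role": "clerk",   "action": "read",    "resource": "/invoices/"},
    {"effect": "permit", "role": "manager", "action": "approve", "resource": "/invoices/"},
    {"effect": "deny",   "role": "clerk",   "action": "approve", "resource": "/invoices/"},
]
# Coarse-grained rule used by the gateway: which OAuth scope each action needs.
SCOPE_FOR_ACTION = {"read": "invoices.read", "approve": "invoices.write"}

AUDIT_LOG = []  # one record per evaluation; ship to a SIEM in practice

def audit(layer, req, decision, reason):
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "layer": layer,
                      "subject": req["subject"], "action": req["action"],
                      "resource": req["resource"], "decision": decision, "reason": reason})

def pdp_decide(req):
    """Stateless PDP with deny-overrides: a matching deny wins, otherwise a
    matching permit, otherwise deny by default."""
    verdict, reason = "deny", "no matching policy (default deny)"
    for p in POLICIES:
        if (p["role"] == req["role"] and p["action"] == req["action"]
                and req["resource"].startswith(p["resource"])):
            if p["effect"] == "deny":
                return "deny", "explicit deny"
            verdict, reason = "permit", "matched permit"
    return verdict, reason

def gateway_pep(req):
    """Layer 1: the API gateway only checks the token's scopes."""
    needed = SCOPE_FOR_ACTION.get(req["action"])
    decision = "permit" if needed in req["scopes"] else "deny"
    audit("gateway", req, decision, f"scope {needed!r} required")
    return decision == "permit"

def resource_server_pep(req):
    """Layer 2: the resource server asks the PDP even when the gateway said yes."""
    decision, reason = pdp_decide(req)
    audit("resource-server", req, decision, reason)
    return decision == "permit"

def handle(req):
    """A request passes only if every layer permits it; each layer is logged."""
    return gateway_pep(req) and resource_server_pep(req)
```

The second layer is what catches a token that carries the right scope but belongs to a role the policy forbids, and the audit log shows which layer stopped it.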

Livestream Audio Archive

here