The evolution of application design and cloud-native technologies means that developers can no longer rely on traditional authentication and authorization methods to be effective.
While new standards for authentication already exist and are easily implemented, authorization remains a challenge, especially in a fast-paced, dynamic cloud environment. One method of solving this issue is to externalize authorization, allowing policy management to be decoupled from the application itself.
This article discusses externalized authorization management (EAM) and how organizations and developers can benefit from EAM when building applications.
What is externalized authorization management?
Authorization defines what an authenticated user or system can access within an application or system, and what actions they are allowed to perform. Externalized authorization management separates policy management from the application lifecycle and delegates access control decisions to an external decision point. Authorization logic is decoupled from the software code, following in the footsteps of other externalized functionalities, such as authentication, logging and data storage.
The centralized EAM architecture consists of an external authentication layer and an external authorization module. All applications interact with these components on a transactional basis.
The eXtensible Access Control Markup Language (XACML) architecture was designed in the early 2000s to be a standard for externalized authorization. The typical XACML architecture has a policy decision point (PDP) that handles policy decisions sent over by the policy enforcement point (PEP). A policy administration point (PAP) manages the PDP and PEP functions.
The complexity involved in writing and maintaining XML policies prevented widespread adoption. However, the XACML architecture is still relevant today and has inspired the creation of better, more advanced policy engines such as the Open Policy Agent (OPA).
OPA replaces the XACML architecture’s PDP component, and a central control plane is used instead of the PAP.
Styra Declarative Authorization Service (DAS) is the preferred control plane for OPA, purpose-built by the creators of OPA to provide a unified framework for policy in cloud-native applications.
8 Externalized authorization benefits
Using externalized authorization has the following benefits:
1. Centralized policy management
Policies for all services or applications can be added, changed and managed from one central plane. For example, deploying Styra DAS for OPA allows you to manage policy lifecycle and governance across all teams. Policies can also be monitored, updated and promoted in real-time for multiple OPA deployments such as for separate test, staging, and production environments.
2. Focus on business logic
Using a standalone externalized authorization solution enables developers to focus their efforts on the business functions of an application. They can spend more time adding new features instead of allocating resources and personnel toward designing authorization. Consequently, time to market is also shortened.
3. Unified policy language
Using a unified policy language standardizes the authorization policy development process, while allowing application development teams the freedom to use the programming language and technology stack of their choice.
4. Reduce overhead
EAM allows developers to apply the three Rs to programming — Reduce, Reuse and Recycle. Instead of hard-coding authorization within each application, developers can reuse common blocks anywhere access control is required. Platform engineering teams can be leveraged for their multiplier effects by developing common policy snippets and library functions.
5. Scalability
With the explosion of interconnected components necessary in modern microservice applications, applying hard-coded authorization to each service would result in scalability issues. Externalized authorization solves this problem and prevents access control from being a limitation.
6. Consistent policy enforcement
Rather than relying on individual system administrators, organizations can enforce policies across the entire system from one central control plane.
7. Fine-grained control
Externalized authorization allows you to have more fine-grained access control to resources based on user attributes and effectively puts the security principle of least privilege into practice.
8. Regulatory requirements
Organizations can comply with regulatory requirements by automatically tracking and auditing external authorization policies through a central control plane.
Why legacy authorization methods are insufficient
Traditionally, developers built applications with hard-coded authorization solutions. Within a monolithic application, authorization can simply be added to a single access point that secures the entire application. However, thanks to the rise of microservices, that is no longer an effective strategy. According to Verified Market Research, the microservices market is projected to reach $6.62 billion by 2030 — and see a 21.7% CAGR growth from 2023 to 2030.
Legacy authorization practices have challenges, including:
— Making policy changes: When authorization logic is coupled with the software code, updating or changing policies can affect the application’s functionality. Therefore, developers must make these changes with the utmost care, often spending a lot of time going through the code. If one part of the application crashes, it also shuts down all other functions.
— Dealing with numerous components: Hundreds or thousands of individual autonomous services require authorization policies to handle requests in a microservices application. A single policy decision point is unable to manage that amount of traffic without driving up latency costs, and without central externalized authorization management, making policy changes to every component is impossible.
— Overcoming role-based access control (RBAC) limitations: While easy to set up and implement, RBAC cannot cope with the dynamic nature of modern IT systems that require a more fine-grained approach to authorization. The RBAC model requires regular maintenance and factors such as role explosion prevent it from scaling.
— Taking a longer time-to-market: Designing an authorization solution for application security requires more effort and resources, leading to a longer time-to-market. Dev teams have less time to spend building an application’s business functionality.
Manage external authorization with Styra DAS for OPA
Open Policy Agent is the de facto standard for cloud-native authorization and an open-source policy engine. Styra designed it with cloud-native environments in mind. It allows policy decision-making to be externalized from any underlying software service, including applications, CI/CD pipelines and platforms.
In microservices, it can be deployed alongside each microservice to manage policy decisions at a service level. All policies are administered and stored in the central control plane for OPA, Styra DAS. For every authorization request, the client application asks OPA for a decision, and OPA reaches a decision based on the policies stored in Styra DAS. For organizations that have adopted API Gateways and Service Meshes, OPA can be deployed next to those components to provide a unified decision point for all microservices.
OPA also runs at the edge, next to the service it protects, bringing the availability and speed of hard-coded authorization logic to externalized authorization. Policies are written in the Rego language.
Using a unified policy language across the entire stack simplifies authorization despite the polyglot nature of microservices. Queries and decisions can be any JSON value, which lets you add context to enforce fine-grained access control. This capability means that OPA can make dynamic decisions instead of just allowing or denying access.
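A Rego policy illustrating the point above, added as an example for this article rather than taken from Styra or the OPA project: the decision handed back to the enforcement point is a JSON object carrying the verdict, a reason for the audit trail and the fields the caller may return, and the rules are driven by user and resource attributes instead of roles. The package name, the input shape and the attribute names are assumptions.

```rego
package app.documents

import rego.v1

# Assumed input shape (constructed for this example):
#   input.user     = {"id": "alice", "department": "finance", "clearance": 2}
#   input.action   = "read"
#   input.resource = {"type": "invoice", "owner": "bob",
#                     "department": "finance", "sensitivity": 1}

# The decision is a JSON object rather than a bare boolean, so the PEP
# receives the verdict, a reason it can log, and the fields it may expose.
# Deny by default when no rule below matches.
default decision := {"allow": false, "reason": "no matching rule", "fields": []}

# Owners may read and update their own records and see every field.
decision := {"allow": true, "reason": "owner", "fields": ["id", "amount", "notes"]} if {
    input.action in {"read", "update"}
    input.resource.owner == input.user.id
}

# Colleagues in the same department may read, but only when their clearance
# covers the record's sensitivity, and they never see the free-text notes.
# The owner check keeps this rule disjoint from the one above, so the two
# complete-rule definitions can never conflict.
decision := {"allow": true, "reason": "department", "fields": ["id", "amount"]} if {
    input.action == "read"
    input.resource.owner != input.user.id
    input.resource.department == input.user.department
    input.user.clearance >= input.resource.sensitivity
}
```

A PEP obtains the object by sending `{"input": {...}}` to `POST /v1/data/app/documents/decision` on its OPA instance and reading the `result` key of the response. With the input above the department rule fires, so the caller is allowed to read but only receives the `id` and `amount` fields.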
What is the difference between EAM and dynamic authorization?
Dynamic authorization is an access control solution that dynamically uses attribute-based rules and policies to grant access in real-time. Since it also involves decoupling policy code from the business logic, it is sometimes referred to as EAM.
What is customer identity and access management (CIAM)?
Customer identity and access management (CIAM) is a subset of identity and access management (IAM) that involves managing and recording customer identity and profile information and their access to a business’s applications and services.