How Styra DAS Entitlements Power Application Authorization


With the power of modern cloud computing, enterprises are building and updating applications quicker than ever. Expanding your business through the cloud is a fast-paced endeavor, which can be daunting to IAM teams more familiar with on-premises setups. While running applications on self-hosted infrastructure is still a best practice in some cases, businesses are finding it easier than ever to find and pounce on opportunities for growth by shifting to the cloud. In fact, many organizations now use self-hosted private clouds and public cloud environments interchangeably, and they are exposed identically, with the same paths to production and architectures, for enterprise development teams.

Moving to the cloud is easier said than done, and there are several processes that don’t have simple translations. One of these issues is entitlements, or the privileges belonging to a user within an application; entitlements answer the age-old question, “Can Bob read this document?”. Entitlements define what actions an identity can perform in an application, and reference existing systems of record to understand their users and permissions. IAM teams have been tasked with ensuring privileges are still accurate as the organization transitions into the cloud — and they typically build authorization systems into applications themselves. This, however, is still not an ideal solution, as maintaining that authorization in each individual app is a tall task, especially as you continue to scale.

Styra Declarative Authorization Service (DAS) Entitlements helps to ease this pain, by giving you the ability to decouple policy from applications themselves, while still leveraging your existing systems of record. As we’ll show you below, Styra DAS synchronizes with your existing enterprise data sources such as LDAP, then feeds relevant data to Open Policy Agent (OPA) in order to unify your policy across the stack. You can use these policies within your application code, or within microservices that are being developed as part of your RESTful-based APIs. Deploy the application Policy Decision Points (PDPs) close to your application to maximize performance and architectural flexibility.

Leveraging existing systems of record

Traditionally, entitlements are managed by referencing tier-0 data sources, such as LDAP, HTTP, SCIM, OAPIv3, AWS S3, Git or popular cloud identity providers like Okta or Auth0. In Styra DAS, Entitlements uses information from existing data sources as a base, but expresses the policy declaring users’ capabilities in Rego, OPA’s purpose-built policy language. Entitlements provide a mechanism to understand your policy as data, as well as policy as code.

Styra DAS Entitlements allows you to take advantage of your existing systems of record, utilizing the data stored within them to create a powerful, context-rich authorization policy control plane across your organization’s applications. This authorization system, unlike CIEM tools of the past, allows IAM teams to implement authorization at the application level, making sure every user accessing every resource is cleared to do so. Externalizing authorization decisions to a centralized policy decision point allows application developers to focus on business logic, while leaving the associated application authorization policies to the individuals who understand them and the regulations that an organization is required to implement.

Styra with cloud-native Entitlements reads many common systems of record, allowing many different types of users to use entitlements with their existing systems. These include tier0 data sources such as Lightweight Directory Access Protocol (LDAP) or Active Directory (AD), which can be time-consuming for enterprises to convert by hand. Styra DAS transforms these data sources into an opinionated object model that supports authorization models such as RBAC and ABAC. This opinionated model is used to provide the necessary structure to the policy decision engine so that it has the appropriate identity and contextual information to make an appropriate application authorization decision. This policy is written for the declarative, CNCF-owned, open-source policy engine OPA. OPA provides the unique language Rego, which is used to codify your company’s policies into code that can be stored in source control systems, and reviewed by auditors or compliance individuals.

After you understand your users and roles and incorporate them into your entitlements object model, you can build your policy as code based around whatever rules your organization deems necessary. For example, you can provide administrator access in an application to all users with the admin role. Alternatively, if certain users are not allowed to have access to actions on particular resources, that access can also be restricted. Additionally, you may want to establish some baseline policies that all applications must adhere to. Perhaps one baseline policy is that all requests must have a valid JWT token that includes the user’s identity as a claim. Styra DAS enables IAM and API teams to set up these types of global policies that affect all applications within the entitlements authorization scope. In this way, Styra DAS Entitlements allows users to establish enterprise-level governance while retaining the decentralization that makes developers’ work less onerous.

Enforcing entitlements policy

Referencing and transforming your existing identity sources into the entitlements opinionated object model is only one step in the process of enhancing your systems, as the entitlements system must still handle requests. Every Entitlements request is made up of an input document that minimally includes the subject, action, and resource to be authorized, with the possibility of adding additional contextual information such as JWT tokens or metadata to allow for even more detailed authorization policies. Conceptually, an authorization request is the subject attempting to perform an action on a resource. The input request can include any additional contextual information that is required for the authorization policy to be processed.  Here is an example of an authorization request input document:

{
    "subject": "bob",
    "action": "read",
    "resource": "/cars"
}

This authorization request shows the subject bob attempting to read something in the /cars API endpoint. The policy in this example specifies that bob will be allowed to read the resource from /cars if the known relationships for role-based access control (RBAC) specify that Bob can read the resource AND Bob is allowed to perform this action within the specified months and days. If it is Saturday or Sunday, Bob is out of luck, and cannot read the resource under the existing policy.
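The following Rego policy is an added illustration written for this article, not code from Styra or from the OPA project, of the two rules described above (the RBAC grant and the weekend restriction) combined with the baseline rule from the earlier section that every request must carry a valid JWT naming the subject. The role assignments, permissions, blocked days and the HS256 signing secret are constructed values; in a Styra DAS deployment the role and permission data would come from the synchronized systems of record instead of being inlined. The `token` field in the input document is an assumption added for the JWT rule; OPA’s `io.jwt.decode_verify`, `time.now_ns` and `time.weekday` built-ins are real, and the package name is arbitrary.

```rego
package entitlements.example

import future.keywords.in

# Expected input document (the page's example, plus an assumed "token" field):
# {"subject": "bob", "action": "read", "resource": "/cars", "token": "<JWT>"}

default allow = false

# Constructed role assignments; a real deployment gets these from LDAP/AD etc.
user_roles := {
    "bob":   {"viewer"},
    "alice": {"admin"},
}

# Constructed role -> permission mapping (the RBAC "known relationships").
role_permissions := {
    "viewer": {{"action": "read", "resource": "/cars"}},
    "admin": {
        {"action": "read", "resource": "/cars"},
        {"action": "write", "resource": "/cars"},
    },
}

# Constructed temporal rule: grants do not apply on these weekday names.
blocked_days := {"Saturday", "Sunday"}

# Constructed HS256 secret; in production the verification key is managed
# outside the policy (e.g. supplied as data or via a JWKS endpoint).
jwt_secret := "CONSTRUCTED-SECRET-DO-NOT-USE"

# Baseline rule: the JWT must verify and its "sub" claim must match the
# subject named in the request. A missing or bad token leaves claims
# undefined, so identity_ok is undefined and allow stays false.
claims := payload {
    [valid, _, payload] := io.jwt.decode_verify(input.token, {
        "secret": jwt_secret,
        "alg": "HS256",
    })
    valid
}

identity_ok {
    claims.sub == input.subject
}

# RBAC rule: at least one of the subject's roles grants the exact
# action/resource pair requested.
rbac_ok {
    some role in user_roles[input.subject]
    {"action": input.action, "resource": input.resource} in role_permissions[role]
}

# Temporal rule: evaluated against the PDP's clock at decision time.
today := time.weekday(time.now_ns())

weekend {
    today in blocked_days
}

schedule_ok {
    not weekend
}

# The decision: all three rules must hold.
allow {
    identity_ok
    rbac_ok
    schedule_ok
}

# Reasons recorded alongside a deny, useful in decision logs and audits.
deny_reasons[msg] {
    not identity_ok
    msg := "subject identity not proven by a valid JWT"
}

deny_reasons[msg] {
    not rbac_ok
    msg := sprintf("no role grants %s on %s", [input.action, input.resource])
}

deny_reasons[msg] {
    weekend
    msg := sprintf("access blocked on %s", [today])
}
```

Querying `data.entitlements.example.allow` with the example input on a weekday and a token whose `sub` is `bob` yields `true`; on a Saturday the same request is denied and `deny_reasons` explains why, which is the kind of output you would want to see in the Entitlements Playground or in decision logs before promoting a policy change.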

Authorization policy is written in OPA’s policy language, Rego. Styra DAS provides assistance for the full policy lifecycle of your application authorization policies, and checks that your policies are syntactically correct and properly configured. To test or simulate requests to your new policy, Styra DAS Entitlements comes with the Entitlements Playground, an open-source Docker container that includes examples in Python and Go of requesting authorization decisions, as well as the code for the playground itself. The playground helps you test inputs of subject, action and resource, in order to ensure your policies are doing what you expect.

After you have established the data sources for your entitlements, defined how they are mapped to the entitlements opinionated object model and defined your policies, the next step is to deploy the OPA PDPs to your infrastructure to support whichever architectural pattern you have chosen for your organization. For Day 2 operations, you can audit your policies, determine if any changes need to be made, and test any modifications to policies against historical authorization requests to understand the impact a policy change may have before moving the enhanced policy into production.

Why use Styra DAS for cloud-native entitlements?

Styra DAS Entitlements is a robust offering that can be replicated to as many clouds as you need, and can be updated without needing to redeploy applications. This gives you the policy flexibility you need, while providing a centralized way to handle decision logs, policy authoring and data management from one location.

Styra allows teams to synchronize their traditional sources of truth with a powerful, opinionated entitlements model, backed by OPA and Rego. Entitlement policies are intended to be richly expressive, while at the same time allowing non-developers to understand the intent of the policies that are being developed. Particularly valuable in the fast-paced world of the modern cloud is the ability to validate your code before it is published, so you can rest assured that any updates will not bring your system to a grinding halt.


To learn more about how Styra DAS Entitlements can help your enterprise be more secure, watch our Entitlements webinar, Rapid Deployment and Less Friction for IAM and App Teams, check out our whitepaper or read our documentation.
