Tuesday, June 25
2:40 - 3:05 pm
Policy-enabling your services: elastic, dynamic access control for your APIs, microservices and data
APIs have become the backbone of many services nowadays - from the weather forecast to delivery notifications and photo printing services. Not only can we consume data and services more readily through those APIs but we can also mash them up into greater services. To do so, we tackled API security through OAuth and OpenID Connect. They form a good basis to handle authentication and basic authorization delegation, but there is so much more to consider from an authorization perspective. This session will discuss how security concerns can be addressed through policy-driven authorization in a way that meets the needs and expectations of application developers, owners, and auditors alike. We will show how complex access policies can be handled through a dedicated authorization microservice. With this approach, you can automate security deployment changes within the same CI/CD pipelines used for application management. Furthermore, new deployment configurations are possible, such as implementing the authorization service as a sidecar, to meet advanced performance and scale requirements. All this without changing a single line of code.
Thursday, June 27
4:25 - 4:50 pm
The Developer’s Guide to Policy-Driven Auth'z (or: how to make the right decision 100% of the time)
Only a few years ago, most app developers would use RBAC or hard-code authorization into their applications. And they would get away with it. Nowadays though, with the growth of users, apps, and data as well as the advent of cloud and DevOps, we see a sharp increase in the need to tackle contextual, fine-grained authorization. To address this, we’ve observed a rise in authorization alternatives, all policy-driven, such as ALFA, OPA, and platform-specific languages. Policy enablement empowers users to read, write, and manage these rules without the need for specialized development or operational expertise. When developers can implement policies without having to compile source code, then the application is policy-enabled. Policy-driven authorization has several benefits including lessening the burden on developers who will no longer have to write authorization code. Policies are also easier to maintain and audit and can tie straight into an enterprise’s existing IAM environment. Policy-driven authorization makes it easier to implement complex scenarios such as GDPR compliance, export control, and many more use cases.
This talk will navigate the universe of policy-driven authorization to introduce attendees to the different alternatives before diving into a live example using ALFA, Java, and JSON. the Abbreviated Language for Authorization. Attendees are encouraged to bring a laptop, follow along, and implement their own examples.