Listen to this story
Sample this: You sent a Google Docs link to your editor. A few minutes later, you receive an email from her requesting access to the document. Of course, you act immediately and give your editor the ‘edit’ access. This is authorisation.
In computer systems, authorisation is part of the IT discipline called Identity and Access Management (IAM). It is a security mechanism to grant or deny someone access to a network resource such as files, data, application features or computer programs.
Sign up for your weekly dose of what's up in emerging technology.
Why has authorisation become so vital?
In the past few years, addressing the need for authorisation has become vital in our day-to-day life in general, and the IT industry in particular. As businesses move towards cloud-based platforms, the need for security has become ever-so-important. An organisation gives designated individuals access to its systems and not all users need to have the same level of access to the organisation’s systems, applications, data and other resources.
Operating systems today use authorisation processes to deploy and manage applications. However, unauthorised access to cloud-based systems can prove disastrous. Without authorisation, people with malicious intent can access an organisation’s confidential resources impacting its business operations. Added to it are reputational damage, potential lawsuits, issues of non-compliance and imposition of fines. Moreover, sometimes, an enterprise’s clients might have to bear the brunt — sensitive data can leak across the internet.
Zanzibar — Google’s authorisation system
In 2019, Google published a paper titled ‘Zanzibar: Google’s Consistent, Global Authorisation System’ that delves into the details of Zanzibar, a system for storing permissions and performing authorisation checks based on the stored permissions. Zanzibar is a globally distributed authorisation system that handles authorisation for a wide array of services offered by Google, including Calendar, Cloud, Drive, Maps, Photos, and YouTube.
Zanzibar is flexible, global and superfast. It allows Google teams to specify their unique authorisation models and globally replicates authorisation data. Zanzibar can easily scale to handle millions of authorisation requests per second across billions of users and trillions of objects with very low latency. In over three years of production use, Zanzibar has maintained 95th-percentile latency of less than 10 milliseconds. To maintain such low latencies, Zanzibar uses secondary indexing for heavily nested groups, request hedging and distributed caching.
Open-source authorisation systems
Recently, a few open-source authorisation systems have come up inspired by Google’s Zanzibar. Ory built an open-source authorisation system called Ory Keto, which is an implementation of Zanzibar. New York-based startup Authzed released an open-source version of Google’s Zanzibar called Spice DB.
Spice DB is the open-source Zanzibar- inspired database that stores, computes and validates fine-grained permissions. SpiceDB provides verifiable correctness that ensures security of the system. SpiceDB has been designed so that it not only helps decouple policy from the application but also the data that policies operate on. It provides a single unified view of permissions across several applications that a certain organisation has. SpiceDB has dedicated APIs for checking individual permissions, listing all access and ACL (Access Control List) filtering. Also, a powerful graph engine supports distributed, parallel evaluation.
Ory Keto is an open-source implementation of Zanzibar. It is flexible, consistent, highly available and has low latency. Ory Keto is based on a simple, but powerful data model with effective configuration capabilities that serves the needs of different kinds of clients with different access control patterns.
As a policy decision, Ory Keto uses a set of access control policies to determine whether a subject (user or application) is authorised to perform a certain action on a resource. Currently, Ory Keto implements basic API contracts for managing and checking “permissions” with HTTP and gRPC APIs. In the future, there are plans to ensure consistency guarantees using snap tokens, interoperability with other Ory products like Ory Hydra and Ory Kratos and incorporate a global spanning cluster operation mode.
Apart from the above-mentioned open-source authorisation systems, some companies have developed their own authorisation systems. For example, based on Zanzibar, Airbnb created its own centralised authorisation system, Himeji.
Carta, a global ownership management platform that helps companies, investors, and employees manage equity and ownership, came up with AuthZ — a highly scalable permissions system.
Such is the importance of authorisation these days that several types of authorisation strategies have come up, the prominent ones being role-based access control (RBAC), attribute-based access control (ABAC), graph-based access control (GBAC) and discretionary access control (DAC). In fact, of late, Auth0, an authentication and authorisation platform, has been engaged in a new strategy called relationship-based access control (ReBAC). Each strategy helps application developers deal with different authorisation requirements and services to ensure and improve overall system security.