The document discusses building a scalable authorization system that ensures trust across microservices using a zero-trust approach and least privilege principles. It highlights key components like the Envoy proxy and Open Policy Agent (OPA) for managing authentication and authorization, as well as the importance of audit logs and decision logging. The focus is on enabling developers to implement secure policies while minimizing the impact on development speed and complexity.

1. Solving Trust
Issues At Scale
Building an Authorization
System that Devs Don’t Hate
@omerlh

2. @omerlh

3. @omerlh

4. Incident Response
@omerlh

5. Lesson Learned
• Automatic Detection (GitGurdian)
• Harden Authorization System
• Better audit logs
• Who used this token?
• Who created it and why?
@omerlh

6. I’m a builder
@omerlh

7. DevSecOps @
@omerlh

8. @omerlh

9. Registration
Authentication
Analytics
Messages
Content
Notifications
Users API
@omerlh

10. The Authorization
Problem
@omerlh

11. The Fort Approach
@omerlh

12. Registration
Authentication
Analytics
Messages
Content
Notifications
Users API
@omerlh

13. One horse can take down our fort...
@omerlh

14. Let’s talk about blast radius
• One vulnerable service affects all the other
• Ensuring all services are trust worthy is
impossible
• We must narrow the blast radius
@omerlh

15. A Zero-Trust Approach
@omerlh

16. Registration
Authentication
Analytics
Messages
Content
Notifications
Users API
@omerlh

17. The Ideal System
Least Privilege
• Just the permissions required
Secure by Default
• Zero permissions by default
Self Service
• Minimize the impact on development speed
Scale
• Hundred of micro-services to manage
@omerlh

18. @omerlh

19. Let’s Build it!
@omerlh

20. High Level Overview
AppIncoming request
Collect decision logs
Get bundlesPublish bundle
Is Authorized?
@omerlh

21. Zooming In
App
@omerlh

22. Envoy Proxy
• A CNCF project
• Authentication and Authorization filters
• Run as side car on the pod
• No code changes required
@omerlh

23. @omerlh

24. @omerlh

25. @omerlh

26. @omerlh

27. Meet Open Policy Agent
• An open source policy system
• Author policies using Rego DSL
• Built-in Envoy integration
• A CNCF project
@omerlh

28. Demo Time!
@omerlh

29. The Candies Problem
@omerlh

30. Envoy + OPA = KISS
@omerlh

31. @omerlh

32. @omerlh

33. @omerlh

34. @omerlh

35. @omerlh

36. Done?
Least Privilege
• Just the permissions required
Secure by Default
• Zero permissions by default
Self Service
• Minimize the impact on development speed
Scale
• Hundred of micro-services to manage
@omerlh

37. Wait, all devs need to learn Rego?
@omerlh

38. Using data for abstraction
• Policies can load data from JSON/YAML
• Author generic policies
• Devs just needs to fill the input
@omerlh

39. @omerlh

40. @omerlh

41. @omerlh

42. Building our policies
• A common policy, maintained by the security team
• Including unit tests!
• Each service has it’s own data file
• Permission request is just a PR
• Built in audit and review features
@omerlh

43. @omerlh
An Example PR

44. @omerlh
Permissions Request PR

45. Done?
Least Privilege
• Just the permissions required
Secure by Default
• Zero permissions by default
Self Service
• Minimize the impact on development speed
Scale
• Hundred of micro-services to manage
@omerlh

46. Loading Policies
• Bundles are policies archive
• Hot bundle loading
• Dynamic bundle discovery
@omerlh

47. @omerlh

48. @omerlh

49. @omerlh

50. @omerlh

51. @omerlh

52. @omerlh

53. @omerlh

54. @omerlh

55. What about logging?
• OPA log each decision into decision logs
• Can be used for debug and audit purposes
• Support redacting for sensitive input
• Collect with fluentd/Loki
@omerlh

56. @omerlh

57. Putting it all together
AppIncoming request
Collect decision logs
Get bundlesPublish bundle
Is Authorized?
@omerlh

58. Done?
Least Privilege
• Just the permissions required
Secure by Default
• Zero permissions by default
Self Service
Minimize the impact on development speed
Scale
• Hundred of micro-services to manage
@omerlh

59. Everything come with a price…
• OPA/Envoy running as side-car
• Resource usage costs per pod
• A bug in OPA/Envoy has serious implication
@omerlh

60. How can I build it?
• Fork the GitHub repo - https://github.com/omerlh/opa-demo
• Follow the readme
• Reach out with questions 
@omerlh

61. Wrapping Up
@omerlh
Wrapping Up
@omerlh

62. Registration
Authentication
Analytics
Messages
Content
Notifications
Users API
@omerlh

63. Going Forward
• Improved Visibility
• More Complex Policies
• Expend adoption
@omerlh

64. Lesson Learned
• Automatic Detection (GitGurdian)
• Harden Authorization System
• Better audit logs
• Who used this token?
• Who created it and why?
@omerlh

65. Feedback appreciated
@omerlh

66. Questions?
@omerlh

67. @omerlh
Enable Devs to Move Faster and Safer

68. Thank You
@omerlh

69. Resources
• OPA-Envoy integration
• Envoy JWT authentication
• GitHub demo repo
@omerlh