Context: About Me » Recovering system administrator » Secretly French (don’t tell anybody) » Frequently ate lunch with the security folks at Datadog » Oh! I work at a start-up called Cerbos @phrawzty // cerbos.dev

Context: About Cerbos » “Externalized, policy-based, runtime authorization for your applications” » It’s literally a self-hosted binary with an HTTP API » There’s also a hub with a bunch of neat features

What is Authorization? » “Is this entity allowed to perform this action on this resource?” » Related to, but distinct from, authentication

Early Days: POSIX Permissions » User/Group/World model » Read/Write/Execute primitives

The Middle Ages: ACLs & RBAC » Access Control Lists » Role-Based Access Control frameworks

Modern Authorization » Token-based approaches (JWT, OIDC) » Federated systems » PBAC, ABAC, ReBAC…

When it all goes wrong (and it will)

Facebook “Privacy bug” Overview » May 2018 » Audience selector default changed to public » 14 million users affected » Policy enforcement failure during feature update

Facebook “Privacy bug” Key Authorization Failures » Default permission setting changed without user consent » Policy enforcement layer failed during UI update » Inadequate permission state validation

Okta “Support System breach” Overview » 2023 » HAR file exfiltration exposed session tokens » Auth bypasses in support systems

Okta “Support System breach” Key Authorization Failures » Overly permissive access to production » Insufficient isolation between support tiers » Authorization checks bypassed through session token theft » Inadequate token validation controls

Microsoft “Midnight Blizzard” Overview » 2024 » Password spray attack led to tenant compromise » Legacy tenants, basic auth, and privilege escalation

Microsoft “Midnight Blizzard” Key Authorization Failures » Excessive privileges in legacy tenant configurations » Inadequate role separation » Authorization boundaries between tenants insufficiently enforced » Lack of just-in-time access controls for privileged operations

How to stop it from all going wrong (or at least give yourself a fighting chance)

Token Security » Validation best practices (signature, expiry, issuer) » Secure storage and transport » Avoiding common token vulnerabilities

Permission Management » Role explosion » Just-in-time access patterns » Principle of least privilege

Externalizing Authorization » Clear separation between business logic and authz rules » Update policies without updating code » Enhanced auditability and compliance reporting

Testing Authorization Systems » Policy unit testing » Automated access review

Critical Path Patterns » High-availability authorization » Graceful degradation strategies » When in doubt, deny by default
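As an added illustration of the Token Security checklist (signature, expiry, issuer) together with the deny-by-default rule from this slide, here is a small validator that is not code from the talk or from Cerbos. It assumes HS256 shared-key tokens, pins the algorithm server-side, checks claims only after the signature holds, and maps every failure to a deny; the key and issuer in the comments are constructed sample values.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256(claims: dict, key: bytes) -> str:
    """Build a sample HS256 token for tests (constructed input, not a real issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

class TokenRejected(Exception):
    pass

def verify_hs256(token: str, key: bytes, expected_issuer: str, now: Optional[float] = None) -> dict:
    """Check algorithm, signature, expiry and issuer in that order; raise on the first failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the server: the token never gets to choose (rejects 'none' and alg confusion).
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    # Claims are parsed only after the signature holds, so unsigned data is never interpreted.
    claims = json.loads(_b64url_decode(body_b64))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenRejected("expired or missing exp")
    if claims.get("iss") != expected_issuer:
        raise TokenRejected("untrusted issuer")
    return claims

def decide(token: str, key: bytes, expected_issuer: str, now: Optional[float] = None) -> Optional[dict]:
    """Deny by default: any parse or validation error becomes None (deny), never an allow."""
    try:
        return verify_hs256(token, key, expected_issuer, now)
    except (TokenRejected, ValueError, AttributeError):
        return None
```

Callers should branch only on a non-None result from decide(); an exception path that falls through to "allow" is exactly the boundary failure the talk warns about.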

Conclusion » Authorization fails at boundaries and transitions » Externalize your authorization decisions » Tokens require rigorous validation » Use just-in-time access and live the principle of least privilege » Test continuously and review access regularly

Play this game! (no really, it’s fun)