Context: About Me
» Recovering system administrator
» Secretly French (don’t tell anybody)
» Frequently ate lunch with the security folks at Datadog
» Oh! I work at a start-up called Cerbos
@phrawzty // cerbos.dev
Slide 3
Context: About Cerbos
» “Externalized, policy-based, runtime authorization for your applications”
» It’s literally a self-hosted binary with an HTTP API
» There’s also a hub with a bunch of neat features
Slide 4
What is Authorization?
» “Is this entity allowed to perform this action on this resource?”
» Related to, but distinct from, authentication
Slide 5
Early Days: POSIX Permissions
» User/Group/World model
» Read/Write/Execute primitives
Slide 6
The Middle Ages: ACLs & RBAC
» Access Control Lists
» Role-Based Access Control frameworks
Slide 7
Modern Authorization
» Token-based approaches (JWT, OIDC)
» Federated systems
» PBAC, ABAC, ReBAC…
Slide 8
When it all goes wrong (and it will)
Slide 9
Facebook “Privacy bug” Overview
» May 2018
» Audience selector default changed to public
» 14 million users affected
» Policy enforcement failure during feature update
Slide 10
Facebook “Privacy bug” Key Authorization Failures
» Default permission setting changed without user consent
» Policy enforcement layer failed during UI update
» Inadequate permission state validation
Slide 11
Okta “Support System breach” Overview
» 2023
» HAR file exfiltration exposed session tokens
» Auth bypasses in support systems
Slide 12
Okta “Support System breach” Key Authorization Failures
» Overly permissive access to production
» Insufficient isolation between support tiers
» Authorization checks bypassed through session token theft
» Inadequate token validation controls
Slide 13
Microsoft “Midnight Blizzard” Overview
» 2024
» Password spray attack led to tenant compromise
» Legacy tenants, basic auth, and privilege escalation
Slide 14
Microsoft “Midnight Blizzard” Key Authorization Failures
» Excessive privileges in legacy tenant configurations
» Inadequate role separation
» Authorization boundaries between tenants insufficiently enforced
» Lack of just-in-time access controls for privileged operations
Slide 15
How to stop it from all going wrong (or at least give yourself a fighting chance)
Slide 16
Token Security
» Validation best practices (signature, expiry, issuer)
» Secure storage and transport
» Avoiding common token vulnerabilities
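As an added example (not from the talk or from Cerbos), the three validation checks named above carried out on an HS256 JWT using only the Python standard library, with the algorithm pinned server-side and every non-passing path denying; the secret, issuer URL and claim values are constructed for the demo:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo values: a real secret comes from configuration, never source.
SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://issuer.example"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict, alg: str = "HS256") -> str:
    # Builds sample tokens for the checks below (alg="none" yields an unsigned token).
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_token(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Every path that is not an explicit pass denies."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed"
    # Pin the algorithm server-side; the token must not choose (rejects alg=none).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    if payload.get("iss") != EXPECTED_ISSUER:  # a missing iss fails, it does not pass
        return False, "wrong issuer"
    exp = payload.get("exp")  # exp is mandatory: a token with no expiry is rejected
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired or missing exp"
    return True, "ok"
```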
Slide 17
Permission Management
» Role explosion
» Just-in-time access patterns
» Principle of least privilege
Slide 18
Externalizing Authorization
» Clear separation between business logic and authz rules
» Update policies without updating code
» Enhanced auditability and compliance reporting
Slide 19
Testing Authorization Systems
» Policy unit testing
» Automated access review
Slide 20
Critical Path Patterns
» High-availability authorization
» Graceful degradation strategies
» When in doubt, deny by default
Slide 21
Conclusion
» Authorization fails at boundaries and transitions
» Externalize your authorization decisions
» Tokens require rigorous validation
» Use just-in-time access and live the principle of least privilege
» Test continuously and review access regularly