
Video: How to Improve Permissions (and Protect your Data) on Cloud Foundry

Look at almost any data breach from the last couple of years and a common pattern emerges: employees had access to data they should not have had. Authentication and authorization across an organization can be a massive challenge in the age of multi-cloud.

Isobel Redelmeier, a software engineer working on Cloud Foundry at VMware, pointed out the challenges organizations face today when it comes to authorization and authentication. The problem goes beyond the massive lists of different permissions for different employees: the roles themselves are fixed. For security reasons, a developer should be able to write and push code without having access to environment variables. With fixed roles, that can’t be done. You either have a space developer who can push code, or you have a non-space developer who cannot push code. There’s no middle ground.

The Cloud Foundry community is working to solve this problem and give organizations more control over permissions. The community is working on a new open source project called ‘perm,’ which provides authorization features for the Cloud Foundry platform.

Perm is creating the much-needed middle ground. It’s focused on role-based access control, which makes it easier to distribute assignments to a particular role or group. Perm answers two questions: a) can a given actor perform a particular action on a resource? and b) for which resource patterns can an actor perform a given action? To answer them, perm looks at what roles are assigned to a user and what permissions those roles grant.
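The two questions above, modelled as an added Go example that is not perm's code or API. The role names, action names (`app.push`, `app.read_env`), actors and the `*` wildcard are constructed assumptions; the sample data shows an actor who can push code but cannot read environment variables.

```go
package main

import "fmt"

// Permission allows Action on resources matching Pattern (exact ID or "*": assumed syntax).
type Permission struct{ Action, Pattern string }

// Store is a toy in-memory model; every name here is constructed, not perm's schema.
type Store struct {
	RolePerms  map[string][]Permission // role -> permissions it grants
	ActorRoles map[string][]string     // actor -> roles assigned to it
}

// ListResourcePatterns answers (b): patterns on which actor may perform action.
func (s *Store) ListResourcePatterns(actor, action string) []string {
	out, seen := []string{}, map[string]bool{}
	for _, role := range s.ActorRoles[actor] {
		for _, p := range s.RolePerms[role] {
			if p.Action == action && !seen[p.Pattern] {
				seen[p.Pattern] = true
				out = append(out, p.Pattern)
			}
		}
	}
	return out
}

// HasPermission answers (a); anything not granted by an assigned role is denied.
func (s *Store) HasPermission(actor, action, resource string) bool {
	for _, pat := range s.ListResourcePatterns(actor, action) {
		if pat == "*" || pat == resource {
			return true
		}
	}
	return false
}

// demoStore separates "push code" from "read environment variables".
func demoStore() *Store {
	return &Store{
		RolePerms:  map[string][]Permission{"pusher": {{"app.push", "space-1"}}, "env-reader": {{"app.read_env", "*"}}},
		ActorRoles: map[string][]string{"alice": {"pusher"}, "bob": {"pusher", "env-reader"}},
	}
}

func main() {
	s := demoStore()
	fmt.Println(s.HasPermission("alice", "app.push", "space-1"), s.HasPermission("alice", "app.read_env", "space-1"))
}
```

Because the check only ever returns true for an explicit grant, an actor with no role assignment is denied every action.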

Perm is fully open source, so users can go to GitHub and start playing with it. It’s implemented iteratively behind a GitHub tool called Scientist, which allows users to run two or more code paths to compare permissions and fine-tune them using migrator.

The developers behind perm are also planning to support external group management, such as LDAP, so that organizations can sync their own identity provider with UAA. This will enable organizations to manage permissions more efficiently, eliminating the risk of data breaches that happen because of the existing complexity of permissions.

You can watch the full talk from Isobel on YouTube:


Swapnil Bhartiya, AUTHOR