PBAC; OPA

Combined Session
Wednesday, May 10, 2023 15:30—16:30
Location: B 07-08

Lessons Learned from Implementing PBAC Solutions with OPA

During the last 3 years we have seen a significant uptake of decoupled authorization solutions; the main drivers behind this are the move to the cloud, microservices and Zero Trust (ZT) implementations. In this talk Gustaf Kaijser will walk you through the feedback he has been getting from the organisations that have implemented OPA-based solutions in recent years, and the significant gains they have seen in:

Gustaf Kaijser
SlashID
Gustaf Kaijser has experience from over 50 implementations of PBAC solutions from his time as Sales Director EMEA at Axiomatics (XACML) and Styra (OPA). He currently works as Head of Sales...

From A (ACLs) to Z (Zanzibar): Standardizing Access Policies with IDQL/Hexa

The adoption of multiple clouds is accelerating across all industries. While multi-cloud brings many benefits, it also creates new challenges: organizations must manage platform-specific access policies in the bespoke policy syntax of each cloud.
Security and risk gaps arise between cloud identity systems because the resulting policy fragmentation and technical complexity obscure visibility and make it difficult to determine who has access to what.
These challenges grow exponentially when you consider the various access policies (and policy languages) associated with each data, network, and platform layer (and vendor) in an organization's tech stack.
This session will describe an open-source solution to multi-cloud access policy fragmentation: Identity Query Language (IDQL) and Hexa Orchestration. IDQL and Hexa are two sides of the same coin that together perform policy orchestration across incompatible cloud platforms.
IDQL is the universal declarative policy language that can be translated into a target system's proprietary or bespoke access policy format. Hexa is the open-source reference software that brings IDQL to life and makes it operational in the real world by connecting to target systems and performing the three main functions of discovery, translation, and orchestration.
Hexa Policy Orchestration was recently accepted as a Cloud Native Computing Foundation (CNCF) sandbox project. The session will include a technical review of Hexa plus a demonstration of current capabilities.

Gerry Gebel
Strata Identity, Inc
Gerry is a recognized leader in the identity management space. His accomplished career spans over two decades in which he has been instrumental in providing requirements definition, architecture...

Modern Authorization: The Next IAM Frontier

Identity and access have always been joined at the hip. In the age of LDAP, authenticated users were granted permissions based on group membership. But this mechanism hasn't carried over into the federated identity landscape.

Instead, modern identity systems try to generalize permissions into scopes that are embedded into access tokens. But this doesn't enable fine-grained authorization: a "read:document" scope doesn't typically mean the user can access every document!

While identity has moved to the cloud, we still don’t have fine-grained, scalable mechanisms for generalizing authorization. So every application builds its own, and IT ends up administering every application differently.

Fixing this is arguably the most pressing challenge for the IAM industry. In this talk, we propose a set of principles, inspired by zero-trust and the latest work in cloud-native authorization, that should underlie the solutions we build:

  1. Support for fine-grained authorization (both ABAC and ReBAC), delivering on the principle of least privilege. Google’s Zanzibar provides an important blueprint.
  2. Managing authorization policy-as-code, enabling separation of duties and policy-based access management. Open Policy Agent is a good building block.
  3. Performing real-time access checks for continuous verification. This function should be downstream from authentication.
  4. Collecting fine-grained decision logs, providing the underpinning for comprehensive offline auditing and access analysis.

Omri Gazitt
Aserto
Omri is the co-founder/CEO of Aserto.com, an authorization startup, and his third entrepreneurial venture. He's spent the majority of his 30-year career working on developer and infrastructure...