build.security today announced it has raised $6 million to launch a platform that promises to make it simpler for developers to centralize the management of authorization controls across multiple applications.
The goal is to enable DevOps teams to shift control over application authorization further left to advance adoption of best DevSecOps practices using a platform based on the open source Open Policy Agent (OPA) software, which enables developers to create policies that manage authorization as code.
Company CEO Amit Kanfer said every application deployed today requires its own unique set of authorization requirements based on roles, permission models and complex hierarchies, along with relevant identity, resource and context attributes. Streamlining that work requires a platform that provides a uniform approach to managing authorization, one that is more flexible than existing approaches based on either role-based access control (RBAC) or attribute-based access control (ABAC), Kanfer said.
Otherwise, developers are required to build an array of complex authorization models, policy engines and enforcement points themselves to manage identities, resources and attributes. Those tasks are not only time-consuming but also highly prone to errors that leave applications vulnerable to cyberattacks, he said.
OPA makes it easier for developers to implement fine-grained access controls using a drag-and-drop interface that decouples authorization policy from code. That approach makes it easier to declaratively make changes and updates to applications over time as more end users are added or removed, Kanfer said.
Designed to be deployed on-premises or in the cloud, the authorization platform also provides integrations with identity providers, databases and other services that expose application programming interfaces (APIs). It will also automatically generate policy suggestions based on the runtime interactions between services.
Historically, authorization to access applications has been poorly managed because it has been difficult to manage manually. Business leaders are supposed to inform IT organizations when to add and delete end users. In practice, they often forget, resulting in end users still having access to applications long after they have left the company. Even when IT is informed that an end user has left a company, it can take a day for the end user to be deleted from all the applications they have been granted access to over the span of their career at that organization. Shifting control over authorization left toward developers creates an opportunity to automate a process that is often haphazard at best.
It also should allow organizations to reduce their dependency on Microsoft Active Directory (AD), which many organizations have employed to manage access to applications and files in Windows environments, in favor of a centralized approach that can be more broadly applied to multiple applications.
Authorization management may not always be at the top of the IT management agenda. However, at a time when cybercriminals are stealing credentials with more abandon than ever, the time may have finally come for IT organizations to reconsider how those credentials are managed and updated. After all, based on the number of data breaches involving stolen credentials, current approaches are clearly not working.