The presentation discusses best practices for managing policy in DevOps and cybersecurity, including decoupling policy from code, using GitOps for policy, and planning ahead for future demands.
- Decoupling policy from code is important for flexibility and scalability
- GitOps for policy allows for auditable and testable policy management
- Planning ahead for future demands ensures that the system can grow without needing to be rewritten from scratch
The speaker mentions a common mistake of mixing up authentication and authorization, and explains the importance of translating organization roles into application roles. They also discuss the limitations of storing permissions in JSON Web Tokens (JWTs), which makes it inflexible to change a user's permissions mid-session.
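The two points above, policy data kept out of application code (with organization roles translated to application roles) and the pitfall of baking permissions into a JWT, can be shown side by side in a small script. This is an added example, not code from the talk or from the OPAL project: the role names, the org-to-app role mapping, the HS256 helper and the demo secret are all constructed for illustration, and the JWT helper is deliberately minimal (it only accepts HS256 and ignores the header's `alg` field, so it is not subject to algorithm confusion, but it is not a substitute for a vetted library).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample policy data (not from the talk): organisation roles, the
# application roles they translate to, and the permissions each app role grants.
# Keeping this as data rather than if/else branches is what "decoupling policy
# from code" means in practice: the mapping can change without a redeploy.
ORG_TO_APP_ROLES = {
    "finance-analyst": {"report_viewer"},
    "finance-lead": {"report_viewer", "report_editor"},
}
APP_ROLE_PERMISSIONS = {
    "report_viewer": {("report", "read")},
    "report_editor": {("report", "read"), ("report", "update")},
}


def app_roles_for(org_roles):
    """Translate a user's organisation roles into application roles."""
    roles = set()
    for org_role in org_roles:
        roles |= ORG_TO_APP_ROLES.get(org_role, set())
    return roles


def permissions_for(org_roles):
    """Resolve org roles -> app roles -> (resource, action) permissions."""
    perms = set()
    for app_role in app_roles_for(org_roles):
        perms |= APP_ROLE_PERMISSIONS.get(app_role, set())
    return perms


def is_allowed_live(assignments, user, action, resource):
    """Decision taken against the current policy data; sees changes immediately."""
    return (resource, action) in permissions_for(assignments.get(user, set()))


# Minimal HS256 JWT, stdlib only, just enough to show the storage pitfall.
def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(claims, secret):
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def jwt_decode(token, secret, now=None):
    """Verify the HS256 signature and expiry, then return the claims."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def issue_token_with_perms(assignments, user, secret, ttl=3600, now=None):
    """Login-time snapshot: the user's permissions are baked into the token."""
    now = time.time() if now is None else now
    perms = sorted(f"{r}:{a}" for r, a in permissions_for(assignments.get(user, set())))
    return jwt_encode({"sub": user, "perms": perms, "exp": now + ttl}, secret)


def is_allowed_from_token(token, secret, action, resource, now=None):
    """Decision taken from the token alone: blind to changes made after issue."""
    claims = jwt_decode(token, secret, now)
    return f"{resource}:{action}" in claims["perms"]


def revocation_demo(secret=b"constructed-demo-secret", now=1_700_000_000):
    """Demote a user mid-session and compare the two decision paths."""
    assignments = {"alice": {"finance-lead"}}  # constructed user -> org roles
    token = issue_token_with_perms(assignments, "alice", secret, now=now)
    assignments["alice"] = {"finance-analyst"}  # policy data changes after login
    return {
        "token_says": is_allowed_from_token(token, secret, "update", "report", now=now + 60),
        "live_says": is_allowed_live(assignments, "alice", "update", "report"),
    }


if __name__ == "__main__":
    print(revocation_demo())
```

The token still grants `report:update` for the remainder of its lifetime after the demotion, while the live lookup denies it at once; the usual mitigations are short token lifetimes plus a live permission check at the policy decision point, or putting only identity (not permissions) in the token.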
Broken Access Control is the top category in the OWASP Top 10 list of web application security risks. Proper configuration and enforcement of access control are critical to modern organizations, as privacy and compliance awareness are at their peak. Yet building authorization, or permissions management, is a painful process for developers, due to complex and ever-evolving requirements and a lack of knowledge about how to avoid common pitfalls.

OPAL (Open Policy Administration Layer) is an open-source administration layer for OPA (Open Policy Agent). OPAL detects changes to both policy and policy data in real time and pushes live updates to policy engines, making them real-time and event-driven. OPAL uses Git as the source of truth for policy, enabling GitOps workflows for policy delivery and versioning. OPAL is used by thousands of engineers, from Tesla, Zapier, Cisco, Accenture and others.

In his talk, Asaf Cohen, co-maintainer and author of OPAL, will explain the challenges of managing modern authorization and access control and how these challenges can be solved by using open-source tools like OPAL. At the end, he will provide use cases and tips for implementing simple and scalable authorization.