VMblog: If you were giving a KubeCon attendee a quick overview of the company, what would you say? How would you describe the company?
Omri Gazitt: Aserto is a cloud-native authorization platform. It makes it easy for developers to add resource-level, scalable access controls to their apps/APIs in minutes.
Aserto is built on top of Topaz, an open-source authorizer that uses the Open Policy Agent decision engine and an embedded BoltDB relationship database to support every popular authorization model (RBAC, ABAC, and ReBAC). Aserto adds a central control plane for easy management of policies, users, relationships, resources, and Topaz instances.
VMblog: How can attendees of the event find you? What do you have planned at your booth this year? What type of things will attendees be able to do at your booth?
Gazitt: Attendees can find us at booth M29. Drop by the booth to talk about your authorization needs, or grab one of our shirts. We are also raffling off axolotl plushies every day, right after lunch.
Open Policy Containers, a CNCF Sandbox project which we are the main contributors to, will also have a presence at KubeCon. Stop by stand P6-A in the Project Pavilion in the AM hours to learn how this project enables you to secure the software supply chain of OPA policies.
I actually have a session about Open Policy Containers, on November 6th at 5:30pm. Go here for more details.
VMblog: Have you sponsored KubeCon + CloudNativeCon in the past? If so, what is it about this show that keeps you coming back as a sponsor?
Gazitt: We sponsored KubeCon last year as well. We launched Topaz, our open-source authorizer, at the show last year. There is no other show that collects so many open-source projects and engineers under one roof. Given that we have developed a few open-source projects, it is only natural that we would also sponsor the conference and support the open-source community.
VMblog: Do you have any speaking sessions during the event? If so, can you give us the details?
Gazitt: Yes, I do. On November 6th I have a 5:30 pm session where I will demonstrate how to build, tag, and sign OPA policies as OCI containers using Open Policy Containers (OPCR), a CNCF sandbox project. OPCR enables you to secure the software supply chain of OPA policies, and treat them as the important artifacts that they are.
VMblog: What are you personally most interested in seeing or learning at KubeCon + CloudNativeCon?
Gazitt: Authorization standards. Authorization is finally getting its moment in the sun! A group of authorization vendors, including Aserto, Forgerock, Microsoft, Axiomatics and others, have gathered together to form an OpenID Foundation working group that focuses on establishing standards for application authorization. We call this working group AuthZEN; join our mailing list here.
VMblog: What kind of message will an attendee hear from you this year? What will they take back to help sell their management team and decision makers?
Gazitt: There is no zero-trust without fine-grained access controls. The principle of least privilege hinges on resource-level authorization.
We are now getting to the point where authorization is getting some well-deserved attention. There are modern authorization vendors that provide varied degrees of fine-grained authorization. More importantly, we are now starting to work together to form authorization standards, with the ultimate end goal of solving authorization as we have solved authentication. The days of building your own permissions will soon be gone, just like no one builds their own login anymore.
Aserto is your Auth0 for access controls. Our platform makes it easy for developers to add fine-grained, scalable authorization to applications/APIs in minutes. Our open-source authorizer, Topaz, supports every popular authorization model (RBAC, ABAC, and ReBAC), so you can seamlessly evolve your model as requirements change.
VMblog: Can you double click on your company's technologies? And talk about the types of problems you solve for a KubeCon + CloudNativeCon attendee.
Gazitt: Aserto is a scalable, fine-grained authorization service for cloud-native applications. Our platform makes it easy for developers to add resource-level, scalable authorization to apps/APIs in minutes. It is built on an open foundation using mature open-source projects, including the Open Policy Agent, Open Containers Initiative, Topaz OSS authorizer, and Open Policy Containers to secure the software supply chain of OPA policies.
Aserto is especially useful in adding granular permissions to external-facing multi-tenant applications. It offers blazing-fast authorization of a local library coupled with a centralized control plane for managing policies, users, resources, relationship data, and decision logs. And it comes with everything you need to provide the most granular permissions with built-in support for RBAC, ABAC, and ReBAC.
Aserto also provides centralized control over your policies, users, relationships, resources, and authorizers. It enables you to view everything from one place, reuse policies across applications, and create a consistent experience. This is especially useful for organizations with a multitude of in-house applications used by employees and partners, each with its own permissions.
Let's face it, building authorization correctly is no easy feat. You need to be an expert. My co-founder and I have collectively spent over 60 years working on authorization, infrastructure, and developer tools. We've built what we have learned into Aserto.
VMblog: While thinking about your company's solutions, can you give readers a few examples of how your offerings are unique? What are your differentiators? What sets you apart from the competition?
Gazitt: Aserto is the only modern authorization service that combines both approaches to modern authorization: policy-based authorization (or "policy-as-code") and relationship graph-based access controls ("policy-as-data"). Other services only support one approach, while we believe that developers need the best of both worlds. We also have a unique distributed architecture with Topaz authorizers running right next to your application, while our control plane is hosted. This provides blazing-fast authorization, coupled with the benefits of central management and control.
VMblog: Why is authorization harder than other aspects of building software? Doesn't every application build its own permission system?
Gazitt: That's precisely right, and perhaps that is why the top ten list of application security threats published by the OWASP has Broken Access Controls as the #1 security threat. The OWASP actually found that 94% of the applications they tested exhibited some form of broken access control.
Today, most applications implement authorization using if and switch statements - spaghetti code inside of the app. The way to address this is to 1) pull authorization out of the application logic and express it in its own domain-specific language, and 2) have a team that is focused on implementing authorization correctly across different microservices within the application.
But rolling that out on your own is tricky. Authorization is in the critical path of every request, so it has to be fast like a local library. But, you want to manage your authorization rules centrally for consistency and ease of governance. So it requires a distributed systems architecture that most companies simply cannot invest in. It's also critical to get the most up-to-date information to the decision engines in real-time, so you'll also need to build a data plane.
As you can see, authorization is a far more complex technical problem than some of the other ones engineers tackle day in and day out. Thankfully, there is a set of vendors that focus on this problem and offer their solutions. Aserto is one of those vendors, and it's the only one to support both technical approaches to modern authorization - policy-as-data and policy-as-code - so that developers can enjoy the best of both worlds.
VMblog: Where does your company fit within the container, cloud, Kubernetes ecosystem?
Gazitt: Topaz is delivered as a container image, which you can run as a sidecar in your application pod, or as its own microservice. This makes it really easy to run Topaz in any containerized environment, including Kubernetes of course. In addition, we offer organizations the ability to host a subset of our control plane services in their own k8s cluster via a Helm chart. Our software is 100% multi-cloud, and we have customers running in AWS, Azure, and GCP.
VMblog: KubeCon + CloudNativeCon is typically a great venue for a company to launch a new product or an update to an existing product. Will your company be announcing anything new? If so, can you give us a sneak preview?
Gazitt: We are announcing a major milestone for Topaz - version 0.30. We've added a bunch of features, including a modeling language for describing object types, relations, and permissions; a graphical management console; REST APIs for our directory; and a framework for extracting, transforming, and loading data from identity providers such as Okta, Auth0, Azure AD, Cognito, and Google Workspace into Topaz.
We've also added major features into Aserto, including support for social login, a much improved onboarding experience, policy templates for RBAC, ABAC, and ReBAC scenarios, and a model builder.
Finally, I'm also here to promote a new vendor-neutral initiative that we're co-sponsoring called AuthZEN, which is focused on establishing authorization standards and protocols. We've just chartered an OpenID Foundation Working Group around AuthZEN to provide an IPR-friendly home for this initiative. If you're interested, join our mailing list!
VMblog: Are companies going all in for the cloud? Or do you see a return back to on-premises? Are there roadblocks in place keeping companies from going all cloud?
Gazitt: Cloud is here to stay, but with authorization especially, we see a strong need for deployment flexibility and choice. To be truly "cloud native" these days requires an infrastructure product to let customers deploy it in the best way that suits their needs - whether they consume it as a multi-tenant vendor-hosted offering, run it in their VPC (in the cloud of their choice), or even in their own self-managed k8s cluster.
VMblog: Are you giving away any prizes at your booth or participating in any prize giveaways?
Gazitt: We are raffling away an axolotl plushie a day, right after lunch. Stop by booth M29 for a ticket!
VMblog: Do you have any advice for attendees of the show?
Gazitt: I've been going to KubeCons since 2015. It's obviously grown tremendously since the early days. But the best thing about it hasn't changed - it's about meeting really cool people that share your interests. My advice is to reach out to people - whether it's at sessions, at lunch, or in vendor booths, and try to learn not just from the sessions, but also from all the experienced people around you!