October 30, 2023

KubeCon + CloudNativeCon 2023 Q&A: Aserto Fine-grained Authorization Platform Showcases its Open-Source Authorizer, Topaz


Ready for KubeCon + CloudNativeCon 2023?  Attending the show?  Make sure to visit with Aserto.

KubeCon + CloudNativeCon takes place November 6 - 9, 2023 in Chicago, Illinois.

Read this exclusive interview between VMblog and Omri Gazitt, Co-founder & CEO of Aserto, a cloud-native authorization-as-a-service platform.


VMblog:  If you were giving a KubeCon attendee a quick overview of the company, what would you say?  How would you describe the company?

Omri Gazitt:  Aserto is a cloud-native authorization platform. It makes it easy for developers to add resource-level, scalable access controls to their apps/APIs in minutes.

Aserto is built on top of Topaz, an open-source authorizer that uses the Open Policy Agent decision engine and an embedded BoltDB relationship database to support every popular authorization model (RBAC, ABAC, and ReBAC). Aserto adds a central control plane for easy management of policies, users, relationships, resources, and Topaz instances.

VMblog:  How can attendees of the event find you?  What do you have planned at your booth this year?  What type of things will attendees be able to do at your booth? 

Gazitt:  Attendees can find us at booth M29. Drop by the booth to talk about your authorization needs, or grab one of our shirts. We are also raffling off axolotl plushies every day, right after lunch.

Open Policy Containers, a CNCF Sandbox project which we are the main contributors to, will also have a presence at KubeCon. Stop by stand P6-A in the Project Pavilion in the AM hours to learn how this project enables you to secure the software supply chain of OPA policies.

I actually have a session about Open Policy Containers, on November 6th at 5:30pm. Go here for more details.

VMblog:  Have you sponsored KubeCon + CloudNativeCon in the past?  If so, what is it about this show that keeps you coming back as a sponsor?

Gazitt:  We sponsored KubeCon last year as well. We launched Topaz, our open-source authorizer, at the show last year. There is no other show that collects so many open-source projects and engineers under one roof. Given that we have developed a few open-source projects, it is only natural that we would also sponsor the conference and support the open-source community.

VMblog:  Do you have any speaking sessions during the event?  If so, can you give us the details?

Gazitt:  Yes, I do. On November 6th I have a 5:30 pm session where I will demonstrate how to build, tag, and sign OPA policies as OCI containers using Open Policy Containers (OPCR), a CNCF sandbox project. OPCR enables you to secure the software supply chain of OPA policies, and treat them as the important artifacts that they are.

Details here.

VMblog:  What are you personally most interested in seeing or learning at KubeCon + CloudNativeCon?

Gazitt:  Authorization standards. Authorization is finally getting its moment in the sun! A group of authorization vendors, including Aserto, Forgerock, Microsoft, Axiomatics and others, have gathered together to form an OpenID Foundation working group that focuses on establishing standards for application authorization. We call this working group AuthZEN; join our mailing list here.

VMblog:  What kind of message will an attendee hear from you this year?  What will they take back to help sell their management team and decision makers?

Gazitt:  There is no zero-trust without fine-grained access controls. The principle of least privilege hinges on resource-level authorization.

We are now getting to the point where authorization is getting some well-deserved attention. There are modern authorization vendors that provide varied degrees of fine-grained authorization. More importantly, we are now starting to work together to form authorization standards, with the ultimate end goal of solving authorization as we have solved authentication. The days of building your own permissions will soon be gone, just like no one builds their own login anymore.

Aserto is your Auth0 for access controls. Our platform makes it easy for developers to add fine-grained, scalable authorization to applications/API in minutes. Our open-source authorizer, Topaz, supports every popular authorization model (RBAC, ABAC, and ReBAC), so you can seamlessly evolve your model as requirements change. 

VMblog:  Can you double click on your company's technologies?  And talk about the types of problems you solve for a KubeCon + CloudNativeCon attendee.

Gazitt:  Aserto is a scalable, fine-grained authorization service for cloud-native applications. Our platform makes it easy for developers to add resource-level, scalable authorization to apps/API in minutes. It is built on an open foundation using mature open-source projects, including the Open Policy Agent, Open Containers Initiative, Topaz OSS authorizer, and Open Policy Containers to secure the software supply chain of OPA policies.

Aserto is especially useful in adding granular permissions to external-facing multi-tenant applications. It offers blazing-fast authorization of a local library coupled with a centralized control plane for managing policies, users, resources, relationship data, and decision logs. And it comes with everything you need to provide the most granular permissions with built-in support for RBAC, ABAC, and ReBAC.

Aserto also provides centralized control over your policies, users, relationships, resources, and authorizers. It enables you to view everything from one place, reuse policies across applications, and create a consistent experience. This is especially useful for organizations with a multitude of in-house applications used by employees and partners, each with its own permissions.

Let's face it, building authorization correctly is no easy feat. You need to be an expert. My co-founder and I have collectively spent over 60 years working on authorization, infrastructure, and developer tools. We've built what we have learned into Aserto.

VMblog:  While thinking about your company's solutions, can you give readers a few examples of how your offerings are unique?  What are your differentiators?  What sets you apart from the competition?

Gazitt:  Aserto is the only modern authorization service that combines both approaches to modern authorization: policy-based authorization (or "policy-as-code") and relationship graph-based access controls ("policy-as-data"). Other services only support one approach, while we believe that developers need the best of both worlds. We also have a unique distributed architecture with Topaz authorizers running right next to your application, while our control plane is hosted. This provides blazing-fast authorization, coupled with the benefits of central management and control.

VMblog:  Why is authorization harder than other aspects of building software? Doesn't every application build its own permission system?

Gazitt:  That's precisely right, and perhaps that is why the top ten list of application security threats published by the OWASP has Broken Access Controls as the #1 security threat. The OWASP actually found that 94% of the applications they tested exhibited some form of broken access control.

Today, most applications implement authorization using if and switch statements - spaghetti code inside of the app. The way to address this is to 1) pull authorization out of the application logic and express it in its own domain-specific language, and 2) have a team that is focused on implementing authorization correctly across different microservices within the application.

But rolling that out on your own is tricky. Authorization is in the critical path of every request, so it has to be fast like a local library. But, you want to manage your authorization rules centrally for consistency and ease of governance. So it requires a distributed systems architecture that most companies simply cannot invest in. It's also critical to get the most up-to-date information to the decision engines in real-time, so you'll also need to build a data plane.

As you can see, authorization is a far more complex technical problem than some of the other ones engineers tackle day in and day out. Thankfully, there is a set of vendors that focus on this problem and offer their solutions. Aserto is one of those vendors, and it's the only one to support both technical approaches to modern authorization - policy-as-data and policy-as-code - so that developers can enjoy the best of both worlds.
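The split the last two answers describe, authorization rules pulled out of the application into a policy (policy-as-code) that consults a relationship graph (policy-as-data), as an added Go example that is not part of the original interview, of Topaz, or of OPA. The model it uses (owner implies editor implies viewer, archived documents are read-only, group subjects written as "object#relation") and all names and tuples are constructed assumptions, not Topaz's own modeling language or data.

```go
package main

import "strings"

// Tuple is one relationship fact: subject holds relation on object (policy-as-data).
type Tuple struct{ Object, Relation, Subject string }

// Hypothetical model, an assumption rather than Topaz's own modeling language:
// owner implies editor implies viewer, and each permission names the relation it needs.
var grants = map[string]map[string]bool{
	"owner":  {"editor": true, "viewer": true},
	"editor": {"viewer": true},
}
var permissionRelation = map[string]string{"read": "viewer", "write": "editor", "delete": "owner"}

// Store is the relationship graph. HasRelation walks it through direct tuples,
// implied relations and group subjects written as "object#relation".
type Store struct{ tuples []Tuple }

func (s *Store) HasRelation(object, relation, subject string, depth int) bool {
	if depth > 8 { // bound recursion in case group membership is cyclic
		return false
	}
	for _, t := range s.tuples {
		if t.Object != object || (t.Relation != relation && !grants[t.Relation][relation]) {
			continue
		}
		obj, rel, isGroup := strings.Cut(t.Subject, "#")
		if t.Subject == subject || (isGroup && s.HasRelation(obj, rel, subject, depth+1)) {
			return true
		}
	}
	return false
}

// Allow is the policy-as-code side: unknown permissions are denied, archived
// documents are read-only, and everything else defers to the graph (ReBAC).
func Allow(s *Store, docID string, archived bool, permission, subject string) bool {
	rel, ok := permissionRelation[permission]
	if !ok || (archived && permission != "read") {
		return false
	}
	return s.HasRelation("doc:"+docID, rel, subject, 0)
}

// sampleStore holds constructed data: alice owns doc 1, group eng may edit it, bob is in eng.
func sampleStore() *Store {
	return &Store{tuples: []Tuple{{"doc:1", "owner", "user:alice"}, {"doc:1", "editor", "group:eng#member"}, {"group:eng", "member", "user:bob"}}}
}
func main() { println(Allow(sampleStore(), "1", false, "read", "user:bob")) } // prints true
```

Because the decision is a function over policy plus data, the same Allow call answers for every app that shares the graph, which is the point of managing rules centrally while evaluating them locally.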

VMblog:  Where does your company fit within the container, cloud, Kubernetes ecosystem?

Gazitt:  Topaz is delivered as a container image, which you can run as a sidecar in your application pod, or as its own microservice. This makes it really easy to run Topaz in any containerized environment, including Kubernetes of course. In addition, we offer organizations the ability to host a subset of our control plane services in their own k8s cluster via a helm chart. Our software is 100% multi-cloud, and we have customers running in AWS, Azure, and GCP.

VMblog:  KubeCon + CloudNativeCon is typically a great venue for a company to launch a new product or an update to an existing product.  Will your company be announcing anything new?  If so, can you give us a sneak preview?

Gazitt:  We are announcing a major milestone for Topaz - version 0.30. We've added a bunch of features, including a modeling language for describing object types, relations, and permissions; a graphical management console; REST APIs for our directory; and a framework for extracting, transforming, and loading data from identity providers such as Okta, Auth0, Azure AD, Cognito, and Google Workspace into Topaz.

We've also added major features into Aserto, including support for social login, a much improved onboarding experience, policy templates for RBAC, ABAC, and ReBAC scenarios, and a model builder.

Finally, I'm also here to promote a new vendor-neutral initiative that we're co-sponsoring called AuthZEN, which is focused on establishing authorization standards and protocols. We've just chartered an OpenID Foundation Working Group around AuthZEN to provide an IPR-friendly home for this initiative. If you're interested, join our mailing list!

VMblog:  Are companies going all in for the cloud?  Or do you see a return back to on-premises?  Are there roadblocks in place keeping companies from going all cloud? 

Gazitt:  Cloud is here to stay, but with authorization especially, we see a strong need for deployment flexibility and choice. To be truly "cloud native" these days requires an infrastructure product to let customers deploy it in the best way that suits their needs - whether they consume it as a multi-tenant vendor-hosted offering, run it in their VPC (in the cloud of their choice), or even in their own self-managed k8s cluster.

VMblog:  Are you giving away any prizes at your booth or participating in any prize giveaways?

Gazitt:  We are raffling away an axolotl plushie a day, right after lunch. Stop by booth M29 for a ticket!

VMblog:  Do you have any advice for attendees of the show?

Gazitt:  I've been going to KubeCons since 2015. It's obviously grown tremendously since the early days. But the best thing about it hasn't changed - it's about meeting really cool people that share your interests. My advice is to reach out to people - whether it's at sessions, at lunch, or in vendor booths, and try to learn not just from the sessions, but also from all the experienced people around you!

Last modified on October 30, 2023
David Marshall

David Marshall has been involved in the technology industry for over 19 years, and he's been working with virtualization software since 1999. He was able to become an industry expert in virtualization by becoming a pioneer in that field - one of the few people in the industry allowed to work with Alpha stage server virtualization software from industry leaders: VMware (ESX Server), Connectix and Microsoft (Virtual Server).

Through the years, he has invented, marketed and helped launch a number of successful virtualization software companies and products. David holds a BS degree in Finance, an Information Technology Certification, and a number of vendor certifications from Microsoft, CompTia and others. He's also co-authored two published books: "VMware ESX Essentials in the Virtual Data Center" and "Advanced Server Virtualization: VMware and Microsoft Platforms in the Virtual Data Center" and acted as technical editor for two popular Virtualization "For Dummies" books. With his remaining spare time, David founded and operates one of the oldest independent virtualization news blogs, VMblog.com. And co-founded CloudCow.com, a publication dedicated to Cloud Computing. Starting in 2009 and continuing all the way to 2016, David has been honored with the vExpert distinction by VMware for his virtualization evangelism.
