CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Save my spot!

CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Save my spot!

Understanding intent based access control with Uri Sarid

In this episode of the Security Repo we dive into intent-based access control. This is the concept of limiting access to just what is intended, it sounds simple enough, But how does one understand and define the intent? And more importantly, how to we enforce our intentions with access control?

Video Transcript

and all that means that the mechanisms but also the kinds of things that you do when you do machine to machine is inherently different when you do user to machine that also gives us an opportunity to do something called intent based access control and that is that you can capture the intent what is that client supposed to be doing to the server and say if that's what it's supposed to be doing I'm going to make sure that's the only thing that it's allowed to do and in fact the set of clients that have declared their intents that's the only thing that the server will allow anyone to do that was part of a conversation that we had of URI serid on intent based access control rui is the CPO and co-founder of odorize a company that's really looking at making Access Control transparent for developers through intent-based access control or ibac but before autorize Ori has a long history of fundamental roles and leadership in Tech that includes being the CTO of mulesoft meaning that vice president of Nook Cloud for Barnes Noble and the VP of engineering for loyalize plus many more positions Rory has lots of experience in these fields and his insights are really valuable so you're going to want to stick around and hear what he has to say but right now it's time to take a look at our breach of the week this week's breach of the week we're going back and having a look at something we'd previously covered Western Digital which is a personal data storage solution company they mainly build Hardware devices to store personal information but they also have some offerings in the cloud Western Digital suffered a fairly significant breach which shut down their surfaces for a long time so what has evolved over the past couple of weeks well the my cloud services has been taken back online but it appears that the hackers that broke into Western Digital Corp stole around 10 terabytes of data it's also reported that the attackers are asking for an eight-figure Ransom free or they're going to release the 10 terabytes of stolen data publicly the hackers also claim to have control of the company's code signing certificate companies executive private numbers sap backed office data and administration access to the company's Microsoft Azure Cloud instance there are a couple of really interesting things that have evolved on this bridge number one is that the attackers actually said that they never really targeted Western Digital they kind of stumble across vulnerabilities randomly and it was a company where they were able to access the shows a kind of current Trend in what we're seeing with supply chain attacks and also scattergun approaches to discovering vulnerabilities whereas your organization doesn't necessarily specifically need to be a target for the attackers to start with for it to end up with them infiltrating your system so again if you're a Western Digital customer that's using my cloud now is time to check to see if there's any sensitive information in your files and make sure to revoke anything that you can that may provide access we still don't know more on the specific vulnerability that the attack is in this case were able to exploit to gain initial access but one of the things that we absolutely need to ensure is that we have strict tight access control and areas like ibac intent based Access Control can really help us with this this brings us into a good segue to dive into our conversation with URI and Dwayne on intent based Access Control so just kind of dive straight into it authorize when you look at it you're really focused on the non-human entities uh an authorizing the proper rights for non-human entities connecting together through devops systems primarily I think anyone that looks your website would think Apache first and foremost but could maybe just walk us through a high level of that problem set like how how is authenticating and authorizing non-humanonymities different than working with humans sure um so first thing is when you when you put it that way non-human entities it sounds like we're talking about some mysterious thing but the reality is that most of the world of software right if you look at the back end of most of the software uh and these days that's a huge part of our world is Services talking to each other right um yes there are humans involved of course right when you buy something uh there's a human buying it uh unless it's of course Google Assistant that's buying it for you but to a large extent everything that happens after that is service is talking to each other so really the the human to service authentication and authorization while it's critical is only the the uh the top of an iceberg of services talking to each other um and I saw a lot of this of course in my previous position as CTO mulesoft uh where we were integrating Services together that's the majority of the work is how do you make Services talk to each other um and so what we're here to do is to make sure that that you're also making sure that only services that are supposed to talk to each other are doing so just like you're making sure that only humans that are supposed to talk to the services are doing so that's really the the framing of the problem it's service to service authentication and authorization sometimes because you really want to make it more secure than what it is now sometimes because it's just obvious that that's the way you connect you know when you connect to a shared platform like RDS you're always authenticating an authorized authorizing there's no such thing as doing it without that so we just want to make that really really simple the outcome is of course a much more secure infrastructure or environment that you have but sometimes it's to make things easy it's sometimes it's the to make things secure something that jumped out to me that I wanted to dive a little bit deeper into is the intent based access control so I understand what you were saying before machine to machine authentication I I get that and I understand the the problems with that um but but what can you define a little bit for me what our intent based Access Control yeah yeah so um I'll actually do that I'll get back to actually that um that answer by finishing to answer um what Dwayne just asked and then you'll see how the intent base actually fits into that right so you asked me about the difference between how machines authenticate and authorize versus how humans authenticate and authorize the mechanisms as we know are quite different because they are different entities you know humans there's a human aspect to it right you might ask for a username and password that's not something that you would normally think as best practices for a machine to have it know a password um you can ask humans to you know refresh their credentials every hour um good luck with that but with machines you actually have a chance to get them to refresh those credentials so there's the actual mechanisms are quite different um and the things themselves are quite different machines tend to do the same thing over and over again humans who knows so the fact that a service is supposed to do something is actually something we can lean into and say if you're supposed to do that let's make sure you can only do that whereas for humans there's much more uh connection often to the application that you're doing uh that you're that you're interacting with so you have a lot more permissions you have a lot more Scopes there's there's a lot of sort of um it's not so much uncertainty but a much bigger surface area of the kind of authorization you need to provide which means usually authorization is almost part of the application that you're talking about it's very connected with the business logic whereas in the case of machines talking to each other they tend to do the same kind of thing over and over again again I saw this from the mulesoft perspective in that you open up apis and apis are kind of designed to do a very specific thing they're not supposed to be a general purpose interface there's an API to do this and an API to do that and all that means that the mechanisms but also the kinds of things that you do when you do machine to machine is inherently different when you do user to machine that also gives us an opportunity to do something called intent-based access control and that is that you can capture the intent what is that client supposed to be doing to the to the server and say if that's what it's supposed to be doing I'm going to make sure that's the only thing that it's allowed to do and in fact the set of clients that have declared their intents that's the only thing that the server will allow anyone to do so again something quite different than what you can do with a person if you can somehow figure out the intent of people boy we should go productize that that's really interesting but I do know the intents of a service or at least the developer of that client knows the intents of the client you know I want to go and call the order service and I want to get the latest orders that's an intent you built your code as a client of the order service to go and do that what we're saying is oh all you have to tell us is the intent of that client you have to go and you say okay uh you intend to call the order service and we take that and we turn that into a set of permissions on the order service on the server to say okay well guess what let this client make that call and anybody who hasn't declared that intent don't let them make any calls so you end up protecting the order service at the same time as you allow its clients to do their thing because we're able to capture the intent of the clients and turn those into permissions that's what's new about this you as a client developer do the easiest thing you just tell me what do you want to do and on the permission side we automatically let you do those things and don't let anything that's Undeclared happen maybe I can just make sure that I understand this that because we know that a machine is doing a specific job we can really restrict what it's able to do right so something that attackers do is they use services in unintended ways if we limit them whatever okay so this leads me this question why is why are we talking about this or as in why why has this not been implemented from from the from the beginning it's one of those things it's so over and I know it hasn't what's the challenge behind it why why is it difficult to be able to under to implement this intent-based Access Control it's a great question um uh and it actually dovetails into why we started authorizing why I decided this was going to be the next thing that I'm going to do because I remember standing on stage in Chicago I forget 2017 2016 something like that giving one of my presentations about sort of the future of apis and distributed services and things of that sort and saying that you know when we have this kind of machine to machine infrastructure we called it the application Network back then um there will be incredibly good ways to do security you can basically ask the machines and figure out what are they all doing and figure out you know is this all intentional and all of this kind of stuff and I got tired of just standing up there and talking about how it should be um I think I even even wrote some blog back then about how I think the whole world should go in this direction because if we can figure out what things are supposed to happen we are very good at automating making sure that everything else is not going to happen and so um you know various things interfered I don't know we had a pandemic we had a whole bunch of things that happened since then um but when I got together with um my two co-founders it was just the obvious thing to go and try to productize I Can't Tell You Why it hasn't happened so far but now it's going to happen yeah it's great that you you brought up that I mean there's a Blog that you wrote on TechCrunch six years ago um that dives into the the intent intent-based programming six years ago in in the software world that we live I mean that's a that's a generation right when you look about the technologies that that have been have been created so I mean before we kind of move away from this topic you've been thinking about this for for six years uh do you think that this is is is really going to be the the standard that we all that we all apply will it enable us to basically achieve become more secure develop faster and build better automations if this becomes a standard really think so but I also think so because fortunately I'm far from the originator of this General concept uh or the only one that believes in it there's this platform you might have heard of called kubernetes um I was super excited when kubernetes came out and saw intent-based uh infrastructure actually realized right here's something and arguably Docker even before that here's something where you just write a manifest that basically declares here's what I want to have happen and then somebody else is responsible to make sure it happens without you having to worry about how I mean if you want you can go back to puppet and other uh platforms that even did that before where it was much more about declaring what you want the out outcome to be and then letting other layers in the middle go and make that happen and I think from my perspective that's the only way that we're actually going to be able to make progress in large distributed software systems is not having people figure out every little bit of how things happen but rather have humans or or somebody declare at a high level this is what I'd like to have happen and let layers underneath that happen kubernetes is built that way or as an intent base to begin with you tell me at the high level you know you tell me a deployment I'm going to go actually figure out the pods and lay them out and all of those details so kubernetes is built that way that's what I love about the sort of the cloud native Market is that the whole mindset is declare what you want at a higher level and make it happen and we're just happening to do exactly that for access controls because there's an opportunity with machines to capture their intents and therefore you can actually turn that into automatic access controls and I think it will catch on because it's such an obvious idea and because it takes away so much of the pain that people are encountering today you know when I joined mulesoft in 2013 and we started to add API capabilities we immediately saw that the number one barrier to apis is actually authentication and authorization to some extent right that's the friction and people try to solve that you know oauth came out and so on and but here we are it's still the number one pain if you ask API developers like how do I actually get connected to that API it's I have to work through the authentication and the authorization so it's an ongoing pain and if we can make that pain just go away I think we got something I remember when the you know their declarative infrastructure First Data becoming mainstream and it was kind of like have you heard about the yaml file yet those those that those that had those that were doing it those that were not I imagine that this is you know it's it seems so obvious in the same uh that the cloud of infrastructure is it's like why why can't we declare our entity and let it figure out and then it's the same here exactly so it sounds like you have been very much for a long while here uh very focused on what's the Forefront of Technology what is the bleeding edge coming what's the the Leading Edge that we're all should be leaning into so the Hot Topic right now and I would love to get your just hot take on this uh is how do you see things like chat GPT machine learning AI impacting this part of devops if you can limit it to just you know calling it devops what we're talking about yeah yeah um I I'll try to answer it in the following way and you can tell me if I'm not answering your question I'll go back and and try again um one thing is just to clarify as far as sort of bleeding edge right I think there are tremendous numbers of technologies that uh you can call them on the bleeding edge you know I used to be particle theorists and as a particle theorist uh it's a very snobby approach that oh all the stuff that they call technology wow you know that's just engineering right we are we are doing the real Cutting Edge but the reality is that until it gets to engineering until it gets to something you can do something with it's just a bunch of academic papers so I'm not talking about technology that's sitting in academic papers I'm talking about something that actually is going to change our world um and that's what I consider sort of the important bleeding edge uh and that's where I I pay my my attention so I do think that in intent based programming in general changes our world is necessary and similarly I think that that chat GPT has shown us that AI has reached a point where it will actually change our world it's no longer for playing chess uh it's really going to change the way that that we're going to interact they even wrote A Blog about it on the on the authorized blog and the way that I think that it's going to change things is that um the way that people do things whether it's devops or whether it's buying online or anything like that will be through agents rather than directly um that's I think what's different right now we're talking about you know writing emails through agents right through through chat Bots and so on um and I'm not talking about voice Bots that has almost nothing to do with this this is Bots that actually have some level of intelligence and can actually do something not just understand the words you say um so in that world if everybody is acting through Bots you for example Market to bots you don't Market to people because the Bots are the ones that are going to recommend to the people what to do well wait who's right who's doing not a search engine optimization but a bot optimization marketing platform I don't know of anybody who's doing that similarly who is opening up apis that Bots can consume versus that developers can consume I don't know of anybody that's doing that so I'm just saying I think we're going to go through a tremendous amount of change societal change because the target is now the Bots not necessarily the people the Bots are the intermediaries and it's in that world it's in that sense that I think all our lives are going to change as a result of this and things like intent based access controls will just be another manifestation where you figure out the intent maybe a little bit more automatically by looking at pattern recognition so developers don't have to declare their intents and then the access controls kind of flow through them I want to dig into there something you said there just for a second not to Rabbit Hole on it um but um buying through agents or agents doing purchasing you first time I've ever heard anyone bring that up believe it or not um maybe you could just explain what that means just a little bit more yeah um you know it used to be 20 years ago that if you had a business trip you would talk to some travel agent or your you know assistant or somebody and you'd say you know I'm super busy but I know I need to be at this conference and I need to meet these customers and so on make the trip happen for me right and they would go and they'd figure out what are the best flights what are the best hotels how do I get from place to place do you want to see some shows after work and so on and so forth and then go orchestrate all of that together and they go buy the tickets and they go buy the airplane tickets and so on right so I didn't need to go and do the buying why don't they do the buying well Bots can do exactly that there's no reason with apis they can't actually do that if you trust them enough and I think they're getting to the point where the Trust might be close enough that all I might have to do today is say yeah that looks reasonable or no why are these flight spaced so closely together and so that the rest happens so now the Bots are coming to me with recommendations or maybe even executing these things which means that if you want to Market to somebody you better Market to those Bots not to me because it's like marketing to your assistant why Market to me they're the ones who are going to do 90 of the legwork here that makes total sense um I also really appreciate what you said about the difference between academic research that's in white papers being tied up there versus what we see in the real world I just had the privilege of attending the International Conference on cyber warfare and security and saw a number of papers that people presented as if i t is this ethereal Cloud idea not not Cloud servers but idea just out there in space that is disconnected from what we do day to day and it was kind of eye-opening for me to see like how much there is just this bubble of so much research being done that probably isn't going to see the why today or if it does it will be way past the point where it would have been useful um but at the same time that's where I think a lot of ideas and conference is like the one I attended is where people you'll start talking about those things and applying those ethereal white Ivory Tower um ideas to real world because I walk to a few new ideas of how to approach a couple of projects yeah and I'm a big believer in fundamental research don't get me wrong right it's nothing that I I did there you know is something that I regret on the other hand I realized that for me uh you know doing research and Publishing papers and maybe something that what I say will come true in 20 years from now is incompatible with a human lifetime and so I wanted to get stuff done in a time that I could see the Returns on it and so I switched out of theoretical physics so I think you know Quantum Computing incredibly important but what I like to do is things that are a little bit more um short-term based and maybe that's you know seems like I'm I'm uh uh you know going down the the pyramid rather than up but I actually think that in terms of actual impact somebody also needs to translate that and recognize which ones it's time to act on now and deal with that and that's kind of where my head is at these days I I want to go um seen as soon as we've entered into this this realm I I want to go on a more theoretical side one of the limitations that we face in technology is often security once we solve the security issues then we unleash technology to be used in ways that we didn't uh expect because we're confident that we can do that right now moving back to apis and everything if if we can secure our apis to a to a a way that we we didn't before and for this world that is using AI if we solve the problem of access control for apis how does this change how we use apis how does this change the direction the theoretical Direction the white paper if you will uh of where we can go with the technology uh that we're using yeah uh let me answer it sort of in a funny way it's not so much that it changes the direction the direction is already going the world is becoming a lot more composable so the question is whether we do it in a responsible way or not so the the reality is that um and I I can quote so I can make an analogy with what's happened recently with banking but like the world is already going in this direction lots and lots of services are already connecting to each other and we have a trust which I would say is more of a hope that everything will just keep working the way it's supposed to work until it doesn't one day and then you realize oh my God I don't have access to my cash or oh my God like all my transportation systems are not working or oh my gosh the electric grid is down or you know and so on so what I think is really important for us to do is to recognize that we're not about changing the direction we're about making the direction more trustworthy and making sure that in fact nobody can compromise this Foundation that we're building our lifestyle on that's really I think what it's all about I want to I want to get to the point where the infrastructure that we're all relying upon to increasingly automate our lives and and be able to spend our time more productively and so on is a trustworthy one I don't think um it has to be done by completely Reinventing anything in many cases what I've seen when there are security problems is you haven't done even the basics you haven't made sure that only the services that can connect to each other you know it's called zero trust it's a big term but only the services that connect to each other should connect to each other I mean it seems obvious but you know again an analogy is you know imagine that the way that you ran your business you all lived in one big office building and um you were very careful about whom to give acts whom to give the keys to that office building but once they go in the office building they can go to any office that they want they can change whatever they want nobody uses any passwords in their on their laptops good luck I mean that's what peripheral uh periphery based defenses are on um that's crazy right nobody would run things like that we all still insist on using passwords on our laptops even inside of our offices well why don't we do that for all the rest of our infrastructure apps uh absolutely and and I mean this is a this is something I've struggled with in security for a long time because I mean you look at the security headlines it's getting a little bit better but a year ago two years ago every single week you had a new uh unsecure Amazon S3 bucket that was discovered by someone and then all the data inside was it why is it the default that it's open like why is that why isn't the default like the intention isn't that it was meant to be open so why is it that it's ended up and I what you're saying uh makes makes total sense yeah I think the answer to that is very simple it's if the default word secure then you're introducing friction at the one point that you don't want as a platform to have friction which is at the beginning you don't want to make it hard to get started so you make it easy to get started but then nobody goes back and back up if you could make it easy to get started and that's what I love about intent based Access Control you just capture the intent that's the one thing that doesn't change so if you make it super easy to get started and then it's by default secure you get you know to have your cake and eat it too it's it's interesting and always interesting to me that the technology evolves to make our lives simpler like kafka's mission was to connect all of these Services yet we just made a whole new pile of work for ourselves and that's why companies like yours exist um but I do want to wrap things up here I would appreciate your time on spending with us but one last question and it is specific to authorize uh otters of course are really cute animals and we all love them and we love your mascot but uh I've never heard otter used as a verb so can you explain that name a little bit yes very simple uh it's authorized in a Hebrew accent uh I like it yeah otherwise yes okay okay it's super security against names and everyone's using some kind of hunting bird as your logo we have an owl there's a bunch of other owls there's Falcons and everything so when I saw the otter the cute Friendly logo it was uh I I quite like the story yes we want to be a cute friendly company we are we don't want to be on the security you know scare everyone's side we we have no such uh aggressive side to this if we figure that you know if we could make it really sweet for the developers then they'll actually adopt it you know what I like to think is is that security that's not adopted is remains as a white paper we want security to be built into these systems and we have to go for make it really really easy and attractive to adopt well well URI I want to thank you so much for for spending time with us and joining us on the security Reaper podcast it was really really interesting uh the final thing just to note here is uh you're you're quite prolific in terms of there's lots of content out there where can people go to kind of read some of your content follow you uh follow the Journey of otherwise what are some of the best links that we could share yeah we're gonna uh try to keep um putting content on our blog that'll be kind of the main one um and then from then on it's where you know we're gonna try to figure out where developers go where platform Engineers go and make sure that our content appears there but a good starting point is from our website and if we're doing our job right we'll help you uh we'll help you find it there and then in general I love YouTube so over time uh look there as well great thanks again hurry and uh we hope that we get to see you again in the future my sincere pleasure thank you