CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

What is intent-based access control (IBAC)?

Intent-based access control is a new concept that enables you to programmatically declare how you want your applications to authenticate with each other, and let infrastructure fill in the blanks to make that possible. The CPO of Otterize, Uri Sarid, explains exactly how this works.


Video Transcript

Can you define a little bit for me what is intent-based access control?

Yeah, yeah. So, um, I'll actually do that. I'll get back to actually that, um, that answer by finishing to answer, um, what Dwayne just asked, and then you'll see how the intent-based actually fits into that, right? So you asked me about the difference between, um, how machines authenticate and authorize versus how humans authenticate and authorize. Mechanisms, as we know, are quite different because they are different entities. You know, humans, there's a human aspect to it, right? You might ask for a username and password; that's not something that you would normally think as best practices for a machine, to have it know a password. Um, you can ask humans to, you know, refresh their credentials every hour, um, good luck with that, but with machines you actually have a chance to get them to refresh those credentials. So there's, the actual mechanisms are quite different.

Um, and the things themselves are quite different. Machines tend to do the same thing over and over again; humans, who knows. So the fact that a service is supposed to do something is actually something we can lean into and say: if you're supposed to do that, let's make sure you can only do that. Whereas for humans there's much more, uh, connection often to the application that you're doing, uh, that you're, that you're interacting with, so you have a lot more permissions, you have a lot more scopes. There's, there's a lot of sort of, um, it's not so much uncertainty but a much bigger surface area of the kind of authorization you need to provide, which means usually authorization is almost part of the application that you're talking about. It's very connected with the business logic. Whereas in the case of machines talking to each other, they tend to do the same kind of thing over and over again. Again, I saw this from the MuleSoft perspective, in that you open up APIs, and APIs are kind of designed to do a very specific thing. They're not supposed to be a general-purpose interface; there's an API to do this and an API to do that. And all of that means that the mechanisms, but also the kinds of things that you do when you do machine to machine, is inherently different when you do user to machine.

That also gives us an opportunity to do something called intent-based access control, and that is that you can capture the intent, what is that client supposed to be doing to the, to the server, and say: if that's what it's supposed to be doing, I'm going to make sure that's the only thing that it's allowed to do. And in fact, the set of clients that have declared their intents, that's the only thing that the server will allow anyone to do. So again, something quite different than what you can do with a person. If you can somehow figure out the intent of people, boy, we should go productize that, that's really interesting. But I do know the intents of a service, or at least the developer of that client knows the intents of the client. You know, "I want to go and call the order service and I want to get the latest orders": that's an intent. You built your code as a client of the order service to go and do that.

What we're saying is: oh, all you have to tell us is the intent of that client. You have to go and you say, okay, uh, you intend to call the order service, and we take that and we turn that into a set of permissions on the order service, on the server, to say: okay, well, guess what, let this client make that call, and anybody who hasn't declared that intent, don't let them make any calls. So you end up protecting the order service at the same time as you allow its clients to do their thing, because we're able to capture the intent of the clients and turn those into permissions. That's what's new about this. You as a client developer do the easiest thing: you just tell me what do you want to do, and on the permission side we automatically let you do those things and don't let anything that's undeclared happen.

Maybe I can just make sure that I understand