How Loop achieved reliable and scalable authorization with Cerbos

Published by Anna Paykina on March 23, 2023

RELIABLE ACCESS CONTROLS ALLOW BUSINESS TO SCALE WITH CONFIDENCE AND MEET COMPLIANCE REQUIREMENTS

Loop, a rapidly expanding B2B FinTech startup, streamlines the financial operations of businesses by eliminating inefficiencies and generating substantial working capital savings each month.

As the company deals with financial transactions, Loop sought to establish centralized access controls through a reliable and proven solution, which would allow Loop to boost their SDLC and meet the compliance requirements of their regulators.

Mohsin Kalam, CTO and Co-Founder of Loop, opted for Cerbos as the authorization layer for the company, resulting in a straightforward, sturdy, and secure access control system. Thanks to this partnership, Mohsin is now able to rapidly and confidently scale his business.

The result of the partnership was a simple, robust, and secure access control solution that gives Mohsin the ability to scale Loop quickly and with confidence.

We spoke with Mohsin Kalam to learn more about why he selected Cerbos and how their collaboration produced outstanding outcomes.

CHALLENGES

Q: Can you tell me a little bit about yourself and your role?

Mohsin: I'm Mohsin Kalam, the CTO and Co-Founder of Loop Financial Services. We are a fast growing B2B FinTech startup in Pakistan.

Q: If you don’t mind sharing, how many people are in the company as a whole and how large is the engineering organization?

Mohsin: It varies between 8 to 10 engineers. And our company is roughly between 25 to 30 people full-time. But if you add contractors, then it goes to roughly about 50 people.

Q: Can you provide some figures for us to understand the scale of your operation?

Mohsin: We are in the top 5 fintechs in the country in terms of cash collection and digitization.

Q: How did you manage user permissions before you implemented Cerbos?

Mohsin: We had just started building our product and within two, three months of building it, we were finally getting to the authorization layer. We didn't build anything on our own besides a simple table that captured roles. But again, that was coupled to our solution at that time, our internal product. Once we saw the benefits of Cerbos, we scrapped all that work, and we implemented Cerbos. It was so easy to use and it worked right out of the box; the setup was really easy.

Authorization is something that we take very seriously, because we deal with financial transactions. And we wanted to make sure that we have something that's battle tested for our company and we didn't want to reinvent the wheel.

Q: Why did you choose Cerbos?

Mohsin: I was picking between Cerbos and, at that time, I think it was Okta. I studied Cerbos, they are great, receptive people. The APIs were easy to understand, and it was more of a plug and play solution.

We thought that it was a good match and we tried it out. We did a quick prototype and didn't have any challenges. I had one or two engineers work on it, and they came back and said that this is really easy and quick to implement. It worked out great. So I thought it's a no-brainer. The product did the convincing for us. And then we expanded with it.

SOLUTION

Q: How long did it take you to get started with Cerbos?

Mohsin: The API documentation and Get Started section in Cerbos did most of the work. They had really concise instructions on what to do, step by step. We were able to set up the architecture. The thing I love about Cerbos is that you can just work it as an open source dockerized container - you just need to pull in the latest image and boom, you have a server deployed.

Once we were able to do that, our engineering team collaborated with the Cerbos devs to figure out how to define some policies for our use case.

Some of our non-technical team members were also involved in designing some of the policies. The YAML in the policy was so easy to use. They could define a YAML by reading the documentation for five minutes. So it's really extensible for non-technical people as well. Business users and others can interact with Cerbos and fulfill their requirements, without having to get too technical.

Overall, the architecture is really clean. The documentation is really clean. And with the help of the Cerbos engineering team, with a dedicated resource, we were able to get this up and running in a week or so. And after that, it's just been smooth sailing.

Q: Can you walk me through a day in the life of using Cerbos?

Mohsin: We hardly touch it, unless we really need to add or update a policy. That's the best part about having a third party solution that just works.

Unless there's a change in customer requirements, or our internal requirements, in which we say that, we need to allow this person to do this - we just need to tweak some policies and deploy it. And it hardly requires a core application code change on our end. We just deploy it and push the policies to the server and everything just works out of the box.

It’s important to add that if something does go wrong, we don’t have to worry about that, as we have logs available.

Q: How has Cerbos helped you meet any compliance requirements?

Mohsin: Cerbos definitely helps us meet compliance. Some of the compliance checks require us to have security policies up to date. Being able to demonstrate that Cerbos is handling authorization for us is a great convenience.

Q: Do you think Cerbos is a good fit for your product and ATMs?

Mohsin: Definitely, due to the ease of use. Our team is really comfortable with Docker, all of our infrastructure is built on Docker, so that was also one of the selling points.

I'm not saying that other systems are not built on a Docker service, but the first thing that a Cerbos team member mentioned was that it is all Docker-isable. So we pulled the image, and it just started to work.

RESULTS

Q: What would have happened if Loop had not deployed Cerbos?

Mohsin: We would probably have another third party service that we would've had to onboard on. Or maybe we would've invented it on our own. If we would've had to do it on our own, then I know that we wouldn't have been able to scale, as we are now, with the confidence that we have. And we especially would not have been able to meet the compliance of our regulators as quickly.

Due to our partnership with Cerbos, security auditors really trust our product. The trust comes with the great product, technology and brand that Cerbos has built.

Q: How much time would you say Cerbos has saved you as a fast growing startup?

Mohsin: I would say there are two parts to this. The first is how much time it actually saved us from, you know, if we had to develop this on our own. Right off the bat, it saved roughly three to six months of development time. And an in-house solution might not have even been as flexible either.

There is also the maintenance cost. We get the benefit of using Cerbos’ APIs and service. That constantly saves us upkeep time. From the development, to making new changes, and then not having to allocate resources on it and having those resources on other tasks that we were developing - I would say that's roughly six months of development time cost that we've saved, so far.

Q: What have you been able to achieve since using Cerbos, which you couldn’t before?

Mohsin: We were actually able to focus on other parts of the pipeline or other parts of the SDLC. So, speed to release has been impacted, which meant that we could service more customers much faster. Having more releases done, having more time to do experimentation, is also a really good win for us.

We know that the Cerbos solution is battle tested, secure and it's doing what it's supposed to do. We have full trust in the product.

Q: Has anything exceeded your expectations since working with Cerbos?

Mohsin: Initially, we thought that this was only something that could be used in our front end code. And I think that was mainly because we didn't really understand the power of Cerbos.

But then, once we had implemented a policy and it was being used in the frontend, all we had to do was integrate Cerbos in our backend technology. And the thing that's great is that it is technology agnostic. We have Java in our tech stack, we have NodeJS, we have ReactJS. Cerbos integrates with all of them really well, because it works on an API level basis. You ask a question and it returns an answer. So it doesn't matter what the consuming technology is, it just works. Once we deployed it for the frontend, then the backend, all the other middleware just used the same policy. And the integration was really good. It just worked.

So that was a really good win for us, that we didn't expect. It saved a bunch of time on development, which we didn't think it would. Having a clean architecture where both the frontend and the backend teams can work independently, but still have a central point, is valuable to us.

Q: If there’s one word you could use to describe your experience with Cerbos, what would it be and why?

Mohsin: If I had to pick one word between ease of use, or scalable, or cost saving, I would say it's definitely the ease of use. I know it's three words, but it just works out of the box, right.

Q: If you were to recommend Cerbos to someone, what would you tell them?

Mohsin: This product is going to definitely upgrade your security layer and it's going to provide a lot of cost saving, in terms of development cost. I think it's a great product for the overall company, not just the technical part of the company.

And I would recommend Cerbos for the three reasons that I mentioned previously. It works out of the box. You deploy it and it's running in less than 10 minutes. I think that's the biggest benefit. Secondly, the ease of use, the cohesion between the overall system, the back and the frontend, they all talk to a single point. And that's huge in terms of time saving and reliability for us, and maintenance-wise as well. And the third point is definitely the great support that we got from the Cerbos team. It's a really responsive team, so anytime we did get stuck, we were just one Slack message away.

WHAT’S NEXT?

The team at Loop look forward to further scaling the company with the support of Cerbos.
