How Utility Warehouse upgraded and centralized its access control system with Cerbos

Published by Anna Paykina on December 06, 2022

A ROBUST AND SECURE ACCESS CONTROL SOLUTION CENTRALIZES AUTHORIZATION

Utility Warehouse is the UK's only genuine multiservice provider. It offers the cheapest variable energy tariff in the UK and is a constituent of the FTSE 250 Index.

Utility Warehouse wanted to upgrade its cumbersome in-house authorization system. Rob Crowe, the Principal Engineer at Utility Warehouse, selected Cerbos to centralize how the company managed user permissions.

The result of this partnership was a simple, robust, and secure access control solution that gives Rob confidence and peace of mind.

We spoke to Rob Crowe, the Principal Engineer at Utility Warehouse, to discover why Utility Warehouse chose to scrap its in-house authorization system and implement Cerbos — and the excellent results that came from the partnership.

CHALLENGES

Q: Can you tell me a little bit about yourself and your role?

Rob: My role is Principal Engineer.

Q: What was going on within the company and what triggered you to work with Cerbos?

Rob: We’d built internal authorization software, but we hadn’t looked after it. It kind of worked, but it was basic and a bit cumbersome.

Two years ago, we knew that it was a bit long in the tooth and a bit broken. No one actually did anything with it; they just kind of moaned that it was a problem.

Q: How did your authorization process look before Cerbos?

Rob: Before, we had YAML files that lived in a repository in GitHub. We had a language to describe role-based access control. We raised a pull request, merged it, and then it was pulled down.

We were using scopes and they exploded. The JWTs were now too big to fit in browsers and cookies. We had to hack around it. We had no way of testing our pull requests. If we thought it looked right, we merged it and waited to see if it worked.
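To make the failure mode Rob describes concrete (one scope per service and action baked into the JWT until the token no longer fits in a cookie) alongside the alternative of a coarse role claim evaluated by a central policy decision point, here is an added Python example; it is not code from Utility Warehouse or Cerbos, and the HS256 helper, the 4096-byte cookie limit, the signing key, the service names and the policy table are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

COOKIE_LIMIT = 4096  # common per-cookie size limit that browsers enforce (bytes)
KEY = b"constructed-demo-key"  # constructed signing key, not a real secret


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_jwt(claims: dict) -> str:
    """Build a minimal HS256 JWT (header.payload.signature) with the stdlib only."""
    def compact(obj) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode()
    header = b64url(compact({"alg": "HS256", "typ": "JWT"}))
    payload = b64url(compact(claims))
    sig = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def scope_token(user: str, services: int, actions=("read", "write", "delete")) -> str:
    """Old pattern: one scope per service and action, all carried inside the token."""
    scopes = [f"service{i}:{act}" for i in range(services) for act in actions]
    return make_jwt({"sub": user, "scope": " ".join(scopes)})


def role_token(user: str, roles) -> str:
    """Centralized pattern: the token carries only coarse roles; permissions live in policy."""
    return make_jwt({"sub": user, "roles": sorted(roles)})


def fits_in_cookie(token: str) -> bool:
    return len(token.encode()) <= COOKIE_LIMIT


# Constructed policy table standing in for a policy decision point (PDP) such as
# Cerbos: resource -> action -> roles allowed. Anything not listed is denied.
POLICY = {
    "service0": {"read": {"engineer", "support"}, "write": {"engineer"}, "delete": {"admin"}},
}


def check_resource(roles, resource: str, actions) -> dict:
    """Evaluate each requested action against the caller's roles; default deny."""
    rules = POLICY.get(resource, {})
    return {act: bool(rules.get(act, set()) & set(roles)) for act in actions}
```

With 200 services and three actions each, `scope_token` produces 600 scopes and a token well past the cookie limit, while `role_token` stays small regardless of how many services exist, because the per-resource decision is made by `check_resource` at request time.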

Q: How did you store your authorization logic?

Rob: We realized that our 200+ engineers were doing their own thing; we didn’t have a standard way of doing authorization.

Q: What was the turning point?

Rob: What turned us onto Cerbos was that we knew we needed to do better. As a FTSE 250 company in a regulated market, we had to do things like audit logs and understand why someone got access.

Q: Why did you choose Cerbos?

Rob: Cerbos was close to how we had built our internal authorization system, so it was a natural fit. And it had a ton of extra features on top of that. By being open source and written in a language that we're all very familiar with, it felt comfortable. It felt like if we were to rewrite our stuff, not that it would look the same, but it would've been closer to theirs than anything else.

The fundamental building blocks are still the same, which is why we picked Cerbos. It wasn't a massive departure. We didn't have to think about new languages and glossaries. It fitted into our existing ways of thinking about RBAC and ABAC so that process transitioned over.

Q: Was there any apprehension over moving over to a solution that wasn't built specifically by you, for you?

Rob: Not really, because they are open source. They could completely delete that code and we'd have copies. We could have used our existing tools, but it would've required a lot of investment in something that wasn’t our core business.

SOLUTION

Q: How long did it take you to get started with Cerbos?

Rob: It took us a few days to understand Cerbos and then a couple of weeks to have it up and running in production.

We spent six to eight months understanding how we did authentication and authorization. We joined their Slack channel and got to know them when we were evaluating it and when we were using it. And the people that are part of that company are just really nice.

Q: And how long did it take to go through the code?

Rob: We could generally get through 90% of their code within a couple of hours.

Q: What was the process of implementing Cerbos?

Rob: Because Cerbos is written in Go and 95% of the company’s 4,500 internal services are written in Go, there was no issue for us from that point of view. It was pretty quick.

Q: How is the policy writing process in Cerbos?

Rob: Cerbos has a grammar in their YAMLs that we can trust, whereas the one we had before was the Wild West: it was thousands of lines of code. Now we've got a proper tool to depend on.

Q: How does Cerbos help you audit policies?

Rob: One of our favorite features is the audit logs because it allows us to understand what is happening in the black box. We’ve never had that before and we didn’t know we needed it.

Q: How about testing policies?

Rob: We’ve never been able to write tests and validate that changes are taking place; Cerbos allows us to do that.

Q: How would you describe the Cerbos team?

Rob: They are very smart, humble, and completely transparent.

We approach them for advice because they are experts in this field. We’ve said to them, ‘I know this is not what your product does, but how would you do this?’ and they have given us advice.

We’re open and we give them feedback. We ask them hard questions, and it hasn't put them off. Being honest with them has led them to build solutions that work better for us.

They want to build the best product so they ask for our input and feedback. We wouldn’t have been as successful if they weren’t so transparent.

RESULTS

Q: How has deploying Cerbos transformed Utility Warehouse’s authorization process?

Rob: We've completely changed our architecture for how we do authorization. We've gone through sort of our own transformation and rollout, and it's not too far from what we'd built previously, but it has given us a solid foundation.

Q: What would have happened if Utility Warehouse had not deployed Cerbos?

Rob: If we had kept our old system for more than six months or a year, we would have been in trouble. Cerbos came along with a product that let us bootstrap and move quickly.

Q: Has deploying Cerbos saved you time?

Rob: We've been sitting on this for years. So from that point of view, we were stalling. We didn't know what good looked like. So I'd say they’ve saved us the opportunity cost of us sitting on it for another six months to a year.

Cerbos allows our team to focus on getting rid of technical debt and other business use cases instead of wondering how to write a policy evaluation language.

Q: How has Cerbos increased your confidence and peace of mind?

Rob: We have a proper tool to depend on and I trust Cerbos’ workflows. If the green tick says that it is built, then we know it should work.

It's weird to say an outside company has our back, but Cerbos does. It's the people. It's their open-source code: it's high quality, you can read it, and it does what it says on the tin. We don’t have any stress or worry.

Q: If you were to recommend Cerbos to someone, what would you tell them?

Rob: It does a lot of good things. And yes, it doesn't have the big enterprise names on it and there's a whole bunch of other products, but it does what it says on the tin and it does it really well, and it's not complicated. If you are earlier on in your development lifecycle, it works particularly really, really, really well.

WHAT’S NEXT?

Rob looks forward to seeing what Cerbos cooks up that his team didn’t know they needed but turns out they did.

You can read the full case study with Utility Warehouse here.

Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team.