Human Managed creates future-proof ABAC engine with Cerbos

Human Managed is the Intelligence Decision Action (IDEA) Platform for business that generates personalized intel and recommendations from any data. The company was founded in 2018. They are headquartered in Singapore and operate across Hong Kong, the Philippines, and India. Human Managed serves global customers to improve their cyber, risk and digital maturity.

Human Managed needed flexible access controls in order to tailor product packaging to their clients' needs. They knew RBAC policies would not be sufficient, but ABAC would be too time consuming and costly to build themselves. Je Sum Yip, Chief Engineer at Human Managed, spoke with us about his approach to authorization and how he used Cerbos to accomplish his goals.

Q: Can you give me a bit of information about yourself, your role, and the company you work for?

Je Sum: I am a Chief Engineer. I am specifically in charge of APIs for identity and authorization. 

At Human Managed we try to solve operational problems for customers. Imagine you have a scenario where top-level management has decided on a strategy they want to pursue. They've engaged, say, a consulting company like Pricewaterhouse, KPMG to come in. They did a study for two years, and produced a report. Then that gets translated into operational work that middle management and the lower level people will need to execute on.

What we see with most customers is that's the point where it fails in a lot of areas. And so what we do is we try to remove that layer by telling people what to do, exactly what to do, how to do it, and remove the thinking required. 

Q: How many people are in the company as a whole? And also how large is the engineering organization? 

Je Sum: We have about 45 people. About 10 to 12 people in engineering.  

Q: How many customers do you have? 

Je Sum: I think about five customers today. We're a startup. Our oldest and largest customer has been with us for about four years. And then we have four other customers who are brand new customers, been with us maybe about a year, year and a half. 

Q: How did you hear about Cerbos originally?

Je Sum: The story actually started off with us initially using the traditional RBAC model. Easy to understand, easy to implement. But in a lot of the discussions that I had with our CTO, we sort of knew that we would reach the limits of RBAC very, very quickly. 

And so we looked around and we kind of figured, look, there's only two real models in the market right now. It's RBAC or ABAC or a combination of both. So we did a Google search, looked around for ABAC, looked at a couple of other products in the market, and then he said, “Hey, you know what, I remember looking at this thing called Cerbos, can you go take a look at it again?”

I had a look at it, and yeah, lo and behold, Cerbos was great. I also tried to build our own ABAC engine and then quickly realized that it's an engineering task that's way too expensive for us. It's not worth my time to go build it. And so Cerbos actually fit the picture perfectly. 

Q: What made Cerbos stand out compared to the other options? 

Je Sum: That's an easy one. Its simplicity and flexibility. 

In terms of simplicity, it's easy to deploy. There are a couple of deployment models, but it is so straightforward to deploy. It's a single binary. I don't have to worry about a lot of things. It is very easy to integrate into a backend for policy storage. And troubleshooting Cerbos is actually pretty straightforward, not really difficult.

The support from Slack was really good, and I'll be honest, we use a lot of open-source stuff on the platform and out of all the tools that we use, the only one where we consistently get answers from the product development team is Cerbos. You post something in Slack and within a day, sometimes a couple of hours, sometimes even literally minutes, we get an answer. And the answer usually points us straight to the problem, what we need to fix. 

Now, the other part about Cerbos that I mentioned was flexibility. We love the fact that policies and rules are all written in YAML because, from the early get-go, we decided that YAML is going to be like our bread and butter for a lot of things that we do. So we love that. And the fact that the YAMLs can be written with the Google CEL language makes it so, so powerful. 

There's so many things we can do with it. And so these two things really stood out when we had a look at Cerbos and we said, “Yeah, this is future-proofing our ABAC engine,” if I can put it that way.

Q: Is there anyone in your organization you kind of had to convince that this was the right decision that you should follow through on this? 

Je Sum: No. None of that. Part of the reason why we didn't really have to go ask engineering, “Here's Cerbos, here's what it's doing. Can you guys go use it?” was because the way we engineered Cerbos into the platform made it 99% invisible to the rest of the engineers and operations folks.

It just works in the background. You don't have to do it. You don't have to set it up. You just have to make sure you have the correct policy in Git. Everything else just falls into place. 

Q: Could you walk me through your implementation process? 

Je Sum: The entire implementation of Cerbos was done by myself. There was a lot of on-and-off in experiments and POCs. I think it probably took about three months but that's not three months of dedicated time. 

In terms of implementation time of actually inserting it into the production flow, I would say that probably took about two weeks –That's writing the policies, setting up Cerbos with our CD pipeline, which involves writing all the manifests and all the rest of the stuff that we need to have this managed by Argo CD. All the DNS entries, all the rest of the infrastructure stuff. 

Then there's another component included in that two weeks. We use Cerbos extensively in our API layer because API is a very central strategy to our platform. And we have a web application that is using the API. And so there was a bit of development work in that two weeks to sort of write a wrapper library around Cerbos, expose that via the API framework that we have. And all the usual testing, making sure it works and all that. So yeah, took about two weeks to put it into production and we're very pleased with the results.  

Q: What could be improved? 

Je Sum: In the initial stages when I was looking at it, documentation was a challenge. But I'm happy to say in probably six months you guys have done a great job on documentation. A lot of improvements.

The second one is there were a couple of bugs that I hit with Cerbos around policy caching that was actually addressed by you guys after I reported it. I think it took you guys maybe two, or three weeks to come up with a new release. 

Q: Now that Cerbos has been implemented, what is your day-to-day like using Cerbos? Do you even touch Cerbos?

Je Sum: No, it's on autopilot. It just works. That's all. 

This comes back to the two things that stand out for me with Cerbos. The first part of that is the simplicity of Cerbos. It's literally a single binary that just works. I don't have a dependency against six databases in the backend and a middleware that I need to worry about and some caching layer that...None of that. It's so straightforward. So it just runs. And since I've deployed it, I think that was around... Five months ago? When it went into production? Maybe six? I've never had to go back and look at it. Never. 

The part where we do need to look at on a daily basis is when someone's writing policies. But again, you have good documentation around that about how to set up a GitLab job to validate that the policies work, including test scenarios. and so we've got that implemented and you know, that's about it. I mean, it just works. There’s really almost zero maintenance on Cerbos.

Q: What have you been able to achieve since using Cerbos that you couldn't before? What top line business metrics does Cerbos impact for you?

Je Sum: One is operationally, there is a lot less overhead to worry about when trying to figure out authorization for the APIs. 

The way we've set up our APIs with Cerbos is, there is a user who logs into the web app, user gets a JWT token. That token contains information about who the user is, what they're supposed to do, and so on. That information is extended via some metadata that is stored in the backend database, which the API will fetch. Once the API has fetched all that, it builds a request, sends it to Cerbos, and Cerbos just returns a true or false. That's it. 

So operationally having to modify authorization is a five-minute job now. Having to troubleshoot authorization is a five-minute job. So that has actually allowed the team to spend more time where it really matters on the platform, such as building the web UI worrying about the data that gets processed in the background, the talking to the customers, et cetera, et cetera.

Q: Is there anything unexpected that you got from working with Cerbos or anything that exceeded your expectations?

Je Sum: Yeah, I would say exceeded. I initially thought it was going to be difficult. There was a bit of a learning curve to understand Cerbos. The fear there was when looking at Cerbos, and looking at a Google CEL language and the way Cerbos implemented it, that some of the policies would require a lot of metadata to be able to evaluate correctly. But that turned out to be wrong. That assumption was wrong. It was actually surprisingly easy to do. 

We had previously made a switch from using JWT tokens for identity authorization to a design pattern called the opaque token. and that opaque token design actually made it very easy to integrate with Cerbos. All we need is that opaque key and that opaque key allows us to attach additional metadata handled by the API, which pulls from a back-end database and passes that entire set of information to Cerbos. 

Q: What would your business or project look like and operate like now had you not decided to work with Cerbos? 

Je Sum: Oh my god. Well, I can tell you as far as authorization is concerned, we would have an RBAC nightmare. A user is in role A, role A is in role B, role B is in role C, role C is in role D, and role D is in role A. I have no idea how you're supposed to eventually figure out what effective permissions the user is supposed to have. So, good luck trying to figure out who, on your platform, has administrator access. That's the typical RBAC nightmare that we would have to deal with. 

I love it so much that with Cerbos, I move all the “if, then, else” for authorization out of our source code. We used to have to write in the source code, “If user is part of this organization, and requesting data from this API, and so on and so on, then allow”. Every time we had to change permissions, we would have to go into the source code of the API, make that change, and then recompile, push it out into dev, test it, then push it out into production. It was a real pain. 

Everything now is literally, I make a change in a policy and in about 60 seconds the new rule will apply.

Q: How would you explain what Cerbos is to someone who doesn't know what Cerbos does?

Je Sum: So the easiest way to explain it is - You feed in conditions, you give it data in variables and attributes, and then you get a result that says, “Yep, value is true or value is false.” That I found is a lot easier than trying to explain the whole ABAC concept to someone, and then follow up with Cerbos. 

Q: If there's one word you could use to describe your experience with Cerbos, what would it be and why?

Je Sum: I would say it was surprising.

Surprising because of the combination of the speed and the commitment from you guys in improving Cerbos, taking feedback from the community, and helping out when there are questions. That is so rare in the open-source world.That convinced us that Cerbos is here to stay for good, at least on our platform. 

And you know, you sort of look at Cerbos and go, “Are you sure you can do this? It's a single binary and you just link it up to Git and that's it? Is it really that powerful? Can it do all this?” And when you actually get down to doing it, you realize that, yeah, it is. And that's the beauty of it. 

Q: How likely would you be to recommend Cerbos to others on a scale of 1-10? 

Je Sum: I would love to say a 10 because to a fellow engineer, it’s a 10. The moment that conversation pivots away from the technical implementation of Cerbos and it starts moving into the operational benefits, the business benefits, I would say probably a 9, maybe an 8. And I'm saying that because of one thing only, which is if you can have that GUI driven way of writing policies, that immediately becomes a 10.

Q: What would you tell someone who's on the fence about Cerbos?

Je Sum: I would say, take the time, go to Slack, ask your questions, clear your doubts. And then you will see that it makes sense. And, you know, the automatic answer to that question is normally go try it out. Just go install it, play around with it. But I think the greatest benefit of Cerbos is what the Cerbos team brings to the table. So go to Slack, ask your questions. If you get an error, show the logs. You will get an answer typically within a day. And that makes your transition from whatever you are using right now to Cerbos so much easier. 

Q: Is there anything you would warn people about?

Je Sum: Yes. A lot of the discussions that I see in Slack from people who are starting the journey is trying to figure out where to put Cerbos. 

And what I mean by that is I've seen people come on and ask, “How do I insert Cerbos into my authorization framework?” or, “If I have a web server or a database, how can I control access to data in this column of this table?” 

So probably the warning that I'll tell them is go understand what Cerbos really does. Go to Slack, ask those questions, and then you will figure out where exactly you can put Cerbos.

A lot of conversations I've seen on Slack where people started talking about this, they had an assumption that Cerbos was like, you know, “I'll go get a database, install it in my backend, and then I'll integrate it into the web app because there's some vendor level integration that just works. I just need to configure a couple of things, push a few buttons, done.”

That's not the way Cerbos works. So once they understand that and they see the light, then they will be able to fully utilize Cerbos to its max. 

Thank you Je Sum for taking the time to share your experience with us! To read more about Human Managed and the way they’ve utilized Cerbos check out our Success Story page.