Docs & Resources
When a user or a machine entity logs into a system, it’s important that the system knows what resources the logged-in principal is permitted to have access to. Without an authorization mechanism in a system, anyone could have unrestricted access and permission to all resources in a system. Proper authorization improves the security of a system, whether it’s infrastructure or an application.
To improve the security of these systems, authorization mechanisms are built into them. However, infrastructure does have different authorization use cases than applications, given their different purposes—an application is a software package designed to perform specific functions for end users or other applications while infrastructure is the framework that supports that application. Infrastructure is hardware and software components, network components, operating systems, and data storage.
Infrastructure authorization is used by administrators to grant permission and privileges to other users in the team in order to access specific resources and perform specific actions on the infrastructure environment. Application authorization is developed into the app by creating privileges and permissions based on user roles in order to restrict or provide specific access to certain features in the application for end users.
Let’s dive a little deeper into the concepts of infrastructure and application authorization, so we can understand their similarities and differences.
Due to its cost-effectiveness, scaling, ability to store large data, and ease of management, cloud infrastructures are gaining favoritism to support applications and business solutions. The growth of cloud infrastructure has increased tremendously with more sophisticated tools; authorization is no longer a nice-to-have feature but a necessity.
Permissions for users must be carefully planned. You must ensure that sensitive permissions are not given to the wrong users, and that users are not being over-provisioned with permissions. If someone receives access to something they have insufficient knowledge about, or if they access it with malicious intentions, the result could be disastrous or irreversible.
So what scenarios should you be considering when it comes to determining permissions in your infrastructure?
Planning authorizations is an important aspect of your application development. An application without a well-planned authorization mechanism is opened to attack and abuse. There are several use cases for implementing authorization in your application.
While infrastructure and application authorization have some differences, such as their method of implementation and integration, they also share some similarities, such as providing security and their implementation of role-based access control. Let’s take a moment to learn a bit more about their similarities and differences.
They both protect important resources. The main goal of authorization is to protect data and actions from unauthorized and unwarranted entities.
They both have the ability to implement common patterns. Some common patterns like RBAC can be implemented for both infrastructure and application authorization because of the basic concepts authorization is built upon.
They improve the security of the system. As mentioned earlier, authorization prevents unauthorized access to system resources, so it improves the security of the system. Both infrastructure and application systems contain important resources and actions that require the right entity to have the right permissions in order to gain access to the resources.
One protects the infrastructure and the other protects the application. Infrastructure authorization ensures that the wrong entity doesn't have permission to perform sensitive actions on the infrastructure. You may perform more configurations on an infrastructure than any other action, so giving privilege to the wrong entity can cost your organization in numerous ways. On the other hand, application authorization prevents sensitive data access from the wrong user.
Infrastructure authorization is usually set in stone by the provider. Meanwhile, application authorization is up to the architects/engineers to choose and implement. You’re limited to the authorization mechanism provided by your infrastructure provider, but application authorization can be implemented based on the mechanism preferred by the architect or engineer.
For most providers, infrastructure authorization is implemented via an identity and access management (IAM) tool - be it AWS, GCP, Azure or any of the other big clouds. The IAM system tells the infrastructure how to control access to different resources of your infrastructure. You can manage access by creating permission policies for different resources and entities on your infrastructure. Some components like databases might have their own inbuilt authorization controls, but on the whole for infrastructure level access management, you generally use what is provided.
When it comes to application level authorization things are not so clear cut. Many libraries and frameworks exist with permissoning models built in such as Wordpress and Django but these are tied into those stacks and can’t easily be used outside of that ecosystem.
If your application is made up of a number of services - typical of a microservices architecture - then managing authorization is more painful and you likely would need to decuple the logic out of the app and into a standalone service which each part of the system can call upon when needed to make access management decisions. This is where a system like Cerbos can help and allow you to focus on the business value rather than foundational things such as authentication and authorization.
When developing an application, it’s important to choose the best authorization mechanism based on your application’s requirements. The same goes for infrastructure authorization—you must implement it based on the needs of your organization.
If you’re looking for an easy authorization solution for your application, check out Cerbos. A powerful authorization solution, Cerbos makes it easy to create custom RBAC and ABAC. It’s fast, scalable, and it saves your developers from wasting precious time creating authorization from scratch.
Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team