Taking the pain out of authorization and user permissions

Published by Cate Lawrence on May 10, 2023
The full article was first available on Tech.eu - read it here.

If you're looking for developer solutions, the best come from teams who saw a need for better software that could solve their own pain points but also drive commercial business value.  

Take authorisation and user permissions. Emre Baran was the CTO of Qubit, where he worked with Charith Ellawala. Their team experienced the arduous frustrations of continuously rewriting their authorisation code. Baran recalled:

"We had to build this authorisation layer multiple times, sometimes very simply, sometimes very complex. And it's one of those things that you're asking yourself, why are we still building this?"

Qubit was acquired in 2021 by Coveo. Baran had a strong entrepreneurial background, having founded and sold Turkey's largest social network, Yonja.com, in the early 2000s.

So the duo built a prototype, tested it on about 250 startups and enterprises, a process that included user interviews, and decided to turn their solution into a full-time company.

Startup Cerbos was born in 2021. I spoke to Emre Baran, CEO and co-founder, at KubeCon + CloudNativeCon Europe to learn more.

Cerbos makes life easier for developers with a free, open-source, scalable, extensible authorisation layer that makes authorisation simpler to implement and manage so developers can focus on building their core products.

Decoupling authorisation from core code

In software, there's a strong legacy of decoupling. Baran explained:

"Databases and directories got decoupled, log processing got decoupled, the messaging layer got decoupled, cryptography got decoupled."

According to Baran: 

"But before now, authorisation has never been successfully decoupled because it's always been part of the code base. Everybody starts writing this layer of code and inventing and reinventing. This is despite the fact that it essentially has nothing to do with your code base. It doesn't add any extra business value. It's not a selling point."

Cerbos decouples authorisation logic from the core application code, making the authorisation layers more scalable, more secure and easier to change as the complexity grows. This enables you to update roles and permissions rules without rewriting code.

Baran explained: 

"We help developers be able to implement and create delineated roles and permissions, helping glue that last mile. 90 percent of the time, software developers don't want to be writing permissions. 

"They want to focus on their core business." Further, while it may be easy to start creating your own initial authorisation, "it gets more complex as a company's needs grow, and no regular developer wants to deal with it."

He noted: "Our internal joke is, 'How hard is it to look up a username and password from a database. Billions of dollars later, you have Okta?'"

Baked in security and business continuity

Cerbos also facilitates an audit trail that tracks every access decision request, essential for regulated industries such as insurtech and fintech, where compliance with SOC2 and ISO27001 standards is critical.

Business continuity is a big priority for Cerbos, and Baran shared that Cerbos is licenced under the Apache License 2.0:

"We want to give our customers peace of mind, and this means our tools are here to stay. You own it, you can take a look at it, and you can evolve it. We even have users contributing to the codebase."

And for those looking for a managed service, Cerbos launched Cerbos Cloud in private beta at KubeCon. 

Cerbos Cloud offers a managed CI/CD pipeline that can test and build optimised policy bundles that are securely delivered to connected Cerbos instances instantly.

This enables a robust GitOps workflow for distributing authorisation policy changes with high visibility while keeping developers in full control of their environment.

In addition to the launch, Cerbos recently closed a $7.5 million extended seed round led by OMERS Ventures with participation from notable angel investors. 
