Techstrong TV: Decoupling in software development, Emre Baran | KubeCon + CloudNativeCon Europe 2023

Emre Baran, Co-founder and CEO of Cerbos, joined Alan Shimel, Founder and CEO of Techstrong, at KubeCon Amsterdam to discuss the growing trend of decoupling various aspects of software development, and the challenges developers face with authorization. 

During the conversation, Emre delved into his background, various projects he has worked on, and how his experiences in building roles and permissions within software products led to the creation of Cerbos, an open source solution for authorization.

Emre likewise shared insights about his company's open source offering, Cerbos, as well as the premium commercial product, Cerbos Cloud, which provides additional features for DevOps, product managers, and security teams.

Check out the full video and read the transcript below.

Full transcript of the chat

Alan: Let me introduce you to Emre Baran. Emre is with a company called Cerbos, and he's gonna tell us all about that. But first I want to hear his story a little bit. Emre, tell us about you.

Emre: I started studying economics and very quickly realized that banking isn't for me. Even in my bank internship job, I found myself writing Excel macros and I'm like, I gotta go get back to school and do computer science.

So after that I graduated, I was a software engineer. I worked in telecom products in the US, city government financial systems. And then after that I built a social network, which became Turkey's largest social network. And this was back in 2003 - 2007. And then after we exited that, I joined Google as a product manager.

I was a product manager on AdWords and AdSense at some point. I worked on all the AdSense backend products, and after leaving Google I moved to the UK. I started Qubit.com with my co-founders, large enterprise retailer, marketing technology, A/B testing, product recommendations. And then after that we started Cerbos.

And the story is actually, in every single one of these previous roles, I had to go build roles and permissions and authorization into software products. And every time we built it, we're like, why are we still building this? This is not adding any extra value, but it's a crucial thing to have. And with Cerbos we're trying to address that challenge of never having to build permissions again, so that we can provide that as off-the-shelf open source core for developers, so they can focus on their core business rather than infrastructure. 

Alan: Absolutely. I love that. So a trend that I'm seeing here, is... When DevOps first came out, in some ways it made life harder for developers, because it gave them more responsibilities they had to worry about than just coding. Security, Ops, testing, you know, all of these things. But now what we're seeing is, platform engineer, SRE, these kinds of functions, specializations. They're pulling back, saying, “Hey, dev, let me make this easier for you. Let me serve this to you on a platter…”

Emre: So you don't have to worry about it. 

Alan: So you do your thing. 

Emre: That's absolutely the same trend we're on. 

Alan: Yeah , that's what I see. 

Emre: We call this a decouple-ization, right? If you wrote software back in 1960s - you had to write your own database layer, you had to write your infrastructure, you had to write everything. But, you know, at 20 years at a time, when we look at this, databases got decoupled and then LDAP was the very first thing in security, the directory got decoupled. So nobody's building their own LDAP. Then authentication got decoupled, log processing and security got decoupled. But authorization is still, the way that we look at this is, like developers doing it themselves. Because there's a very fine line between your business logic and authorization logic, and not many people are thinking about what that API should be. 

So going back to what you were saying, a lot of developers find it much easier to do it in code than separating it out and actually making a thing on its own. However, by making it a thing on its own, you're enabling all the bells and whistles to be added to that authorization thing.

If you leave it to a developer, it's a very simple if-then-else statement - if manager, he can do this. If a read only user, they can only look at it, but they can't edit. However, all those requirements over time get very complex. They get much more complicated. 

Alan: Yes, they do.

Emre: All of a sudden, the developer is facing that same burden you mentioned, “Hey, it was easy, now it got complex. Oh, I wish there was a special software specialization that took this off my plate.”;

Alan: Yeah, I mean, here's the good news though - there is. What kind of feedback are you getting from people? 

Emre: We're getting great feedback. Of course this is a developer event, but it's very much Kubernetes, a lot of infrastructure. However, that being said, as you mentioned earlier, there are a lot of developers who are in between infrastructure and software. So, we get very great feedback. You know, 90% of the conversations we've had are always around, “Oh, we had to build it ourselves. Oh, we had to revamp that. Oh, we have to do it. We need to go enterprise ready.” So we're getting a lot of positive feedback into something that makes their life easier, especially when it's open source and it's free to put into our product. 

Alan: Absolutely. Let's talk about that. I can use the open source product, that's fine for me. What's the defining life for the commercial? 

Emre: So the commercial product we just launched, we announced it last week. It's a very fine line, right? How do you make a non-paid user into a paid user?

However, our principle is if you're a developer, your default go-to is, “I can code that and write three lines of code.” We wanna make sure that you never resort to that, because you're getting into a big mess. You're in the beginning, you probably are not seeing what's coming your way.

We wanna make sure our product is as simple and as developer friendly as possible to implement, so they can get their job done. However, when, as a developer, you need to implement roles and permissions, but at some point, your role now starts extending into a DevOps role, rather than just implementing roles and permissions. Now, if you have to do your CI/CD pipeline for your policies, if you have to build a deployment pipeline - we offer that as a premium product, so you don't have to actually handle that. 

Similarly, as a developer, it's free and open source to write your own permission policies in YAML, you can talk to your product manager and convert those. But if you wanna have empowered product managers managing their own policies, now we have a WYSIWYG interface for them. That's premium for them to actually point and click and change. 

Similarly, for security teams, for CISOs, CSOs, CIOs, if a developer says, “Don't worry, I have a great relationship with my CISO. I can listen to what they need and I can run a report on the logs and give them the output.” Great, that's free. However, if you want to give the CISO a tool so they can do an audit, they can run a blast radius impact analysis of a change, they can do an analysis of who's over permission, under their permission, on their own, without having to rely on developers - then, that's a premium product. 

So at the end of the day, core developers, software developer things are part of open source and the moment it starts jumping into other roles and empowering other roles, that's where we draw the line for premium, commercial. 

Alan: Makes a lot of sense. I think the dominant model we're seeing today is, oh yeah, you can take the open source model or we'll give you the hosted version. But quite frankly, the hosted version oftentimes doesn't have a lot more bells and whistles. It's just hosted. 

Emre: So with us, the core product is actually self-hosted. Because authorization, unlike many other cloud services, needs to happen in sub milliseconds because you're in a blocking pass of every API request, every interaction with the product.

Our cloud control panel is actually to manage all of your hosted instances. 

Alan: Love it. I think we covered a bunch here. Is there anything we left out? 

Emre: I would love to invite all the listeners, all the we viewers, to go check out our open source core product - Cerbos. And our new cloud offering - Cerbos Cloud, in private beta.

Relevant links

Are you looking to improve your application's authorization logic and security? Look no further than Cerbos! Discover how Cerbos works and explore its powerful features, including:

• Cerbos Cloud, a cloud-hosted control plane for Cerbos
• the Cerbos playground, where you can easily build and test policies in an online editor
• the Cerbos ecosystem and its seamless integrations with various SDKs, modern frameworks, and authentication providers
• how to unlock the full potential of Cerbos by learning about the conditions you can use in policies with Google's CEL
• understand how to build Derived Roles for contextual role decisions
• take advantage of Cerbos' unit testing and validating and testing policies in a CI/CD pipeline
• discover the various deployment patterns and learn how to deploy Cerbos as a sidecar.

Get started building your first policies with ease and join the companies that trust Cerbos in production for their authorization needs.