Authorization is a crucial pain point software developers inevitably encounter when designing software. As much as it needs to be custom to every application, it also needs to be easily scalable and secure.
For the uninitiated, authorization is the mechanism for checking what a user is allowed to do — anything from the pages you’re allowed to see, to the data that you are allowed interact with. Without proper authorization, an application can become vulnerable to unauthorized access, data breaches, and other security threats.
Typically, stateful authorization, a system where permissions are granted based on stored information about a user's past actions or status, is utilized by development teams. These are often built by hand, ad-hoc and don’t take into account future scalability.
Yet as the number of application users balloons, the possibility of state desynchronization increases. That could result in possible leaks of sensitive information, users denied access or access enabled based on incorrect data.
This is where stateless authorization comes into play. Companies like Cerbos provide an API for an authorization layer that relies on contextual information in a user request and is self-contained; meaning that any server can process them without drawing on stored user and application data. That makes it not only secure but also scalable, increasing application performance across the board.
That’s what staff engineer at youth culture ecommerce platform NTWRK Steve High found when he opted for Cerbos, commenting that “if you imagine 10,000 people trying to buy the same instance of a physical product on our platform at the same time, that's what we have to deal with. Using Cerbos as a sidecar, we’ve been able to get permissions-checking latency down to microseconds… in turn, NTWRK is able to provide a great user experience to our customers, both internal and external.”
In stateless authorization, each request is evaluated independently without having to interact with a database, bumping up performance in applications.
No longer bogged down by expensive database queries, stateless authorization can handle large volumes of requests, making it ideal for high-traffic applications like NTWRK where the speed of response time could be a deciding factor as to whether the user stays or goes with a competitor.
As any startup founder knows, flexibility is key in scaling a business and, with stateless authorization, policies can be easily changed and updated.
With requests now relying on context to make a decision on user access, policy modifications can be made that do not invalidate existing sessions. This makes it ideal for companies building in dynamic and fast-changing industries such as fintech, SaaS and ecommerce.
For B2B fintech platform Loop, which aims to streamline the financial operation of businesses, flexibility in authorization processes is of particular importance as it deals with financial transactions.
“Unless there's a change in customer requirements, or our internal requirements, in which we say that, we need to allow this person to do this — we just need to tweak some policies and deploy it,” says CTO Mohsin Kalam after implementing Cerbos’ stateless authorization, “And it hardly requires a core application code change on our end. We just deploy it and push the policies to the server and everything just works out of the box.”
If authorization isn’t built in keeping with the demands of a rapidly-changing startup, it can be a headache for the developer teams. As highlighted by both NTWRK and Loop, stateless authorization offers a lightweight, scalable and flexible approach to controlling access — it’s time that the industry caught onto that.
Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team