Published by Heidi Hokanson on July 23, 2024
Decrease the Cost of Failure in Authorization

A few days ago we completed the beta phase of Cerbos Hub and officially entered general availability. The product and the company have come a long way since we first launched our open source policy decision point (PDP) three years ago. Our Cerbos user community has supported us with valuable feedback and enlightening questions the entire way. And their insight is what led us to the creation of Cerbos Hub, a central policy administration point for applications with many distributed PDPs.

During the beta phase of Cerbos Hub, we heard from users about how Cerbos helps them move faster, implement more granular authorization policies, stay compliant with regulations, and improve customer experience. But there’s one benefit that we may have underappreciated a bit, so we wanted to give it some airtime: reducing risk.

Seems like it should be an obvious one, right? Better authorization reduces the risk of security breaches. But what we mean here is a little different.

Reducing the risks associated with authorization failure

Many of our clients shared with us that before using Cerbos, they often worried that when they updated their authorization logic, they might only remember to update it in a few of the places it was deployed, leaving security vulnerabilities that no one was aware of. Others said that without any way of testing their authorization logic, deploying changes was an exercise in blind faith: you crossed your fingers and hoped nothing broke. Authorization failure in these cases meant anything from leaving a backdoor open to crashing the whole application. There is both a material security risk and a psychological risk for the engineers responsible.

“It used to be that somebody on the product team goes to change something, and we forgot to change it in 9 of 10 places. So it was always a disaster.” - Steve High, NTWRK

“We realized that our 200+ engineers were doing their own thing, we didn’t have a standard way of doing authorization, and we had no way of testing our pull requests. If we thought it looked right, we merged it and waited to see if it worked.” - Rob Crowe, Utility Warehouse

Cerbos Hub features like automatic testing, the CI/CD pipeline, and centralized management eliminated the potential cost of failure in authorization. If you change a policy and the logic leaves access loopholes in your application, Cerbos Hub will automatically detect it so you can fix it before deployment. There’s no risk of inconsistent or incomplete deployments because Cerbos Hub coordinates deployments to all PDPs at once.

“I categorized authorization as just one of those things I don't have to think about. And that's a very valuable thing.” - Chuck Hardy, Salesroom

Freeing engineers and product designers from the anxiety of authorization maintenance opens up so much bandwidth to think creatively about how authorization logic can be applied. And beyond authorization, less stress means more energy to innovate in all areas of the product.

One of the most interesting things a client shared with us is that just by reducing the mental weight associated with authorization, their whole mindset around user experience design was transformed.

“If you want to increase the rate of innovation, decrease the cost of failure. Our whole posture towards what we can do with our app has changed. You've materially changed the way we design on the front end. We operate quicker with less worry and with fewer errors.” - Cerbos Hub client.

Even more of our users have told us that using Cerbos has let them be much more judicious with the product design requests they entertain. Where before they needed to pick and choose which ideas got investment, now they have time to explore and test at leisure, with the authorization step no longer being a choke point.

“It’s a good feeling being able to say yes to almost any request.” - Joe Qureshi, 9fin

Cerbos Hub is now generally available

