PurePerformance podcast: Solving today’s authorization challenges

Although authorization is a cornerstone of modern application security, it often remains misunderstood. Which is why, in a recent episode of the PurePerformance podcast, Alex Olivier, co-founder and CPO of Cerbos, joined Andi and Brian for a deep dive into the topic.

Alex shared his insights into the nuances of authorization, the challenges it presents, and its role in scalable, secure application design. ABAC vs. RBAC, the difference between stateful and stateless authorization, and why Broken Access Control is in the OWASP Top 10 Security Vulnerabilities, are some of the other topics that were covered.

Read on to discover the key takeaways. If you want to explore specific parts of the discussion - check out the mentioned timestamps.

Authentication vs. authorization

[00:03:33]

Alex kicked off the discussion by clarifying the critical difference between authentication (AuthN) and authorization (AuthZ).

Authentication verifies who you are, typically through credentials like passwords or tokens. Whereas authorization determines what you are allowed to do, based on policies and access controls.

Growing complexity of authorization in modern systems

[00:15:24]

As systems evolve, authorization has shifted from simple Role-Based Access Control (RBAC) to Attribute-Based Access Control (ABAC) to meet current demands. While RBAC assigns permissions based on roles like "admin" or "viewer," ABAC evaluates multiple attributes:

• User attributes: E.g., department, role, or location.
• Resource attributes: E.g., creator ID or sensitivity level.
• Contextual data: E.g., time, region, or device.

For example, in a blogging platform, ABAC might enforce a rule like, "Only the author of a post can edit it, and only during work hours." This enables fine-grained access control but introduces challenges like dynamic policy evaluation, policy sprawl, and increased complexity.

Alex emphasized the value of externalized authorization to manage ABAC’s demands, centralizing policies for scalability, consistency, and performance across modern distributed systems.

Why authorization is critical for security

[00:06:46]

Alex emphasized that authorization is a leading cause of security vulnerabilities, ranking #1 in the OWASP Top 10 as “Broken Access Control.” Misconfigurations and hardcoded logic are common culprits, leaving systems exposed to privilege escalation and other attacks.

He also discussed how externalized authorization simplifies auditing and ensures compliance, especially in regulated industries.

Scaling authorization for performance and reliability

[00:19:00]

Modern applications often process thousands of authorization checks per second, requiring scalable solutions. Unlike hardcoded authorization logic, a PDP centralizes decision-making, ensuring consistency across distributed systems.

By externalizing authorization into a centralized service like Cerbos, developers can achieve:

• Reduced latency by colocating PDPs as sidecars or daemons near application services.
• Centralized policies in one place, which ensures consistent enforcement and reduces errors.
• Enhanced observability, through audit logs, which offer granular insights for debugging, compliance, and anomaly detection.

This architecture offloads authorization complexity, allowing developers to focus on building core features without sacrificing security or performance.

Observability in authorization

[00:38:09]

Alex shared how Cerbos integrates with OpenTelemetry to provide detailed traces, helping teams identify bottlenecks or misconfigurations. Metrics such as request latency, policy cache evictions, and decision times are key indicators for performance optimization.

Solving the "list filtering" problem

[00:42:33]

One challenge in authorization is listing only resources a user is permitted to see. Instead of making individual checks (which is inefficient), Cerbos generates query plans that translate policies into database filters. This approach optimizes data retrieval and avoids the costly N+1 query pattern.

Conclusion

Authorization is no longer a simple "yes" or "no" decision. As Alex highlighted, modern systems demand scalable, dynamic solutions that can handle complex, attribute-based policies while maintaining performance and reliability. Tools like Cerbos empower developers to externalize authorization, centralize policies, and ensure consistent enforcement across distributed architectures.

As applications grow more complex, tackling authorization effectively is essential to delivering secure, seamless user experiences. Developers and architects who prioritize scalable and externalized authorization will be better equipped to meet the demands of modern distributed systems while staying agile in the face of evolving requirements.