ShipTalk podcast: Why authorization should no longer be an afterthought

Published by Alex Olivier on November 08, 2024

In the latest episode of the ShipTalk podcast, Alex Olivier, co-founder and CPO of Cerbos, delved into the complexities of modern authorization in a conversation with Dewan Ahmed. The discussion ranged from the distinction between authentication and authorization all the way to emerging trends in DevOps and security. Read on to discover the key takeaways. If you want to explore specific parts of the discussion, check out the timestamps mentioned below.

The origin of Cerbos and its mission

[00:02:29]

Alex shared how his journey as a software engineer led to the founding of Cerbos. Frustrated by the repetitive task of building authorization systems from scratch, Alex and his team decided to create an open-source solution that simplifies this process for developers.

Understanding authorization in DevOps

[00:04:58]

Alex explained the role of authorization in the DevOps ecosystem, emphasizing the distinction between authentication (verifying identity) and authorization (defining what a user can do). In DevOps, this ensures secure, context-aware access at every layer.

Cerbos focuses on fine-grained, application-layer authorization, enabling dynamic policies like role-based access or resource ownership. This approach supports zero-trust security, operational efficiency, and compliance.

By integrating authorization early, teams prevent unauthorized actions, streamline permissions, and reduce risks, all without slowing down development.

Cerbos vs. Open Policy Agent (OPA)

[00:10:14]

When asked about the differences between Cerbos and OPA, Alex highlighted how Cerbos focuses on ease of use and application-level policies.

Both Cerbos and Open Policy Agent (OPA) offer policy-based authorization, but they cater to different use cases and audiences.

OPA, a CNCF project, is a versatile policy engine commonly used at the infrastructure level. It shines in environments like Kubernetes, where fine-grained control over infrastructure components is crucial. However, OPA's flexibility comes at the cost of complexity. Its policy language, Rego, has a steep learning curve, making it challenging for teams to adopt without significant training.

Cerbos, on the other hand, is designed specifically for application-layer authorization. It offers a simpler, more accessible policy language based on YAML, which most developers are already familiar with. This makes it easy for teams to implement and manage fine-grained permissions without diving into the intricacies of a new syntax.

“OPA is powerful but has a steep learning curve; Cerbos aims to simplify policy management with a developer-friendly approach.”

By using both tools together, organizations can implement comprehensive access control across both infrastructure and application layers.
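To make the earlier points concrete (fine-grained rules such as role-based access and resource ownership, evaluated outside the application code), here is an added toy policy-decision point in Python. It is not Cerbos's engine or API: the policy is a constructed dictionary shaped loosely like a Cerbos resource policy, with Python callables standing in for condition expressions, and the names `Principal`, `Resource`, `DOCUMENT_POLICY` and `check` are invented for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:           # the already-authenticated caller
    id: str
    roles: set
    attr: dict = field(default_factory=dict)

@dataclass
class Resource:            # the thing being acted on
    kind: str
    id: str
    attr: dict = field(default_factory=dict)

# Constructed policy for a "document" resource. Rules carry the actions they
# cover, the roles they apply to, an effect, and an optional condition.
DOCUMENT_POLICY = {
    "resource": "document",
    "rules": [
        # any user may read
        {"actions": {"view"}, "effect": "ALLOW", "roles": {"user"}},
        # only the owner may change or remove a document
        {"actions": {"edit", "delete"}, "effect": "ALLOW", "roles": {"user"},
         "condition": lambda p, r: r.attr.get("ownerId") == p.id},
        # admins may do anything ("*" matches every action)
        {"actions": {"*"}, "effect": "ALLOW", "roles": {"admin"}},
        # nobody deletes a locked document, whatever their role
        {"actions": {"delete"}, "effect": "DENY", "roles": {"*"},
         "condition": lambda p, r: r.attr.get("locked", False)},
    ],
}

def check(policy, principal, resource, actions):
    """Return {action: allowed}. Default deny; an explicit DENY overrides any ALLOW."""
    if policy["resource"] != resource.kind:
        return {a: False for a in actions}
    decisions = {}
    for action in actions:
        allowed = False
        for rule in policy["rules"]:
            if not rule["actions"] & {action, "*"}:
                continue                      # rule does not cover this action
            if not rule["roles"] & (principal.roles | {"*"}):
                continue                      # rule does not apply to these roles
            cond = rule.get("condition")
            if cond and not cond(principal, resource):
                continue                      # condition not met
            if rule["effect"] == "DENY":
                allowed = False
                break                         # deny wins, stop evaluating
            allowed = True
        decisions[action] = allowed
    return decisions
```

The application then asks `check(...)` for a decision per action instead of embedding ownership and role logic in each handler.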

Boosting developer productivity

[00:12:30]

Alex shared that one of the biggest challenges in modern software development is balancing speed with security. Developers want to ship features quickly, while security teams need to ensure robust access control. Cerbos bridges this gap by externalizing authorization, enabling developers to focus on building core functionality without getting bogged down in permission logic.

“You can integrate Cerbos in days, and your developers don’t have to think about authorization again.”

When to implement authorization solutions

[00:16:45]

The right time to adopt externalized authorization depends on your stage of development. Alex recommended starting either during early development or major re-architecture phases (e.g., migrating to microservices).

“If you’ve felt the pain of rebuilding permissions before, you’ll appreciate starting with a solution like Cerbos.”

The role of Cerbos Playground

[00:25:19]

Cerbos Playground allows developers to experiment with policy configurations without setting up a local instance. It’s designed to deliver instant feedback and help teams prototype authorization rules efficiently.

“It’s a real-time, browser-based IDE for testing and refining your policies.”

Future of authorization - standardization and centralization

[00:33:50]

Alex shared that the future of authorization lies in creating standardized interfaces, much like OpenID Connect did for authentication.

The OpenID Foundation AuthZEN Working Group, of which Cerbos is a leading member, is developing a unified protocol for integrating authorization across systems.

This standardization will allow businesses to centrally manage access policies and seamlessly integrate them into third-party SaaS tools. Imagine defining user roles and permissions once, then applying them consistently across your entire tech stack.

This shift promises greater security, simplified compliance, and reduced operational overhead for teams managing complex environments.

Conclusion

In this ShipTalk episode, Alex Olivier made a compelling case for why authorization should no longer be an afterthought. Tools like Cerbos enable teams to externalize access control, saving months of development effort and ensuring their systems remain secure and compliant. By adopting Cerbos, developers can focus on innovation while security teams gain the visibility and control they need.

Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team