Company Key Facts
| Fact | Detail |
|---|---|
| Web | https://www.aserto.com/ |
| LinkedIn | https://www.linkedin.com/company/aserto-com/ |
| Twitter | https://twitter.com/aserto_com |
| Founders | Gert Drapers, Omri Gazitt |
| No. of Employees | ~25 |
| Total Funding | $5.1 million |
| In Their Own Words | “The fastest path to enterprise-grade authorization.” |
Aserto has had one publicly acknowledged funding round – a $5.1 million round in June 2021, led by Costanoa Ventures.
| Investor Name | Lead Investor | Funding Round | Partners |
|---|---|---|---|
| Costanoa Ventures | Yes | Seed Round – Aserto | Greg Sands |
| Heavybit | No | Seed Round – Aserto | Joseph Ruscio |
Technology Key Facts
| Fact | Detail |
|---|---|
| Go To Market Message | “Powerful authorization-as-a-service, built to evolve with your customer requirements.” |
| Solutions | Declarative Authorization / RBAC / ABAC / Fine Grained Access Control |
| Products / Platform | Control Plane / Edge Authorizer / Language Embeddability |
Case Studies / Target Customers
| Company | Region / Sector | Persona | Use Cases / Problem Being Solved |
|---|---|---|---|
| Spreetail – case study details. | US / ecommerce fulfillment platform with over $1 billion in revenue | VP Technology / Engineering Manager – looking to migrate away from a home-grown authorization solution for a customer-facing platform. | Fine-grained authorization; user and resource context; Okta integration as an IDP; dynamic permissions based on user attributes; separate permissions directory; policy as code |
| Metrikus – case study details. | UK / smart space management and analytics | Head of Technology – worked through a build-v-buy process to outsource authorization to a commercial product for a consumer-facing app. | Auth0 used as IDP; leverage the Aserto API to manage authorization instead of native Open Policy Agent integrations; sidecar enforcement alongside the protected application for speed; rapid compromise response; reduced cost compared to building their own model |
Problems Being Solved
Aserto sits in the emerging declarative authorization sector, providing a range of capabilities that allow organizations to outsource their authorization definition and enforcement needs to a specialist supplier. Many organizations rely on identity provider (IDP) services to authenticate the end user for either the B2E (employee) or B2C (consumer) communities. The authentication aspect is well understood and well defined, with many different MFA and session management capabilities now mature and widely deployed. However, what happens post-login is now a burning issue for many organizations as they move towards an identity-first approach to security and data protection.
Authorization has often been a home-grown, customized and siloed model, where the protection of each asset was difficult to extend, isolated from the rest of the application ecosystem and tightly coupled to user stores. These highly customized authorization models end up being high-cost components of the technology infrastructure and, in the long term, impact business agility and the ability to deliver modern applications that scale.
The likes of Aserto provide a specialist platform that can consume existing access control models and provide both a control plane for management and an enforcement mechanism to uphold policies and the declared access control logic.
Aserto capabilities can be split into a control plane aspect (think policy management) and enforcement. The Aserto directory acts as the main entry point for the ABAC (attribute-based access control) components that tie neatly into existing identity sources of trust such as IDPs and on-premises user directories. Policies are then created that link the identities to their respective permission sets. These policies are essentially treated as code: they can be programmatically updated and managed, stored in a version control system and also signed, which provides a level of integrity and protection against unauthorized change.
The policy data is enforced by what Aserto calls “edge authorizers”. These authorizers are reference monitors that sit between the inbound access request and the protected API. An authorizer can run as a sidecar alongside the protected API or as an entirely separate microservice hosted in the cloud. The authorizer is based on the Open Policy Agent project.
Policies are managed via a life cycle to give full control and versioning via a REST based API.
In addition to a command line interface, there is also the Aserto Console, that allows the central management of individual components.
Components are grouped into “Organizations”; within an organization, connections act as data-flow nodes that link consumers of policy (edge authorizers) with contributors to policy decisions (edge directories and identity providers).
Policies are essentially code blocks that contain the logic to help the authorizers come to an access control decision.
The declarative nature of the policy definition is essentially based on attributes derived from the user or resource context that is available at the time of the access request.
Authorizers can be either hosted or placed on the “edge” close to the protected resource. Headers or client certificates (via mTLS) are used to validate inbound access requests into the authorizer before the access control decision process is started.
An access decision relies upon context relating to the identity, the resource being accessed and associated policy. The identity context is typically presented via a JWT.
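The decision flow described in the preceding paragraphs (identity context carried in a JWT, resource context supplied by the protected API, declarative attribute-based rules, and an authorizer sitting in front of the API with default deny) is sketched below in Go as an added example. This is not Aserto's or Open Policy Agent's code and uses no Aserto API; Aserto's authorizer evaluates Rego policies through OPA, whereas here the rules are plain Go predicates so that the whole path from token to decision can be read and run in one file. The claim names (`department`, `roles`), the rule set, the HS256 demo key and the `Probe` helper are all constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Identity context: claims the IDP places in the JWT presented to the authorizer.
// Claim names are constructed for this example.
type Identity struct {
	Subject    string   `json:"sub"`
	Department string   `json:"department"`
	Roles      []string `json:"roles"`
}

// Resource context: attributes the protected API knows about the object being accessed.
type Resource struct {
	Kind, Owner, Region string
}

// Rule is one declarative ABAC statement: permit Action when the predicate holds.
type Rule struct {
	Name, Action string
	Permit       func(Identity, Resource) bool
}

// policy is the policy-as-code block: data that can be versioned and reviewed like code.
var policy = []Rule{
	{"owner-reads-own-order", "read", func(id Identity, r Resource) bool {
		return r.Kind == "order" && r.Owner == id.Subject
	}},
	{"support-reads-any-order", "read", func(id Identity, r Resource) bool {
		return r.Kind == "order" && hasRole(id, "support")
	}},
	{"finance-refunds-eu-orders", "refund", func(id Identity, r Resource) bool {
		return r.Kind == "order" && id.Department == "finance" && r.Region == "EU"
	}},
}

func hasRole(id Identity, role string) bool {
	for _, r := range id.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// Decide is the decision point: default deny, permit on the first matching rule.
// The matched rule name is returned so the enforcement point can log the reason.
func Decide(id Identity, action string, res Resource) (allowed bool, rule string) {
	for _, r := range policy {
		if r.Action == action && r.Permit(id, res) {
			return true, r.Name
		}
	}
	return false, ""
}

// VerifyHS256 checks a compact JWS and returns the identity claims. The algorithm is
// pinned by the verifier; the token's own "alg" header is never consulted.
func VerifyHS256(token string, key []byte) (Identity, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Identity{}, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Identity{}, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Identity{}, err
	}
	var id Identity
	return id, json.Unmarshal(payload, &id)
}

// MintHS256 issues a token the way a test IDP would (constructed for the example only).
func MintHS256(id Identity, key []byte) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	claims, _ := json.Marshal(id)
	body := hdr + "." + base64.RawURLEncoding.EncodeToString(claims)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(body))
	return body + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Authorize is the reference monitor: it sits between the inbound request and the
// protected handler, establishes identity from the bearer JWT, gathers resource
// context, and forwards the request only on a permit decision.
func Authorize(key []byte, action string, lookup func(*http.Request) Resource, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, err := VerifyHS256(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "), key)
		if err != nil {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		allowed, rule := Decide(id, action, lookup(r))
		if !allowed {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		w.Header().Set("X-Policy-Rule", rule) // decision provenance for audit logs
		next.ServeHTTP(w, r)
	})
}

// Probe sends one signed request through the authorizer and returns the HTTP status.
func Probe(key []byte, id Identity, action string, res Resource) int {
	api := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	h := Authorize(key, action, func(*http.Request) Resource { return res }, api)
	req := httptest.NewRequest(http.MethodGet, "/orders/1", nil)
	req.Header.Set("Authorization", "Bearer "+MintHS256(id, key))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	key := []byte("constructed-demo-key")
	order := Resource{Kind: "order", Owner: "alice", Region: "EU"}
	fmt.Println(Probe(key, Identity{Subject: "alice"}, "read", order)) // owner: 200
	fmt.Println(Probe(key, Identity{Subject: "bob"}, "read", order))   // stranger: 403
}
```

Two design points carry over to a real deployment: the decision point returns the matching rule name so that the enforcement point can record why access was granted, and the token verifier pins the signing algorithm rather than reading it from the token, which keeps the identity context trustworthy before any policy logic runs.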
The Cyber Hut Comment
Authorization is a growing market with a number of new vendors entering the space over the past 36 months. Many organizations have invested heavily in authentication technology, ranging from basic MFA capabilities to complex SSO and session management that integrates with a range of on-premise and cloud resources.
However, it is authorization that is leading the way from an application security perspective, allowing organizations to externalize access control logic into centralized control planes that provide a foundation for repeatable system development and extensibility.
Aserto provides a range of developer-friendly components to help with both the definition of authorization logic via policy-as-code and the enforcement of that policy logic via authorizers.
- A range of developer components to assist in the creation of authorization logic via APIs
- A range of enforcement capabilities
- The ability to handle authorization logic via policy-as-code
- Based on the popular Open Policy Agent project
- Founders of the Open Policy Register project for the management and exchange of standardized policy artefacts