Styra, the team behind “Cloud Native Authorization”, recently announced a new feature called “Styra Run”. Their launch blog back in July described Run as being “a new holistic approach” to authorization. But what problem is Run trying to solve? Styra are behind the popular Open Policy Agent – a policy-driven decision engine for authorization in cloud native environments. Whilst OPA is likely focused on the protection of infrastructure (think containerized ecosystems), it is also used for protecting APIs and custom applications. The developer-first angle sees a dedicated rule language (Rego) and the storage of policy data in files. The OPA project on GitHub has over 7000 stars.
What’s the Problem Being Solved?
It seems OPA’s popularity has created a secondary mini-problem. Whilst OPA has allowed application owners and developers to essentially “outsource” their authorization controls from the asset being protected (i.e. the dreaded embedded and often hard-coded permission and subject relations), the developers now have to think about where to store that permission data. OPA is a decision engine, and whilst you can add persistent data to files that are read at access-request runtime alongside the policy, it seems more complex, production-ready systems will need access to a larger store of persistent permission data.
So the Styra launch blog describes Run as “…an application authorization service purpose-built for developers that combines streamlined OPA policy with a geographically distributed, horizontally scalable, highly-available data store.”
Another interesting aspect is the permission management part – associating users to groups or permissions. This is something that occurs daily as part of standard business-as-usual operational changes and should not be too tightly coupled to policy. Styra Run is also providing a GUI where these permission management tasks can be completed – and they leverage the word “embed”, which sounds like it can be deployed closer to where line managers, applications and other business leaders may be located to make those changes.
How is it Being Solved?
A cloud-based, globally replicated permissions management system that the popular OPA decision engine can leverage is the approach to this ever-growing permissions management problem. This storage system contains templates that allow for support of common permission models such as RBAC, ABAC, groups, SoD controls and hierarchy-based relationships. Another interesting aspect is the ability for Styra Run to respond to access requests at rapid speed – which is done by making sure the permissions service is zone co-located next to the assets needing the service.
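To make the separation described above concrete (the policy being the decision logic, the user-to-role and group-to-role relations being data that changes daily), here is an added example of the plain OPA pattern that Run is building on: a small RBAC-plus-groups policy in Rego with its permission data in a separate data.json. This is constructed illustration code, not Styra’s or the OPA project’s own; the package name, the data layout (user_roles, user_groups, group_roles, role_permissions) and the sample users are assumptions, and the policy assumes OPA 0.59 or later for the `import rego.v1` syntax.

```rego
# policy.rego (constructed example): decision logic only, no user or group assignments here.
package app.authz

import rego.v1

default allow := false

# Direct assignment: the user holds a role whose permissions cover the request.
allow if {
    some role in data.user_roles[input.user]
    permits(role, input.action, input.resource)
}

# Group membership: the user is in a group that holds the role. The group-to-role
# mapping lives in data too, so a line manager can change it without touching this policy.
allow if {
    some group in data.user_groups[input.user]
    some role in data.group_roles[group]
    permits(role, input.action, input.resource)
}

# True when the role carries an exact (action, resource) permission.
permits(role, action, resource) if {
    some perm in data.role_permissions[role]
    perm.action == action
    perm.resource == resource
}

# data.json (constructed sample; this is the "persistent permission data" the post refers to):
# {
#   "user_roles":  {"alice": ["editor"]},
#   "user_groups": {"bob": ["finance"]},
#   "group_roles": {"finance": ["viewer"]},
#   "role_permissions": {
#     "editor": [{"action": "read",  "resource": "invoices"},
#                {"action": "write", "resource": "invoices"}],
#     "viewer": [{"action": "read",  "resource": "invoices"}]
#   }
# }
#
# input.json (constructed): {"user": "bob", "action": "write", "resource": "invoices"}
#
# Evaluate with policy and data loaded as separate files:
#   opa eval -d policy.rego -d data.json -i input.json --format pretty 'data.app.authz.allow'
```

Bob only reaches the viewer role through the finance group, so the write request above is denied, while the same request for alice is allowed through her direct editor role. Note that everything a business user would change day to day sits in data.json, which is exactly the file that becomes awkward to manage, replicate and keep close to the protected service once there are many OPA instances and many thousands of subjects; that is the gap the post describes Run’s distributed data store as addressing.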
Styra is chasing down the 109 million OPA instances that have been launched since the project went live – providing a range of productionization capabilities such as the DAS (Declarative Authorization Service) and now Run. Authorization is in huge demand from a range of existing and new assets such as infrastructure services, microservices, generic APIs, PII systems and consumer identity platforms. Many will have large, complex and embedded permissions stores that need to be externalised, streamlined and managed – and made accessible at speed to a distributed set of services.
Styra Run is currently in beta at the time of writing.
About the Author
Simon Moffatt is Founder & Analyst at The Cyber Hut. He is a published author with over 20 years experience within the cyber and identity and access management sectors. His most recent book, “Consumer Identity & Access Management: Design Fundamentals”, is available on Amazon. He has a Post Graduate Diploma in Information Security, is a Fellow of the Chartered Institute of Information Security and is a CISSP, CCSP, CEH and CISA. His 2022 research diary focuses upon “Next Generation Authorization Technology” and “Identity for The Hybrid Cloud”.