Cerbos Managed Authorization Service Leverages Wasm
Cerbos today at the KubeCon + CloudNativeCon conference announced that a managed service based on open source authorization software is now available in beta.
Previously known as Cerbos Cloud, the rechristened Cerbos Hub is based on Cerbos Policy Decision Point (PDP) software, formerly known as Cerbos, that makes use of the portable WebAssembly (Wasm) binary instruction format to enforce authorization policies.
Cerbos CEO Emre Baran said the Cerbos Hub service coordinates the rollout of changes to all the deployed Policy Decision Points to ensure the right level of access is provided at scale to any given service as part of a zero-trust initiative. That stateless approach also makes it possible for the service to dynamically scale as authorization logic complexity grows, he added.
The overall goal is to reduce the cognitive load otherwise required to enforce and update those policies without having to constantly rewrite code, said Baran.
Cerbos also provides access to a collaborative policy playground to enable IT teams to iterate policies, collect feedback and evaluate test suites directly from within their browser.
In addition, a continuous integration (CI) pipeline simplifies policy testing and distribution using a GitHub repository.
More organizations than ever are moving toward managing authorization as code as part of a larger effort to reduce reliance on usernames and passwords that are easily compromised. The challenge has been finding a way to manage all the code required to achieve that goal. Cerbos is now making a case for a managed service that reduces the cognitive load on development teams that would otherwise be required, said Baran.
It’s still early days as far as Wasm adoption is concerned, but the potential impact on applications and services that need to be deployed across a heterogeneous IT environment is likely to be profound. Wasm enables setup of memory-safe, sandboxed execution environments. The World Wide Web Consortium (W3C) drove the development of Wasm as part of an effort to create a common format for browsers executing JavaScript code. Wasm is now being extended beyond browsers and JavaScript to enable developers to create a set of universal binaries that could work on any platform without modification.
That approach, in essence, replaces the current predominant method for building software, which relies on the aggregation of software components that tend to lack distinct boundaries between them. One of the issues with that method is that it becomes relatively simple for malware to infect all the components of an application. Wasm, in effect, isolates code in a sandbox environment to prevent malware from moving laterally: a Wasm module can only touch its own linear memory and the host functions explicitly imported into it, so a compromised module cannot reach the rest of the application unless the host chose to expose it.
It’s not clear whether ongoing cybersecurity concerns will accelerate the adoption of Wasm, but it’s apparent that as software becomes more secure, the amount of pressure on cybersecurity teams should decline. Most of the initial instances of Wasm will find their way into the enterprise via platforms such as Cerbos, but in time, developers will incorporate Wasm into custom applications.
In the meantime, it’s only a matter of time before implementing cybersecurity controls as code becomes a requirement in an era where legacy approaches to authorizing access are no longer viable.