Last week, Amazon announced the general availability of AWS Verified Permissions (AVP), an “authorization-as-a-service” offering to bring granular authorization control to apps deployed on the AWS platform. Built on the Cedar policy language, AVP demonstrates Amazon’s recognition that granular authorization capabilities will become standard for tomorrow’s apps as we move into the “Beyond IAM” era. Welcome to the party!
Going forward, any app that touches sensitive data in the cloud will have a Zero Trust mandate. For apps to support the Zero Trust framework, developers must architect least privilege access in from the start – trying to incorporate least privilege tools after-the-fact simply won’t work. That means that broad “off-the-rack” roles are out, and granular authorization at the resource level is in. In other words, access controls for tomorrow’s apps are likely to look more like AWS IAM and less like “user/editor/admin”. If AVP fulfills its promise, building applications with robust authorization controls will become faster and easier, and that’s a good thing.
But the ability to grant granular permissions only delivers one piece of the puzzle. AVP—by itself—doesn’t address the broader identity security challenge that customers face: managing thousands or millions of distinct permissions, users, groups, and roles across all their apps and data systems in a hybrid cloud world. That’s the real customer pain point, as they all embrace the reality of leading their organizations towards least privilege, securing access to data and apps everywhere, modernizing identity for the multi-cloud era, and driving efficiency, with manual and labor-intensive identity access and privilege access requirements.
But first, let’s take a high-level look at how AVP works.
A familiar framework
With AWS Verified Permissions, app developers have a standardized method for creating custom authorization controls, linking individual identities, or access groups, to individual data resources. In its basic form, an AWS Verified Permissions policy statement either permits or denies a principal (an identity, group, or role), to perform a specific action (create, read, update, delete), on a specific resource (like a file or folder). An example of a policy statement might look like: permit( principal == User::”alice”, action == Action::”update”, resource == Photo::”VacationPhoto94.jpg” );
If this looks familiar to you, maybe you’ve been paying attention to Veza, the identity security platform we built to help you understand “who can and should take what action on what data.” Our founders started Veza to fill the immediate need for organizations to secure their data from ransomware, credential theft and privilege abuse, and insider attacks. The advent of increasingly granular authorization controls in cloud IAM, coupled with an explosion in the number of systems, resources (apps, data systems, infra services, cloud services) and identities to manage, was rapidly overwhelming the capacity of legacy systems to manage. As more apps adopt granular authorization standards like AVP, the need for a corresponding security and compliance architecture that can handle the scale becomes more imperative.
More permissions, more complexity
As app developers begin to take advantage of AWS Verified Permissions, more apps will offer fine-grained control over user permissions. However, organizations can’t take full advantage of the ability to control authorization at the resource level if they don’t have a corresponding visibility into the permissions of users across all their apps and data systems.
Think about it: the more granular and detailed the access controls for an app are, the more potential permission decisions your IAM, Security Operations, Security Engineering, and GRC teams need to be able to manage. Veza already manages over 200 million permissions for our current customers, and as granular authorization becomes a standard across all apps, that number is only going to grow more rapidly. If any user can potentially be authorized to perform any action, on any resource, across all your apps and data systems, how can you expect to keep on top of who can do what?
While AVP—alongside other frameworks like Open Policy Agent—allows developers to speed up the creation of apps with native permission structures, organizations that use those apps still face the challenge of integrating them into their security and compliance workflows, alongside all of the existing authorization frameworks their cloud providers, data warehouses and SaaS apps already use. Seen this way, AVP only adds to the tangled mix of RBAC, ABAC, PBAC, ACL, IAM and other acronyms you’re already struggling to manage.
The solution: Privilege Automation
When adopting apps with the granular control that frameworks like AWS Verified Permissions provide, organizations must find new and better ways to manage and optimize the millions of potential identity access decisions. Problems at this scale cannot be tackled manually. To solve for identity security, and actually achieve the potential of least privilege that these new frameworks promise, you need:
- One platform to manage the access of identities across your whole enterprise stack: cloud infrastructure, data warehouses, on-premise systems and SaaS apps.
- A unified human-readable language that translates system-specific permission jargon into terms that everyone can understand: the effective permissions of users to data: create, read, update, and delete.
- Automated monitoring and remediation to constantly watch out for excess privilege, toxic privilege combinations (e.g. Separation of Duties violations), and misconfigurations.
- The ability to automatically compile, assign, and implement access reviews and certifications across teams with IAM, app owners, and data owners.
AVP is going to accelerate the proliferation of apps with sophisticated, bespoke access models (e.g. RBAC, ABAC), but enterprises still must understand and manage the real world impact of the policies defined in those models – the exact challenge that Vezas solves. Built for the cloud, on a powerful graph-based architecture, Veza’s Authorization Platform is the identity security solution that can help organizations address access review automation, privileged access monitoring, SaaS access security, and cloud access management at the scale required by modern organizations.
To learn more about how Veza can help you tackle the increasing demands of managing authorization across all of your apps and data, schedule a demo today.
