Most developers end up building authorization or access-control for their products multiple times - forced to refactor with new customer, product, or security demands coming in. To make our lives a little easier, let's go over the unique challenges that building cloud-native permissions poses before us and cover the five best practices for building them that can save you a lot of hassle.
Things Have Changed
We used to build authorization by using monolithic frameworks like Django or Spring that came with authorization or access-control baked-in, but these are no longer applicable when we create applications in the cloud-native space. There are a few reasons for that - Firstly, applications themselves are no longer monoliths - they're based on microservices and are becoming highly distributed. This becomes even more critical when you need to incorporate devices or instances that are deployed at the edge, which often need access control too. Second, cloud-native applications tend to require the integration of third-party services (Such as billing, authentication, databases, analytics, etc.) and the ability to control access to them in addition to your own application's microservices. Third, more dynamic and distributed applications require us to use a bunch of different authorization models (e.g., RBAC, ReBAC, ABAC) that are based on multiple data sources and increasingly complex rules. Lastly, security, privacy, and compliance demands are also rising (in the face of increasingly complex cyber threats) and becoming really complex. We find ourselves not only managing who should access the data but also how it is propagated between different services.