BingBang - Why Authentication is no Longer Enough
The recent #BingBang vulnerability discovered by the Wiz team proves once again how crucial implementing proper authorization is.
In today's digital age, cybersecurity has become a critical aspect of every organization's operations. With increasing cyber-attacks, companies must ensure that their systems are secure and protected from unauthorized access. Authentication has long been the foundation of cybersecurity, but it is no longer enough. Authorization is equally, and maybe even more, important. Keeping pace with the complexity of the software itself and the attacks against it requires an easy-to-use, accessible authorization mechanism that lets users manage policies and audit authorization logs.
The BingBang incident, in which security researchers from Wiz gained access to the back-office admin dashboard of the Bing search engine, is an excellent example of why authorization is critical. Although authentication was in place, authorization failed because of a wrong policy: being logged in was treated as being allowed in. This highlights the need for a robust authorization mechanism that complements authentication.
Policy As Code and Git-ops
One of the best ways to ensure that authorization is effective is by using policy as code. Policy as code involves writing policies in a machine-readable format and storing them in a version control system such as Git. This allows policies to be audited and reviewed, just like code. It also enables organizations to manage complex policies and make changes efficiently, reducing the risk of errors and inconsistencies.
Managing policies with Git-ops has several benefits. It provides a centralized location for managing policies, making it easy to track changes and maintain a history of modifications. It also enables organizations to define and enforce policies consistently across all their applications, reducing the risk of policy violations.
Audit logs and interfaces
In addition to policy as code, it is critical to have an audit trail of all authorization events. Audit logs provide an essential record of who accessed what and when, enabling organizations to detect and investigate any unauthorized access attempts. They also provide valuable insights into how policies are being used and can help identify areas where policies may need to be updated or improved.
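To make the two preceding sections concrete, here is an added example (not code from the original post, from Wiz, or from Permit.io) of a minimal policy-as-code evaluator: the policy is plain data that can be stored and reviewed in Git, every decision is appended to an audit trail, and a weak rule that treats "authenticated" as "authorized" is shown next to a corrected rule that also checks tenant, role and action. The policy shape, resource name and principal claims are constructed for illustration and are not the actual Bing configuration.

```python
# Added example: policy-as-code check plus audit trail (constructed data).
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Decision:
    allow: bool
    reason: str


@dataclass
class AuthzEngine:
    policy: dict                              # rules keyed by resource, stored in Git
    audit_log: list = field(default_factory=list)

    def check(self, principal: dict, action: str, resource: str) -> Decision:
        """Evaluate one access request and record who asked for what, and when."""
        rule = self.policy.get(resource)
        if rule is None:
            decision = Decision(False, "no rule for resource (default deny)")
        elif rule.get("allow_any_authenticated"):
            # Weak rule: any logged-in identity passes. Authentication alone.
            decision = Decision(True, "any authenticated principal allowed")
        elif principal.get("tenant") != rule["tenant"]:
            decision = Decision(False, "principal is from another tenant")
        elif not set(rule["roles"]) & set(principal.get("roles", [])):
            decision = Decision(False, "principal lacks required role")
        elif action not in rule["actions"]:
            decision = Decision(False, f"action {action!r} not permitted")
        else:
            decision = Decision(True, "rule matched")
        self.audit_log.append({            # audit trail: who, what, when, outcome
            "time": datetime.now(timezone.utc).isoformat(),
            "principal": principal["sub"],
            "action": action,
            "resource": resource,
            "allow": decision.allow,
            "reason": decision.reason,
        })
        return decision


# Weak policy: "authenticated" is treated as "authorized".
WEAK_POLICY = {"admin-dashboard": {"allow_any_authenticated": True}}
# Corrected policy: explicit tenant, role and action constraints.
STRICT_POLICY = {"admin-dashboard": {"tenant": "home-tenant",
                                     "roles": ["admin"],
                                     "actions": ["read", "write"]}}
# Constructed principal: a valid login from another tenant with no admin role.
OUTSIDER = {"sub": "user@other-tenant.example", "tenant": "other-tenant", "roles": ["user"]}
```

Every denied request still lands in `audit_log`, which is what lets a reviewer spot attempts like the outsider's before a policy bug turns into an incident.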
You’re not alone - OSS and SaaS
Just like authentication, encryption, or billing, authorization and permissions are crucial aspects of modern cybersecurity that organizations cannot afford to overlook. Building an effective authorization mechanism can be a complex and time-consuming process. Fortunately, several open-source projects and SaaS services are available that can help organizations implement authorization easily and effectively. Open-source projects such as Open Policy Agent (OPA) and Open Policy Administration Layer (OPAL) provide pre-built policy enforcement capabilities that can be integrated with existing systems. These tools enable organizations to define and manage policies consistently across all their applications while also providing audit capabilities.
Additionally, SaaS services like Permit.io (😅) offer an end-to-end solution for managing authorization and permissions. These services provide an easy-to-use interface for defining and enforcing policies, as well as audit logs for tracking all authorization events. By leveraging these tools and services, organizations can avoid the complexity of building their own authorization mechanism from scratch, freeing up time and resources to focus on other critical aspects of their business.
Authentication is no longer enough to ensure the security of an organization's systems. Authorization is equally important and must be complemented by an easy-to-use and accessible mechanism that allows users to manage policies and audit authorization logs. Using policy as code and Git-ops to manage complex policies and audit logs to track all authorization events is a winning combination that organizations can use to strengthen their security posture. By taking these steps, organizations can reduce the risk of cyber-attacks and protect their sensitive data from unauthorized access.
Fortunately, with the availability of open-source projects and SaaS services, building an effective authorization mechanism has never been easier. By leveraging these tools and services, organizations can implement authorization quickly, easily, and effectively, allowing them to focus on their core business objectives while keeping their systems and data secure.