In today's cloud-native world, managing permissions and access control has become a critical challenge for many organizations. As applications and microservices become more distributed, it's essential to ensure that only the right people and systems have access to the right resources. However, managing this complexity can be difficult, especially as teams and organizations grow. That's why the launch of Cedar, a new open-source project from AWS, is a tectonic shift in the IAM space, making it clear that the problem of in-app permissions has grown too big to ignore.
The problem of in-app permissions
Traditionally, organizations have relied on access control lists (ACLs) and role-based access control (RBAC) to manage permissions. However, as the number of resources and users grows, it becomes difficult to manage and scale these policies. This is where policy as code emerges as a de-facto standard. It enables developers to write policies as code, which can be versioned, tested, and deployed like any other code. This approach is more scalable, flexible, and auditable than traditional approaches.
The Advantages of Cedar
Aside from impressive performance, one of the most significant advantages of Cedar is its readability. The language is designed to be extremely readable, empowering even non-technical stakeholders to read it (if not write it) for auditing purposes. This is critical in today's world, where security and compliance are top priorities. Cedar policies are written in a declarative language, which means they can be easily understood and audited. Cedar also offers features like policy testing and simulation, which make it easier to ensure that policies are enforced correctly.
Polyglot Policy as Code
As developers, being polyglot is first nature, and as critical as using the right tool and language for each task. This is why Permit.io supports low-code / no-code interfaces that generate RBAC and attribute-based access control (ABAC) policy as code for you. Permit.io started by supporting Open Policy Agent (OPA)'s Rego, and now takes this a huge leap forward by supporting AWS' Cedar as well. Cedar is a wonderful language to learn, but with Permit's policy-editor you don't have to in order to get started, or to enjoy the benefits of the engine and framework itself.
Announcing Permit.io's new OSS: Cedar-Agent
Permit.io is proud to be the first to support AWS' Cedar, providing access to it as a SaaS service even before AWS itself, as well as via OPAL its open-source project. A key enabler for this, is a companion open-source project to Cedar: Cedar agent. Cedar-agent, an OSS project from Permit.io - provides the ability to run Cedar as a standalone agent (Similar to how one would use OPA) which can then be powered by OPAL. Cedar agent is the easiest way to deploy and run Cedar
OPAL - bridging the IAM permissions space
Permit.io's open-source project OPAL, the Open Policy Administration Layer, is a bridging component that creates a standard across the IAM space to consume and use policy as code. OPAL makes sure that agents like OPA, AVP (Amazon Verified Permissions), and Cedar-Agent are loaded with the policy and data they need in real-time. This ensures that policies are enforced consistently across different tools and systems.
The expanding OPAL ecosystem
As the OPAL ecosystem expands to support more and more use cases, it produces standards and best practices for everyone to use. This means that developers can use OPAL to write policies once and deploy them across different tools and systems. This reduces the cognitive load on developers and makes it easier to manage permissions at scale.
The launch of AWS' Cedar is a tectonic shift in the IAM space. It's clear that the problem of in-app permissions has grown too big to ignore. Policy as code has emerged as a de-facto standard, and tools like OPAL and Permit.io are making it easier for developers to write and manage policies at scale. Cedar's readability and testing features make it an attractive choice for many organizations looking to manage permissions in a scalable, auditable, and flexible way. And Cedar-agent becomes the easiest way to utilize Cedar, as well as connecting it to OPAL. As the OPAL ecosystem continues to expand, it's likely that we'll see more tools and systems adopting policy as code as the preferred approach to manage permissions and access control.
This article was originally published on TheNewStack