Authorization is a crucial pain point software developers inevitably encounter when designing software. As much as it needs to be custom to every application, it also needs to be easily scalable and secure. For the uninitiated, authorization is the mechanism for checking what a user is allowed to do — anything from the pages you’re allowed to see, to the data that you are allowed interact with. Without proper authorization, an application can become vulnerable to unauthorized access, data breaches, and other security threats. Typically, stateful authorization, a system where permissions are granted based on stored information about a user's past actions or status, is utilized by development teams. These are often built by hand, ad-hoc and don’t take into account future scalability. Stateless security Yet as the number of application users balloons, the possibility of state desynchronization increases. That could result in possible leaks of sensitive information, users denied access or access enabled based on incorrect data. This is where stateless authorization comes into play. Companies like Cerbos provide an API for an authorization layer that relies on contextual information in a user request and is self-contained; meaning that any server can process them without drawing on stored user and application data. That makes it not only secure but also scalable, increasing application performance across the board. That’s what staff engineer at youth culture ecommerce platform NTWRK Steve High found when he opted for Cerbos, commenting that “if you imagine 10,000 people trying to buy the same instance of a physical product on our platform at the same time, that's what we have to deal with. Using Cerbos as a sidecar, we’ve been able to get permissions-checking latency down to microseconds… in turn, NTWRK is able to provide a great user experience to our customers, both internal and external.” In stateless authorization, each request is evaluated independently without having to interact with a database, bumping up performance in applications. No longer bogged down by expensive database queries, stateless authorization can handle large volumes of requests, making it ideal for high-traffic applications like NTWRK where the speed of response time could be a deciding factor as to whether the user stays or goes with a competitor. Unlocking flexibility As any startup founder knows, flexibility is key in scaling a business and, with stateless authorization, policies can be easily changed and updated. With requests now relying on context to make a decision on user access, policy modifications can be made that do not invalidate existing sessions. This makes it ideal for companies building in dynamic and fast-changing industries such as fintech, SaaS and ecommerce. For B2B fintech platform Loop, which aims to streamline the financial operation of businesses, flexibility in authorization processes is of particular importance as it deals with financial transactions. “Unless there's a change in customer requirements, or our internal requirements, in which we say that, we need to allow this person to do this — we just need to tweak some policies and deploy it,” says CTO Mohsin Kalam after implementing Cerbos’ stateless authorization, “And it hardly requires a core application code change on our end. We just deploy it and push the policies to the server and everything just works out of the box.” If authorization isn’t built in keeping with the demands of a rapidly-changing startup, it can be a headache for the developer teams. As highlighted by both NTWRK and Loop, stateless authorization offers a lightweight, scalable and flexible approach to controlling access — it’s time that the industry caught onto that. Authorization is a crucial pain point software developers inevitably encounter when designing software. As much as it needs to be custom to every application, it also needs to be easily scalable and secure. For the uninitiated, authorization is the mechanism for checking what a user is allowed to do — anything from the pages you’re allowed to see, to the data that you are allowed interact with. Without proper authorization, an application can become vulnerable to unauthorized access, data breaches, and other security threats. security threats. Typically, stateful authorization, a system where permissions are granted based on stored information about a user's past actions or status, is utilized by development teams. These are often built by hand, ad-hoc and don’t take into account future scalability. Stateless security Stateless security Yet as the number of application users balloons, the possibility of state desynchronization increases. That could result in possible leaks of sensitive information, users denied access or access enabled based on incorrect data. This is where stateless authorization comes into play. Companies like Cerbos provide an API for an authorization layer that relies on contextual information in a user request and is self-contained; meaning that any server can process them without drawing on stored user and application data. That makes it not only secure but also scalable, increasing application performance across the board. stateless authorization That’s what staff engineer at youth culture ecommerce platform NTWRK Steve High found when he opted for Cerbos, commenting that “if you imagine 10,000 people trying to buy the same instance of a physical product on our platform at the same time, that's what we have to deal with. Using Cerbos as a sidecar, we’ve been able to get permissions-checking latency down to microseconds… in turn, NTWRK is able to provide a great user experience to our customers, both internal and external.” NTWRK Steve High In stateless authorization, each request is evaluated independently without having to interact with a database, bumping up performance in applications. No longer bogged down by expensive database queries, stateless authorization can handle large volumes of requests, making it ideal for high-traffic applications like NTWRK where the speed of response time could be a deciding factor as to whether the user stays or goes with a competitor. ideal for high-traffic applications Unlocking flexibility Unlocking flexibility As any startup founder knows, flexibility is key in scaling a business and, with stateless authorization, policies can be easily changed and updated. With requests now relying on context to make a decision on user access, policy modifications can be made that do not invalidate existing sessions. This makes it ideal for companies building in dynamic and fast-changing industries such as fintech, SaaS and ecommerce. For B2B fintech platform Loop , which aims to streamline the financial operation of businesses, flexibility in authorization processes is of particular importance as it deals with financial transactions. Loop “Unless there's a change in customer requirements, or our internal requirements, in which we say that, we need to allow this person to do this — we just need to tweak some policies and deploy it,” says CTO Mohsin Kalam after implementing Cerbos’ stateless authorization, “And it hardly requires a core application code change on our end. We just deploy it and push the policies to the server and everything just works out of the box.” If authorization isn’t built in keeping with the demands of a rapidly-changing startup, it can be a headache for the developer teams. As highlighted by both NTWRK and Loop, stateless authorization offers a lightweight, scalable and flexible approach to controlling access — it’s time that the industry caught onto that.

This writer has a vested interest be it monetary, business, or otherwise, with 1 or more of the products or companies mentioned within.

Are You Empowering Your Development Team Enough? 

The Role of Identity and Access Management in The Security of Your Business

The Future is Stateless: It’s Time To Ensure Your Security Is As Scalable as Your Business

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Are You Empowering Your Development Team Enough?

2023 Demonstrated How Critical Robust Authorization Really is

161 Stories To Learn About Authentication

A Deep Dive Into the JavaScript Some() Method

A Quick Guide to JSON Web Token [JWT]

The Rise of DID Authorization Mechanism in Client-Server Model

Are You Empowering Your Development Team Enough?

2023 Demonstrated How Critical Robust Authorization Really is

161 Stories To Learn About Authentication

A Deep Dive Into the JavaScript Some() Method

A Quick Guide to JSON Web Token [JWT]

The Rise of DID Authorization Mechanism in Client-Server Model

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps