Virtualization Technology News and Information
VMblog Expert Interview: Permit.io Explores Permissions, Low Code and Its New Attribute Based Access Controls (ABAC)

Permit.io helps companies manage permissions in the cloud at scale with low code. VMblog recently caught up with Or Weis, CEO & Co-Founder of Permit.io, to find out more about the company and its recently announced Attribute Based Access Controls (ABAC).

VMblog:  Some of my readers will already be familiar with Permit - but can you give a quick reminder of what you are all about and the main problem you are solving?

Or Weis:  Permit.io is built to address a persistent issue with access control that developers across industries face - namely, the need to continually build and rebuild permissions/access controls into their products as company needs change and evolve.

Throughout my career, I have personally experienced this pain multiple times while working on previous ventures - I ended up rebuilding access-control thousands of times. Recognizing how ridiculous this is, my co-founder and I set out to produce a developer-friendly solution that lets you build permissions once without having to rebuild them ever again. 

In addition, Permit makes it easier for other stakeholders, such as Product Managers and Security Engineers, to set and update permissions without requiring additional development work. By offering No Code and Low Code interfaces, we make this as easy as checking a box, then connect the result as policy-as-code to be managed in Git.

We've found that this problem is particularly severe in highly regulated and sensitive industries such as FinTech, Healthcare, and Insurance. For that reason, Permit and its powering OSS (OPAL) have been built with data security, privacy, and resilience in mind.

VMblog:  The rise of cloud and microservices has made managing all of this even more complex. Today you are announcing Attribute Based Access Controls (ABAC) - can you explain how this will help developers and organizations more broadly?

 

Weis:  Permit's low-code ABAC (Attribute Based Access Control) allows organizations to harness the power of complex attribute-based policy with ease for the first time and scale seamlessly from RBAC (Role Based Access Control) to ABAC as the need arises. 

For example, with ABAC, you can easily manage complex attributes such as location, billing status, usage quotas, and much more - support policies like these are becoming more common, yet RBAC does not cover them.

In the absence of Permit's ABAC solution, once the need to move from RBAC to ABAC arises, developers would have to rebuild their entire permission layer from scratch or use a non-scalable, unwieldy, "hacky" solution until such an upgrade could be prioritized.

Permit allows developers to start with RBAC, and seamlessly add ABAC conditions as needed. Furthermore, it allows other stakeholders, like Product Managers and Security Engineers, to maintain their familiar low code/no code interfaces without having to develop anything new.

VMblog:  How do you recommend a company evaluate whether to use something like Permit or just build access controls themselves?

Weis:  It's all a question of priorities and effort. Building permissions is a journey - you should understand you will be coming back to this challenge - it's never done, but the amount of effort you want to put into it at any point should be up to you. I, for one, am in favor of minimizing costs.

That said, access control is pretty much like cryptography and security: unless you're an expert, you really shouldn't roll your own. And if you decide to do so, I'd recommend sticking to the best practices and using open source tools (like OPAL) in order to avoid making critical mistakes or causing security incidents you might regret later.

VMblog:  Your website focuses quite a bit on low code. Do you feel like this will be a trend in security the way it's been with development?

Weis:  For sure. More than just for development, it's something that will permeate the entire space - whether we realize it or not, we are all becoming software developers. As software consumes the world, we all have to work with it.

The greater the complexity, the greater the need to simplify it and make it approachable. Permissions is a space where all stakeholders (dev, ops, product, sec, compliance, support, ...) need to chime in. We believe this should be done with tools that are, on one hand, easy to use and, on the other hand, enable best practices such as policy-as-code.

##

Published Thursday, September 29, 2022 9:01 AM by David Marshall