Access control: Cerbos brings open source to user permission software

Let the OSS Enterprise newsletter guide your open source journey! Sign up here.

A new company is setting out to streamline how software developers and engineers manage user permissions in their software, while also addressing the myriad access control compliance requirements driven by regulations and standards such as GDPR and ISO-27001.

Cerbos is applying a self-hosted, open source approach to the user permissions problem, one that works across languages and frameworks — and crucially, one that gives companies full visibility into how it’s handling user data.

To help build out its team and develop a commercial product on top of the open source platform, Cerbos today announced it has raised $3.5 million in a seed round of funding led by London-based VC firm Crane.

IAM what I am

It has been a bumper year in the identify and access management (IAM) realm, with Okta snapping up Auth0 for a cool $6.5 billion, One Identity buying rival OneLogin, and countless venture capital (VC) investments thrown into the identity management space. IAM, for the uninitiated, is chiefly concerned with authenticating and authorizing people, and controlling how, where, and when thy can access specific systems and applications.

At a time when every company is effectively a software company, managing user permissions becomes integral. Different users will often require different access rights based on their role and department, and companies need the infrastructure that enables their software to do this without having to create it all from scratch. For example, financial software might need to offer user permission functionality, so some employees can only submit expense reports, while others will be able to “approve” the expenses or mark them as “paid.” These various permissions might vary by team, department, and geographic location — and companies need to be able to set their own user permission rules.

This essentially is where Cerbos enters the mix — it is the “AM” in “IAM,” allowing developers to implement access management in their own applications without having to reinvent the wheel. “We don’t try to handle the ‘I’ part, because it’s practically a solved problem,” Cerbos cofounder and CEO Emre Baran told VentureBeat.

Above: Where Cerbos sits in the stack

Cerbos would typically be used in tandem with one of the many identity authentication solutions out there, such as Google’s Firebase, Microsoft’s Active Directory (AD), Auth0, and WorkOS. The step that follows authentication — authorizing identity and applying specific permissions — also has options, such as Open Policy Agent, Casbin, and CanCanCan, but these are somewhat “more limited,” according to Baran.

“There are many libraries and frameworks that developers can take, enhance, and build into their product for authorization,” he said. “However, they are all focused on specific programming languages or frameworks and usually implement authorization for a single, monolithic application and don’t cater for the business users to define permissions in a human readable way.”

This is particularly important as companies move away from monoliths toward microservices — that is, software built from smaller, function-based components.

“Being able to share your authorization logic across multiple different services — usually developed by different teams and potentially in different programming languages — and instantly update that logic across the board, without having to redeploy all of those services, is very powerful,” Baran added. “That’s what Cerbos provides.”

Baran is an ex-Googler who went on to found an ecommerce personalization technology company called Qubit, which was acquired by Coveo just last month. He launched Cerbos back in March alongside software engineer Charith Ellawala, who previously worked at various tech companies such as Ocado, Qubit, and Elastic. It was at Qubit where the duo encountered the problem that they are now trying to fix with Cerbos — every time a company builds a new piece of software, engineers have to develop the user permissions infrastructure from scratch.

“This is particularly true in large enterprises, where different departments or teams need to use the same software platform for distinctly different functions,” Baran explained. “It is a time-consuming and cost-inefficient way of working. We’re enabling companies to be more compliant, and making higher quality security available to every developer.”

Open for business

That Cerbos is open source will likely be central to its appeal, particularly at a time when companies need to treat their users’ data with kid gloves to cater to a growing array of privacy regulations. Being open source allows companies to inspect their source code and contribute new code themselves, while as a self-hosted solution it means that they don’t have to transfer data to third-party infrastructure. Visibility and auditability is the name of the game here.

“You know exactly what you are running in your system, and how it handles your data,” Baran said. “You also get to benefit from the community — the product is constantly improved and tested by people who are passionate about the problem. And even if the company [i.e. Cerbos] discontinues working on the product, you still have access to the source code and can continue to make use of it and improve it if it’s critical to your business.”

Much like companies usually don’t built their own databases from scratch, choosing an off-the-shelf solution instead, Baran sees Cerbos fulfilling a similar role for user permissions — and so its target customer size is really anything from small startups to billion-dollar companies. However, it’s worth noting that user permission requirements tend to get more complex the bigger a company gets, which positions Cerbos strongly for the enterprise segment.

“One thing they all have in common is that they all recognize that building permissions software is not their core business and they would rather implement an off-the-shelf, state-of-the-art solution than build it themselves,” Baran said. “We believe in a world where time isn’t wasted re-inventing the wheel — in that world, our mission is to make authorization a trusted ‘plug-and-play’ solution.”

For now, Cerbos is available in a pure open source incarnation, allowing any developer to leverage as they see fit. However, the company is also working on various premium offerings, which will include a fully-managed version replete with graphical user interface (GUI) for managing permissions and roles. Additionally, Cerbos will offer tools for auditing, monitoring, and analysis, alongside features for chief information and security officers such as “predictive unauthorized access prevention” smarts.

Cerbos’s two founders are based in London, though as with most young startups these days, the company has adopted a globally distributed approach to its hiring, with seven employees spread across the U.K., New Zealand, Turkey, and Spain.

In addition to lead backer Crane, Cerbos attracted a slew of institutional investors for its seed round of funding, including OSS Capital, Seedcamp, Earlybird Digital East, 8-Bit Capital, Connect Ventures, Acequia Capital, HelloWorld, Tiny, and a host of angel investors.