How can we protect our users data with appropriate access control mechanisms?

Broken access controls still top the OWASP top 10 list of security issues. Its 2024, surely our software engineers have figured out a way to solve this by now? As it turns out, building a scalable and secure authorization system is a difficult problem to solve. Increasingly our systems are becoming larger and more complex. So, how can we put appropriate access controls in place to secure our companies data?

Spike squad assisted the replacement of a permissions system for a communities-based social media platform. What sounded like a simple job on paper quickly turned into an authorization nightmare. Communities in the application supported several levels of visibility. When combined with different levels of membership this resulted in a combinatorial explosion of roles that wasn't solvable with a typical role-based access control system.

The client quickly realised that failure to address this challenge could result in a security issue down the line. Primarily they wanted a secure permissions service to power their community's platform. But they also wanted something that was maintainable in the long run, adaptable to change, and importantly was scalable enough to reach their growth targets.

After a 2-week PoC, Spike Squad was able to identify a solution based on an open-source relationship-based access control system. By leveraging open-source, the team were able to focus their efforts on working directly with the client to model their existing platform within the new solution. Not only this, but the team identified and unlocked opportunities that were previously unattainable in the existing solution such as temporary (time-based) permissions, public resources, user-bans, and IP allow-listing.

Whilst the team was satisfied the proposed solution would meet their permissions needs, crucial questions remained on whether it would scale to meet their growth demands. A round of load-testing later and they were able to produce a recommendation for the infrastructure that would be needed to support their current and target user base. Not only did the team deliver a scalable, secure, and flexible permission system but by embracing modern open-source tooling they empowered the client to make security decisions that aligned to their business needs instead of the other way round.

Why the Business loved it

• 'Future-proof' solution designed to grow with the rest of their product.
• Iterative relationship with Spike Squad that grew alongside their needs.
• Security assurance!

Why the Engineers loved it

• An extensible solution ensures future functionality will only require minor tweaks to secure
• Working with open-source brings with it a large amount of community support and frequent updates
• Decoupling the permissions service as its own microservice reduces bandwidth on the core application