Why you need to think about both your security and your users when implementing authorization

Published by Alex Olivier on December 10, 2023
Why you need to think about both your security and your users when implementing authorization

In my professional journey across various industries, I've come to appreciate the importance of a finely tuned authorization system, especially as it intersects with cybersecurity needs. It's essential not just for safeguarding but for seamlessly tailoring permissions to suit both your internal team and the broader user base. In the complex landscape of global markets and regulatory rules like GDPR and CCPA, a well-crafted authorization framework is not just a mechanism of defense but a strategic tool integral to your product, shaping the user journey while respecting the intricate web of data security laws.

How can you balance security and user experience in an authorization system?

One of the critical aspects of a robust authorization system is its ability to cater to the diverse needs of enterprise customers. Often, enterprises face the challenge of fitting a large number of employees into limited roles, leading to inefficiencies. I recall working with a big box retailer and an airline, each with tens of thousands of employees, struggling with a rudimentary permission system. This experience highlighted the importance of designing an authorization system that mirrors an organization's structure, encompassing teams, groups, and geographic locations.

A well-implemented system also provides comprehensive audit logs for breach analysis and preventive measures alongside user-friendly role assignments and permission settings. This includes integrating these features into the application's admin panel to avoid external site redirections and ensuring users have clear paths to understand and request permissions.

Smooth integration of role-based permissions is crucial, as is self-service permission management within the application. Working with identity providers like Auth0, Okta, or cloud platforms such as AWS or Azure should facilitate easy management of user profile information within the application.

For new customer setups, using multiple admin accounts can ensure continuity. Additionally, embracing attribute-based control, which considers both the user's role and the context of access, leads to smarter authorization decisions.

Many businesses, especially those early in their maturity curve, may not have a full understanding of their current or future authorization requirements. They might initially opt for simple rule sets, only to find these inadequate as their user base grows and diversifies. Hence, it’s crucial to have a forward-thinking approach, anticipating future needs based on the company's trajectory and potential regulatory requirements.

The role of trust in customer experience

Sometimes, it’s not a trade-off between security and the user journey. In my experience, security measures significantly impact customer trust, which translates to business success. Although security might not be the top feature customers seek when evaluating services or applications, demonstrating that your solution can handle complex requirements, especially in user permissions, is crucial for winning deals and ensuring success. Strong security measures, including robust authorization systems and single sign-on capabilities, are vital. The ability to enforce data locality rules based on user or business location is also increasingly important, often being a critical part of an RFP checklist.

The security tech stack

Building a tech stack requires understanding the roles of authentication, authorization, and identity providers. Using proven solutions like Auth0 or AWS Cognito for authentication is advisable. These tools efficiently handle a critical component of authorization. Role management and the persistence of directory-type information, such as ownership and role assignments, are another vital component of the security stack, effectively managed by solutions like Azure AD, Cognito or traditional tools like Active Directory and LDAP servers.

Once identity and authentication are established, focus on authorization. Select an authorization solution that leverages the context provided by the authentication and identity layers for informed decisions. Effective stacks typically consist of an authentication provider, a directory system, and a separate authorization component.

Architecting these as distinct components in your tech stack offers greater flexibility, scalability, and the ability to evolve over time. This modular approach also benefits the user experience, allowing more effective permission management by users.

The case for KPIs

In my various roles as a tech lead, KPIs and key metrics have always played a part in measuring the impact of authorization systems on user experience and security. Here are a few that you can use:

  • Mean Time to Detection (MTTD): Measures the speed of detecting security issues, with a lower MTTD indicating a more effective system.
  • Mean Time to Identification (MTTI): Times how quickly the cause of a security issue is pinpointed, reflecting security responsiveness.
  • Mean Time to Resolution (MTTR): Evaluates the time taken to resolve and rectify security issues, including preventive measures in authorization logic.
  • Audit Log Accessibility and Clarity: Checks how easily audit logs can be accessed and understood, which is essential for effective authorization systems.
  • Support Ticket Volume Related to Permissions: Tracks support tickets for access control issues, indicating user experience with the system.
  • Self-Service Accessibility: Measures the ability of users to manage their permissions independently, aiming to enhance experience and reduce support load.

These metrics provide a holistic view of an authorization system's balance between security and user experience, giving you actionable feedback to fine-tune the model and tweak that tech stack.

Offering personalized authorization without sacrificing security

Personalization in authorization should not compromise security. When users request custom permissions or roles, it's essential to ensure these align with fundamental security principles. A hybrid approach often works best, where ground truth rules are always in place, and a limited level of customization is allowed within a strict framework.

Using static authorization logic with dynamic user attributes and roles ensures consistent, testable policies. For example, roles with specific attributes can grant additional system features. This model balances personalization with control, maintaining the fundamental authorization logic unchanged while offering users a tailored experience.

Authorization is constantly changing; I’ve seen a notable shift towards front-end integration to boost efficiency and user experience. This involves embedding policy decision points in the client-side, while maintaining server-side checks for solid security. This approach not only improves scalability but also enhances the overall user experience, marking a shift towards a more distributed authorization method. Yet, the core objectives of authorization remain constant: aligning with your business goals. Embedding policy decision points on the client side, complemented by server-side checks, not only improves scalability but also enhances the overall user experience.

Crafting a robust authorization system that respects both the user journey and the stringent demands of cybersecurity needs to be a priority in your security architecture. We've seen how a finely-tuned authorization framework can be a strategic asset, enhancing user trust while maintaining compliance with global data security laws.

The key takeaway? Authorization systems must evolve to accommodate the dynamic needs of businesses and their users. Integrating self-service management, adopting a modular tech stack, and adhering to a hybrid approach for personalized permissions are pivotal steps. Employ KPIs to offer a quantitative lens to balance and refine these systems.

As we move forward, remember that your authorization system is a cornerstone of your business strategy. It's not about choosing between security and user experience; it's about harmonizing them. So, think strategically, embrace flexibility, and always anticipate future needs. Your commitment to this balance will not only safeguard your enterprise but also enhance the journey for every user who interacts with your product.


Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team