An Interview With Emre Baran
Hiya,
This is another in my series of interviews about the future of CIAM from experts in the space. CIAM isn’t just authentication, it’s also authorization, and I’m glad to have another interview with an expert in that space.
With over 20 years in tech, Emre co-founded Yonja.com, Turkey’s largest social network, was the CTO and led product development at Qubit, contributed to $1B+ in revenue at Google, and is now the CEO and co-founder of Cerbos. Emre is an expert in building and scaling B2B and B2C products.
I’m excited to hear Emre’s views on CIAM, identity, authorization and more.
Dan: What problems do you see customer identity and access management (CIAM) solving for your customers?
Emre: Cerbos solves the permissions headache: the AM (access management) part of CIAM. Most authentication providers assign a role to a user; however, the implementation of that role and enforcement of authorization need to be done by software developers. Making permissions secure, scalable, reliable and auditable is no easy feat. When done in-house, it takes a software development team of four anywhere between 3 months and a year.
Cerbos does not handle the I(dentity) of the IAM. Instead, it integrates with identity providers and uses the identity details and roles passed from the authentication provider in order to make access control decisions of what a user can and cannot do once they are logged in.
CIAM platforms mostly solve the first part of the puzzle, where Cerbos solves the latter challenge.
Dan: What are major challenges you see with CIAM (in the industry, in implementation, etc.)?
Emre: We are only at the beginning of deeper access management for CIAM. Currently, 99% of development is built in-house with custom code, which is error-prone, hard to maintain, and challenging to scale. When the tech debt of patching your old system gets too much, it leads to a major re-architecture.
That point of re-architecture and rebuild is when the biggest challenge occurs. Many developers still are not aware that authorization is now a solved challenge no matter what platform, framework and language you are using.
Dan: What excites you about the future of CIAM? Any predictions?
Emre: Security is a true horizontal that any application, regardless of its industry, needs. Authorization is an essential layer for all software.
As the space evolves, we will see broader adoption of externalized authorization solutions like Cerbos. Externalized authorization refers to separating your service's authorization routines from your main application code. This allows users to keep authorization logic separate from their application, making it more testable and easier to iterate upon in isolation. It also centralizes the implementation of authorization policies, ensuring all their services apply the same restrictions. Any new services they develop can reuse the externalized authorization component without duplicating its logic.
This isn't possible when authorization is tightly coupled to specific codebases.
We are shaping the future of software security. That excites me.
Thanks again to Emre for sharing his perspective, and thanks to you for reading!
Dan