Webinar Transcripts

How Amazon Verified Permissions fits into the Identity and Policy Orchestration landscape [webinar transcript]

On demand webinar: “How Amazon Verified Permissions fits into the Identity and Policy Orchestration landscape
Be ready for AWS’ newest Access Control product with Strata Identity.


[00:00:00] Mark Callahan: Welcome everybody. We’ll be getting started with our session in just a moment. Gonna give folks just a moment more to join us.

All right. Let’s get started. Thank you all for joining us today on our webinar, we are going to be talking about how Amazon Verified Permissions fits into the identity and policy orchestration landscape at large. And we’ve got some really interesting stuff to share with you all today. We’re excited to, to get going.

I’d like to introduce myself. My name’s Mark Callahan. I am the head of product marketing here at Strata Identity.

And joining me is Gerry Geble, our head of standards. Hi Gerry.

[00:01:10] Gerry Gebel: Hello, Mark.

[00:01:12] Mark Callahan: Let’s let’s go ahead and dig in. We got a lot of stuff to cover and excited to have this conversation with you as we think about Amazon Verified Permissions and what it means for us and others in the identity space.

So, as we look at our agenda, we’re gonna be covering three different topics today.

First and foremost is of course, what is Amazon Verified Permissions. We all learned about this for the first time in early December when the announcement was made at re:Invent and so you and I have been watching this really closely and digging into the public docs, and we’ve got a perspective that we’d love to share about, what we’ve learned from the documentation as shared by the Amazon team.

More importantly as it relates to today’s conversation. You and I in a group of other identity professionals have been on a working group where w for the last almost two years now, where we actually have been creating a new policy orchestration language, IDQL and the reference software for Hexa, which is now an open source project within the CNCF is a sandbox project.

The second part of our session is gonna be talking about how does IDQL and Hexa interact and relate to AVP.

And then the third part of our session we’ll be putting on our Strata hats and talking about how Strata’s core product, the Maverics’s Identity Orchestration platform can actually be used to extend somebody’s investment and resources and time and effort into AVP so that you can not only add AVP to existing applications, but also extend the policies that you create in AVP to other cloud platforms.

Lots to cover. Let’s just go ahead and dive into the first topic. So give us the overview. So as we think about what AVP is, what we’ve learned, what is at its core, Amazon Verified Permissions, and how does it relate to other systems that we’re familiar with?

[00:03:06] Gerry Gebel: Yeah, we’ll do Mark and I’m as excited as you are to talk about this topic today.

It seems like there’s a lot of investment and a lot of activity in the whole fine green authorization space these days, both from a commercial product perspective, which Amazon Verified Permissions is plus in the open source world. So as you mentioned previously, AVP as we’ll shorten it was announced at re:Invent last month.

So it is another fine grain authorization service or product that customers can use. And it’s separate from the Amazon IAM roles that they use in their platform and other parts of AWS right? So this is for developers. It’s targeted toward developers who are building custom applications so that they can have a system.

Access rules and policies are defined. And then there’s this runtime engine that does the evaluations of requests against those policies so that you can separate that security function from the logic of your business application. And then there’ll be a number of, there’d be libraries, for example, of how you can connect to Amazon Verified Permissions from a Lambda function or from other Amazon services, for example.

And then what’s interesting too that’s really core to what we’re doing with IDQL and Hexa is the fact that Amazon announced a new policy language associated with verified permiss. Which they call Cedar, like the tree. And so that’s really interesting and we’ll talk a little bit more about that.

So the other thing is that when you, when AVP is generally available today, it’s only in, in a preview mode you’ll be able to define policies either with their user interface with an API call, or as well with a command line interface. So there’ll be a number of ways , yeah. Author and maintain those those policies within Cedar.

And then, so your run, your runtime apps will be able to call this service, can Mark do this function and you’ll get back the, the classic permit or deny response from that. And then the other thing is, what’s really interesting about Verified Permissions and Cedar is that Amazon includes a built-in auditing capability so that you can analyze and report on.

The policies that have been written and that’s, somewhat unusual in the, the authorization product space.

[00:05:30] Mark Callahan: Absolutely. Pre pretty critical. And you and I were talking about, you said, it is in another authorization service and you and I have been talking when we were saw the original announcement, why another primary and authorization service, and there’s one of the answers right there, is that audit capability that’s gonna be so critical moving forward with custom apps.

[00:05:48] Gerry Gebel: That’s right. And when we think about other authorization products or services that are out there, we’re thinking of things like Open Policy Agent, OPA things that are based on the XACML standard, X A C M L. There’s even, systems based on the Google Zanzibar White paper that came out some time ago, and they’re of course our proprietary products for, for fine green authorization out there as well.

[00:06:11] Mark Callahan: Gotcha. Gotcha.

Okay. So that gives us the lay of the land, what we’ve learned that AVP is and how it functions and why it was. A little bit of information about how it, relates to those other authorization services that we’re all quite familiar with. So let’s talk about Cedar.

You mentioned Cedar, of course, like the trade. So we have a new language. And so as we’re thinking about Cedar, how does, what is it and how does it relate to, the work that we’ve done with IDQL? I know I crib a slide from the presentation at re:Invent setting the stage a little bit here as we think.

[00:06:43] Gerry Gebel: The other way to think about this is how does Cedar compare to other products that are out there that we mentioned? OPA, open policy agent, has its policy language called Rego, and XACML, the XACML standard has policy language in there. So you might be wondering why does Cedar exist?

Why did Amazon build Cedar anew? If you this clip here is from their presentation of the announcement at re:Invent, and what they explained was they looked at a number of existing languages and what they wanted to address were three main requirements.

One is the expressiveness of the language. The second is performance, and the third was that audit team function that I mentioned previously. So these were the reasons why they built Cedar the way they did. Does that make sense so far?

[00:07:35] Mark Callahan: Totally follow. Yeah, absolutely. And that was, as we were thinking around the whys and hows of where we created IDQL can definitely see, the parallel.

[00:07:46] Gerry Gebel: Absolutely. And furthermore, some of the parallels, Cedar is a tuple based language, with a subject, action, resource, and context. And, it’s a declarative language. It combines both a role-based as well as attribute based concepts.

And then when we look at Cedar I’m sorry. When we look at IDQL, we can see that IDQL is also a declarative language, and it’s also based on a tuple model in our case, a five, five tules, subject action, object, scope, and condition. But what’s different though is IDQL is not meant to be it’s not a, it’s not an authorization service, not some, not a runtime service.

We defined IDQL in a generic and declarative format so that it could be translated into the format of a target system in this case Amazon Verified Permissions and Cedar. So we, we don’t have a system that does the runtime evaluation or enforcement that’s totally done by the target system.

So we’re really a policy management service on the front end.

[00:08:54] Mark Callahan: And we saw in the notes that they a the Amazon team has actually even said that, right? That this how this is being structured. And so as we’re thinking about. Where is there interoperability?

That was our big thing that we set out to do. Like multi-cloud policy orchestration simply wasn’t possible until we worked on the IDQL effort and the initiative. And so as we’re thinking about interoperability, Cedar and AVP are obviously Amazon products, but as we think about the standard business, chances are they’re using multiple clouds. They’re using gcp, they’re using Azure as well, and they’re gonna be doing a lot of work with AVP and Cedar. And you’re thinking about, what is the interoperability with other clouds? And where does IDQL fit into that? And I grabbed our slide from the IDQL overview, how do we fit in here?

Yeah. This is just another

[00:09:40] Gerry Gebel: target system that we would support, if you go left to right here and, IDQL is the format that we were just talking about, so it’s a common way that enterprise customers can author and manage access policies and then using the Hexa open source.

Policy orchestration capability, that’s where we can connect to those target systems, do policy translation, and then orchestrate or activate the, the, to the translated policies into those runtime environments. Amazon Verified Permissions in Cedar will be, another one that we support in our growing list of supported target environments.

[00:10:19] Mark Callahan: Got it. Got it. And speaks to, of course, the fact that it, since it is a runtime system, that’s why the performance aspect of Cedar was so critical is that you couldn’t have any delays, you couldn’t introduce anything that, that causes latency in the authorization process for an app. And so very much following you through the process.

[00:10:36] Gerry Gebel: And also it just gives us a clean demarcation. We oper we’re, again, to be clear, we’re operating as a policy management or administrative function. Not, we’re not part of the runtime. Execution side.

[00:10:49] Mark Callahan: Sure. And, thinking about another reason, that we kicked off the IDQL and Hex initiative was the idea that there, there are a lot of these different protocols out there in, in different systems and trying to find that unicorn hire who’s an expert in every single one is getting increasingly difficult.

And the idea that you might be able to use IDQL and Hexa to become this universal translator of sorts across all those takes some of the stress out of that for businesses who are trying to find those, that single expert, you don’t need that.

[00:11:20] Gerry Gebel: You don’t need as many, it’s not yeah.

Just to be clear, it’s not like you would, we would be able to eliminate all of the expertise.

[00:11:26] Mark Callahan: You’re saying, I can’t do it myself, is what we’re getting there. Yes. my follow up? Yes.

[00:11:30] Gerry Gebel: That’s fair enough. But I would say you would need fewer experts in the individual target systems.

But you certainly need some of that expertise available. But then you have you can really leverage the capability of IDQL and Hexa and use that as a real leverage point to cover more systems and do it in a consistent.

[00:11:50] Mark Callahan: Gotcha. Gotcha. So this of course begs the question, everyone wants to see.

Okay, so I’ve heard the story. We’ve learned a little bit about AVP, we’ve learned about Cedar. We’ve seen the intersection of IDQL and Hexa with them. As we look towards a demo, let’s go ahead and throw caution to the wind and see if we can actually get one together. And I know in talking through the process, we wanted to show there, there was no smoke or mirrors here.

This is fully functioning prototype code. What what can we expect?

[00:12:19] Gerry Gebel: Yeah. Emphasis on prototype. As we mentioned the Cedar and policy language was just announced last month. So the crew here and a big shout out to Phil Hunt on the working group team here for putting together a prototype mapping capability.

So what you’ll see here in a moment is I’ll show you some IDQL. A simple IDQL example policy in JSON. We’ll put that through the Hexa mapper as we’re calling it at the moment. It’s a command line interface. I’ll copy that output, which will be a Cedar compliant policy.

And go to the Cedar Playground, which is publicly available right now, and we’ll paste that. That policy in there will do some evaluation tests. As you’ll see. We’ll make a change to the policy. Pull that from the playground go back into the Hexa command line interface and convert that changed Cedar policy into compliant IDQL. So we’ll do a round trip here if all things go well.

[00:13:24] Mark Callahan: I love it. And that’s, always important because you wanna make sure you can undo what you’ve done, but also that it goes both ways that, this isn’t just a one way function, that this works both ways.

, let’s go ahead and do it. Let’s jump into the demo. I’m gonna let you, you grab the screen here and walk us and the audience through what the demo looks like.

[00:13:41] Gerry Gebel: All right. And hopefully the demo demons will be kept at bay today.

[00:13:44] Mark Callahan: Yes. We always qualify it as a prototype.

And so we, yes, but nevertheless, we’re this, this’ll be great.

[00:13:49] Gerry Gebel: Yeah. So you’ll see most of the prototype action here in, in my terminal window. But ultimately we’ll add the functionality. The Hexa policy user interface that’ll render here in a moment. So this is where we connect to different cloud platforms and do discovery managed application policies, and then do orchestration between those systems.

And then we’ll als this is the Cedar Playground that I mentioned, and there will be a link in the reference list here at the end of the session as well. So this is where I’ll paste. Converted policy into this window, and we’ll do some testing with it. . So back to my terminal window here.

So I’ve got already in a file this basic IDQL policy it basically says that, and we’re doing a twist on the photo sharing app that’s already in the in the Cedar Playground. So what this policy says is that vacation photo judges can view any photos in the album of Alice’s vacation.

So that’s what we’re going to be doing.

[00:14:55] Mark Callahan: Okay.

[00:14:57] Gerry Gebel: So let’s get out of this and then what we do is, , I’ll get my right command here.

[00:15:09] Mark Callahan: And one thing I was gonna point out you mentioned the link to the Cedar playground will be at the end, we’ll also be sharing the Hexa link so you can get to the, that, that software as well.

So everything that you’re gonna be sharing so people can actually go out and experiment with themselves.

[00:15:20] Gerry Gebel: That’s right. That’s right. Okay. So here I’m executing the hex and mapper minus t as to the target is Amazon Cedar. And then this is the input file down here and it’ll give the output right on the screen here.

It’s pretty quick, just waiting for that to completely render. So this is the Cedar policy, so we’ve converted that IDQL to Cedar, and we’re just gonna copy that. , go to the playground, paste it here, and the first thing you see when you paste something into the playground is whether it’s synt, tactically correct or not.

So for example, if I erase that semicolon, it tells me that there is an error on that line.

[00:16:08] Mark Callahan: Gotcha.

[00:16:09] Gerry Gebel: All right. And then over here on the right, there’s a form you can fill in to actually execute a query against the policy. And down in the window below here is some entity data that the engine needs to know about.

So we needs to know about things like Alice and Bob. Of course, they’re in here. Stacey and Giuseppe are other users in here. There’s a couple, there’s a role that we’ll use in a moment or we’ll see it in action. The photo judges’ role. We’re also going to use this a V t team group. And then we see this is the resource, the album of Alice’s vacation.

And here’s the resource we’re actually going to try to view. This is the photo and it’s in this particular album. . And so first we’re gonna ask, okay, can Bob view this vacation photo? And we hit enter. Great. Bob can view it just to see that it’s live and working. We’ll try, Stacy, if I can type

Stacy cannot, she’s not authorized. , what about Giuseppe? So he’s on the AVT team. Maybe we would like some of the AV folks to take a look at these photos as well. He can’t see it at the moment, so to fix that let’s create a new policy. So I’m just copying that existing one. And since he’s on the AV team, let’s give the AV team access.

But this is not a role, it’s a user group.

[00:17:45] Mark Callahan: Okay.

[00:17:47] Gerry Gebel: So let’s just change that. I can see I didn’t change the syntax. I’m just changing some of the terms though. There was no issues with that. Now if I see if Giuseppe can access this photo, yes he can. Perfect. Let’s just make sure Bob can still access it as well.

Yes, he can also. Great, so that’s what we’ve done so far. Just to recap, we’ve taken IDQL, translated to Cedar, put it in the Cedar playground, and ran some tests. That worked fine and then we changed the policy, ran some more tests. So we’re happy with this now and maybe we want to convert this back to IDQL because we wanna use this in some other system, for example.

So I can copy from this window, go back to. To our UI here, and I’ve got this already in a file.

[00:18:47] Mark Callahan: Great. And actually we do have a question that’s a proposed you’ll address this, I’m sure in the demo but was around how does the Cedar specific notation in IDQL mapped to other targets.

So as we’re going through the demo, just thinking out loud about that.

[00:18:58] Gerry Gebel: Okay. Sure. Alright. So this is the change file that I just copied over from from the playground. And now what I want to do is use that as input to translate back to back to IDQL So here’s again, the Hexa mapper.

The target is AWS Cedar. The minus P is an indicator that I want to parse it back into IDQL. And then the changed C file is the, the one we just worked on in the playground. And it just writes to the screen here as we can. . You can also put it to a file. But here is now the Cedar that’s translated back to IDQL.

And so this was the original policy where photo judges can view the. , the vacation album, but now we down here, we can see that the AV team also has access. So that’s a full round trip. And now we could, translate this or, deploy this policy in a OPA server. Maybe I have other apps that are, that need to use the same policy or they’re diff, deployed on a different cloud system.

Or maybe I want to translate this to Google’s common expression language and use the policies over on GCP. So that’s the power.

For the question that came in that’s, the power here of being able to use IDQL as the standard format because we can now translate that into, other target systems.

[00:20:24] Mark Callahan: Very cool.

[00:20:26] Gerry Gebel: We’re, we’re super, super excited about that, about this demo, especially to be able to bring it to the audience here so quickly after the Amazon re:Invent announcement.

[00:20:36] Mark Callahan: That’s awesome. That is. And the demo, God certainly played well with us today. So that was always, yes.

[00:20:42] Gerry Gebel: That’s always a relief.

[00:20:43] Mark Callahan: It is, right? So we, we’ve covered the first part of what we just said we were discussing, which was the open source side of this. So how does it relate to IDQL and Hexa. And now, you and I both obviously work here at Strata and we’re thinking forward to some of the commercial side of this.

And we’re thinking about, from our perspective we have an Identity Orchestration platform. And as we’re looking at how we can use that platform to project AVP policies elsewhere. What were some of the things that we learned about AVP just from the doc so far that we think we can actually help immediately right out the door.

[00:21:20] Gerry Gebel: . One thing is, they focused that this is Really targeted toward building new or building custom applications. And to your point, what about all the, the legacy inventory we have of existing applications? And so just like what we do in with Strata Maverics for other customers, we can put the Maverics system in front of existing applications and do lots of things to modernize identity authentication and access to them.

So I think, for us at Strata on the commercial product side, it’s, a another way we can enhance and modernize those existing apps to take advantage of, the advanced policy capabilities within Amazon Verified Permissions when it becomes available.

Because we know there’s, there’s so many customers using Amazon Web Services, it’s our expectation that’s going to, get a good amount of adoption pretty quickly.

[00:22:13] Mark Callahan: That’s great. The as we’re looking at the core capabilities of the Maverics platform, I think another thing that comes to mind that I didn’t actually document here, but I, we’ve been, you and I have been talking about this and other members of our team, is you talked about modernization of an app and being able to do this in a no code way while not part of AVP specifically as we think about somebody moving to Amazon Identity from a legacy identity system such as SiteMinder, maybe wanting go Cognito, we have a path forward for that as well.

[00:22:44] Gerry Gebel: That’s right. And I think we’re gonna be talking about that in a future webinar, but that’s, a typ one of those typical examples that I mentioned.

Moving from a legacy identity platform, to a more modern one like Cognito.

[00:22:56] Mark Callahan: Watch this space. We’re gonna be back with more as we talk about other aspects of Amazon identity.

[00:23:02] Gerry Gebel: That’s right.

[00:23:03] Mark Callahan: Great. Great. Let me get us to a place of summary cause I know that we’d like to grab a couple of questions.

I’ve got a couple more over here that I wanna run by you as we get into it. But if you were to give us some parting words, some words of wisdom as we think about, the open source side of this, the intersection of IDQL and Hexa with AVP and Cedar and also that commercial side of the Maverics Identity Orchestration platform final thoughts?

[00:23:25] Gerry Gebel: Yeah, I I think the, one of the reasons we’re so excited about hearing this announcement of Amazon Verified Permissions because it really plays into the whole reason for the existing existence of IDQL and Hexa, that is to manage, the disparate and proprietary policies that are scattered across the multi-cloud environment.

That’s really the mission of IDQL and Hexa is to bring some normalization to that world and to unify these systems. So that, the re the idea here is use IDQL as the, the cornerstone, the translative translatable declarative model for access policies. And then we can see how Hexa the orchestration open source software can be extended to so quickly, to adopt to a new model here that Amazon has announced.

We’re really excited to be part of this and be able to show this today and also invite you to, go to our project website, hexaorchestration.org, learn more about it and, hopefully join in cause it, it’s a lot of fun. It’s really exciting work that we’re doing right now.

[00:24:30] Mark Callahan: Awesome. Let’s maybe jump into some questions then, because obviously we covered a lot of ground here and we may have already touched on this a little bit, but it bears repeating to go a little bit deeper cause the question came up around how does our solution differentiate with or from other IAM solutions?

And let’s focus on the Cedar AVP and IDQL.

[00:24:50] Gerry Gebel: Yeah. IDQL and Hexa, as we’ve mentioned, they’re administrative functions, right? It’s managing the policies, defining them, orchestrating them into the target environments and keeping them consistent across those environments.

So it’s a policy administrative functionality. Today it’s an open source project that you can find on Github, a link to the project is also at heoorchestration.org website. So it’s, it’s separate from that runtime environment of Amazon Verified Permissions and Cedar right. They also have management capabilities or will have when it’s generally available, management capabilities for defining the policies.

But we can leverage IDQL at Central Point and or is that translation point, even if you are writing all your policies within AVP and Cedar, we can now check take them and make them useful in other clouds as well. Extending what you can do in AWS.

[00:25:53] Mark Callahan: So you mentioned, we do know from all the Amazon documentation right now that it’s.

It’s AVP is still in a private preview mode. I think this is more of an opinion question. Just getting your personal take on it is there was the question of how quickly do you think AVP adoption will scale once outta the private preview?

[00:26:09] Gerry Gebel: I think, again, given the number of customers that Amazon has for Amazon Web services, I, I expect there to be many enterprises working with AVP and Cedar, as it becomes GA.

To put it through its paces and see if it works in their environments. For those that have, centered on Amazon as the primary cloud platform, it might be the, the right thing to do. . But we’re certainly will be eagerly watching that as it unfolds over here.

I expect within, the next several months, they have not announced any kind of target date specifically for general availability. But, we’ll be here watching and observing for sure.

[00:26:46] Mark Callahan: Got it. Last question, I’m just watching the thread here was, so you mentioned extending AVP policies to apps and other clouds, are there limitations in doing that? Maybe it’s from a mapping perspective or are there limitations I don’t wanna infer here.

[00:27:02] Gerry Gebel: Oh yeah, there, there’s definitely going to be limitations. One is to the target system that we’re mapping to, does it have a publicly available API for managing policies? Is, would be. one thing, one basic requirement that we have.

And the second is there a way to map IDQL to that target policy format. There will be some cases where not that it’s impossible, but it could be extremely difficult to do that and take a lot of, developer time to do it.

We’re looking today to target systems that are, have publicly available APIs for policy administration and a policy format that we can map to readily like you, we demonstrated today. We can map pretty quickly to the Cedar format.

[00:27:47] Mark Callahan: Gotcha. Gotcha. I think that actually covers all of our questions.

[00:27:51] Gerry Gebel: Awesome. This has been fun, Mark.

[00:27:53] Mark Callahan: It has. And I want to make sure that, from a inviting people to go experience, what you and I have learned every, everything that we talked about today, all those resources are publicly available documents. You can go see the re:Invent announcement and learn all about the intent behind why AWS has built Cedar and AVP and also that Cedar playground that you mentioned.

I was even able to get in there and tinker a little bit myself. So that was really really helpful to be able to do.

And then of course you mentioned hexaorchestration.org as people are interested in working with the software that you and I have been working on as well as joining the working group.

And so one last bit of information a final resource that we’ll share with everybody is we mentioned Identity Orchestration several times in this, especially as we were talking about the commercial way that Maverics can be used to extend AVP to existing apps and then also to extend those policies to other clouds.

We’ll be sharing a report about why Identity Orchestration plays such a key role in people’s multi-cloud strategies and multi-service strategies. So at the shortly after this webinar, we’ll send everyone an email with that.

And finally, any final questions that the audience has for you and you’re the expert on this one, so might go more your direction, but never the less please feel free to reach out to, of course, either of us to hear more.

And we talked about that, AWS to Cognito modernization story. Watch this space. I, we have another webinar in the works that we definitely wanna share with y’all and as we dig deeper into Amazon identity.

Gerry, thank you for joining me. It was a fun conversation and we hope everyone found it as enjoyable as we did, and with that, we’ll bid everyone to do.

[00:29:35] Gerry Gebel: Awesome. Always a pleasure, Mark.

[00:29:37] Mark Callahan: As well.

[00:29:37] Gerry Gebel: Talk everyone soon. Bye now.

[00:29:38] Mark Callahan: Take care.


Protect your sensitive data in the cloud

We’re in a multi-cloud world that presents new opportunities as well as new security risks to your sensitive data. Consistent identities and policies are the key to protecting your cloud-resident data. And that’s where Strata’s Identity Orchestration platform comes into play.

Modernize any app with any IDP in minutes. Join the 'Orchestration Kitchen' workshops.