How Google Built a Consistent, Global Authorization System with Zanzibar: Sohan Maheshwar
Broken Authorization now tops OWASP’s Top 10 Security Risks for Web Apps. In order to build resilient systems at scale, one must fix broken access control. This talk describes the internal workings of Google Zanzibar, the singular authorization service that powers permissions and sharing across all Google properties, including Docs, YouTube, and Cloud IAM. Creating a consistent, global-scale authorization system that can process “more than 10 million client queries per second” is not a trivial task. The talk will cover how the paper lays out an engineer-friendly blueprint for building a highly scalable distributed system with flexible consistency guarantees. This talk will start with foundational knowledge of Relationship Based Access Control (ReBAC) and then cover the technical implementations behind Zanzibar – how Google solved for correctness, scale and speed. The presentation will cover the different APIs for interacting with the system and also a deep-dive into how the “New Enemy” problem was solved. The talk will conclude with how you can use open source tools to build authZ into your application.
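As an added illustration of the ReBAC model and the “New Enemy” problem named above (example code written for this page, not Zanzibar’s or the speaker’s code), the following models Zanzibar-style relation tuples with group and computed usersets, and shows why a check must be evaluated at a snapshot at least as fresh as the zookie returned by the ACL write. The `Tuple`/`AclStore`/`IMPLIED` names and the integer revision standing in for a zookie are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tuple:  # Zanzibar-style relation tuple object#relation@user
    obj: str
    relation: str
    user: str  # a user id, or a userset such as "group:eng#member"
# Hypothetical userset-rewrite config: on docs, "editor" implies "viewer".
IMPLIED = {("doc", "viewer"): ("editor",)}

class AclStore:
    """Versioned tuple store; a write's revision stands in for the zookie."""
    def __init__(self):
        self.history = []  # (revision, "add"|"remove", Tuple)

    def write(self, op, t):
        self.history.append((len(self.history) + 1, op, t))
        return len(self.history)  # the zookie handed back to the caller

    def check(self, obj, relation, user, at_least):
        """Is `user` in userset obj#relation as of snapshot `at_least`?"""
        live = set()
        for _, op, t in self.history[:at_least]:
            (live.add if op == "add" else live.discard)(t)
        return self._check(live, obj, relation, user, set())

    def _check(self, live, obj, relation, user, seen):
        if (obj, relation) in seen:  # guard against cyclic group membership
            return False
        seen.add((obj, relation))
        for t in live:
            if (t.obj, t.relation) == (obj, relation):
                if t.user == user:
                    return True
                if "#" in t.user and self._check(live, *t.user.split("#", 1), user, seen):
                    return True  # userset: descended into the referenced relation
        return any(self._check(live, obj, r, user, seen)  # computed userset
                   for r in IMPLIED.get((obj.split(":")[0], relation), ()))

def new_enemy_demo():
    """Alice is removed from the group, then content is written; a stale snapshot still admits her."""
    s = AclStore()
    s.write("add", Tuple("group:eng", "member", "alice"))
    s.write("add", Tuple("doc:spec", "viewer", "group:eng#member"))
    stale = s.write("add", Tuple("doc:spec", "editor", "bob"))
    z = s.write("remove", Tuple("group:eng", "member", "alice"))
    return (s.check("doc:spec", "viewer", "alice", at_least=stale),
            s.check("doc:spec", "viewer", "alice", at_least=z),
            s.check("doc:spec", "viewer", "bob", at_least=z))
```

Storing the zookie `z` with the content written after the ACL change, and checking at least at `z`, is what keeps the removed user out; `bob` is still a viewer only through the computed `editor` userset.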