Access control: Cerbos brings open source to user permission software


A new company is setting out to streamline how software developers and engineers manage user permissions in their software, while also addressing the numerous access control compliance requirements governed by rules and standards such as GDPR and ISO-27001.

Cerbos takes a self-hosted, open source approach to the issue of user permissions, one that works across languages and frameworks and, crucially, gives companies a full view of how they handle user data.

To help build its team and develop a commercial product on top of the open source platform, Cerbos announced today that it has raised $3.5 million in a seed round of funding led by London-based VC firm Crane.

I am who I am

It has been a bumper year in the field of identity and access management (IAM), with Okta buying Auth0 for $6.5 billion, One Identity buying rival OneLogin, and numerous venture capital (VC) investments flowing into the identity management space. IAM, for the uninitiated, is primarily concerned with authenticating and authorizing people and controlling how, where and when they can access certain systems and applications.

At a time when every company is effectively a software company, managing user permissions becomes integral. Different users need different access rights depending on their role and department, and companies need infrastructure that enables them to do this without having to build it from scratch. For example, financial software may need to offer user permission functionality so that some employees can only submit expense reports, while others can “approve” expenses or mark them as “paid.” These different permissions can vary by team, department, and geographic location – and companies need to be able to set their own user permission rules.

This is essentially where Cerbos enters the mix – it’s the “AM” in “IAM”, allowing developers to implement access management in their own applications without having to reinvent the wheel. “We’re not trying to handle the ‘I’ part, because that’s a problem that’s practically solved,” Emre Baran, co-founder and CEO of Cerbos, told VentureBeat.

Above: Where Cerbos sits in the stack

Cerbos will typically be used in conjunction with one of the many identity authentication solutions out there, such as Google’s Firebase, Microsoft’s Active Directory (AD), Auth0 and WorkOS. The step beyond authentication – authorizing identities and enforcing certain permissions – also has options such as Open Policy Agent, Casbin and CanCanCan, but according to Baran these are somewhat “more limited”.

“There are many libraries and frameworks that developers can take, enhance and create in their product for authentication,” he said. “However, they all focus on specific programming languages or frameworks and generally apply authorization to a single, monolithic application and do not provide for business users to define permissions in a human-readable way.”

This is especially important as companies move away from monoliths to microservices – that is, software made from smaller, function-based components.

“Being able to share the logic of your authorization across multiple different services – usually developed by different teams and possibly in different programming languages – and, without having to reconfigure all of those services, immediately update that logic across the board, that’s very powerful,” Baran added. “That’s what Cerbos offers.”

Baran is a former Googler who founded an ecommerce personalization technology company called Qubit, which was acquired by Coveo just last month. He launched Cerbos in March with software engineer Charith Ellawala, who previously worked at various tech companies such as Ocado, Qubit and Elastic. It was at Qubit that the two encountered the problem they are now trying to fix with Cerbos – every time a company builds a new piece of software, engineers have to develop the user permissions infrastructure from scratch.

“This is especially true in large enterprises, where different departments or teams need to use the same software platform for different tasks,” Baran explained. “It’s a time-consuming and cost-effective way to work. We enable companies to be more consistent and provide high quality security to every developer.”

Open for business

That Cerbos is open source will likely be central to its appeal, especially at a time when companies need to treat their users’ data with kid gloves to meet a growing range of privacy rules. Being open source allows companies to inspect the source code and contribute new code, while being self-hosted means they do not need to transfer data to third-party infrastructure. Visibility and auditability is the name of the game here.

“You know exactly what you’re running in your system, and how it handles your data,” Baran said. “You also benefit from the community – the product is constantly being improved and the problem is being tested by enthusiasts. And even if the company [i.e. Cerbos] stops working on the product, you still have access to the source code and you can continue to use it and modify it if it is important to your business.”

Just as companies generally do not build their own databases from scratch, opting for an off-the-shelf solution instead, Baran sees Cerbos playing a similar role for user permissions – and so its target customers range from really small startups to billion-dollar companies. However, it is worth noting that the larger a company gets, the more complex its user permission requirements become, which positions Cerbos strongly for the enterprise segment.

“One thing they all have in common is that they all recognize that building permission software is not their core business and they will implement an off-the-shelf, advanced solution instead of building it themselves,” Baran said. “We believe in a world where reinventing the wheel doesn’t take time – in that world, our goal is to make authentication a reliable ‘plug-and-play’ solution.”

For now, Cerbos is available in a pure open source incarnation, allowing any developer to take advantage of it as they see fit. However, the company is also working on a variety of premium offerings, including a full-powered version with a graphical user interface (GUI) for managing permissions and roles. In addition, Cerbos will offer tools for auditing, monitoring and analysis aimed at chief information and security executives, including features for “predictable unauthorized access prevention” smarts.

The two founders of Cerbos are based in London, although like most young startups these days, the company has adopted a globally distributed approach to its recruitment, with seven employees spread across the UK, New Zealand, Turkey and Spain.

In addition to lead backer Crane, Cerbos attracted OSS Capital, SeedCamp, Earlybird Digital East, 8-Bit Capital, Connect Ventures, Essex Capital, Hallowerland, Tiny and many more institutional investors for its seed round funding, as well as angel investors.

