Airbnb's product engineering team recently described its implementation of a self-service, centralized access control platform. Built on the principle of least privilege, the team designed a five-stage architecture that delivers security, usability, and developer experience benefits.
Paul Bramsen, staff software engineer at Airbnb, gave a glimpse of Airbnb's journey with access management in a blog post. Bramsen explained that Airbnb needed a single place to manage employee access to its systems: one that both removes unnecessary access and grants employees the permissions they actually need.
The envisioned system had two goals: manage the entire permission lifecycle, and integrate easily with existing permission stores (e.g. AWS IAM, LDAP, Apache Ranger). To meet these goals, the team at Airbnb evaluated products on the market, but none of them satisfied both.
The product engineering team built the five-stage architecture shown below. Each stage communicates only with its neighbors, and updates flow from left to right. For instance, the platform can query Employee Data Systems and can be queried by Connectors, but it never communicates directly with Permission Stores.
Source: Airbnb’s Approach to Access Management at Scale
Employee Data Systems (stage 1) are the HR systems containing employee data, owned by the IT team. The Access Control Platform (stage 2) is the core system: it holds all the business logic for managing permissions as well as the user interface employees use. Connectors (stage 3) tell the platform which permissions exist and synchronize permission changes into the appropriate permission store. Permission Stores (stage 4) hold the permissions and answer permission queries. Clients (stage 5) are the systems end users need access to, e.g. SSH, Apache Superset, MySQL, internal customer support tools, Salesforce.
The product engineering team implemented the Access Control Platform two years ago. Bramsen cited usage-based expiration as one of the platform's benefits: permissions that have not been used for a certain period are automatically revoked. Before revoking, the platform notifies the affected employees of the upcoming change and provides instructions for keeping the permission if they still need it. The chart below shows the change in user access to System X after usage-based expiration was enabled at the end of April.
Source: Airbnb’s Approach to Access Management at Scale
As an aside, Alcor, a cloud services company, announced a new release of AccessFlow Identity Governance and Administration (IGA). With this release, AccessFlow lets businesses build and automate the identity lifecycle on ServiceNow. To learn more about AccessFlow, readers can visit Alcor's AccessFlow page or download the application from the ServiceNow App Store.
On usability: because the Access Control Platform is self-service, employees can request permissions without involving a support engineer. Operational overhead is lower because approvers can delegate, and employees can revoke their own permissions or those for the systems they manage. For developer experience, the platform notifies connectors of changes through an asynchronous message queue: whenever a permission's state changes, the Access Control Platform publishes a message to the queue, and the responsible connector picks it up and applies the change to its permission store.
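To make the usage-based expiration and the queue-driven connector sync concrete, here is a small Python model added for this article. It is not Airbnb's code; the 90-day inactivity cutoff, the 14-day warning window, the message format and the dict-backed permission store are all assumptions chosen for illustration. It shows the stage-2 platform warning a holder before the cutoff, revoking an idle permission, resetting the clock when a permission is used, and publishing the change to a queue that a stage-3 connector drains into a stage-4 store without the platform ever touching the store directly.

```python
"""Toy model of usage-based expiration and connector sync (illustrative only)."""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy values are assumptions for this example, not Airbnb's actual settings.
INACTIVITY_DAYS = 90   # revoke a permission unused for this long
WARNING_DAYS = 14      # notify the holder this many days before revocation


@dataclass
class Permission:
    user: str
    system: str
    last_used: datetime
    warned: bool = False
    active: bool = True


@dataclass
class AccessControlPlatform:
    """Stage 2: owns permission state, notifies users, and publishes changes
    to an asynchronous queue that connectors (stage 3) consume."""
    permissions: list
    queue: deque = field(default_factory=deque)
    notifications: list = field(default_factory=list)

    def record_usage(self, user: str, system: str, when: datetime) -> None:
        """Any use of a permission resets its inactivity clock and clears a pending warning."""
        for p in self.permissions:
            if p.active and p.user == user and p.system == system:
                p.last_used = when
                p.warned = False

    def run_expiration(self, now: datetime) -> list:
        """Warn holders approaching the cutoff; revoke permissions past it.
        Returns the (user, system) pairs revoked in this run."""
        revoked = []
        for p in self.permissions:
            if not p.active:
                continue
            idle = now - p.last_used
            if idle >= timedelta(days=INACTIVITY_DAYS):
                p.active = False
                revoked.append((p.user, p.system))
                # State change -> message on the async queue (assumed message shape)
                self.queue.append({"event": "revoke", "user": p.user, "system": p.system})
            elif idle >= timedelta(days=INACTIVITY_DAYS - WARNING_DAYS) and not p.warned:
                p.warned = True
                days_left = INACTIVITY_DAYS - idle.days
                self.notifications.append(
                    f"{p.user}: access to {p.system} expires in {days_left} day(s); "
                    f"use it or request an extension to keep it")
        return revoked


class Connector:
    """Stage 3: drains the platform's queue and syncs a permission store (stage 4),
    modelled here as a dict mapping system -> set of users."""
    def __init__(self, store: dict):
        self.store = store

    def sync(self, queue: deque) -> int:
        """Apply every queued change to the store; returns the number handled."""
        handled = 0
        while queue:
            msg = queue.popleft()
            users = self.store.setdefault(msg["system"], set())
            if msg["event"] == "grant":
                users.add(msg["user"])
            elif msg["event"] == "revoke":
                users.discard(msg["user"])
            handled += 1
        return handled


def demo():
    """Constructed sample data: three holders of system_x with different idle times."""
    now = datetime(2023, 5, 1)
    perms = [
        Permission("alice", "system_x", now - timedelta(days=120)),  # past cutoff -> revoke
        Permission("bob", "system_x", now - timedelta(days=80)),     # inside warning window
        Permission("carol", "system_x", now - timedelta(days=5)),    # recently used -> untouched
    ]
    platform = AccessControlPlatform(perms)
    store = {"system_x": {"alice", "bob", "carol"}}
    revoked = platform.run_expiration(now)
    Connector(store).sync(platform.queue)
    return revoked, platform.notifications, sorted(store["system_x"])


def demo_usage_resets_clock() -> bool:
    """A warned holder who uses the permission keeps it past the original cutoff."""
    now = datetime(2023, 5, 1)
    platform = AccessControlPlatform([Permission("bob", "system_x", now - timedelta(days=80))])
    platform.run_expiration(now)                                   # warning issued
    platform.record_usage("bob", "system_x", now + timedelta(days=1))
    later = platform.run_expiration(now + timedelta(days=20))      # day 100 on the old clock
    p = platform.permissions[0]
    return later == [] and p.active and not p.warned


if __name__ == "__main__":
    print(demo())
    print(demo_usage_resets_clock())
```

The point of the split into `AccessControlPlatform` and `Connector` is the adjacency rule from the architecture: the platform only appends to the queue, and only the connector writes to the store, so adding a new permission store means writing a new connector rather than touching the platform's business logic.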
The Airbnb team notes that there is still more to do in the access management space, and that with approaches like this one they remain committed to keeping their community's data safe.