Neon Authorize: Granular access controls at the database layer


Neon, the serverless Postgres database built for developers, launched Neon Authorize. It enables developers to manage permissions and access controls with ease.

This new offering leverages Postgres RLS (Row-Level Security) – a Postgres primitive that protects data from malicious actors even when accessed through third-party tooling – and makes it much simpler to use via new deployment models for application developers.

“It makes perfect sense to set up authorization policies at the database layer – but it can be a cumbersome task especially at scale,” said Bryan Clark, VP of Product at Neon. “By using Neon Authorize, it’s easier than ever to leverage the power of Postgres RLS to manage authorization policies and improve security.”

According to the latest research from the Open Web Application Security Project (OWASP), broken access control remains the most serious web application security risk. Failures typically lead to unauthorized information disclosure, modification, destruction of data, or performing a business function outside the user’s limits. The report states that “94% of applications were tested for some form of broken access control.” This locks developers in a loop of repetitive operational tasks instead of working on core features while companies require more engineering resources just to deal with permissions.

Postgres RLS is a powerful security feature that allows database administrators to control which rows of data a user can access and edit in a PostgreSQL database. It works by applying a filter to a table before other filtering or query criteria; the filter narrows or rejects data based on the security policy. RLS is commonly used to limit access based on the database user connecting, and can also be used to ensure data safety for multi-tenant applications.

With Neon Authorize, it’s easier than ever to adopt Postgres RLS by allowing developers to integrate their existing authentication provider directly with Neon. After doing so, calls to the database can be authenticated with a JSON Web Token (JWT) generated by the authentication provider. Now developers can build applications that are entirely client-side, without needing a server or backend.

“Replacing a previous home-grown approach with Neon Authorize has simplified application code, provided better security via the use of asymmetric key encryption, and has improved performance by eliminating the use of additional SQL commands and unnecessary transactions previously required when implementing RLS directly in Postgres,” said Andy Young at Lockdown Ventures. “The migration took less than a day, and because Neon Authorize is based on standard JWTs it’s easily extensible to implement powerful security rules encompassing concepts such as multiple tenants, users, groups and workspaces.”



Source link