How Stedi uses automated reasoning for access control policy verification

By carefully separating the resources that Stedi needs to make our systems function from customer-owned resources, such as stored data, we can craft access policies that allow us to operate the platform securely while having no access to customer data. IAM independently enforces these access policies – its mechanisms cannot be circumvented. However, this raises a question: how do we know that we have crafted the access control policies correctly? And further, how can we provably demonstrate this not just to ourselves, but also to our customers?

With a clear separation of roles built on top of a security-first, battle-tested system like IAM, the key concern becomes ensuring that the underlying IAM policies for those roles are written as intended – in other words, ensuring that the role assigned to Stedi employees does not inadvertently include an IAM policy that can potentially allow access to customer data. While we carefully peer-review all software configuration changes with particular attention paid to security policies, we wanted to achieve a higher level of certainty. We wanted to prove definitively to ourselves that we hadn’t made an error, and put in place a mechanism that provides ongoing assurance that our access controls match our intent.

Concrete and complete proof is difficult to come by – especially for the sort of complex systems that Stedi builds – but, given a well-enough defined problem, automated reasoning makes it possible.

Leave a Comment