Oso Bear of the Month - Anthony Cristiano

Anthony Cristiano, Staff Software Engineer at Headway

Oso Bear of the Month is a series of interviews with developers in our community to connect and learn more about their authorization journey. For this month's feature, we sat down with Anthony Cristiano, Staff Software Engineer at Headway.

What is your authorization story? Share a bit on how you used Oso to solve for it.

As a company in the health care space, Headway stores patient health information. We take this responsibility extremely seriously, and invest considerably as a company in data privacy and security. It is vital for us to have strong and effective rules for how access is granted and effective visibility into who is accessing this data and why.

When assessing options for a third-party tool to bolster our capabilities, we prioritized a few things:

  • The decoupling of our business logic and authorization code.
  • The ability to write policies that were easy to understand and audit.
  • The ability to use this new policy engine to enforce authorization from any part of our code base.

In our analysis of competitors, Oso matched closely with what we were looking for while also offering a “batteries included” experience by providing hosting of facts, rules, and robust APIs.

In addition, writing policies in Polar has allowed us to model complex permissioning relationships flexibly enough that they can be understood and used as building blocks by other engineers within Headway building new policies. This allows us to ask seemingly simple questions ("Does user X have access to entity Y?"), get back simple answers ("yes"), and let Oso handle the complex "how" that we define with policies.
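To make the "building blocks" idea concrete, here is an illustrative Polar policy in the Oso Cloud resource-block style. It is an added example written for this page, not Headway's policy or code from Oso; the resource names (Practice, Patient), role names and permission names are hypothetical. It models the relationship Anthony describes (a provider may read a patient's record) and layers a second rule on top of it (a practice admin inherits the provider role for that practice's patients), so that the question "Does user X have access to entity Y?" is answered by the engine from the facts rather than by hand-written checks scattered through the code base.

```polar
# Added example policy, not from the original page.
# Entity and role names below are hypothetical.

actor User {}

# A practice groups patients; "admin" is a role on the practice.
resource Practice {
  roles = ["admin"];
}

resource Patient {
  # Each patient belongs to exactly one practice (a relation fact:
  #   has_relation(Patient:p123, "practice", Practice:north)).
  relations = { practice: Practice };

  roles = ["provider"];
  permissions = ["read_phi", "update_phi"];

  # Building block 1: a provider on the patient record may read and update it.
  # Granted by a role fact: has_role(User:anthony, "provider", Patient:p123).
  "read_phi" if "provider";
  "update_phi" if "provider";

  # Building block 2: an admin of the patient's practice is treated as a
  # provider for that patient, so the rules above apply transitively.
  "provider" if "admin" on "practice";
}
```

With the two facts named in the comments loaded, an `authorize(User:anthony, "read_phi", Patient:p123)` query is allowed because of the direct provider role, and an admin of `Practice:north` is allowed by the chain admin-on-practice → provider → read_phi. Adding a new access path (say, a covering clinician) is a new rule in the resource block, not a change to every call site.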

What is one recommendation you would offer to someone doing authorization for the first time?

The earlier you introduce strong, codified privacy controls, the easier it is to implement.

Defining helpful abstractions to make privacy the default will go a long way in ensuring that privacy stays the default.

Since using Oso, what's a new thing you have been able to accomplish?

With Oso, we’re able to deeply audit access patterns with non-technical folks more easily than when our authorization policies were manually hand-coded.

How do you think you have most benefited by using Oso?

Being able to clearly and succinctly express “this is how you can perform this action on a resource” is a HUGE win for us.

Anything additional you want to share about Oso, authorization, your experience?

Our partnership with the Oso squad has been fantastic. Any small or large question is always promptly answered and incredibly informative.

They’ve been incredible in helping us to establish patterns to ensure that we’re setting ourselves up for success. I rate the Oso crew a 10/10!

If you had a magic wand, what is one thing you would add or change in Oso?

We would love a plain-text explanation for a point-in-time decision. e.g. “At 11:03am PST, Anthony was granted access to Patient X’s information because Anthony is Patient X’s provider”.

Having this level of plain-text auditing would make Oso feel like magic and (I suspect) elevate it to the top of the evaluation list for other companies with sensitive data handling requirements.

Thank you so much!

If you enjoyed this interview, we encourage you to share it and tag @osohq. We'd also love to hear how your authorization journey is going: join us and thousands of developers on Slack!
