Merou: A Decentralized, Audited Authorization Service

Tuesday, May 23, 2017 - 3:55pm–4:20pm

Luke Faraone, Dropbox

Abstract: 

Every organization has a system for access control, be it a spreadsheet, LDAP, IAM, something homegrown, or all of the above. Most of these approaches suffer from some combination of hard-to-use interfaces, incomplete coverage, lack of audit/compliance functionality, and bottlenecks for permission grants.

Merou is Dropbox's homegrown, open source authorization service. It manages a wide range of environments, from the corporate network to production data centers and cloud providers like AWS. It is a transparent system of record, managed in a decentralized manner by the individuals and teams that own the applications and services Merou provides authorization for.

We will present a general overview of our approach, highlight the features that make this system unique, sample some of our current use cases, and present some lessons learned.

Luke Faraone, Dropbox

Luke is a security engineer on Dropbox's Infrastructure Security team, which works to accelerate the secure deployment of internal systems. He is also Dropbox's representative to the TODO Group, an open group of companies who collaborate on running successful and effective open source projects and programs.

In his spare time, Luke contributes to the Debian project as a developer and as a member of the ftpmaster team, which oversees and maintains the well-being of Debian's official package repositories.


BibTeX
@conference {202735,
author = {Luke Faraone},
title = {Merou: A Decentralized, Audited Authorization Service},
year = {2017},
publisher = {USENIX Association},
month = may
}
