SlideShare a Scribd company logo
Security: Trusting Identities
Introductions 
Alberto Bellotti 
github: abellotti 
Keenan Brock 
github: kbrock 
twitter: @kbrock
Overview 
● Definition 
● Mechanics 
● Components of the system 
● Goals 
● Demo 
● Future
Definition: Identity and Trust 
● Authentication 
○ What is your identity? 
● Authorization 
○ What do I trust you to do? 
● Auditing 
○ What did you actually do?
Goals: Identity and Trust 
● Fewer copies 
● Simpler definitions 
● Leverage existing definitions 
○ identity stores 
○ trust profiles
Goals: Desired Results 
● Simplify appliance configuration 
● Simplify access for users (SSO) 
● More secure system
Accessing Auth* sources 
Postgres 
Vmdb 
Amazon 
ReST 
UI/WS 
Workers 
IdM/Ldap 
Kerberos LDAP 
Apache 
kerberos sssd/pam 
Ldap 
LDAP 
AD 
Appliance 
Console 
/etc/passwd 
Terminal 
Aws 
Client 
KDC 
Appliance 
IdM
Mechanics? 
● Client 
○ Provides identity 
● Server 
○ Has a copy of identity 
○ Fetch stored identity 
○ grant trust
What is a Client and Server 
a system or component that calls another 
● User 
● Computer 
● Component
Mechanics: Client’s Identity 
● Password 
● Kerberos ticket (keytab) 
● IP Address 
● Client side certificates* 
● Saml (SSO)* 
* future
Mechanics - Copy of Identity 
● plaintext 
● md5 
● aes - symmetric cipher (v2_key) 
● id_rsa.pub 
Goal: protect the identity
Mechanics - Fetch Identity 
● Postgres table (e.g.: pg_shadow, users) 
● host based (firewall) 
● Filesystem (e.g.: /etc/passwd) 
● LDAP (AD, IdM) 
● Kerberos (IdM)* 
● Amazon (IAM) 
● Certificate Authority* 
* generated remotely, stored locally
Accessing Auth* sources 
Postgres 
Vmdb 
Amazon 
ReST 
UI/WS 
Workers 
IdM/Ldap 
Kerberos LDAP 
Apache 
kerberos sssd/pam 
Ldap 
LDAP 
AD 
Appliance 
Console 
/etc/passwd 
Terminal 
Aws 
Client 
KDC 
Appliance 
IdM
Mechanics - Grant Trust 
● same password or md5 
● correct ip / user 
● ticket has correct origin
IdM/Kerberos SSO Demo 
● External Authentication 
● Web-UI Login 
● ReST API access 
● Web-UI SSO Login 
All using IPA credentials
Going forward 
● Tighter Authorization of components 
● Moving LDAP/AD configuration to 
console/Apache 
● Leveraging Apache/IdM 
○ AD 
○ SAML 
○ 2-Factor Authentication

More Related Content

What's hot

OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
Stuart
 
Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)
Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)
Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)
Dries Elliott
 
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Codemotion
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
Red Hat Developers
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp Vault
Mayank Patel
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordel
guest2a1135
 
Kerberos
KerberosKerberos
Yii2 by Peter Jack Kambey
Yii2 by Peter Jack KambeyYii2 by Peter Jack Kambey
Yii2 by Peter Jack Kambey
k4ndar
 
SSO with kerberos
SSO with kerberosSSO with kerberos
SSO with kerberos
Claudia Rosu
 
020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS
Jackio Kwok
 
Entity framework 6
Entity framework 6Entity framework 6
Entity framework 6
Ken Tucker
 
Single sign on across drupal 8
Single sign on across drupal 8Single sign on across drupal 8
Single sign on across drupal 8
Iwantha Lekamge
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
Stefan Achtsnit
 
Scaling Yii2 Application
Scaling Yii2 ApplicationScaling Yii2 Application
Scaling Yii2 Application
Petra Barus
 
2015-StarWest presentation on REST-assured
2015-StarWest presentation on REST-assured2015-StarWest presentation on REST-assured
2015-StarWest presentation on REST-assured
Eing Ong
 
WebSocketson WildFly
WebSocketson WildFly WebSocketson WildFly
WebSocketson WildFly
JBUG London
 
Ng init | EPI Sousse
Ng init | EPI SousseNg init | EPI Sousse
Ng init | EPI Sousse
Hamdi Hmidi
 
Fine Uploader S3
Fine Uploader S3Fine Uploader S3
Fine Uploader S3
Ray Nicholus
 
Kerberos
KerberosKerberos
Kerberos
Sparkbit
 
18 .NET Objects in PowerShell
18 .NET Objects in PowerShell18 .NET Objects in PowerShell
18 .NET Objects in PowerShell
Ashish Raj
 

What's hot (20)

OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
 
Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)
Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)
Xplore Group - Flashtalk (Fabric8, Neo4j, GraphQL, OpenID Connect)
 
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp Vault
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordel
 
Kerberos
KerberosKerberos
Kerberos
 
Yii2 by Peter Jack Kambey
Yii2 by Peter Jack KambeyYii2 by Peter Jack Kambey
Yii2 by Peter Jack Kambey
 
SSO with kerberos
SSO with kerberosSSO with kerberos
SSO with kerberos
 
020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS
 
Entity framework 6
Entity framework 6Entity framework 6
Entity framework 6
 
Single sign on across drupal 8
Single sign on across drupal 8Single sign on across drupal 8
Single sign on across drupal 8
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
 
Scaling Yii2 Application
Scaling Yii2 ApplicationScaling Yii2 Application
Scaling Yii2 Application
 
2015-StarWest presentation on REST-assured
2015-StarWest presentation on REST-assured2015-StarWest presentation on REST-assured
2015-StarWest presentation on REST-assured
 
WebSocketson WildFly
WebSocketson WildFly WebSocketson WildFly
WebSocketson WildFly
 
Ng init | EPI Sousse
Ng init | EPI SousseNg init | EPI Sousse
Ng init | EPI Sousse
 
Fine Uploader S3
Fine Uploader S3Fine Uploader S3
Fine Uploader S3
 
Kerberos
KerberosKerberos
Kerberos
 
18 .NET Objects in PowerShell
18 .NET Objects in PowerShell18 .NET Objects in PowerShell
18 .NET Objects in PowerShell
 

Similar to Design Summit - Security Roadmap - Keenan Brock, Alberto Bellotti

Deep Dive In To Kerberos
Deep Dive In To KerberosDeep Dive In To Kerberos
Deep Dive In To Kerberos
Ishan A B Ambanwela
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
J.D. Wade
 
Introduction to Shib 2.0 (Chad La Joie)
Introduction to Shib 2.0 (Chad La Joie)Introduction to Shib 2.0 (Chad La Joie)
Introduction to Shib 2.0 (Chad La Joie)
JISC.AM
 
7.1. SDLC try me to implenment
7.1. SDLC try me to implenment7.1. SDLC try me to implenment
7.1. SDLC try me to implenment
defconmoscow
 
Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise
MongoDB
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Felipe Prado
 
Exploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIsExploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIs
wesley chun
 
Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015
J.D. Wade
 
Kerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointaloozaKerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointalooza
J.D. Wade
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .Net
J.D. Wade
 
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
BeyondTrust
 
MongoDB Europe 2016 - Who’s Helping Themselves To Your Data? Demystifying Mon...
MongoDB Europe 2016 - Who’s Helping Themselves To Your Data? Demystifying Mon...MongoDB Europe 2016 - Who’s Helping Themselves To Your Data? Demystifying Mon...
MongoDB Europe 2016 - Who’s Helping Themselves To Your Data? Demystifying Mon...
MongoDB
 
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
Andrey Devyatkin
 
HKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEEHKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEE
Linaro
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
J.D. Wade
 
Power your apps with Gmail, Google Drive, Calendar, Sheets, Slides & more
Power your apps with Gmail, Google Drive, Calendar, Sheets, Slides & morePower your apps with Gmail, Google Drive, Calendar, Sheets, Slides & more
Power your apps with Gmail, Google Drive, Calendar, Sheets, Slides & more
wesley chun
 
Bh Win 03 Rileybollefer
Bh Win 03 RileybolleferBh Win 03 Rileybollefer
Bh Win 03 Rileybollefer
Timothy Bollefer
 
Achieving compliance With MongoDB Security
Achieving compliance With MongoDB Security Achieving compliance With MongoDB Security
Achieving compliance With MongoDB Security
Mydbops
 
Extending kubernetes
Extending kubernetesExtending kubernetes
Extending kubernetes
Gigi Sayfan
 
Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFE
Prabath Siriwardena
 

Similar to Design Summit - Security Roadmap - Keenan Brock, Alberto Bellotti (20)

Deep Dive In To Kerberos
Deep Dive In To KerberosDeep Dive In To Kerberos
Deep Dive In To Kerberos
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
 
Introduction to Shib 2.0 (Chad La Joie)
Introduction to Shib 2.0 (Chad La Joie)Introduction to Shib 2.0 (Chad La Joie)
Introduction to Shib 2.0 (Chad La Joie)
 
7.1. SDLC try me to implenment
7.1. SDLC try me to implenment7.1. SDLC try me to implenment
7.1. SDLC try me to implenment
 
Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 
Exploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIsExploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIs
 
Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015
 
Kerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointaloozaKerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointalooza
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .Net
 
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
 
MongoDB Europe 2016 - Who’s Helping Themselves To Your Data? Demystifying Mon...
MongoDB Europe 2016 - Who’s Helping Themselves To Your Data? Demystifying Mon...MongoDB Europe 2016 - Who’s Helping Themselves To Your Data? Demystifying Mon...
MongoDB Europe 2016 - Who’s Helping Themselves To Your Data? Demystifying Mon...
 
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
 
HKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEEHKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEE
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
 
Power your apps with Gmail, Google Drive, Calendar, Sheets, Slides & more
Power your apps with Gmail, Google Drive, Calendar, Sheets, Slides & morePower your apps with Gmail, Google Drive, Calendar, Sheets, Slides & more
Power your apps with Gmail, Google Drive, Calendar, Sheets, Slides & more
 
Bh Win 03 Rileybollefer
Bh Win 03 RileybolleferBh Win 03 Rileybollefer
Bh Win 03 Rileybollefer
 
Achieving compliance With MongoDB Security
Achieving compliance With MongoDB Security Achieving compliance With MongoDB Security
Achieving compliance With MongoDB Security
 
Extending kubernetes
Extending kubernetesExtending kubernetes
Extending kubernetes
 
Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFE
 

More from ManageIQ

ManageIQ - Sprint 237 Review - Slide Deck
ManageIQ - Sprint 237 Review - Slide DeckManageIQ - Sprint 237 Review - Slide Deck
ManageIQ - Sprint 237 Review - Slide Deck
ManageIQ
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ
 
ManageIQ - Sprint 235 Review - Slide Deck
ManageIQ - Sprint 235 Review - Slide DeckManageIQ - Sprint 235 Review - Slide Deck
ManageIQ - Sprint 235 Review - Slide Deck
ManageIQ
 
ManageIQ - Sprint 234 Review - Slide Deck
ManageIQ - Sprint 234 Review - Slide DeckManageIQ - Sprint 234 Review - Slide Deck
ManageIQ - Sprint 234 Review - Slide Deck
ManageIQ
 
ManageIQ - Sprint 233 Review - Slide Deck
ManageIQ - Sprint 233 Review - Slide DeckManageIQ - Sprint 233 Review - Slide Deck
ManageIQ - Sprint 233 Review - Slide Deck
ManageIQ
 
ManageIQ - Sprint 232 Review - Slide Deck
ManageIQ - Sprint 232 Review - Slide DeckManageIQ - Sprint 232 Review - Slide Deck
ManageIQ - Sprint 232 Review - Slide Deck
ManageIQ
 
ManageIQ - Sprint 231 Review - Slide Deck
ManageIQ - Sprint 231 Review - Slide DeckManageIQ - Sprint 231 Review - Slide Deck
ManageIQ - Sprint 231 Review - Slide Deck
ManageIQ
 
ManageIQ - Sprint 230 Review - Slide Deck
ManageIQ - Sprint 230 Review - Slide DeckManageIQ - Sprint 230 Review - Slide Deck
ManageIQ - Sprint 230 Review - Slide Deck
ManageIQ
 
ManageIQ - Sprint 229 Review - Slide Deck
ManageIQ - Sprint 229 Review - Slide DeckManageIQ - Sprint 229 Review - Slide Deck
ManageIQ - Sprint 229 Review - Slide Deck
ManageIQ
 
ManageIQ - Sprint 228 Review - Slide Deck
ManageIQ - Sprint 228 Review - Slide DeckManageIQ - Sprint 228 Review - Slide Deck
ManageIQ - Sprint 228 Review - Slide Deck
ManageIQ
 
Sprint 227
Sprint 227Sprint 227
Sprint 227
ManageIQ
 
Sprint 226
Sprint 226Sprint 226
Sprint 226
ManageIQ
 
Sprint 225
Sprint 225Sprint 225
Sprint 225
ManageIQ
 
Sprint 224
Sprint 224Sprint 224
Sprint 224
ManageIQ
 
Sprint 223
Sprint 223Sprint 223
Sprint 223
ManageIQ
 
Sprint 222
Sprint 222Sprint 222
Sprint 222
ManageIQ
 
Sprint 221
Sprint 221Sprint 221
Sprint 221
ManageIQ
 
Sprint 220
Sprint 220Sprint 220
Sprint 220
ManageIQ
 
Sprint 219
Sprint 219Sprint 219
Sprint 219
ManageIQ
 
Sprint 218
Sprint 218Sprint 218
Sprint 218
ManageIQ
 

More from ManageIQ (20)

ManageIQ - Sprint 237 Review - Slide Deck
ManageIQ - Sprint 237 Review - Slide DeckManageIQ - Sprint 237 Review - Slide Deck
ManageIQ - Sprint 237 Review - Slide Deck
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide Deck
 
ManageIQ - Sprint 235 Review - Slide Deck
ManageIQ - Sprint 235 Review - Slide DeckManageIQ - Sprint 235 Review - Slide Deck
ManageIQ - Sprint 235 Review - Slide Deck
 
ManageIQ - Sprint 234 Review - Slide Deck
ManageIQ - Sprint 234 Review - Slide DeckManageIQ - Sprint 234 Review - Slide Deck
ManageIQ - Sprint 234 Review - Slide Deck
 
ManageIQ - Sprint 233 Review - Slide Deck
ManageIQ - Sprint 233 Review - Slide DeckManageIQ - Sprint 233 Review - Slide Deck
ManageIQ - Sprint 233 Review - Slide Deck
 
ManageIQ - Sprint 232 Review - Slide Deck
ManageIQ - Sprint 232 Review - Slide DeckManageIQ - Sprint 232 Review - Slide Deck
ManageIQ - Sprint 232 Review - Slide Deck
 
ManageIQ - Sprint 231 Review - Slide Deck
ManageIQ - Sprint 231 Review - Slide DeckManageIQ - Sprint 231 Review - Slide Deck
ManageIQ - Sprint 231 Review - Slide Deck
 
ManageIQ - Sprint 230 Review - Slide Deck
ManageIQ - Sprint 230 Review - Slide DeckManageIQ - Sprint 230 Review - Slide Deck
ManageIQ - Sprint 230 Review - Slide Deck
 
ManageIQ - Sprint 229 Review - Slide Deck
ManageIQ - Sprint 229 Review - Slide DeckManageIQ - Sprint 229 Review - Slide Deck
ManageIQ - Sprint 229 Review - Slide Deck
 
ManageIQ - Sprint 228 Review - Slide Deck
ManageIQ - Sprint 228 Review - Slide DeckManageIQ - Sprint 228 Review - Slide Deck
ManageIQ - Sprint 228 Review - Slide Deck
 
Sprint 227
Sprint 227Sprint 227
Sprint 227
 
Sprint 226
Sprint 226Sprint 226
Sprint 226
 
Sprint 225
Sprint 225Sprint 225
Sprint 225
 
Sprint 224
Sprint 224Sprint 224
Sprint 224
 
Sprint 223
Sprint 223Sprint 223
Sprint 223
 
Sprint 222
Sprint 222Sprint 222
Sprint 222
 
Sprint 221
Sprint 221Sprint 221
Sprint 221
 
Sprint 220
Sprint 220Sprint 220
Sprint 220
 
Sprint 219
Sprint 219Sprint 219
Sprint 219
 
Sprint 218
Sprint 218Sprint 218
Sprint 218
 

Recently uploaded

Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
fredae14
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
Dinusha Kumarasiri
 
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Jeffrey Haguewood
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Tatiana Kojar
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStrDeep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
saastr
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
Hiike
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Operating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptxOperating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptx
Pravash Chandra Das
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 

Recently uploaded (20)

Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
 
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStrDeep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Operating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptxOperating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptx
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 

Design Summit - Security Roadmap - Keenan Brock, Alberto Bellotti

  • 2. Introductions Alberto Bellotti github: abellotti Keenan Brock github: kbrock twitter: @kbrock
  • 3. Overview ● Definition ● Mechanics ● Components of the system ● Goals ● Demo ● Future
  • 4. Definition: Identity and Trust ● Authentication ○ What is your identity? ● Authorization ○ What do I trust you to do? ● Auditing ○ What did you actually do?
  • 5. Goals: Identity and Trust ● Fewer copies ● Simpler definitions ● Leverage existing definitions ○ identity stores ○ trust profiles
  • 6. Goals: Desired Results ● Simplify appliance configuration ● Simplify access for users (SSO) ● More secure system
  • 7. Accessing Auth* sources Postgres Vmdb Amazon ReST UI/WS Workers IdM/Ldap Kerberos LDAP Apache kerberos sssd/pam Ldap LDAP AD Appliance Console /etc/passwd Terminal Aws Client KDC Appliance IdM
  • 8. Mechanics? ● Client ○ Provides identity ● Server ○ Has a copy of identity ○ Fetch stored identity ○ grant trust
  • 9. What is a Client and Server a system or component that calls another ● User ● Computer ● Component
  • 10. Mechanics: Client’s Identity ● Password ● Kerberos ticket (keytab) ● IP Address ● Client side certificates* ● Saml (SSO)* * future
  • 11. Mechanics - Copy of Identity ● plaintext ● md5 ● aes - symmetric cipher (v2_key) ● id_rsa.pub Goal: protect the identity
  • 12. Mechanics - Fetch Identity ● Postgres table (e.g.: pg_shadow, users) ● host based (firewall) ● Filesystem (e.g.: /etc/passwd) ● LDAP (AD, IdM) ● Kerberos (IdM)* ● Amazon (IAM) ● Certificate Authority* * generated remotely, stored locally
  • 13. Accessing Auth* sources Postgres Vmdb Amazon ReST UI/WS Workers IdM/Ldap Kerberos LDAP Apache kerberos sssd/pam Ldap LDAP AD Appliance Console /etc/passwd Terminal Aws Client KDC Appliance IdM
  • 14. Mechanics - Grant Trust ● same password or md5 ● correct ip / user ● ticket has correct origin
  • 15. IdM/Kerberos SSO Demo ● External Authentication ● Web-UI Login ● ReST API access ● Web-UI SSO Login All using IPA credentials
  • 16. Going forward ● Tighter Authorization of components ● Moving LDAP/AD configuration to console/Apache ● Leveraging Apache/IdM ○ AD ○ SAML ○ 2-Factor Authentication