Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Cloud Native Identity Management


Published on

KubeCon + CloudNativeCon Europe 2018, Copenhagen (Denmark): Talk by Andrew Jessup (@whenfalse, co-founder of & Head of Product at Skytale) and Andreas Zitzelsberger (@andreasz82, Principal Software Architect at QAware)

Identity Management (IDM) incorporates a definition of identity, authentication and authorization. Cloud native workload IDM is necessary to protect against an untrusted network and compromised or rogue workloads. As organisations start to take advantage of elastic scaling and dynamic scheduling IDM becomes more important, and more challenging.
This talk will examine how we are working to solve these challenges in a large cloud project at a major insurance company. We’ll describe a real world architecture, built on the SPIFFE standard, open-source software including SPIRE and Vault and a sprinkle of custom code to provide workload authentication and authorization, zero-trust networking and rotating secrets.
And finally we’ll discuss how this solution can also serve as the foundation for more security policy and traffic management capabilities based on technologies like Envoy and Istio.

Watch the video of this talk:

Published in: Software
  • Be the first to comment

Cloud Native Identity Management

  1. 1. Cloud Native Identity Management Andreas Zitzelsberger, QAware Andrew Jessup,
  2. 2. Once upon a time... Large cloud project for a major company • Hundreds of apps in the cloud • Many more on-prem • Little centralized control • Strict legal requirements • Strict security requirements The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications to Kubernetes, Josef Adersberger, KubeCon 2017
  3. 3. Where did we start? • Classic approach: 0-trust with TLS / X.509 • Secure • But: Decomposition of applications leads to an explosion of trust relations • Hard to manage at scale • Complex and error-prone • Also, no secret rotation
  4. 4. Let’s take a step back and look at the problem... App A App B Id(A) Trust(A) = {...} Id(B) Trust(B) = {Id(A)} ● Secure Authentication and Authorization ● Scale ● Dynamicity ● Manageability ● Secret rotation ● Interoperability ● Hybrid cloud
  5. 5. GlueCon 2016 Joe Beda proposes SPIFFE KubeCon NA 2017 SPIFFE & SPIRE 0.1 are released April 2018 SPIFFE & SPIRE accepted into the CNCF Circa 2005 Google develops the Low Overhead Authentication Service 11th USENIX Security Symposium (2002) Plan9 security design published
  6. 6. SPIFFE Workload API Workload “Who am I?” “You are spiffe:// And here is your short-lived key to prove it to others.”
  7. 7. SPIRE Workload Attestor Plug-ins Node Attestor Plug-ins Workload API Secure Introduction to other services mTLS JWTs Identity for proxy services Linux Windows OS X YubiKey HSM providersAzure GCP Kubernetes Mesosphere Join Token AWS Kerberos Simplify deployment of distributed systems CoreWorkloadPlatform gRPC
  8. 8. Building on top of SPIFFE and SPIRE
  9. 9. SPIRE provides identity, Vault trust App Identity Trust spiffe://trust-domain/app Trusted CAs: ... + Rotating credentials for Databases, RabbitMQ, … + Secrets spiffe://.../app-1 -> spiffe://.../app-2 spiffe://.../app-1 -> spiffe://.../app-3 spiffe://.../app-2 -> spiffe://.../app-3 ... Trusted CAs
  10. 10. Proper secret rotation is surprisingly hard • Assumption: Keys and certificates are (a) static and (b) provided via files • Python (with Flask) 'cert.pem', 'key.pem')) • Go (GRPC with TLS) credentials.NewServerTLSFromFile(crt, key) • Also Envoy, Nginx, … • Java • But Java has the API • Certificates and keys can be rotated online (if the API is used properly)
  11. 11. Integrating Vault and SPIRE Transport (TLS) Authentication • Unfriendly to certificate rotation due to unseal process • Solution: Put Vault alongside SPIRE in the same PKI App Authentication • Previously unable to validate URI SANs because Go up to 1.9 lacked support • Works from Vault 0.10.2 on (PR #4231) • Solution: Sidecar regularly updates the trusted auth certificate with the SPIRE CA
  12. 12. TLS App CloudId Lib Java SPIRE Agent Workload API Vault Piecing it all together TLS ● SVID as Server Certificate ● Client cryptographically checked against trusted bundles ● Client Ids checked against ACL ● SVID as Client Certificate ● Servers cryptographically checked against trusted bundles ● Server Ids checked against ACL Integration at application level. Alternative: Use an ambassador proxy See for examples with Envoy and Ghosttunnel
  13. 13. time
  14. 14. Our next steps...
  15. 15. Further exploration • Use the SPIFFE Id for tracing and correlating logs • Interaction with other service meshes • Connect workload and user identities • Federation and hybrid cloud
  16. 16. SPIRE Server SPIRE Server Peering Cloud Region 1 Cloud Region 2
  17. 17. Summary
  18. 18. There’s a lot of infrastructure...
  19. 19. … exposed with a single line of code.
  20. 20. The configuration effort is reduced to the actual business problem ● Specify who is who ● Specify who is allowed to talk to whom
  21. 21. | | May 2 (Today) May 3 (Tomorrow) May 4 (Friday) TheNewStack Pancake Breakfast talks SPIFFE 7.30am SPIFFE Project Intro 4.25pm SPIFFE Deep Dive (Scytale) 2pm Panel: App Security Requires Containers 4.25pm
  22. 22. Thank You! @andreasz82 Andreas Zitzelsberger @whenfalse Andrew Jessup Special thanks to Christian Fritz QAware Roman Buchholz QAware Evan Gilman Nic Jackson Hashicorp