Successfully reported this slideshow.
Your SlideShare is downloading. ×

Cloud Native Identity Management

May. 02, 2018
1 like 959 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
ROSIK Stammtisch „Clean Architecture“
ROSIK Stammtisch „Clean Architecture“
Loading in …3
×

Check these out next

Anwendungsübergreifende Authentifizierung: Integrations-Pattern für OpenID Co...
QAware GmbH
Wie baue ich eine Spring Boot Library
QAware GmbH
Anwendungsübergreifende Authentifizierung: Integrations-Pattern für OpenID Co...
QAware GmbH
The Path to Green Enterprise Applications
QAware GmbH
Time to Shift Left - Unkomplizierte Security Tools und Technologien für den E...
QAware GmbH
Quadratisch. Praktisch. Gut. K8s-native Quality Assurance mit Testkube
QAware GmbH
Observability: Der Schlüssel für Threat Detection, Mitigation und Analyse
QAware GmbH
Quadratisch. Praktisch. Gut. K8s-native Quality Assurance mit Testkube @ JCON22
QAware GmbH
1 of 23 Ad

Cloud Native Identity Management

May. 02, 2018
1 like 959 views

Download to read offline

Software

KubeCon + CloudNativeCon Europe 2018, Copenhagen (Denmark): Talk by Andrew Jessup (@whenfalse, co-founder of & Head of Product at Skytale) and Andreas Zitzelsberger (@andreasz82, Principal Software Architect at QAware)

Abstract:
Identity Management (IDM) incorporates a definition of identity, authentication and authorization. Cloud native workload IDM is necessary to protect against an untrusted network and compromised or rogue workloads. As organisations start to take advantage of elastic scaling and dynamic scheduling IDM becomes more important, and more challenging.
This talk will examine how we are working to solve these challenges in a large cloud project at a major insurance company. We’ll describe a real world architecture, built on the SPIFFE standard, open-source software including SPIRE and Vault and a sprinkle of custom code to provide workload authentication and authorization, zero-trust networking and rotating secrets.
And finally we’ll discuss how this solution can also serve as the foundation for more security policy and traffic management capabilities based on technologies like Envoy and Istio.

============================================
Watch the video of this talk: https://youtu.be/eCLTdSp4JzE

KubeCon + CloudNativeCon Europe 2018, Copenhagen (Denmark): Talk by Andrew Jessup (@whenfalse, co-founder of & Head of Product at Skytale) and Andreas Zitzelsberger (@andreasz82, Principal Software Architect at QAware)

Abstract:
Identity Management (IDM) incorporates a definition of identity, authentication and authorization. Cloud native workload IDM is necessary to protect against an untrusted network and compromised or rogue workloads. As organisations start to take advantage of elastic scaling and dynamic scheduling IDM becomes more important, and more challenging.
This talk will examine how we are working to solve these challenges in a large cloud project at a major insurance company. We’ll describe a real world architecture, built on the SPIFFE standard, open-source software including SPIRE and Vault and a sprinkle of custom code to provide workload authentication and authorization, zero-trust networking and rotating secrets.
And finally we’ll discuss how this solution can also serve as the foundation for more security policy and traffic management capabilities based on technologies like Envoy and Istio.

============================================
Watch the video of this talk: https://youtu.be/eCLTdSp4JzE

Software
Advertisement

Recommended

ROSIK Stammtisch „Clean Architecture“
QAware GmbH
22 views
24 slides
Terraform Everything
QAware GmbH
27 views
22 slides
Continuous OpenAPI Security Tests on K8s with Testkube and ZAP
QAware GmbH
21 views
14 slides
Clean Architecture
QAware GmbH
22 views
42 slides
kubectl apply -f cloud-Infrastructure.yaml mit Crossplane et al.pdf
QAware GmbH
22 views
27 slides
kubectl apply -f cloud-Infrastructure.yaml mit Crossplane et al.
QAware GmbH
23 views
26 slides
Cluster-as-code. The Many Ways towards Kubernetes
QAware GmbH
23 views
20 slides
Quadratisch. Praktisch. Gut. K8s-native Quality Assurance mit Testkube
QAware GmbH
19 views
19 slides
Advertisement

More Related Content

More from QAware GmbH (20)

Anwendungsübergreifende Authentifizierung: Integrations-Pattern für OpenID Co...
QAware GmbH
25 views
Wie baue ich eine Spring Boot Library
QAware GmbH
24 views
Anwendungsübergreifende Authentifizierung: Integrations-Pattern für OpenID Co...
QAware GmbH
32 views
The Path to Green Enterprise Applications
QAware GmbH
20 views
Time to Shift Left - Unkomplizierte Security Tools und Technologien für den E...
QAware GmbH
15 views
Quadratisch. Praktisch. Gut. K8s-native Quality Assurance mit Testkube
QAware GmbH
28 views
Observability: Der Schlüssel für Threat Detection, Mitigation und Analyse
QAware GmbH
18 views
Quadratisch. Praktisch. Gut. K8s-native Quality Assurance mit Testkube @ JCON22
QAware GmbH
19 views
Caching mit Spring Boot - Pain & Gain @ JCON22
QAware GmbH
18 views
Cloud native IPC for Microservices Workshop @ Containerdays 2022
QAware GmbH
11 views
K8s-native Daten-Pipelines mit Argo Workflows und Events
QAware GmbH
19 views
K8s-native Infrastructure as Code: einfach, deklarativ, produktiv
QAware GmbH
59 views
Cloud Observability mit Loki, Prometheus, Tempo und Grafana
QAware GmbH
128 views
Cluster-as-code. The Many Ways towards Kubernetes
QAware GmbH
38 views
Integrations-Pattern für OpenID Connect
QAware GmbH
26 views
Cloud Infrastructure with Crossplane
QAware GmbH
64 views
REST in Peace. Long live gRPC!
QAware GmbH
207 views
Micro Frontends mit Web Components.pdf
QAware GmbH
199 views
REST in Peace. Long live gRPC!
QAware GmbH
202 views
REST in Peace. Long live gRPC!
QAware GmbH
145 views
Anwendungsübergreifende Authentifizierung: Integrations-Pattern für OpenID Co...
QAware GmbH
25 views
38 slides
Wie baue ich eine Spring Boot Library
QAware GmbH
24 views
15 slides
Anwendungsübergreifende Authentifizierung: Integrations-Pattern für OpenID Co...
QAware GmbH
32 views
38 slides
The Path to Green Enterprise Applications
QAware GmbH
20 views
44 slides
Time to Shift Left - Unkomplizierte Security Tools und Technologien für den E...
QAware GmbH
15 views
24 slides
Quadratisch. Praktisch. Gut. K8s-native Quality Assurance mit Testkube
QAware GmbH
28 views
18 slides

Recently uploaded (20)

Robotics technical Presentation
klepsydratechnologie
4 views
DRHA KPLIFE BOOTCAMP.pptx
Kinetic Potential
13 views
Re-engineering Technology to break barriers with Business
XPDays
8 views
quickbooks quickbase integration.pdf
johnclintonn
0 views
ADCSS 2022
klepsydratechnologie
4 views
Cpp Study Jam
MuhammadHaseeb53015
0 views
salesforce services cloud
Ashapura Softech INC
3 views
GRID TECH..pptx
ANANT SONI
0 views
Agile Estimation Techniques.pptx
Priyanka Gurnani
0 views
FOR CENTOS.pptx
Taseen Ali
0 views
complete web service1.ppt
Dr.Saranya K.G
2 views
Masako Katsura Age 7.pdf
News Recoder
4 views
11 Accounting Events.ppt
SaleemAhmed20707
0 views
SQA.ppt
Dr.Saranya K.G
1 view
l3bw_internet&web.ppt
SharaafNazeer
0 views
operating system ppt..pptx
Ajaykumar839005
3 views
RISC V in Spacer
klepsydratechnologie
3 views
Maximizing Business Efficiency and Reducing Waste with Data Integration
Safe Software
102 views
DBMS2_topic2.pptx
MelanieRodas6
1 view
Introducing the Carbon Intensity API
RickButterfield5
8 views
Robotics technical Presentation
klepsydratechnologie
4 views
35 slides
DRHA KPLIFE BOOTCAMP.pptx
Kinetic Potential
13 views
37 slides
Re-engineering Technology to break barriers with Business
XPDays
8 views
26 slides
quickbooks quickbase integration.pdf
johnclintonn
0 views
3 slides
ADCSS 2022
klepsydratechnologie
4 views
42 slides
Cpp Study Jam
MuhammadHaseeb53015
0 views
13 slides
Advertisement

Cloud Native Identity Management

  1. 1. Cloud Native Identity Management Andreas Zitzelsberger, QAware Andrew Jessup, Scytale.io
  2. 2. Once upon a time... Large cloud project for a major company • Hundreds of apps in the cloud • Many more on-prem • Little centralized control • Strict legal requirements • Strict security requirements The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications to Kubernetes, Josef Adersberger, KubeCon 2017 https://bit.ly/2JZNRHw
  3. 3. Where did we start? • Classic approach: 0-trust with TLS / X.509 • Secure • But: Decomposition of applications leads to an explosion of trust relations • Hard to manage at scale • Complex and error-prone • Also, no secret rotation
  4. 4. Let’s take a step back and look at the problem... App A App B Id(A) Trust(A) = {...} Id(B) Trust(B) = {Id(A)} ● Secure Authentication and Authorization ● Scale ● Dynamicity ● Manageability ● Secret rotation ● Interoperability ● Hybrid cloud
  5. 5. GlueCon 2016 Joe Beda proposes SPIFFE KubeCon NA 2017 SPIFFE & SPIRE 0.1 are released April 2018 SPIFFE & SPIRE accepted into the CNCF Circa 2005 Google develops the Low Overhead Authentication Service 11th USENIX Security Symposium (2002) Plan9 security design published
  6. 6. SPIFFE Workload API Workload “Who am I?” “You are spiffe://acme.com/fe And here is your short-lived key to prove it to others.”
  7. 7. SPIRE Workload Attestor Plug-ins Node Attestor Plug-ins Workload API Secure Introduction to other services mTLS JWTs Identity for proxy services Linux Windows OS X YubiKey HSM providersAzure GCP Kubernetes Mesosphere Join Token AWS Kerberos Simplify deployment of distributed systems CoreWorkloadPlatform gRPC
  8. 8. Building on top of SPIFFE and SPIRE
  9. 9. SPIRE provides identity, Vault trust App Identity Trust spiffe://trust-domain/app Trusted CAs: ... + Rotating credentials for Databases, RabbitMQ, … + Secrets spiffe://.../app-1 -> spiffe://.../app-2 spiffe://.../app-1 -> spiffe://.../app-3 spiffe://.../app-2 -> spiffe://.../app-3 ... Trusted CAs
  10. 10. Proper secret rotation is surprisingly hard • Assumption: Keys and certificates are (a) static and (b) provided via files • Python (with Flask) app.run(ssl_context=( 'cert.pem', 'key.pem')) • Go (GRPC with TLS) credentials.NewServerTLSFromFile(crt, key) • Also Envoy, Nginx, … • Java -Djavax.net.ssl.trustStore=... -Djavax.net.ssl.keyStore=... • But Java has the java.security API • Certificates and keys can be rotated online (if the API is used properly)
  11. 11. Integrating Vault and SPIRE Transport (TLS) Authentication • Unfriendly to certificate rotation due to unseal process • Solution: Put Vault alongside SPIRE in the same PKI App Authentication • Previously unable to validate URI SANs because Go up to 1.9 lacked support • Works from Vault 0.10.2 on (PR #4231) • Solution: Sidecar regularly updates the trusted auth certificate with the SPIRE CA
  12. 12. TLS App CloudId Lib Java SPIRE Agent java.security Workload API Vault Piecing it all together TLS ● SVID as Server Certificate ● Client cryptographically checked against trusted bundles ● Client Ids checked against ACL ● SVID as Client Certificate ● Servers cryptographically checked against trusted bundles ● Server Ids checked against ACL Integration at application level. Alternative: Use an ambassador proxy See https://github.com/spiffe/spiffe-example for examples with Envoy and Ghosttunnel
  13. 13. https://github.com/qaware/cloudid-showcaseDemo time
  14. 14. Our next steps...
  15. 15. Further exploration • Use the SPIFFE Id for tracing and correlating logs • Interaction with other service meshes • Connect workload and user identities • Federation and hybrid cloud
  16. 16. SPIRE Server SPIRE Server Peering Cloud Region 1 Cloud Region 2
  17. 17. Summary
  18. 18. There’s a lot of infrastructure...
  19. 19. … exposed with a single line of code.
  20. 20. The configuration effort is reduced to the actual business problem ● Specify who is who ● Specify who is allowed to talk to whom
  21. 21. spiffe.io | github.com/spiffe | slack.spiffe.io May 2 (Today) May 3 (Tomorrow) May 4 (Friday) TheNewStack Pancake Breakfast talks SPIFFE 7.30am SPIFFE Project Intro 4.25pm SPIFFE Deep Dive (Scytale) 2pm Panel: App Security Requires Containers 4.25pm
  22. 22. Thank You! @andreasz82 Andreas Zitzelsberger @whenfalse Andrew Jessup Special thanks to Christian Fritz QAware Roman Buchholz QAware Evan Gilman Syctale.io Nic Jackson Hashicorp

×