Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Cloud Native Identity Management Andreas Zitzelsberger, QAware Andrew Jessup, Scytale.io
Once upon a time... Large cloud project for a major company • Hundreds of apps in the cloud • Many more on-prem • Little c...
Where did we start? • Classic approach: 0-trust with TLS / X.509 • Secure • But: Decomposition of applications leads to an...
Let’s take a step back and look at the problem... App A App B Id(A) Trust(A) = {...} Id(B) Trust(B) = {Id(A)} ● Secure Aut...
GlueCon 2016 Joe Beda proposes SPIFFE KubeCon NA 2017 SPIFFE & SPIRE 0.1 are released April 2018 SPIFFE & SPIRE accepted i...
SPIFFE Workload API Workload “Who am I?” “You are spiffe://acme.com/fe And here is your short-lived key to prove it to oth...
SPIRE Workload Attestor Plug-ins Node Attestor Plug-ins Workload API Secure Introduction to other services mTLS JWTs Ident...
Building on top of SPIFFE and SPIRE
SPIRE provides identity, Vault trust App Identity Trust spiffe://trust-domain/app Trusted CAs: ... + Rotating credentials ...
Proper secret rotation is surprisingly hard • Assumption: Keys and certificates are (a) static and (b) provided via files ...
Integrating Vault and SPIRE Transport (TLS) Authentication • Unfriendly to certificate rotation due to unseal process • So...
TLS App CloudId Lib Java SPIRE Agent java.security Workload API Vault Piecing it all together TLS ● SVID as Server Certifi...
https://github.com/qaware/cloudid-showcaseDemo time
Our next steps...
Further exploration • Use the SPIFFE Id for tracing and correlating logs • Interaction with other service meshes • Connect...
SPIRE Server SPIRE Server Peering Cloud Region 1 Cloud Region 2
Summary
There’s a lot of infrastructure...
… exposed with a single line of code.
The configuration effort is reduced to the actual business problem ● Specify who is who ● Specify who is allowed to talk t...
spiffe.io | github.com/spiffe | slack.spiffe.io May 2 (Today) May 3 (Tomorrow) May 4 (Friday) TheNewStack Pancake Breakfas...
Thank You! @andreasz82 Andreas Zitzelsberger @whenfalse Andrew Jessup Special thanks to Christian Fritz QAware Roman Buchh...
Cloud Native Identity Management
Upcoming SlideShare
Loading in …5
×
Upcoming SlideShare
What to Upload to SlideShare
Next
Download to read offline and view in fullscreen.
Software
May. 02, 2018
871 views

1

Share

Download to read offline

Cloud Native Identity Management

Download to read offline

Software
May. 02, 2018
871 views

KubeCon + CloudNativeCon Europe 2018, Copenhagen (Denmark): Talk by Andrew Jessup (@whenfalse, co-founder of & Head of Product at Skytale) and Andreas Zitzelsberger (@andreasz82, Principal Software Architect at QAware)

Abstract:
Identity Management (IDM) incorporates a definition of identity, authentication and authorization. Cloud native workload IDM is necessary to protect against an untrusted network and compromised or rogue workloads. As organisations start to take advantage of elastic scaling and dynamic scheduling IDM becomes more important, and more challenging.
This talk will examine how we are working to solve these challenges in a large cloud project at a major insurance company. We’ll describe a real world architecture, built on the SPIFFE standard, open-source software including SPIRE and Vault and a sprinkle of custom code to provide workload authentication and authorization, zero-trust networking and rotating secrets.
And finally we’ll discuss how this solution can also serve as the foundation for more security policy and traffic management capabilities based on technologies like Envoy and Istio.

============================================
Watch the video of this talk: https://youtu.be/eCLTdSp4JzE

Recommended

Related Books

Free with a 30 day trial from Scribd

See all
The Impulse Economy: Understanding Mobile Shoppers and What Makes Them Buy Gary Schwartz
(4.5/5)
Free
Tubes: A Journey to the Center of the Internet Andrew Blum
(4/5)
Free
Emergence: The Connected Lives of Ants, Brains, Cities, and Software Steven Johnson
(4.5/5)
Free
World Wide Mind: The Coming Integration of Humanity, Machines, and the Internet Michael Chorost
(4/5)
Free
An Army of Davids: How Markets and Technology Empower Ordinary People to Beat Big Media, Big Government, and Other Goliaths Glenn Reynolds
(4/5)
Free
In the Plex: How Google Thinks, Works, and Shapes Our Lives Steven Levy
(4.5/5)
Free
Hamlet's BlackBerry: A Practical Philosophy for Building a Good Life in the Digital Age William Powers
(4/5)
Free
The Thank You Economy Gary Vaynerchuk
(4/5)
Free
Talking Back to Facebook: The Common Sense Guide to Raising Kids in the Digital Age James P. Steyer
(4.5/5)
Free
Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live Jeff Jarvis
(3.5/5)
Free
The Nature of the Future: Dispatches from the Socialstructed World Marina Gorbis
(4/5)
Free
Socialnomics: How Social Media Transforms the Way We Live and Do Business Erik Qualman
(3/5)
Free
The End of Business As Usual: Rewire the Way You Work to Succeed in the Consumer Revolution Brian Solis
(5/5)
Free
Blog Schmog: The Truth About What Blogs Can (and Can't) Do for Your Business Robert W. Bly
(4/5)
Free
From Counterculture to Cyberculture: Stewart Brand, the Whole Earth Network, and the Rise of Digital Utopianism Fred Turner
(2.5/5)
Free
101 Awesome Builds: Minecraft®™ Secrets from the World's Greatest Crafters Triumph Books
(4/5)
Free

Related Audiobooks

Free with a 30 day trial from Scribd

See all
The New New Thing: A Silicon Valley Story Bruce Reizen
(4.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community that Will Listen Kristen Meinzer
(4.5/5)
Free
Cognitive Surplus: Creativity and Generosity in a Connected Age Clay Shirky
(3.5/5)
Free
The Dark Net: Inside the Digital Underworld Jamie Bartlett
(3.5/5)
Free
Who Owns the Future? Jaron Lanier
(4/5)
Free
An Introduction to Information Theory: Symbols, Signals and Noise John R. Pierce
(4.5/5)
Free
Kill All Normies: Online Culture Wars From 4Chan And Tumblr To Trump And The Alt-Right Angela Nagle
(4/5)
Free
The Art of Social Media: Power Tips for Power Users Guy Kawasaki
(4/5)
Free
Algorithms to Live By: The Computer Science of Human Decisions Tom Griffiths
(4.5/5)
Free
Alone Together: Why We Expect More from Technology and Less from Each Other Sherry Turkle
(4/5)
Free
The Death of Expertise: The Campaign Against Established Knowledge and Why it Matters Tom Nichols
(4.5/5)
Free
The Emperor's New Mind: Concerning Computers, Minds, and the Laws of Physics Roger Penrose
(3.5/5)
Free
Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World Don Tapscott
(4/5)
Free
New Dark Age: Technology and the End of the Future James Bridle
(4.5/5)
Free
The History of the Future: Oculus, Facebook, and the Revolution That Swept Virtual Reality Blake J. Harris
(4.5/5)
Free

Cloud Native Identity Management

  1. 1. Cloud Native Identity Management Andreas Zitzelsberger, QAware Andrew Jessup, Scytale.io
  2. 2. Once upon a time... Large cloud project for a major company • Hundreds of apps in the cloud • Many more on-prem • Little centralized control • Strict legal requirements • Strict security requirements The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications to Kubernetes, Josef Adersberger, KubeCon 2017 https://bit.ly/2JZNRHw
  3. 3. Where did we start? • Classic approach: 0-trust with TLS / X.509 • Secure • But: Decomposition of applications leads to an explosion of trust relations • Hard to manage at scale • Complex and error-prone • Also, no secret rotation
  4. 4. Let’s take a step back and look at the problem... App A App B Id(A) Trust(A) = {...} Id(B) Trust(B) = {Id(A)} ● Secure Authentication and Authorization ● Scale ● Dynamicity ● Manageability ● Secret rotation ● Interoperability ● Hybrid cloud
  5. 5. GlueCon 2016 Joe Beda proposes SPIFFE KubeCon NA 2017 SPIFFE & SPIRE 0.1 are released April 2018 SPIFFE & SPIRE accepted into the CNCF Circa 2005 Google develops the Low Overhead Authentication Service 11th USENIX Security Symposium (2002) Plan9 security design published
  6. 6. SPIFFE Workload API Workload “Who am I?” “You are spiffe://acme.com/fe And here is your short-lived key to prove it to others.”
  7. 7. SPIRE Workload Attestor Plug-ins Node Attestor Plug-ins Workload API Secure Introduction to other services mTLS JWTs Identity for proxy services Linux Windows OS X YubiKey HSM providersAzure GCP Kubernetes Mesosphere Join Token AWS Kerberos Simplify deployment of distributed systems CoreWorkloadPlatform gRPC
  8. 8. Building on top of SPIFFE and SPIRE
  9. 9. SPIRE provides identity, Vault trust App Identity Trust spiffe://trust-domain/app Trusted CAs: ... + Rotating credentials for Databases, RabbitMQ, … + Secrets spiffe://.../app-1 -> spiffe://.../app-2 spiffe://.../app-1 -> spiffe://.../app-3 spiffe://.../app-2 -> spiffe://.../app-3 ... Trusted CAs
  10. 10. Proper secret rotation is surprisingly hard • Assumption: Keys and certificates are (a) static and (b) provided via files • Python (with Flask) app.run(ssl_context=( 'cert.pem', 'key.pem')) • Go (GRPC with TLS) credentials.NewServerTLSFromFile(crt, key) • Also Envoy, Nginx, … • Java -Djavax.net.ssl.trustStore=... -Djavax.net.ssl.keyStore=... • But Java has the java.security API • Certificates and keys can be rotated online (if the API is used properly)
  11. 11. Integrating Vault and SPIRE Transport (TLS) Authentication • Unfriendly to certificate rotation due to unseal process • Solution: Put Vault alongside SPIRE in the same PKI App Authentication • Previously unable to validate URI SANs because Go up to 1.9 lacked support • Works from Vault 0.10.2 on (PR #4231) • Solution: Sidecar regularly updates the trusted auth certificate with the SPIRE CA
  12. 12. TLS App CloudId Lib Java SPIRE Agent java.security Workload API Vault Piecing it all together TLS ● SVID as Server Certificate ● Client cryptographically checked against trusted bundles ● Client Ids checked against ACL ● SVID as Client Certificate ● Servers cryptographically checked against trusted bundles ● Server Ids checked against ACL Integration at application level. Alternative: Use an ambassador proxy See https://github.com/spiffe/spiffe-example for examples with Envoy and Ghosttunnel
  13. 13. https://github.com/qaware/cloudid-showcaseDemo time
  14. 14. Our next steps...
  15. 15. Further exploration • Use the SPIFFE Id for tracing and correlating logs • Interaction with other service meshes • Connect workload and user identities • Federation and hybrid cloud
  16. 16. SPIRE Server SPIRE Server Peering Cloud Region 1 Cloud Region 2
  17. 17. Summary
  18. 18. There’s a lot of infrastructure...
  19. 19. … exposed with a single line of code.
  20. 20. The configuration effort is reduced to the actual business problem ● Specify who is who ● Specify who is allowed to talk to whom
  21. 21. spiffe.io | github.com/spiffe | slack.spiffe.io May 2 (Today) May 3 (Tomorrow) May 4 (Friday) TheNewStack Pancake Breakfast talks SPIFFE 7.30am SPIFFE Project Intro 4.25pm SPIFFE Deep Dive (Scytale) 2pm Panel: App Security Requires Containers 4.25pm
  22. 22. Thank You! @andreasz82 Andreas Zitzelsberger @whenfalse Andrew Jessup Special thanks to Christian Fritz QAware Roman Buchholz QAware Evan Gilman Syctale.io Nic Jackson Hashicorp

  • az82

    Jan. 11, 2020

KubeCon + CloudNativeCon Europe 2018, Copenhagen (Denmark): Talk by Andrew Jessup (@whenfalse, co-founder of & Head of Product at Skytale) and Andreas Zitzelsberger (@andreasz82, Principal Software Architect at QAware) Abstract: Identity Management (IDM) incorporates a definition of identity, authentication and authorization. Cloud native workload IDM is necessary to protect against an untrusted network and compromised or rogue workloads. As organisations start to take advantage of elastic scaling and dynamic scheduling IDM becomes more important, and more challenging. This talk will examine how we are working to solve these challenges in a large cloud project at a major insurance company. We’ll describe a real world architecture, built on the SPIFFE standard, open-source software including SPIRE and Vault and a sprinkle of custom code to provide workload authentication and authorization, zero-trust networking and rotating secrets. And finally we’ll discuss how this solution can also serve as the foundation for more security policy and traffic management capabilities based on technologies like Envoy and Istio. ============================================ Watch the video of this talk: https://youtu.be/eCLTdSp4JzE

Views

Total views

871

On Slideshare

0

From embeds

0

Number of embeds

1

Actions

Downloads

16

Shares

0

Comments

0

Likes

1

×