Seattle | September 16-17, 2019
Decentralized Authorization
Sitaraman Lakshminarayanan
Am I Authorized to speak about this topic? OR whoami?
• Subject – Sitaraman (Ram) Lakshminarayanan
• Resources – I work for Pure Storage as Sr Security Architect
• Actions – Author, Web Services Security; Co-Author, ASP.NET Security
• Other Attributes: Twitter: @Lsitaraman, Exp: 20 years, can speak Role-Based
and Fine-Grained Authorization semantics among other things.
Why talk about Authorization here?
• Security teams are always in the mix between Developers / Operations /
Customers / PMs.
• Let's not just ask questions; provide solutions.
• Just pointing in the right direction is a big favor to developers.
What is Authorization?
Subject – User / Application
Resource – Web App, API, or any feature of your App
Action – Read, Write, Delete, Approve, Deny, etc.
Is the Subject (user or application) allowed to perform the said Action on a Resource?
Role Based Access Control – one form of AuthZ
(diagram: Group, Role, Resources, Actions)
Developer's view of Implementing RBAC
If Role == "Manager|Admin"
{
  return True;
}
Something along those lines..
- Rules are hard-coded in the application: the code names the roles, so
  changing what a role may do means a code change.
- Implementation varies between teams / stacks.
Dev-Sec-Ops
Developer – implements the AuthZ logic.
Security – wants to verify that you can enforce "need to know" / least
privilege.
Ops – wants to make sure everything is running and a deployment doesn't take
hours.
When the Security Team reviews the code/deployment
Security: Can I change what this role (Manager or Admin) can do?
Developer: ?? Why??
Security:
1. Our policy
2. Too much privilege for role XYZ (e.g. Manager)
3. Separation of duties
How would a Developer re-design RBAC?
(diagram: Group, Role, Permission, Resource+Action; a Permission is a
Resource+Action pair, and Roles are mapped to Permissions)
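The redesign above, as an added example that is not part of the deck: the "Developer's view" check hard-codes role names, whereas here roles, permissions, group memberships and the Resource+Action pairs are data, so a security reviewer can ask what a Manager can do, revoke an over-privileged permission or check separation of duties without a code change. All roles, groups, users and resources in the JSON are constructed sample data.

```python
"""Role -> Permission -> (Resource, Action), held as data instead of code.

Added example for this deck, not the speaker's code. Every name below
(roles, groups, users, resources) is constructed sample data.
"""
import json
from dataclasses import dataclass

Grant = tuple[str, str]  # (resource, action)


# The "before": permissions baked into code. Changing what a Manager may do
# means editing and redeploying this function, and each team writes its own.
def hardcoded_allow(role: str) -> bool:
    return role in ("Manager", "Admin")


@dataclass
class AuthzData:
    permissions: dict[str, set[Grant]]      # permission name -> grants
    role_permissions: dict[str, set[str]]   # role -> permission names
    group_roles: dict[str, set[str]]        # group -> roles
    user_groups: dict[str, set[str]]        # user -> groups

    @classmethod
    def from_json(cls, text: str) -> "AuthzData":
        raw = json.loads(text)
        return cls(
            permissions={p: {tuple(g) for g in gs} for p, gs in raw["permissions"].items()},
            role_permissions={r: set(v) for r, v in raw["role_permissions"].items()},
            group_roles={g: set(v) for g, v in raw["group_roles"].items()},
            user_groups={u: set(v) for u, v in raw["user_groups"].items()},
        )

    def roles_of(self, user: str) -> set[str]:
        roles: set[str] = set()
        for group in self.user_groups.get(user, set()):
            roles |= self.group_roles.get(group, set())
        return roles

    def effective_grants(self, user: str) -> set[Grant]:
        """Everything the user may do; the first thing a security review asks for."""
        grants: set[Grant] = set()
        for role in self.roles_of(user):
            for perm in self.role_permissions.get(role, set()):
                grants |= self.permissions.get(perm, set())
        return grants

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        # Deny by default: unknown users, groups, roles and permissions grant nothing.
        return (resource, action) in self.effective_grants(user)

    def roles_granting(self, resource: str, action: str) -> set[str]:
        """Who can do this? Answers "is approve too much privilege for Manager?"."""
        return {
            role for role, perms in self.role_permissions.items()
            if any((resource, action) in self.permissions.get(p, set()) for p in perms)
        }

    def revoke(self, role: str, permission: str) -> None:
        """The security team's fix for an over-privileged role: a data change."""
        self.role_permissions.get(role, set()).discard(permission)


def sod_violations(data: AuthzData, first: Grant, second: Grant) -> set[str]:
    """Separation of duties: users who hold both of two conflicting grants."""
    return {u for u in data.user_groups if {first, second} <= data.effective_grants(u)}


# Constructed sample data; in production this is a file or a service, not code.
SAMPLE_DATA = """
{
  "permissions": {
    "expense.read":    [["expense", "read"]],
    "expense.submit":  [["expense", "write"]],
    "expense.approve": [["expense", "approve"]],
    "user.admin":      [["user", "read"], ["user", "write"], ["user", "delete"]]
  },
  "role_permissions": {
    "Employee": ["expense.read", "expense.submit"],
    "Manager":  ["expense.read", "expense.approve"],
    "Admin":    ["user.admin"]
  },
  "group_roles": {"eng": ["Employee"], "eng-mgmt": ["Employee", "Manager"], "it-ops": ["Admin"]},
  "user_groups": {"alice": ["eng"], "bob": ["eng-mgmt"], "carol": ["it-ops"]}
}
"""

if __name__ == "__main__":
    data = AuthzData.from_json(SAMPLE_DATA)
    print(sorted(data.roles_granting("expense", "approve")))
    print(sod_violations(data, ("expense", "write"), ("expense", "approve")))
    data.revoke("Manager", "expense.approve")
    print(data.is_allowed("bob", "expense", "approve"))
```

Note that bob, who sits in a group holding both Employee and Manager, can submit and approve an expense; that is the separation-of-duties finding the reviewer raises, and it is visible from the data alone.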
Back to Security
Security – Super excited!! At least I was when I did this in 2004.
Operations – How to deploy this in Production?
The on-call person who has to deploy or debug an app's permissions has to:
1. Add Resources / Permissions
2. Create new Roles
3. Map Roles to Permissions
It's usually tens of pages of documentation per application.
Listen to the talk on Security & DevOps by @IanColdwalter at BSidesNOVA 2019:
https://www.youtube.com/watch?time_continue=2&v=OlAFuiDCqbM
Operations Person?
Imagine managing/configuring Roles, Permissions and Resources for multiple
apps.
Did the Centralized AuthZ model work?
1. Apps are hard-coded to the centralized authorization service.
2. App developers have to understand the AuthZ service to take advantage of
it.
3. Changing permissions/policies is not easy.
4. It actually slows down time to deploy.
What If?
1. We externalize authorization from code
2. Provide developers full control of how they want to write their AuthZ
rules
3. Give security teams the option to customize the AuthZ rules/policies
4. Does not involve too much operational overhead
5. Reduces time to deploy?
6. Consistent way to enforce policies across various languages/stacks
Intro to Open Policy Agent
Client/App – makes a REST API call to get a decision from OPA
OPA – makes the policy decision by evaluating the input data against the
policies
OPA policies are written in Rego, outside of the application code
OPA and Rego
1. Rego is a declarative query language (inspired by Datalog)
2. OPA policies are written in Rego
3. "SQL for Authorization" – you write your AuthZ rules in a consistent
manner.
OPA - Example Policy
package httpapi.authz

# imports belong right after the package clause
import input as http_api

# bob is alice's manager, betty is charlie's; consumed by the manager rule of
# the OPA HTTP API tutorial, which is not shown on this slide
subordinates = {"alice": [], "charlie": [], "bob": ["alice"], "betty": ["charlie"]}

# deny by default: without this, "no rule matched" is undefined, not false
default allow = false

# users may read their own salary (2019 syntax; OPA 1.0+ writes `allow if {`)
allow {
  http_api.method = "GET"
  http_api.path = ["finance", "salary", username]
  username = http_api.user
}
OPA – Other benefits
• Provides an interface to get Decision Logs through an API / web hooks
• Provides an option to get telemetry about OPA itself (up / down)
• Policies can be distributed as Bundles (Bundle = Rego files + data files)
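The client/app side of the "Intro to Open Policy Agent" slide and the decision-log point above, as an added example that is not the speaker's or the OPA project's code: the app shapes its request into the `input` document the Rego policy reads, POSTs it to OPA's Data API, fails closed on anything other than a boolean `true`, and writes one structured record per decision for the SIEM. It assumes an OPA sidecar at `http://localhost:8181` (constructed address) loaded with the policy from the example slide; `fake_opa` is a stand-in that evaluates that slide's single rule in Python so the block runs, and can be exercised, without an OPA process.

```python
"""An app-side enforcement point for OPA: build the input, call the Data
API, fail closed, and record the decision for the SIEM.

Added example for this deck, not the speaker's or the OPA project's code.
Assumes an OPA sidecar at http://localhost:8181 (constructed address)
loaded with the httpapi.authz policy from the example slide.
"""
import json
import urllib.request
from typing import Callable

OPA_URL = "http://localhost:8181"                  # assumed sidecar address
DECISION_PATH = "/v1/data/httpapi/authz/allow"     # Data API: package path + rule

# (url, json body) -> (http status, response body)
Transport = Callable[[str, bytes], tuple[int, bytes]]


def http_post(url: str, body: bytes) -> tuple[int, bytes]:
    """Real transport: POST JSON to OPA with a short timeout."""
    req = urllib.request.Request(
        url, data=body, method="POST", headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.status, resp.read()


def build_input(method: str, path: str, user: str) -> dict:
    """Shape the request the way the Rego policy reads it: input.method,
    input.path as a list of segments, input.user (the authenticated caller)."""
    return {"method": method.upper(), "path": [s for s in path.split("/") if s], "user": user}


def query_opa(opa_input: dict, post: Transport = http_post) -> bool:
    """Ask OPA for data.httpapi.authz.allow. Fail closed on transport errors,
    non-200 status, bad JSON, non-boolean results and an *undefined* result:
    a policy without `default allow = false` answers {} when no rule matches,
    and {} has no "result" key."""
    body = json.dumps({"input": opa_input}).encode()
    try:
        status, raw = post(OPA_URL + DECISION_PATH, body)
        if status != 200:
            return False
        decision = json.loads(raw)
    except Exception:
        return False
    return decision.get("result") is True


def authorize(method: str, path: str, user: str,
              post: Transport = http_post, log: Callable[[str], None] = print) -> bool:
    """Enforce the decision and emit one structured record per call. OPA can
    ship its own decision logs, but the enforcement point should also record
    what it actually did, including denials caused by OPA being unreachable."""
    opa_input = build_input(method, path, user)
    allowed = query_opa(opa_input, post)
    log(json.dumps({"event": "authz_decision", "user": user, "method": opa_input["method"],
                    "path": path, "decision": "allow" if allowed else "deny"}))
    return allowed


def fake_opa(url: str, body: bytes) -> tuple[int, bytes]:
    """Stand-in for OPA (constructed): the slide's single rule, a user may GET
    /finance/salary/<their own name>. Like a policy with no `default`, it
    returns {} (undefined) when the rule does not match."""
    if not url.endswith(DECISION_PATH):
        return 404, b"{}"
    i = json.loads(body)["input"]
    own_salary = i["method"] == "GET" and i["path"] == ["finance", "salary", i["user"]]
    return 200, (b'{"result": true}' if own_salary else b"{}")


if __name__ == "__main__":
    # Runs against the stand-in; pass post=http_post to talk to a real sidecar.
    authorize("GET", "/finance/salary/alice", "alice", post=fake_opa)   # allow
    authorize("GET", "/finance/salary/alice", "bob", post=fake_opa)     # deny (undefined)
```

The check `decision.get("result") is True` is the part worth copying: an unreachable sidecar, a 500, a truncated body, or a policy that leaves `allow` undefined all become a logged deny rather than an exception or a silent allow.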
OPA – Interactions from Developer Point of View
Externalized Policy
Kubernetes AuthZ model
Key takeaways
• Externalize authorization from your code – as a product / service
• During security reviews, ask if authorization can be externalized from
code
• Use Open Policy Agent to standardize how AuthZ rules are written
• Integrate with your SIEM for allow/deny decisions
• Establish a pattern across your product/service for consistent AuthZ
Authorization does not happen without proper authentication.
Check out SPIFFE/SPIRE for secure introduction of identities.
Thank You.
@Lsitaraman
