Yahoo Developer Network, profile picture
Uploaded byYahoo Developer Network
PDF, PPTX581 views

Athenz with Istio - Single Access Control Model in Cloud Infrastructures, Tatsuya Yano, Yahoo Japan

The document discusses Athenz, an open-source system for service authentication and authorization created by Yahoo, that provides secure identity via short-lived x.509 certificates and fine-grained role-based access control. It explains how Athenz integrates with Istio to enhance multi-cloud service management, offering benefits like automatic load balancing, secure service-to-service communication, and centralized access control. Future plans include productionizing Athenz's x.509 certificate provisioning and developing Docker images and Helm charts for easier setup.

Technology
Related topics:
Information Security

Embed presentation

Download as PDF, PPTX
Athenz with Istio: Single Access Control Model in Cloud Infrastructures
Agenda • What is Athenz? • Service Authentication • Authorization • Multi-cloud in Yahoo Japan • How do we integrate with Istio? • Why Istio? • Benefit of using Athenz with Istio
About • Tatsuya Yano • Platform Developer, Yahoo Japan Corporation • Contributor to Athenz • Open Source Summit Japan (https://sched.co/FDjp)
Athenz: Open Source System Created by Yahoo Inc. • Service Authentication • Provide secure identity in the form short lived x.509 certificate to every workload / service in modern environments • Authorization • Provides fine-grained Role Based Access Control (RBAC)
Service Authentication
Authentication • User Authentication • AD / LDAP / Kerberos / etc • Service Authentication • Instances within a service with a unique identity to enable secure communication • IP / Networks ACLs / iptable • Headless/Automation users • Shared secrets • Mutual TLS with x.509 certificates
Certificate Based Authentication • Every instance / service in your cloud has its own identity • Stronger security by Mutual TLS Authentication • Zero-trust security • Short Lived Certificates
Copper Argos • Generalized model for authorized service providers to launch other service identities in an authorized way through a callback-based verification model. Providers OpenStack Kubernetes Screwdriver Amazon EC2 AWS ECS AWS Lambda
Bootstrapping Athenz Identity
Authorization
Athenz Data Model
Domain data example (YAML)
Authorization - Centralized Access Control
Authorization - Decentralized Access Control
Advantages of Athenz • To provide service identity X.509 certificates for services running in common providers like Kubernetes, OpenStack or AWS that can be used for mutual TLS authentication. • To have precise and frequently configurable access controls with single source of truth.
Athenz in Yahoo Japan
How do we integrate with Istio?
Why use Istio? • Automatic load balancing. • Fine-grained control of traffic behavior. • A pluggable policy layer and configuration API. • Automatic metrics, logs, and traces for all traffic. • Secure service-to-service communication. Referred from: https://istio.io/docs/concepts/what-is-istio/
Benefits of using Athenz with Istio • Istio is in CNCF landscape. • Service mesh strongly supports microservices architecture. + • Athenz enables single access control model in multi cloud.
Basics of Istio Mixer
Example integration: Athenz Istio Mixer adapter Referred from: https://istio.io/blog/2017/adapter-model/
Example integration: Athenz Istio Mixer adapter
Other use-case: Simplified mTLS authN/Z using Istio/Athenz
Simplified mTLS authN/Z using Istio/Athenz Athenz Istio Auth Controller Kubernetes API Fetch role/policy information from Athenz Setup a watch on namespaces Create/update/delete Istio CRs - ServiceRole and ServiceRolebinding based on fetched Athenz data Athenz Istio Auth Controller translates Athenz defined roles/policies into Istio CRs - ServiceRole and ServiceRolebinding Watch ServiceRole and ServiceRoleBinding https://github.com/yahoo/k8s-athenz-istio-auth
Prototype Demo
Future plans •Currently • On Premises and AWS Provisioning •Planned • Provide Athenz servers with Docker images • Helm charts • Productionize Athenz x509 certificate provisioning • Productionize the authorization flow using Istio Envoy
Resources • Website : http://www.athenz.io • Github: https://github.com/yahoo/athenz • Slack Channel: https://athenz.slack.com/ • Discussion Group: • Google Group: Athenz-Users • Questions or Comments: • Tatsuya Yano: tatyano@yahoo-corp.jp
Join Ushttp://www.athenz.io
Thank you
Q & A
Athenz with Istio - Single Access Control Model in Cloud Infrastructures, Tatsuya Yano, Yahoo Japan

More Related Content

PDF
Athenz - The Open-Source Solution to Provide Access Control in Dynamic Infras...
byYahoo Developer Network
 
PPTX
Best Practices to Secure Your Kubernetes Cluster
byStefano Tempesta
 
PPTX
Azure network and infrastructure
byPhi Huynh
 
PPTX
Cloud Native London - 2019: What is a Service Mesh, and if I Get One Will it ...
byElton Stoneman
 
PPTX
Cybera Summit
byEverett Toews
 
PPTX
JECRC iWeekend Cloud Day
byjecrciweekend
 
PPTX
Azure Operational Insight Preview
byIgor Puhalo
 
PPTX
Advanced development with Windows Azure
byThomas Robbins
 
Athenz - The Open-Source Solution to Provide Access Control in Dynamic Infras...
byYahoo Developer Network
 
Best Practices to Secure Your Kubernetes Cluster
byStefano Tempesta
 
Azure network and infrastructure
byPhi Huynh
 
Cloud Native London - 2019: What is a Service Mesh, and if I Get One Will it ...
byElton Stoneman
 
Cybera Summit
byEverett Toews
 
JECRC iWeekend Cloud Day
byjecrciweekend
 
Azure Operational Insight Preview
byIgor Puhalo
 
Advanced development with Windows Azure
byThomas Robbins
 

What's hot

PPTX
Azure Service Bus Overview
byBizTalk360
 
PPTX
Webservice security considerations and measures
byMaarten Smeets
 
PPTX
Meetup CNCF Torino - Amazon EKS March 29th 2019
byMassimo Ferre'
 
PPTX
Azure Service Bus
byBizTalk360
 
PDF
Network security with Azure PaaS services by Erwin Staal from 4DotNet at Azur...
byDevClub_lv
 
PPTX
Azure virtual network
byLalit Rawat
 
PPTX
An Intro to AS4, the Successor of AS2
byBizTalk360
 
PPTX
Manage and Operate Azure Stack Hub Stamps at Scale
byRavi C Kolandaiswamy
 
PPTX
Azure IAAS architecture with High Availability for beginners and developers -...
byMalleswar Reddy
 
PPTX
Microsoft DirectAccess Remote Access (VPN) with Windows 10 and Server 2012
byKemp
 
PPTX
Azure Microservices in Practice - Radu Vunvulea ITCamp Community Timisoara 07...
byRadu Vunvulea
 
PPTX
MicroService Architecture
byMd. Hasan Basri (Angel)
 
PPTX
Windows Azure
byNour Khouja
 
PPTX
Techniques for scaling application with security and visibility in cloud
byAkshay Mathur
 
PDF
Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...
byDevClub_lv
 
PPTX
Deployment options for Kentico CMS on Windows Azure
byThomas Robbins
 
PPTX
Cloud Bursting with A10 Lightning ADS
byAkshay Mathur
 
PPT
24 Hours Of Exchange Server 2007 ( Part 15 Of 24)
byHarold Wong
 
PPT
Windows Server 2008
byLuis Quiroz
 
PDF
Docker + App Container = ocp
byApcera
 
Azure Service Bus Overview
byBizTalk360
 
Webservice security considerations and measures
byMaarten Smeets
 
Meetup CNCF Torino - Amazon EKS March 29th 2019
byMassimo Ferre'
 
Azure Service Bus
byBizTalk360
 
Network security with Azure PaaS services by Erwin Staal from 4DotNet at Azur...
byDevClub_lv
 
Azure virtual network
byLalit Rawat
 
An Intro to AS4, the Successor of AS2
byBizTalk360
 
Manage and Operate Azure Stack Hub Stamps at Scale
byRavi C Kolandaiswamy
 
Azure IAAS architecture with High Availability for beginners and developers -...
byMalleswar Reddy
 
Microsoft DirectAccess Remote Access (VPN) with Windows 10 and Server 2012
byKemp
 
Azure Microservices in Practice - Radu Vunvulea ITCamp Community Timisoara 07...
byRadu Vunvulea
 
MicroService Architecture
byMd. Hasan Basri (Angel)
 
Windows Azure
byNour Khouja
 
Techniques for scaling application with security and visibility in cloud
byAkshay Mathur
 
Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...
byDevClub_lv
 
Deployment options for Kentico CMS on Windows Azure
byThomas Robbins
 
Cloud Bursting with A10 Lightning ADS
byAkshay Mathur
 
24 Hours Of Exchange Server 2007 ( Part 15 Of 24)
byHarold Wong
 
Windows Server 2008
byLuis Quiroz
 
Docker + App Container = ocp
byApcera
 

Similar to Athenz with Istio - Single Access Control Model in Cloud Infrastructures, Tatsuya Yano, Yahoo Japan

PDF
Athenz introduction
byDũng Lê
 
PDF
Istio: Using nginMesh as the service proxy
byLee Calcote
 
PDF
Stop reinventing the wheel with Istio by Mete Atamel (Google)
byCodemotion
 
PPTX
Istio Mesh – Managing Container Deployments at Scale
byMofizur Rahman
 
PPTX
Manging Container Deployments at Scale
byMofizur Rahman
 
PDF
Securing Microservices with Istio
byDaniel Berg
 
Athenz introduction
byDũng Lê
 
Istio: Using nginMesh as the service proxy
byLee Calcote
 
Stop reinventing the wheel with Istio by Mete Atamel (Google)
byCodemotion
 
Istio Mesh – Managing Container Deployments at Scale
byMofizur Rahman
 
Manging Container Deployments at Scale
byMofizur Rahman
 
Securing Microservices with Istio
byDaniel Berg
 

More from Yahoo Developer Network

PDF
Introduction to Vespa – The Open Source Big Data Serving Engine, Jon Bratseth...
byYahoo Developer Network
 
PPTX
Containerized Services on Apache Hadoop YARN: Past, Present, and Future, Shan...
byYahoo Developer Network
 
PDF
Big Data Serving with Vespa - Jon Bratseth, Distinguished Architect, Oath
byYahoo Developer Network
 
PPTX
How @TwitterHadoop Chose Google Cloud, Joep Rottinghuis, Lohit VijayaRenu
byYahoo Developer Network
 
PDF
CICD at Oath using Screwdriver
byYahoo Developer Network
 
PPTX
February 2017 HUG: Exactly-once end-to-end processing with Apache Apex
byYahoo Developer Network
 
PDF
Athenz & SPIFFE, Tatsuya Yano, Yahoo Japan
byYahoo Developer Network
 
PPTX
February 2017 HUG: Slow, Stuck, or Runaway Apps? Learn How to Quickly Fix Pro...
byYahoo Developer Network
 
PPTX
February 2017 HUG: Data Sketches: A required toolkit for Big Data Analytics
byYahoo Developer Network
 
PDF
Developing Mobile Apps for Performance - Swapnil Patel, Verizon Media
byYahoo Developer Network
 
PDF
Architecting Petabyte Scale AI Applications
byYahoo Developer Network
 
PDF
HDFS Scalability and Security, Daryn Sharp, Senior Engineer, Oath
byYahoo Developer Network
 
PPTX
October 2016 HUG: Architecture of an Open Source RDBMS powered by HBase and ...
byYahoo Developer Network
 
PDF
October 2016 HUG: Pulsar,  a highly scalable, low latency pub-sub messaging s...
byYahoo Developer Network
 
PPTX
Apache YARN Federation and Tez at Microsoft, Anupam Upadhyay, Adrian Nicoara,...
byYahoo Developer Network
 
PPTX
Hadoop {Submarine} Project: Running deep learning workloads on YARN, Wangda T...
byYahoo Developer Network
 
PPTX
Jun 2017 HUG: YARN Scheduling – A Step Beyond
byYahoo Developer Network
 
PDF
Jun 2017 HUG: Large-Scale Machine Learning: Use Cases and Technologies
byYahoo Developer Network
 
PDF
Moving the Oath Grid to Docker, Eric Badger, Oath
byYahoo Developer Network
 
PDF
The Future of Hadoop in an AI World, Milind Bhandarkar, CEO, Ampool
byYahoo Developer Network
 
Introduction to Vespa – The Open Source Big Data Serving Engine, Jon Bratseth...
byYahoo Developer Network
 
Containerized Services on Apache Hadoop YARN: Past, Present, and Future, Shan...
byYahoo Developer Network
 
Big Data Serving with Vespa - Jon Bratseth, Distinguished Architect, Oath
byYahoo Developer Network
 
How @TwitterHadoop Chose Google Cloud, Joep Rottinghuis, Lohit VijayaRenu
byYahoo Developer Network
 
CICD at Oath using Screwdriver
byYahoo Developer Network
 
February 2017 HUG: Exactly-once end-to-end processing with Apache Apex
byYahoo Developer Network
 
Athenz & SPIFFE, Tatsuya Yano, Yahoo Japan
byYahoo Developer Network
 
February 2017 HUG: Slow, Stuck, or Runaway Apps? Learn How to Quickly Fix Pro...
byYahoo Developer Network
 
February 2017 HUG: Data Sketches: A required toolkit for Big Data Analytics
byYahoo Developer Network
 
Developing Mobile Apps for Performance - Swapnil Patel, Verizon Media
byYahoo Developer Network
 
Architecting Petabyte Scale AI Applications
byYahoo Developer Network
 
HDFS Scalability and Security, Daryn Sharp, Senior Engineer, Oath
byYahoo Developer Network
 
October 2016 HUG: Architecture of an Open Source RDBMS powered by HBase and ...
byYahoo Developer Network
 
October 2016 HUG: Pulsar,  a highly scalable, low latency pub-sub messaging s...
byYahoo Developer Network
 
Apache YARN Federation and Tez at Microsoft, Anupam Upadhyay, Adrian Nicoara,...
byYahoo Developer Network
 
Hadoop {Submarine} Project: Running deep learning workloads on YARN, Wangda T...
byYahoo Developer Network
 
Jun 2017 HUG: YARN Scheduling – A Step Beyond
byYahoo Developer Network
 
Jun 2017 HUG: Large-Scale Machine Learning: Use Cases and Technologies
byYahoo Developer Network
 
Moving the Oath Grid to Docker, Eric Badger, Oath
byYahoo Developer Network
 
The Future of Hadoop in an AI World, Milind Bhandarkar, CEO, Ampool
byYahoo Developer Network
 

Recently uploaded

PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
The year in review - MarvelClient in 2025
bypanagenda
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 

Athenz with Istio - Single Access Control Model in Cloud Infrastructures, Tatsuya Yano, Yahoo Japan

  • 1.
    Athenz with Istio: SingleAccess Control Model in Cloud Infrastructures
  • 2.
    Agenda • What isAthenz? • Service Authentication • Authorization • Multi-cloud in Yahoo Japan • How do we integrate with Istio? • Why Istio? • Benefit of using Athenz with Istio
  • 3.
    About • Tatsuya Yano •Platform Developer, Yahoo Japan Corporation • Contributor to Athenz • Open Source Summit Japan (https://sched.co/FDjp)
  • 4.
    Athenz: Open SourceSystem Created by Yahoo Inc. • Service Authentication • Provide secure identity in the form short lived x.509 certificate to every workload / service in modern environments • Authorization • Provides fine-grained Role Based Access Control (RBAC)
  • 5.
  • 6.
    Authentication • User Authentication •AD / LDAP / Kerberos / etc • Service Authentication • Instances within a service with a unique identity to enable secure communication • IP / Networks ACLs / iptable • Headless/Automation users • Shared secrets • Mutual TLS with x.509 certificates
  • 7.
    Certificate Based Authentication •Every instance / service in your cloud has its own identity • Stronger security by Mutual TLS Authentication • Zero-trust security • Short Lived Certificates
  • 8.
    Copper Argos • Generalizedmodel for authorized service providers to launch other service identities in an authorized way through a callback-based verification model. Providers OpenStack Kubernetes Screwdriver Amazon EC2 AWS ECS AWS Lambda
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
    Advantages of Athenz •To provide service identity X.509 certificates for services running in common providers like Kubernetes, OpenStack or AWS that can be used for mutual TLS authentication. • To have precise and frequently configurable access controls with single source of truth.
  • 16.
  • 17.
    How do weintegrate with Istio?
  • 18.
    Why use Istio? •Automatic load balancing. • Fine-grained control of traffic behavior. • A pluggable policy layer and configuration API. • Automatic metrics, logs, and traces for all traffic. • Secure service-to-service communication. Referred from: https://istio.io/docs/concepts/what-is-istio/
  • 19.
    Benefits of usingAthenz with Istio • Istio is in CNCF landscape. • Service mesh strongly supports microservices architecture. + • Athenz enables single access control model in multi cloud.
  • 20.
  • 21.
    Example integration: Athenz IstioMixer adapter Referred from: https://istio.io/blog/2017/adapter-model/
  • 22.
  • 23.
    Other use-case: Simplified mTLSauthN/Z using Istio/Athenz
  • 24.
    Simplified mTLS authN/Zusing Istio/Athenz Athenz Istio Auth Controller Kubernetes API Fetch role/policy information from Athenz Setup a watch on namespaces Create/update/delete Istio CRs - ServiceRole and ServiceRolebinding based on fetched Athenz data Athenz Istio Auth Controller translates Athenz defined roles/policies into Istio CRs - ServiceRole and ServiceRolebinding Watch ServiceRole and ServiceRoleBinding https://github.com/yahoo/k8s-athenz-istio-auth
  • 25.
  • 26.
    Future plans •Currently • OnPremises and AWS Provisioning •Planned • Provide Athenz servers with Docker images • Helm charts • Productionize Athenz x509 certificate provisioning • Productionize the authorization flow using Istio Envoy
  • 27.
    Resources • Website :http://www.athenz.io • Github: https://github.com/yahoo/athenz • Slack Channel: https://athenz.slack.com/ • Discussion Group: • Google Group: Athenz-Users • Questions or Comments: • Tatsuya Yano: tatyano@yahoo-corp.jp
  • 28.
  • 29.
  • 30.