The document discusses identity and access management (IAM) in OpenStack, focusing on the Keystone service. It provides an overview of Keystone and describes how it handles authentication, authorization, and identity management. It also discusses the different identity sources that Keystone supports, such as SQL, LDAP, and multiple backends. Authentication methods covered include password, token, and federated identity. Large scale deployments of Keystone are also described.
Building IAM for OpenStack, presented at CIS (Cloud Identity Summit) 2015.
Discusses Identity Sources, Authentication, Managing Access and Federating Identities.
Deep Dive into Keystone Tokens and Lessons Learned - Priti Desai
Keystone supports four different types of tokens: UUID, PKI, PKIZ, and Fernet. Let’s take a deep dive into:
Understanding token formats
Pros and Cons of each format in Production
Performance across multiple data centers
Token revocation workflow for each of the formats
Horizon usage of the different token types
We previously deployed UUID and PKI in Production and are now moving towards the latest format, Fernet. We would like to share our lessons learned with different formats and help you decide on which format is suitable for your cloud.
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla - Lorenzo Carnevale
OpenStack Identity Service (Keystone) seminar.
Distributed Systems course at Engineering and Computer Science (ECS), University of Messina.
By Lorenzo Carnevale and Silvio Tavilla.
Seminar’s topics
❖ OpenStack Identity - Keystone (liberty)
❖ Installation and first configuration of Keystone
❖ Identity service configuration
➢ Identity API protection with RBAC
➢ Use Trusts
➢ Certificates for PKI
❖ Hierarchical Projects
❖ Identity API v3 client example
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla - Lorenzo Carnevale
OpenStack Identity Service (Keystone) seminar.
Distributed Systems course at Engineering and Computer Science (ECS), University of Messina.
By Lorenzo Carnevale and Silvio Tavilla.
Seminar’s topics
❖ OpenStack Identity - Keystone (kilo)
❖ Installation and first configuration of Keystone
❖ Workshop
❖ Identity service configuration
➢ Identity API protection with RBAC
➢ Use Trusts
➢ Certificates for PKI
❖ Hierarchical Projects
❖ Identity API v3 client example
At the Juno summit, Symantec presented its perspective on securing Keystone. Security is really a mindset and process. We proposed a layered security approach starting with the process for securing the Keystone architecture, followed by securing the environment where Keystone is deployed and configured. Since then we have been implementing those security measures in our production environment. In this talk, we will discuss exactly how we have made our Keystone deployment secure and what we have learnt along the way.
Henry Nash, OpenStack Lead, CSI, IBM
The OpenStack project provides an open source Infrastructure as a Service (IaaS) platform. Its mission: to produce the ubiquitous Open Source Cloud Computing platform that will meet the needs of public and private clouds regardless of size, by being simple to implement and massively scalable. To this end, OpenStack is composed of a wide variety of sub-projects focused specifically on compute resources, network infrastructure, object and block storage, metering and orchestration - all of which are exposed via APIs.
This talk will introduce Keystone, the token-based identity component of OpenStack. It will cover the security needs and challenges around authentication and authorization for protecting the diverse needs of OpenStack projects, as well as ideas for solving these problems in the future.
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli... - Andrejs Vorobjovs
"Experience in implementing SSL between Oracle DB and Oracle Clients" - this presentation explains how to configure and implement SSL between Oracle DB and Oracle Client.
OpenStack security is a huge topic. In these slides, which I presented at the OpenStack Day, I analyzed cloud security from the network layer to the application layer, going through the specific layers, some of which are shared between OpenStack itself and the applications.
Create Your Own Serverless PKI with .NET & Azure Key Vault - Eran Stiller
A Public Key Infrastructure (PKI) is the basis of modern system authentication; X.509 certificates are at the core of modern cryptography. Building your own PKI is not for the faint of heart, so we usually buy our certificates from an external Certificate Authority or operate a 3rd-party off-the-shelf PKI.
But what can you do if you need to issue your own certificates while keeping your costs low? What if, for example, you're in the business of manufacturing millions of IoT devices and you need to issue a certificate to each and every one of them? And to top it off - you want to do it in a Serverless manner?
Join me in this session, as we build a Serverless PKI system with Azure Functions & Key-Vault and learn all about Key-Vault's capabilities in regards to X.509 certificates along the way.
.NET Fest 2019. Eran Stiller. Create Your Own Serverless PKI with .NET & Azur... - NETFest
A Public Key Infrastructure (PKI) is the basis of modern system authentication; X.509 certificates are at the core of modern cryptography. Building your own PKI is not for the faint of heart, so we usually buy our certificates from an external Certificate Authority or operate a 3rd-party off-the-shelf PKI.
But what can you do if you need to issue your own certificates while keeping your costs low? What if, for example, you're in the business of manufacturing millions of IoT devices and you need to issue a certificate to each and every one of them? And to top it off - you want to do it in a Serverless manner?
Join me in this session, as we build a Serverless PKI system with Azure Functions & Key-Vault and learn all about Key-Vault's capabilities in regards to X.509 certificates along the way.
Do you think of cheetahs, not RabbitMQ, when you hear the word Swift? Think a Nova is just a giant exploding star, not a cloud compute engine? This deck (presented at the OpenStack Boston meetup) provides an introduction that will answer your many questions. It covers the basic components, including Nova, Swift, Cinder, Keystone, Horizon and Glance.
This release aims at addressing the long-awaited JDK 11 compatibility, which enables enterprises to migrate their middleware solutions to the LTS JDK version. In addition, this release features new productivity improvements, including a built-in test framework with comprehensive tooling support from Integration Studio and support for cloud-native integration requirements.
This WSO2 Enterprise Integrator release brings new product components and features specifically targeted to help developers build and deploy container-native integration solutions easily.
Watch the webinar on-demand here: https://wso2.com/library/webinars/2020/01/whats-new-in-wso2-enterprise-integrator-december-2019-release/
Scenic City Summit (2021): Real-Time Streaming in any and all clouds, hybrid... - Timothy Spann
Scenic city summit real-time streaming in any and all clouds, hybrid and beyond
24-September-2021. Scenic City Summit. Virtual. Real-Time Streaming in Any and All Clouds, Hybrid and Beyond
Apache Pulsar, Apache NiFi, Apache Flink
StreamNative
Tim Spann
https://sceniccitysummit.com/
A central authentication server to rule all your services
Many companies or organizations run not only one or two services, but 10 and more.
Often each of these services has its own isolated user management implementation, or talks to other micro services over hardcoded API keys.
The OAuth2 standard supports multiple authentication mechanisms to rule all of these requirements in one central place.
Don’t reinvent the wheel with every new application.
Introduction to Orchestration and DevOps with OpenStack - Abderrahmane TEKFI
I would like to thank all who participated in the webinar; it was a great pleasure to share and contribute.
Below are the links to the recording of the webinar.
All the Webinar:
Just the Demo:
You can also find all the slides, the HEAT template file, the CLI and all the materials used in this webinar here:
The OpenStack VM all-in-one: https://www.dropbox.com/s/501ul31o6ilnmv3/coa-aio-newton.ova?dl=0
All the materials: https://drive.google.com/drive/folders/1dTSe4n2m3VoevIHZGT_q8uZIV7_f9ZJt?usp=sharing
Thanks to Racim and to the ELIANIS TECHNOLOGIES team.
Special thanks to our REDHAT ARCHITECT Sir. Djelloul Bouida for attending the webinar, and to all our group members.
For those who didn't join our Group, here the link to our Group on Facebook: https://www.facebook.com/groups/475301352862998/
Session presented at Oracle Developer Live - MySQL, 2020. Recording available at https://developer.oracle.com/developer-live/mysql/
Abstract:
MySQL Shell is the new, advanced command-line client and editor for MySQL. It sends SQL statements to MySQL server, supports both the classic MySQL protocol and the newer X protocol, and provides scripting capabilities for JavaScript and Python. But there's more to MySQL Shell than meets the eye. It delivers a natural and powerful interface for all DevOps tasks related to MySQL by providing APIs for development and administration. This session covers MySQL Shell's core features, along with demonstrations of how to use the various APIs and how to extend MySQL Shell. We’ll address the regular interaction with databases, the built-in tools that make DBAs and developers’ lives easier, the easy and flawless set up of HA architectures, and the plugins and extensions framework.
Introduction to Open stack - An Overview - SpringPeople
OpenStack is a free & open-source software platform for cloud computing, mostly deployed as an IaaS. In these slides, we will cover:
- Evolution of Openstack
- Cloud, its types and advantages
- Importance and overview of Openstack
- Openstack course syllabus
Top 6 Reasons You Should Attend Cloud Identity Summit 2016 - CloudIDSummit
The Cloud Identity Summit was founded by Ping Identity with support from industry leaders in 2010 to bring together the brightest minds across the identity and security industry. Today the event is recognized as the world’s premier identity industry conference and includes tracks from industry thought leaders, CIOs and practitioners. Cloud Identity Summit serves as a multi-year roadmap to deploy solutions that are here today but built for the future. For more info, go to www.cloudidentitysummit.com.
Be a part of the convo on Twitter: @CloudIDSummit + #CISNOLA
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R... - CloudIDSummit
In an ever interconnected and inter-reliant world, the state of security has been a cause for deep pessimism. In the midst of all the gloom, there is good cause for optimism.
With some fits and starts, the building blocks for transforming mobile security are taking shape at every level from the processor, to the chipset to special purpose hardware to operating systems and protocols that address use cases from device integrity to user authentication to payments.
How do we think about security, privacy, identity and authentication in this world? This talk will provide a rapid overview of some selected building blocks and some practical examples that are now deployed at scale to illustrate the coming wave and how you as a practitioner or customer can participate and position yourself for maximum benefit.
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ... - CloudIDSummit
Does anybody remember seeing a big red button with the word “PANICK!” written on it? I know it was around here somewhere. Also, there’s all these cats running pell-mell around the place, can someone give me a hand in herding them?
In this real-world case study, come and learn how a Fortune 100 with a diverse and extremely mobile work-force was able to turn up strong authentication protections for our critical cloud resources, and how the IT department lived to tell the tale. You’ll hear about the technical implementation of strong authentication enforcement, and how we made key design decisions in the ongoing balancing act between security and user experience, and how we managed up-and-down the chain from executive stakeholders to the boots-on-the-ground who were being asked to join us on this new security adventure.
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ... - CloudIDSummit
This session will review digital identity’s transition from vulnerable authentication methods and what Microsoft and others are doing to address the hard problems associated with managing and protecting digital identities.
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl - CloudIDSummit
You'll laugh, you'll cry, and you might even pick up a useful nugget or two listening to a real-world enterprise IT architect share the experiences of the past year trying to support his business migrating to cloud services, and sharing the lessons learned from trying to integrate 2 hybrid enterprises into a single, streamlined company. You'll hear where the cloud came through for us, and how we often had to fall back to on-prem services such as FIM, Ping Federate, and ADFS to make the glue which binds it all together.
A "from the trenches" view into how GE is using federation standards to abstract & harden our growing cloud WAM platform. Topics covered: 1) GE's approach to OpenID Connect for cross-platform authentication (web, mobile), 2) GE's API management platform for API publishing, subscription & security, 3) how the two work together, 4) lessons learned & areas for improvement.
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout - CloudIDSummit
The IAM program needs to align behind the shift towards ITaaS, building the platform for execution and supporting transformation and migration activities. CIOs should keep informed through a relevant IAM capability roadmap in order to make calculated decisions on where investments should be made. Ongoing investments in the IAM program are crucial in order to fill capability gaps, keep up-to-date with support and license agreements and make opportunistic progress on the strategic roadmap. In this talk, Steve discusses recent experiences and lessons learned in preparing for and pitching VMware’s CIO on enterprise IAM program initiatives.
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig - CloudIDSummit
Companies and researchers are exploring ways to make software and hardware development easier for the masses. Soon you will be able to build your own autonomous drone, create a sensor that assesses the watering needs of your plants, and develop a cat tracking device with minimal coding and hardware skills.
What is the place of security and privacy in this exciting development?
Are we building the next generation of Internet security vulnerabilities right now?
In his talk Hannes Tschofenig will highlight challenges with Internet of Things, what role standardization plays, and what contributions ARM, a provider of microprocessor IP, is making to improve IoT security.
CIS 2015 The IDaaS Dating Game - Sean Deuby - CloudIDSummit
The IDaaS (identity as a service) market segment continues to grow in popularity, and the scope of its vendors' capabilities continues to grow as well. It's still not a match for everyone, however. Join identity architect Sean Deuby for an overview of the most popular IDaaS deployment scenarios, scenarios where IDaaS has a tougher time meeting customer requirements, and whether your company is likely to find its perfect IDaaS mate.
CIS 2015 SSO for Mobile and Web Apps Ashish Jain - CloudIDSummit
In the past Enterprise Mobility Management (EMM) has focused primarily on MDM, MAM and MCM. Recently there has been a lot of focus on the fourth pillar of EMM - Mobile Identity Management (MIM). This session will cover the primary use cases and discuss current solutions available for managed/un-managed, internal/public and mobile/web apps for iOS/Android devices.
The Industrial Internet, the Identity of Everything and the Industrial Enterp... - CloudIDSummit
This talk will review the breadth of the Internet of Things (IoT), the challenges of Identity Management and the IoT and the impact to Industrial Enterprise.
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva - CloudIDSummit
Are you in a situation where you have two business units (maybe because of a merger) that have their own federation solutions, and now you need to share access to SaaS resources among the two workforces? But you don't want to have to set up two separate SaaS connections to the same vendor, and you want to manage this connection on premises instead of in the cloud. We can help with that; come see how!
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian - CloudIDSummit
Centralized session management has long been a goal of Web Access Management systems: the idea that one session can give end users access to dozens of protected applications with a seamless SSO experience, and terminating it (either by the end user themselves, or by an administrator) cuts off access instantly. It’s a nice dream isn’t it? Turns out that while most WAM products claim they can do this, when deployment time comes around (especially in globally distributed organizations) serious security and scalability challenges emerge that make it unfeasible. In this “session”, come and learn our vision for deploying session management at scale and see how Ping Identity has implemented it in our Federated Access Management solution.
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva - CloudIDSummit
Are you asking yourself how to take your in-house application and make it available to internal users, partners or customers using SSO and access management technologies? Oh, and you don't want it to be a 6-month project? No problem. Come and find out how to leverage your existing investments and move to modern standards like OpenID Connect, without having to rip and replace infrastructure. Learn the capabilities and tradeoffs you can make to deploy the right level of identity and access management infrastructure to match your security needs.
CIS 2015 Identity Relationship Management in the Internet of Things - CloudIDSummit
Devices need owners, people need confidence in device authenticity, data needs to persist in systems long after devices change hands, and access needs to be authorized selectively. That's a lot to ask; even if emerging web identity and security technologies are simpler than the models of yesteryear, IoT devices have complicating limitations when it comes to processing power, memory, user interface, and connectivity. But many use cases span web and IoT environments, so we must try! What are the specific requirements? What elements of web technologies can we borrow outright? What elements may need tweaking?
The Metaverse and AI: how can decision-makers harness the Metaverse for their... - Jen Stirrup
The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives?
How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.
Accelerate your Kubernetes clusters with Varnish Caching - Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Epistemic Interaction - tuning interfaces to provide information for AI support - Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
DevOps and Testing slides at DASA Connect - Kari Kakkonen
Slides from my and Rik Marselis's talk at the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. Finally, we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in the different parts of the DevOps infinity loop.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf - Peter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking.
📕 Curious on our agenda? Wait no more!
10:00 Welcome note - UiPath Community in Dubai
Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank
10:20 A UiPath cross-region MEA overview
Ashraf El Zarka, VP and Managing Director MEA, UiPath
10:35 Customer Success Journey
Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank
11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more
Boris Krumrey, Global VP, Automation Innovation, UiPath
12:15 Discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services.
Brendan Lingam, Director of Sales and Business Development, Marc Ellis
State of ICS and IoT Cyber Threat Landscape Report 2024 preview - Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities, spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. A constant focus on speed to release software to market, along with traditionally slow and manual security checks, has caused gaps in continuous security, an important piece of the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their application supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
4. OpenStack Overview
● OpenStack is a cloud operating system that controls large pools of compute, storage, and networking resources throughout a datacenter, all managed through a rich set of APIs and a dashboard that gives administrators control while empowering their users to provision resources through a web interface
● OpenStack’s goals are to support interoperability between cloud services and allow businesses to build AWS-like cloud services in their own data centers
● Available as Free and Open Source under the Apache 2.0 license
Keystone - provides authentication and authorization for all the services.
Nova - provides virtual machines (VMs)
Swift - supports object storage.
Cinder - persistent block storage to VMs.
Glance - catalog and repository for virtual disk images.
Horizon - Web-based interface for services.
Neutron - networking-as-a-service between interface devices
5. Lots of different companies using OpenStack
A lot of individuals and companies have contributed to making Keystone awesome (just to name a few…)
6. Keystone Overview
● OpenStack’s Identity and Access Management (IAM) Service
○ Authentication
○ Authorization
○ Audit
○ Identity
○ OpenStack Service Discovery
● Supports integration with a variety of Identity Providers
● Pluggable authentication architecture
● Supports multiple API Authorization Token formats
● New enhancements include support for standard federation protocols
● Access management for all OpenStack services
7. Scale of Keystone Deployments
Small
● Developer environments have OpenStack “all-in-one” deployments
● Devstack is used by most developers to spin up a deployment with compute/storage/networking/identity
Medium
● Single datacenter
● Multiple Keystone instances using HAProxy for load balancing
Large
● Several OpenStack deployments spread over many geographically dispersed areas
● Multiple Keystone instances using HAProxy for load balancing and SQL/LDAP replication to keep data synchronized
Very Large / Multiple Organizations (Hybrid/Composite)
● Many OpenStack deployments spread over many geographically dispersed areas
● Uses Federated Identity to allow near-seamless access to all deployments
● Some deployments will provide specific services / features
9. SQL
● Users, groups, and credentials are managed by Keystone
● Settings for connecting to a database are handled in Keystone’s config file
● Essentially, Keystone is acting as an Identity Provider
● Pros:
○ Easy to set up
○ Management of users and groups through OpenStack APIs
● Cons:
○ Keystone shouldn’t be an Identity Provider
○ Weak password support
§ No password rotation
§ No password recovery
§ No password enforcement
§ No failed login attempt lockout support
○ Most enterprises have an LDAP server that they want to use
○ Identity silo - Yet another username and password users must remember
Use Case:
- Testing or developing with OpenStack
- Saving OpenStack service accounts
10. LDAP
● Keystone accessing LDAP should act just like any other application
● Keystone operations performed on LDAP
○ User/Group lookup (search)
○ Authentication of users (bind)
● What rights does Keystone need in LDAP?
○ Read access to user/group attributes defined in keystone.conf
○ Unprivileged account or anonymous is preferable
○ Access to password hashes is not needed
Use Case:
- It’s already in place in your enterprise
- Able to create the necessary service accounts
11. Multiple Backends
● As of the Juno release, Keystone supports multiple backends
● One domain per backend
● The default domain must be the SQL backend; it is used to host service accounts
○ Ideally, the default domain should be normal users (LDAP), but this requires service accounts to know how to use the v3 API
○ Support for service accounts outside the default domain will be available in a future release
● Any additional LDAP backends should be managed by their own domain
Use Case:
- Preferred approach for most enterprises
12. Identity Provider (IdP)
● A source for identities (Internal IdP, Google, Facebook, Twitter)
● Handles authentication and provides identity information
● Usually backed by LDAP, but could be something else, like AD (Active Directory)
● Essentially, software that abstracts out the actual backend and translates user attributes to a standard protocol format (SAML, OpenID Connect, etc.)
● If you’ve ever used your Gmail account to sign into another online application… then you’ve used Google as the Identity Provider and the other application as the Service Provider
Use Case:
- Leverage new Federated Identity
- An IdP already exists
- Non-LDAP identity source
14. Password
● User provides their username and password
● Keystone returns a token that the user may use at other OpenStack services
● The token will eventually expire (configured in Keystone)
● Used for initially logging into Keystone or setting up service accounts for other OpenStack services
(Diagram labels: Password, Token, Token)
15. Token
● Users can exchange their existing (valid) token for a newer token
● Also satisfies the case where a user can receive an unscoped token (initially), and exchange that for a scoped token
● Used by federation client code
(Diagram labels: Token, Token, Token)
Supports Kerberos too!
17. Access Management Model in OpenStack
● Access is controlled by RBAC and endpoint validation
Use Case: If a user wants to start a VM, what is the full flow?
1. The user authenticates with Keystone, specifying their user name, password, and the project associated with the VM
2. The user gets back a token that is scoped to that project; it carries authorization data within it (a set of roles the user has on that project)
NOTE: The role could have been granted at the user level or group level
3. The user makes a request to the start server API (/v2/{tenant_id}/servers/{server_id}/action) with the header "X-Auth-Token: <new_token>"
4. Depending on the policy set for the API, the user’s request will be rejected or successful
18. What does a Keystone token look like?
{
  "token": {
    "issued_at": "2014-06-10T20:55:16.806027Z",
    "expires_at": "2014-06-10T2:55:16.806001Z",
    "roles": [{
      "id": "c703057be878458588961ce9a0ce686b",
      "name": "admin"}
    ],
    "project": {
      "domain": { "id": "default",
                  "name": "Default" },
      "id": "8538a3f13f9541b28c2620eb19065e45",
      "name": "admin"
    },
    "user": {
      "domain": { "id": "default",
                  "name": "Default" },
      "id": "3ec3164f750146be97f21559ee4d9c51",
      "name": "admin"
    },
    "catalog": [
      {
        "endpoints": [...],
        "type": "identity",
        "id": "bd73972c0e14fb69bae8ff76e112a90",
        "name": "keystone"
      }
    ]
  }
}
<< Roles represents the roles that the user has on the resource
<< Project represents the resource the user has a role on. From the scope in the request
<< User represents the user that was issued the token
<< Catalog describes the different services a user may access, and their various endpoints. Services may be: compute, identity, image, orchestration, etc
19. Access Management Model in OpenStack
How to determine if a user can perform an action?
● All APIs are documented in a policy.json file
● A policy file is broken up into Targets and Rules
● Targets map to a specific API
● Rules are a set of simple or complex checks (RoleCheck, RuleCheck, OrCheck, AndCheck)
● For example… compute:start maps to /v2/{tenant_id}/servers/{server_id}/action
(Figure: policy.json excerpt annotated with definitions, targets and rules)
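The token on slide 18 and the policy check on slide 19 together, as an added example that is not part of the original slides: a simplified evaluator for policy.json-style targets and rules that implements only the RoleCheck, RuleCheck, OrCheck and AndCheck named above. The token body, policy rules and role names are constructed (ids are taken from the slide); real deployments use oslo.policy, not this code.

```python
import json

# Constructed token body in the shape shown on slide 18; ids copied from the
# slide, role changed to "member" so the owner rule below is what grants access.
TOKEN_JSON = """{"token": {
  "roles": [{"id": "c703057be878458588961ce9a0ce686b", "name": "member"}],
  "project": {"id": "8538a3f13f9541b28c2620eb19065e45", "name": "demo"},
  "user": {"id": "3ec3164f750146be97f21559ee4d9c51", "name": "demo"}}}"""

# Constructed policy.json: targets (left) map to rules (right). A rule is a
# role check, a reference to another named rule, or an attribute comparison.
POLICY = {
    "admin_required": "role:admin",
    "admin_or_owner": "rule:admin_required or project_id:%(project_id)s",
    "compute:start": "rule:admin_or_owner",   # /v2/{tenant_id}/servers/{server_id}/action
    "compute:delete": "rule:admin_required",
}

def _check(atom, creds, target, policy):
    """One simple check: RoleCheck, RuleCheck, or a token-attribute comparison
    against the request (target) attributes."""
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds["roles"]
    if kind == "rule":
        return evaluate(value, creds, target, policy)
    try:
        value = value % target              # expands e.g. %(project_id)s
    except KeyError:
        return False                        # target attribute absent: fail closed
    return str(creds.get(kind)) == value

def evaluate(name, creds, target, policy):
    """Evaluate the rule bound to a target. OrCheck over AndCheck groups:
    'and' binds tighter than 'or'; parentheses are not supported here."""
    expr = policy.get(name, "!")            # unknown target: deny
    if expr == "!":
        return False
    if expr == "":
        return True
    return any(all(_check(a.strip(), creds, target, policy)
                   for a in conj.split(" and "))
               for conj in expr.split(" or "))

def creds_from_token(token_json):
    """Flatten a scoped token into the credentials policy is checked against."""
    t = json.loads(token_json)["token"]
    return {"roles": [r["name"] for r in t["roles"]],
            "user_id": t["user"]["id"], "project_id": t["project"]["id"]}

def is_allowed(action, token_json, target):
    return evaluate(action, creds_from_token(token_json), target, POLICY)

if __name__ == "__main__":
    own = {"project_id": "8538a3f13f9541b28c2620eb19065e45"}
    print(is_allowed("compute:start", TOKEN_JSON, own))    # True: owner of the VM's project
    print(is_allowed("compute:delete", TOKEN_JSON, own))   # False: admin only
```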
21. Federated Identity
● Users can exist in an identity store that is not accessible by Keystone, or is owned by a different entity
● Keystone federation allows for users’ identity to be provided as a part of the authentication request
○ Identity info is provided as environment variables
● Keystone is protocol agnostic; all federation protocol details are handled by Apache HTTPD modules
○ SAML - mod_shib, mod_auth_mellon
○ OpenID Connect - mod_auth_openidc
● Terminology
○ Identity Provider (IdP)
■ Trusted provider of identity information
○ Service Provider (SP)
■ Service that consumes identity information (Keystone)
○ Assertion
■ Trusted representation of identity attributes issued by IdP for consumption by SP
■ If using SAML, the assertion represents identity attributes
■ If using OpenID Connect, the assertion is a set of claims
22. Mapping Engine
● Groups are created in Keystone's identity backend for the purpose of role assignment
○ Mapping establishes group membership
● Federation specific auth URL is used to obtain an unscoped token
○ Simply identifies user and groups
● Unscoped federation token is used to obtain a scoped token
○ Contains group assigned roles
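The mapping engine flow above, as an added example that is not Keystone's own code: a simplified model in which identity attributes arrive as environment variables set by the Apache module, mapping rules (laid out like Keystone's mapping JSON but supporting only plain values and any_one_of, no regex) yield a user name plus Keystone group ids, and the scoped token's roles come from those groups' role assignments. All rules, environment variables, group ids and project ids are constructed.

```python
def apply_mapping(rules, env):
    """Return {'name': ..., 'group_ids': [...]} or None if no rule named the user.
    Each remote clause must match; '{n}' in a local clause is the n-th remote value."""
    name, group_ids = None, []
    for rule in rules:
        values = []
        for remote in rule["remote"]:
            value = env.get(remote["type"])     # single value per attribute (simplified)
            if value is None:                   # attribute missing: this rule fails
                break
            if "any_one_of" in remote and value not in remote["any_one_of"]:
                break
            values.append(value)
        else:                                   # every remote clause matched
            for local in rule["local"]:
                if "user" in local:
                    name = local["user"]["name"].format(*values)
                if "group" in local:
                    group_ids.append(local["group"]["id"])
    return {"name": name, "group_ids": group_ids} if name else None

MAPPING = [  # constructed mapping rules for one identity provider
    {"remote": [{"type": "REMOTE_USER"}],
     "local": [{"user": {"name": "{0}"}}]},
    {"remote": [{"type": "REMOTE_USER_GROUPS", "any_one_of": ["cloud-admins"]}],
     "local": [{"group": {"id": "grp-admins"}}]},
    {"remote": [{"type": "REMOTE_USER_GROUPS", "any_one_of": ["cloud-users"]}],
     "local": [{"group": {"id": "grp-users"}}]},
]

# Constructed role assignments made on the Keystone groups: (group, project) -> roles
GROUP_ROLES = {("grp-admins", "proj-1"): ["admin"],
               ("grp-users", "proj-1"): ["member"]}

def unscoped_token(env):
    """Federation auth URL step: the token identifies only the user and groups."""
    return apply_mapping(MAPPING, env)

def scoped_token(unscoped, project_id):
    """Token exchange step: roles are those assigned to the mapped groups."""
    roles = sorted({r for g in unscoped["group_ids"]
                      for r in GROUP_ROLES.get((g, project_id), [])})
    if not roles:
        return None                             # no role on that project: refuse the scope
    return {"user": unscoped["name"], "project_id": project_id, "roles": roles}
```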
28. Single Sign-On
● The most demanded Federation feature in OpenStack is finally here!
● Cross project work item between Keystone and Horizon.
○ Work items in three different projects: Keystone, Horizon and django_openstack_auth
● Classic Web Single Sign-On experience in Horizon
○ Protocol agnostic (supports SAML, OpenID Connect, Kerberos, etc.)
○ Keystone still acts as a Service Provider
○ Provides users with familiar branding
○ One less password for Keystone and Horizon to see
29. Single Sign-On GUI Flow
● When the user loads Horizon, they can select the protocol desired, or use the old service accounts
30. Single Sign-On GUI Flow
● Once a federated protocol is selected, the branded login page will appear
31. Single Sign-On GUI Flow
● When authenticated with their Identity Provider, the user will be logged into Horizon
39. Keystone 2 Keystone Federation
● Federating Identities from one deployment to another
○ Works almost identically to the normal Federated Identity Flow, except the originating SAML IdP is another Keystone
○ Trust relationship between each deployment must be explicitly setup
○ Leverages Identity Provider Initiated SAML Flow:
● User authenticates with their own cloud
● Exchanges token for an assertion
● Forwards the assertion to another cloud
● User now has a token for the remote cloud
Highlighted at the Keynote of the last OpenStack summit!
40. Keystone 2 Keystone Architecture
(Diagram: Local Cloud with Keystone, Nova, Glance; Remote Cloud with Keystone, Nova, Glance; Local Cloud User)
A. Add Remote Cloud as a Service Provider
B. Add Local Cloud as an Identity Provider
One time setup performed by cloud admins
42. Future Plans
● MFA - Rackspace has proposed an MFA specification that is in progress
○ Would be pluggable so vendors can implement their own MFA
● Federated Identity Enhancements (polish off rough edges from Federated Identity Keynote)
○ Better client experience
○ Easier mapping rules
● Authorization Enforcement (Tokenless Auth)
○ Use X509 instead of passwords
○ No token needed (with X509) for interacting with Keystone CRUD interfaces
● Dynamic Policy
○ Rather than relying on the policy files themselves, this data should be stored in a database and cached
45. Title and Abstract
Title: Building IAM for OpenStack
Abstract: Keystone is the IAM project for OpenStack, and as such has to handle many different methods of deployment – On-Prem, Hybrid, Hosted – at many differing levels of scale. Some deployments are no more than a VM used for development purposes, while others are 100,000s of cores across multiple data centers and continents. This session will cover details of Keystone, what can be accomplished with it today, how OpenStack integrates with your enterprise identity solution, federated identity across OpenStack deployments, the OpenStack model of access management today, and our plans for the future.
46. not so pretty agenda to keep for slide titling (ICK!)
● Keystone in two minutes or less!
○ Keystone Overview
○ Identity API vs Keystone
○ Scale of Keystone Deployments (1 vm to 1000s of physical machines)
● Identity Sources
○ Direct Connect (SQL, LDAP, Multiple Backends, SSSD)
○ Identity Provider (IdP)
○ Use Cases
● Authentication
○ Password
○ Token
○ External (Kerberos, x509, etc)
○ Multi-Factor
● Identity Federation
○ Federation (SAML, OpenID Connect, ABFAB, etc)
○ Keystone2Keystone Identity Federation
○ Web Single Sign-On
● Access Management Model in OpenStack
○ RBAC
○ Authorization
○ Endpoint Validation of AuthZ
● Future Plans
○ Enhancements to Direct Identity Sources
○ Federated Identity
○ Authorization Enforcement
● Closing statements
47. Keystone Auth Token Middleware
● A common authentication protocol used between OpenStack projects
● Added to the paste pipeline of other projects
48. SSSD
● Available in a future release of OpenStack as an Identity Source
● Identity information lookup can be offloaded to the underlying platform using SSSD
● Eliminates the complexity of LDAP handling within Keystone
● SSSD - System Security Services Daemon
○ Provides access to remote authentication and identity sources (FreeIPA, Active Directory, LDAP)
○ Supports caching for high performance and fault tolerance
○ Supports failover for fault tolerance
○ Integrates via PAM, NSS, and DBUS
● mod_lookup_identity
○ Performs lookup of identity attributes from SSSD via DBUS
○ Provides identity attributes as environment variables to web applications
● mod_auth_* + mod_lookup_identity looks exactly the same as federation from the perspective of Keystone!
49. Multi-Factor Authentication
● When knowing a password is not enough
● These factors could be:
○ knowledge based (questions)
○ possession based (security tokens, text messages)
○ inherence based (biometrics)
● FreeIPA has support for OTP (One Time Password)
○ Keystone can work with it via its LDAP identity driver or via SSSD (federated LDAP)
○ HOTP/TOTP tokens (Yubikey, FreeOTP, Google Authenticator)
● Rackspace has proposed an MFA specification that is in progress
○ Would be pluggable so vendors can implement their own MFA