Cloud Native Identity Management
Andreas Zitzelsberger, QAware
Andrew Jessup, Scytale.io

Once upon a time...
Large cloud project for a major company
• Hundreds of apps in the cloud
• Many more on-prem
• Little centralized control
• Strict legal requirements
• Strict security requirements
See: The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications to Kubernetes, Josef Adersberger, KubeCon 2017, https://bit.ly/2JZNRHw

Where did we start?
• Classic approach: 0-trust with TLS / X.509
• Secure
• But: Decomposition of applications leads to an explosion of trust relations
• Hard to manage at scale
• Complex and error-prone
• Also, no secret rotation

Let’s take a step back and look at the problem...
Diagram: App A with Id(A) and Trust(A) = {...}; App B with Id(B) and Trust(B) = {Id(A)}
● Secure Authentication and Authorization
● Scale
● Dynamicity
● Manageability
● Secret rotation
● Interoperability
● Hybrid cloud

Timeline
• 11th USENIX Security Symposium (2002): Plan9 security design published
• Circa 2005: Google develops the Low Overhead Authentication Service
• GlueCon 2016: Joe Beda proposes SPIFFE
• KubeCon NA 2017: SPIFFE & SPIRE 0.1 are released
• April 2018: SPIFFE & SPIRE accepted into the CNCF

SPIFFE Workload API
Workload: “Who am I?”
Workload API: “You are spiffe://acme.com/fe. And here is your short-lived key to prove it to others.”

SPIRE
• Workload API (gRPC): Secure introduction to other services, mTLS, JWTs, identity for proxy services
• Workload Attestor Plug-ins and Node Attestor Plug-ins; platforms shown: Linux, Windows, OS X, YubiKey, HSM providers, Azure, GCP, Kubernetes, Mesosphere, Join Token, AWS, Kerberos
• Layers: Core, Workload, Platform
• Simplify deployment of distributed systems

Building on top of SPIFFE and SPIRE

SPIRE provides identity, Vault trust
App
• Identity: spiffe://trust-domain/app
• Trust: Trusted CAs: ...
  + Rotating credentials for Databases, RabbitMQ, …
  + Secrets
Trust relations:
  spiffe://.../app-1 -> spiffe://.../app-2
  spiffe://.../app-1 -> spiffe://.../app-3
  spiffe://.../app-2 -> spiffe://.../app-3
  ...

Proper secret rotation is surprisingly hard
• Assumption: Keys and certificates are (a) static and (b) provided via files
• Python (with Flask): app.run(ssl_context=('cert.pem', 'key.pem'))
• Go (gRPC with TLS): credentials.NewServerTLSFromFile(crt, key)
• Also Envoy, Nginx, …
• Java: -Djavax.net.ssl.trustStore=... -Djavax.net.ssl.keyStore=...
• But Java has the java.security API
• Certificates and keys can be rotated online (if the API is used properly)

Integrating Vault and SPIRE
Transport (TLS) Authentication
• Unfriendly to certificate rotation due to unseal process
• Solution: Put Vault alongside SPIRE in the same PKI
App Authentication
• Previously unable to validate URI SANs because Go up to 1.9 lacked support
• Works from Vault 0.10.2 on (PR #4231)
• Solution: Sidecar regularly updates the trusted auth certificate with the SPIRE CA

Piecing it all together
Diagram components: App (Java), CloudId Lib, java.security, SPIRE Agent, Workload API, Vault, TLS
TLS
● SVID as Server Certificate
● Client cryptographically checked against trusted bundles
● Client Ids checked against ACL
● SVID as Client Certificate
● Servers cryptographically checked against trusted bundles
● Server Ids checked against ACL
Integration at application level.
Alternative: Use an ambassador proxy
See https://github.com/spiffe/spiffe-example for examples with Envoy and Ghosttunnel

Demo time
https://github.com/qaware/cloudid-showcase
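The rotation slide says file-based keys block online rotation, and the "piecing it all together" slide lists what each side of the TLS connection checks. The Go program below is an added example, not code from the talk, from QAware's cloudid-showcase, or from the SPIFFE project, that shows both points in the standard library: a tls.Config that fetches the SVID through a callback (so a rotated certificate is used on the next handshake without a restart) and a VerifyPeerCertificate hook that checks the peer against the trust bundle before comparing its SPIFFE ID with an ACL. The self-signed CA, the trust domain example.org, the IDs app-1 and app-2 and the helper names (newCert, issueSVID, rotatingSVID, verifyPeer, tlsConfig) are all constructed for the example; a real workload receives its SVID and bundle from the SPIRE agent's Workload API instead of minting them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"sync/atomic"
	"time"
)

// newCert is a constructed stand-in for the SPIRE CA: it signs tmpl with parent, or self-signs
// when parent is nil. Fixture code only, so setup errors simply panic.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced one line above always parses
	return cert, key
}

// newTrustDomainCA returns the CA and the trust bundle a SPIRE agent would hand to workloads.
func newTrustDomainCA() (*x509.Certificate, *ecdsa.PrivateKey, *x509.CertPool) {
	ca, key := newCert(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "constructed trust-domain CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}, nil, nil)
	bundle := x509.NewCertPool()
	bundle.AddCert(ca)
	return ca, key, bundle
}

// issueSVID mints a short-lived X.509-SVID whose only identity is the SPIFFE ID in its URI SAN.
func issueSVID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, id string) tls.Certificate {
	uri, _ := url.Parse(id) // the constructed IDs used here are well-formed
	cert, key := newCert(&x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), URIs: []*url.URL{uri},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}, ca, caKey)
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}
}

// rotatingSVID holds the workload's current SVID. Handing tls.Config a callback instead of a file
// path is what lets a rotated SVID take effect on the next handshake, with no restart.
type rotatingSVID struct{ cur atomic.Value }

func (r *rotatingSVID) Set(c tls.Certificate) { r.cur.Store(&c) }
func (r *rotatingSVID) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	if c, ok := r.cur.Load().(*tls.Certificate); ok {
		return c, nil
	}
	return nil, fmt.Errorf("no SVID received from the Workload API yet")
}

// verifyPeer checks the peer leaf cryptographically against the trust bundle first, and only
// then its SPIFFE ID (exactly one spiffe:// URI SAN) against the ACL.
func verifyPeer(bundle *x509.CertPool, acl map[string]bool, usage x509.ExtKeyUsage) func([][]byte, [][]*x509.Certificate) error {
	return func(raw [][]byte, _ [][]*x509.Certificate) error {
		if len(raw) == 0 {
			return fmt.Errorf("peer presented no certificate")
		}
		leaf, err := x509.ParseCertificate(raw[0])
		if err != nil {
			return err
		}
		if _, err := leaf.Verify(x509.VerifyOptions{Roots: bundle, KeyUsages: []x509.ExtKeyUsage{usage}}); err != nil {
			return fmt.Errorf("peer not trusted by bundle: %w", err)
		}
		if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" {
			return fmt.Errorf("peer certificate must carry exactly one spiffe:// URI SAN")
		}
		if id := leaf.URIs[0].String(); !acl[id] {
			return fmt.Errorf("peer %s is not allowed by the ACL", id)
		}
		return nil
	}
}

// tlsConfig wires one side together (handed unchanged to tls.Server or tls.Client): own SVID via callback, peer checked by bundle then ACL.
func tlsConfig(svid *rotatingSVID, bundle *x509.CertPool, acl map[string]bool, server bool) *tls.Config {
	if server {
		return &tls.Config{MinVersion: tls.VersionTLS12, GetCertificate: svid.GetCertificate,
			ClientAuth:            tls.RequireAnyClientCert, // chain and ACL are enforced by verifyPeer
			VerifyPeerCertificate: verifyPeer(bundle, acl, x509.ExtKeyUsageClientAuth)}
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: true, // a SPIFFE peer has no hostname: verifyPeer replaces, not skips, the check
		GetClientCertificate:  func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return svid.GetCertificate(nil) },
		VerifyPeerCertificate: verifyPeer(bundle, acl, x509.ExtKeyUsageServerAuth)}
}

func main() {
	ca, caKey, bundle := newTrustDomainCA()
	app1 := issueSVID(ca, caKey, "spiffe://example.org/app-1") // constructed ID in trust domain example.org
	app2 := tlsConfig(&rotatingSVID{}, bundle, map[string]bool{"spiffe://example.org/app-1": true}, true)
	fmt.Println("app-1 may call app-2:", app2.VerifyPeerCertificate(app1.Certificate, nil) == nil)
}
```

The order inside verifyPeer is the point of the slide's two bullets per side: an ID is compared with the ACL only after the certificate carrying it has chained to the trust bundle, so a certificate with the right SPIFFE ID but the wrong issuer is rejected before any authorization decision. In a deployment the trust bundle has to be refreshed the same way the SVID is, because SPIRE rotates the CA as well; the go-spiffe library's tlsconfig package builds this kind of callback-based configuration from a Workload API source.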
Our next steps...
Further exploration
• Use the SPIFFE Id for tracing and correlating logs
• Interaction with other service meshes
• Connect workload and user identities
• Federation and hybrid cloud
Diagram: SPIRE Server (Cloud Region 1) <-> Peering <-> SPIRE Server (Cloud Region 2)

Summary
There’s a lot of infrastructure...
… exposed with a single line of code.
The configuration effort is reduced to the actual business problem
● Specify who is who
● Specify who is allowed to talk to whom

spiffe.io | github.com/spiffe | slack.spiffe.io
SPIFFE at KubeCon: May 2 (Today), May 3 (Tomorrow), May 4 (Friday)
• TheNewStack Pancake Breakfast talks SPIFFE 7.30am
• SPIFFE Project Intro 4.25pm
• SPIFFE Deep Dive (Scytale) 2pm
• Panel: App Security Requires Containers 4.25pm

Thank You!
@andreasz82 Andreas Zitzelsberger
@whenfalse Andrew Jessup
Special thanks to
Christian Fritz, QAware
Roman Buchholz, QAware
Evan Gilman, Scytale.io
Nic Jackson, HashiCorp