This document discusses Cloud Native Identity Management using SPIFFE (Secure Production Identity Framework for Everyone) and SPIRE (SPIFFE Runtime Environment). It provides an overview of SPIFFE and SPIRE, including how they address identity management challenges in cloud-native environments. It then summarizes how SPIRE implements the SPIFFE specifications through a node attestation and workload attestation process where a SPIRE agent authenticates to a server, retrieves selectors to verify workloads, and issues signed identity documents when a workload matches the selectors.
SPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo OmuraPreferred Networks
In SPIRE, attestation is the essential process because it certifies a node or workload, i.e. it asserts the identities of them. This talk describes how SPIRE implement this process and make it flexible. Moreover, it explains the detail of how spire-server and spire-agent (running at a node) interacts in the attestation process.
This is a presentation I held at "DevOps and Security" -meetup on 5th of April 2016 at RedHat.
Source is available at: https://github.com/jerryjj/devsec_050416
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Henning Jacobs
Kubernetes has the concept of resource requests and limits. Pods get scheduled on the nodes based on their requests and optionally limited in how much of the resource they can consume. Understanding and optimizing resource requests/limits is crucial both for reducing resource "slack" and ensuring application performance/low-latency. This talk shows our approach to monitoring and optimizing Kubernetes resources for 80+ clusters to achieve cost-efficiency and reducing impact for latency-critical applications. All shown tools are Open Source and can be applied to most Kubernetes deployments.
In this session customers will learn how to leverage the identity and authorisation, network security and secrets management features of the wider AWS platform for their containers. We will also show you how to scan container images for vulnerabilities as part of your CI/CD pipeline.
Speaker: Marcus Santos, Solutions Architect, AWS
SPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo OmuraPreferred Networks
In SPIRE, attestation is the essential process because it certifies a node or workload, i.e. it asserts the identities of them. This talk describes how SPIRE implement this process and make it flexible. Moreover, it explains the detail of how spire-server and spire-agent (running at a node) interacts in the attestation process.
This is a presentation I held at "DevOps and Security" -meetup on 5th of April 2016 at RedHat.
Source is available at: https://github.com/jerryjj/devsec_050416
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Henning Jacobs
Kubernetes has the concept of resource requests and limits. Pods get scheduled on the nodes based on their requests and optionally limited in how much of the resource they can consume. Understanding and optimizing resource requests/limits is crucial both for reducing resource "slack" and ensuring application performance/low-latency. This talk shows our approach to monitoring and optimizing Kubernetes resources for 80+ clusters to achieve cost-efficiency and reducing impact for latency-critical applications. All shown tools are Open Source and can be applied to most Kubernetes deployments.
In this session customers will learn how to leverage the identity and authorisation, network security and secrets management features of the wider AWS platform for their containers. We will also show you how to scan container images for vulnerabilities as part of your CI/CD pipeline.
Speaker: Marcus Santos, Solutions Architect, AWS
What Is Kubernetes | Kubernetes Introduction | Kubernetes Tutorial For Beginn...Edureka!
***** Kubernetes Certification Training: https://www.edureka.co/kubernetes-certification *****
This Edureka tutorial on "What is Kubernetes" will give you an introduction to one of the most popular Devops tool in the market - Kubernetes, and its importance in today's IT processes. This tutorial is ideal for beginners who want to get started with Kubernetes & DevOps. The following topics are covered in this training session:
1. Need for Kubernetes
2. What is Kubernetes and What it's not
3. How does Kubernetes work?
4. Use-Case: Kubernetes @ Pokemon Go
5. Hands-on: Deployment with Kubernetes
DevOps Tutorial Blog Series: https://goo.gl/P0zAfF
What does Day 0 with Vault secrets management look like? What about Day 1? 2? N? This talk gives you a detailed look at typical Vault user progressions that provide the most successful deployments for customers
Have you ever wondered what the relative differences are between two of the more popular open source, in-memory data stores and caches? In this session, we will describe those differences and, more importantly, provide live demonstrations of the key capabilities that could have a major impact on your architectural Java application designs.
If you’re working with just a few containers, managing them isn't too complicated. But what if you have hundreds or thousands? Think about having to handle multiple upgrades for each container, keeping track of container and node state, available resources, and more. That’s where Kubernetes comes in. Kubernetes is an open source container management platform that helps you run containers at scale. This talk will cover Kubernetes components and show how to run applications on it.
This session is focused on the Hashicorp vault which is a secret management tool. We can manage secrets for 2-3 environments but what if we have more than 10 environments, then it will become a very painful task to manage them when secrets are dynamic and need to be rotated after some time. Hashicorp vault can easily manage secrets for both static and dynamic also it can help in secret rotations.
Multi-Clusters Made Easy with Liqo: Getting Rid of Your Clusters Keeping Them...KCDItaly
Many companies are experiencing a dramatic increase in the number of their Kubernetes clusters, for
reasons such as geographical/legislative constraints, data/service replication, etc.
However, when the number of clusters increases, the complexity of deploying apps, managing the entire
multi-cluster infrastructure, and keeping its state under control, becomes rapidly an unmanageable
problem.
A possible solution is Liqo, an open-source project that simplifies the creation of multi-cluster topologies
by replicating the Kubernetes “cattle” model also to clusters.
Liqo creates a virtual cluster that spans multiple real clusters, either on-prem or managed (AKS, EKS,
GKE), and instantiates the desired applications seamlessly in the appropriate cluster.
This talk will discuss the potentials and roadblocks of this vision and highlight how Liqo brings multi-
cluster transparency to the users.
Kubernetes Architecture - beyond a black box - Part 1Hao H. Zhang
This is part 1 of my Kubernetes architecture deep-dive slide series.
I have been working with Kubernetes for more than a year, from v1.3.6 to v1.6.7, and I am a CNCF certified Kubernetes administrator. Before I move on to something else, I would like to summarize and share my knowledges and take-aways about Kubernetes, from a software engineer perspective.
This set of slides is a humble dig into one level below your running application in production, revealing how different components of Kubernetes work together to orchestrate containers and present your applications to the rest of the world.
The slides contains 80+ external links to Kubernetes documentations, blog posts, Github issues, discussions, design proposals, pull requests, papers, source code files I went through when I was working with Kubernetes - which I think are valuable for people to understand how Kubernetes works, Kubernetes design philosophies and why these design came into places.
EFK Stack이란 ElasticSearch, Fluentd, Kibana라는 오픈소스의 조합으로, 방대한 양의 데이터를 신속하고 실시간으로 수집/저장/분석/시각화 할 수 있는 솔루션입니다. 특히 컨테이너 환경에서 로그 수집을 위해 주로 사용되는 기술 스택입니다.
Elasitc Stack에 대한 소개와 EFK Stack 설치 방법에 대해 설명합니다.
Re:invent 2016 Container Scheduling, Execution and AWS Integrationaspyker
Members from over all over the world streamed over forty-two billion hours of Netflix content last year. Various Netflix batch jobs and an increasing number of service applications use containers for their processing. In this session, Netflix presents a deep dive on the motivations and the technology powering container deployment on top of Amazon Web Services. The session covers our approach to resource management and scheduling with the open source Fenzo library, along with details of how we integrate Docker and Netflix container scheduling running on AWS. We cover the approach we have taken to deliver AWS platform features to containers such as IAM roles, VPCs, security groups, metadata proxies, and user data. We want to take advantage of native AWS container resource management using Amazon ECS to reduce operational responsibilities. We are delivering these integrations in collaboration with the Amazon ECS engineering team. The session also shares some of the results so far, and lessons learned throughout our implementation and operations.
My cloud native security talk I gave at Innotech Austin 2018. I cover container and Kubernetes security topics, security features in Kubernetes, including opensource projects you will want to consider while building and maintaining cloud native applications.
Secret Management with Hashicorp’s VaultAWS Germany
When running a Kubernetes Cluster in AWS there are secrets like AWS and Kubernetes credentials, access information for databases or integration with the company LDAP that need to be stored and managed.
HashiCorp’s Vault secures, stores, and controls access to tokens, passwords, certificates, API keys, and other secrets . It handles leasing, key revocation, key rolling, and auditing.
This talk will give an overview of secret management in general and Vault’s concepts. The talk will explain how to make use of Vault’s extensive feature set and show patterns that implement integration between Kubernetes applications and Vault.
Squirreling Away $640 Billion: How Stripe Leverages Flink for Change Data Cap...Flink Forward
Flink Forward San Francisco 2022.
Being in the payments space, Stripe requires strict correctness and freshness guarantees. We rely on Flink as the natural solution for delivering on this in support of our Change Data Capture (CDC) infrastructure. We heavily rely on CDC as a tool for capturing data change streams from our databases without critically impacting database reliability, scalability, and maintainability. Data derived from these streams is used broadly across the business and powers many of our critical financial reporting systems totalling over $640 Billion in payment volume annually. We use many components of Flink’s flexible DataStream API to perform aggregations and abstract away the complexities of stream processing from our downstreams. In this talk, we’ll walk through our experience from the very beginning to what we have in production today. We’ll share stories around the technical details and trade-offs we encountered along the way.
by
Jeff Chao
Building Trust Between Modern Distributed Systems with SPIFFEQAware GmbH
Cloud Native Night, February 2018, Munich: Talk by Andrew Jessup (@whenfalse, co-founder of & Head of Product at Skytale)
Join our Meetup: https://www.meetup.com/de-DE/cloud-native-muc/
Abstract:
This talk gives an overview of the motivation and design of the SPIFFE and SPIRE projects, which provide an open standard and toolchain for trusted communication in modern cloud computing environments, and how they are being used as a foundation for other infrastructure tools including Hashicorp Vault, Lyft's Envoy and the Istio project.
What Is Kubernetes | Kubernetes Introduction | Kubernetes Tutorial For Beginn...Edureka!
***** Kubernetes Certification Training: https://www.edureka.co/kubernetes-certification *****
This Edureka tutorial on "What is Kubernetes" will give you an introduction to one of the most popular Devops tool in the market - Kubernetes, and its importance in today's IT processes. This tutorial is ideal for beginners who want to get started with Kubernetes & DevOps. The following topics are covered in this training session:
1. Need for Kubernetes
2. What is Kubernetes and What it's not
3. How does Kubernetes work?
4. Use-Case: Kubernetes @ Pokemon Go
5. Hands-on: Deployment with Kubernetes
DevOps Tutorial Blog Series: https://goo.gl/P0zAfF
What does Day 0 with Vault secrets management look like? What about Day 1? 2? N? This talk gives you a detailed look at typical Vault user progressions that provide the most successful deployments for customers
Have you ever wondered what the relative differences are between two of the more popular open source, in-memory data stores and caches? In this session, we will describe those differences and, more importantly, provide live demonstrations of the key capabilities that could have a major impact on your architectural Java application designs.
If you’re working with just a few containers, managing them isn't too complicated. But what if you have hundreds or thousands? Think about having to handle multiple upgrades for each container, keeping track of container and node state, available resources, and more. That’s where Kubernetes comes in. Kubernetes is an open source container management platform that helps you run containers at scale. This talk will cover Kubernetes components and show how to run applications on it.
This session is focused on the Hashicorp vault which is a secret management tool. We can manage secrets for 2-3 environments but what if we have more than 10 environments, then it will become a very painful task to manage them when secrets are dynamic and need to be rotated after some time. Hashicorp vault can easily manage secrets for both static and dynamic also it can help in secret rotations.
Multi-Clusters Made Easy with Liqo: Getting Rid of Your Clusters Keeping Them...KCDItaly
Many companies are experiencing a dramatic increase in the number of their Kubernetes clusters, for
reasons such as geographical/legislative constraints, data/service replication, etc.
However, when the number of clusters increases, the complexity of deploying apps, managing the entire
multi-cluster infrastructure, and keeping its state under control, becomes rapidly an unmanageable
problem.
A possible solution is Liqo, an open-source project that simplifies the creation of multi-cluster topologies
by replicating the Kubernetes “cattle” model also to clusters.
Liqo creates a virtual cluster that spans multiple real clusters, either on-prem or managed (AKS, EKS,
GKE), and instantiates the desired applications seamlessly in the appropriate cluster.
This talk will discuss the potentials and roadblocks of this vision and highlight how Liqo brings multi-
cluster transparency to the users.
Kubernetes Architecture - beyond a black box - Part 1Hao H. Zhang
This is part 1 of my Kubernetes architecture deep-dive slide series.
I have been working with Kubernetes for more than a year, from v1.3.6 to v1.6.7, and I am a CNCF certified Kubernetes administrator. Before I move on to something else, I would like to summarize and share my knowledges and take-aways about Kubernetes, from a software engineer perspective.
This set of slides is a humble dig into one level below your running application in production, revealing how different components of Kubernetes work together to orchestrate containers and present your applications to the rest of the world.
The slides contains 80+ external links to Kubernetes documentations, blog posts, Github issues, discussions, design proposals, pull requests, papers, source code files I went through when I was working with Kubernetes - which I think are valuable for people to understand how Kubernetes works, Kubernetes design philosophies and why these design came into places.
EFK Stack이란 ElasticSearch, Fluentd, Kibana라는 오픈소스의 조합으로, 방대한 양의 데이터를 신속하고 실시간으로 수집/저장/분석/시각화 할 수 있는 솔루션입니다. 특히 컨테이너 환경에서 로그 수집을 위해 주로 사용되는 기술 스택입니다.
Elasitc Stack에 대한 소개와 EFK Stack 설치 방법에 대해 설명합니다.
Re:invent 2016 Container Scheduling, Execution and AWS Integrationaspyker
Members from over all over the world streamed over forty-two billion hours of Netflix content last year. Various Netflix batch jobs and an increasing number of service applications use containers for their processing. In this session, Netflix presents a deep dive on the motivations and the technology powering container deployment on top of Amazon Web Services. The session covers our approach to resource management and scheduling with the open source Fenzo library, along with details of how we integrate Docker and Netflix container scheduling running on AWS. We cover the approach we have taken to deliver AWS platform features to containers such as IAM roles, VPCs, security groups, metadata proxies, and user data. We want to take advantage of native AWS container resource management using Amazon ECS to reduce operational responsibilities. We are delivering these integrations in collaboration with the Amazon ECS engineering team. The session also shares some of the results so far, and lessons learned throughout our implementation and operations.
My cloud native security talk I gave at Innotech Austin 2018. I cover container and Kubernetes security topics, security features in Kubernetes, including opensource projects you will want to consider while building and maintaining cloud native applications.
Secret Management with Hashicorp’s VaultAWS Germany
When running a Kubernetes Cluster in AWS there are secrets like AWS and Kubernetes credentials, access information for databases or integration with the company LDAP that need to be stored and managed.
HashiCorp’s Vault secures, stores, and controls access to tokens, passwords, certificates, API keys, and other secrets . It handles leasing, key revocation, key rolling, and auditing.
This talk will give an overview of secret management in general and Vault’s concepts. The talk will explain how to make use of Vault’s extensive feature set and show patterns that implement integration between Kubernetes applications and Vault.
Squirreling Away $640 Billion: How Stripe Leverages Flink for Change Data Cap...Flink Forward
Flink Forward San Francisco 2022.
Being in the payments space, Stripe requires strict correctness and freshness guarantees. We rely on Flink as the natural solution for delivering on this in support of our Change Data Capture (CDC) infrastructure. We heavily rely on CDC as a tool for capturing data change streams from our databases without critically impacting database reliability, scalability, and maintainability. Data derived from these streams is used broadly across the business and powers many of our critical financial reporting systems totalling over $640 Billion in payment volume annually. We use many components of Flink’s flexible DataStream API to perform aggregations and abstract away the complexities of stream processing from our downstreams. In this talk, we’ll walk through our experience from the very beginning to what we have in production today. We’ll share stories around the technical details and trade-offs we encountered along the way.
by
Jeff Chao
Building Trust Between Modern Distributed Systems with SPIFFEQAware GmbH
Cloud Native Night, February 2018, Munich: Talk by Andrew Jessup (@whenfalse, co-founder of & Head of Product at Skytale)
Join our Meetup: https://www.meetup.com/de-DE/cloud-native-muc/
Abstract:
This talk gives an overview of the motivation and design of the SPIFFE and SPIRE projects, which provide an open standard and toolchain for trusted communication in modern cloud computing environments, and how they are being used as a foundation for other infrastructure tools including Hashicorp Vault, Lyft's Envoy and the Istio project.
Exploring Advanced Authentication Methods in Novell Access ManagerNovell
Novell Access Manager provides many different levels of authentication beyond a simple user name and password. In this session, you will learn about its more advanced methods of authentication—from emerging standard like OpenID and CardSpace to tokens and certificates. Attendees will also see a demonstration of FreeRADIUS and the Vasco Digipass with Novell eDirectory, the Vasco NMAS method and an Access Manager plug-in that provides SSO to Web applications that expect a static password.
Configuration of Spring Boot applications using Spring Cloud Config and Spring Cloud Vault.
Presentation given at the meeting of the Java User Group Freiburg on October 24, 2017
Cisco iso based CA (certificate authority)Netwax Lab
IOS CA is short for Certificate Authority on IOS. It's a simple, yet very powerful tool to deploy certificates
in environments where PKI is needed for security reasons.
In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital
certificates. A digital certificate certifies the ownership of a public key by the named subject of the
certificate. This allows others (relying parties) to rely upon signatures or on assertions made by the
private key that corresponds to the certified public key. In this model of trust relationships, a CA is a
trusted third party - trusted both by the subject (owner) of the certificate and by the party relying upon
the certificate.
Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise UsersDataWorks Summit
Apache Knox Gateway is a proxy for interacting with Apache Hadoop clusters in a secure way providing authentication, service level authorization, and many other extensions to secure any HTTP interactions in your cluster. One main feature of Apache Knox Gateway is the ability to extend the reach of your REST APIs to the internet while still securing your cluster and working with Kerberos. Recent contributions to the Apache Knox community have added support for Single Sign On (SSO) based on Pac4j 1.8.9 which is a very powerful security engine which provides SSO support through SAML2, OAuth, OpenID, and CAS. In addition, through recent community contributions Apache Ambari, and Apache Ranger can now also provide SSO authentication through Knox. This paper will discuss the architecture of Knox SSO, it will explain how enterprise user could benefit by this feature and will present enterprise use cases for Knox SSO, and integration with open source Shibboleth, ADFS Windows server Idp support, and Okta cloud Idp.
Containerizing your Security Operations CenterJimmy Mesta
AppSec USA 2016 talk on using containers and Kubernetes to manage a variety of security tools. Includes best practices for securing Kubernetes implementations.
(ARC401) Cloud First: New Architecture for New InfrastructureAmazon Web Services
What do companies with internal platforms have to change to succeed in the cloud? The five pillars at the heart of IT solutions in the cloud are automation, fault tolerance, horizontal scalability, security, and cost-effectiveness. This talk discusses tools that facilitate the development and automate the deployment of secure, highly available microservices. The tools were developed using AWS CloudFormation, AWS SDKs, AWS CLI, Amazon RDS, and various open-source software such as Docker. The talk provides concrete examples of how these tools can help developers and architects move from beginning/intermediate AWS practitioners to cloud deployment experts.
by Brad Dispensa, Sr. Solutions Architect, AWS
Operating a security practice on AWS brings many new challenges that haven't been faced in data center environments. The dynamic nature of infrastructure, the relationship between development team members and their applications, and the architecture paradigms have all changed as a result of building software on top of AWS. In this session we will cover how you can use secure configuration and automation to monitor, audit, and enforce your security policies within an AWS environment. Level 200
With a complete new Identity/Access Management Suite on the Oracle market,
one might forget the good old SSO server, bundled with each and every IAS server.
Although it has some out-of-the-box capabilities like WNA and X509 certificate support,
it can be quite hard to set up an authentication scheme just the way you (or your customers) like it.
Using a case study, this presentation discusses how you can extend Oracle’s Single
Sign On (SSO) server to your needs. It will discuss :
- Integration & authentication with smartcard passports (eID)
- Authentication with digital certificates
- Implementing fallback authentication schemes
- Integration with SSL terminators and reverse proxies
- DIY federated authentication
- writing your own SSO plugin
The solutions presented are part of AXI NV/BV's portfolio.
Enterprise API adoption has gone beyond predictions. It has become the 'coolest' way of exposing business functionalities to the outside world. Both your public and private APIs, need to be protected, monitored and managed.
This session focuses on API Security. There are so many options out there to make someone easily confused. When to select one over the other is always a question - and you need to deal with it quite carefully to identify and isolate the tradeoffs. Security is not an afterthought. It has to be an integral part of any development project - so as for APIs. API security has evolved a lot in last five years. This talk covers best practices in building an API Security Ecosystem with OAuth 2.0, UMA, SCIM, XACML and LDAP.
Connected business is a very dynamic and complex environment. Your desire is to reach out to your customers, partners, distributors and suppliers and create more and more business interactions and activities, that will generate more revenue. The goal here is not just integrate technological silos, in your enterprise – but also make your business more accessible and reactive. The ability to propagate identities across borders in a protocol-agnostic manner is a core ingredient in producing a connected business environment.
SAML, OpenID, OpenID Connect, WS-Federation all support identity federation – cross domain authentication. But, can we always expect all the parties in a connected environment to support SAML, OpenID or OpenID Connect ? Most of the federation systems we see today are in silos. It can be a silo of SAML federation, a silo of OpenID Connect federation or a silo of OpenID federation.
Even in a given federation silo how do you scale with increasing number of service providers and identity providers? Each service provider has to trust each identity provider and this leads into the Spaghetti Identity anti-pattern.
Federation Silos and Spaghetti Identity are two anti-patterns that needs to be addressed in a connected environment.
This talk will present benefits, risks and challenges in a connected identity environment
Normal Labour/ Stages of Labour/ Mechanism of LabourWasim Ak
Normal labor is also termed spontaneous labor, defined as the natural physiological process through which the fetus, placenta, and membranes are expelled from the uterus through the birth canal at term (37 to 42 weeks
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
Introduction to AI for Nonprofits with Tapp NetworkTechSoup
Dive into the world of AI! Experts Jon Hill and Tareq Monaur will guide you through AI's role in enhancing nonprofit websites and basic marketing strategies, making it easy to understand and apply.
Safalta Digital marketing institute in Noida, provide complete applications that encompass a huge range of virtual advertising and marketing additives, which includes search engine optimization, virtual communication advertising, pay-per-click on marketing, content material advertising, internet analytics, and greater. These university courses are designed for students who possess a comprehensive understanding of virtual marketing strategies and attributes.Safalta Digital Marketing Institute in Noida is a first choice for young individuals or students who are looking to start their careers in the field of digital advertising. The institute gives specialized courses designed and certification.
for beginners, providing thorough training in areas such as SEO, digital communication marketing, and PPC training in Noida. After finishing the program, students receive the certifications recognised by top different universitie, setting a strong foundation for a successful career in digital marketing.
Strategies for Effective Upskilling is a presentation by Chinwendu Peace in a Your Skill Boost Masterclass organisation by the Excellence Foundation for South Sudan on 08th and 09th June 2024 from 1 PM to 3 PM on each day.
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Dr. Vinod Kumar Kanvaria
Exploiting Artificial Intelligence for Empowering Researchers and Faculty,
International FDP on Fundamentals of Research in Social Sciences
at Integral University, Lucknow, 06.06.2024
By Dr. Vinod Kumar Kanvaria
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
How to Build a Module in Odoo 17 Using the Scaffold MethodCeline George
Odoo provides an option for creating a module by using a single line command. By using this command the user can make a whole structure of a module. It is very easy for a beginner to make a module. There is no need to make each file manually. This slide will show how to create a module using the scaffold method.
A review of the growth of the Israel Genealogy Research Association Database Collection for the last 12 months. Our collection is now passed the 3 million mark and still growing. See which archives have contributed the most. See the different types of records we have, and which years have had records added. You can also see what we have for the future.
This presentation includes basic of PCOS their pathology and treatment and also Ayurveda correlation of PCOS and Ayurvedic line of treatment mentioned in classics.
4. Mobile API Web Front End POS API
TicketsSubscriptions
Billing
Members DB
5. Firewall
Web Front End Subscriptions
Model 0: Rely on the network
Source workload Destination
workload
6. Web Front End Subscriptions
4. Acknowledge
* Or key/secret, signed nonce etc.
2. Supply username and password*
with authentication handshake
Accounts
1. Retrieve
username and
password from
configuration
Model 1: Destination workload authentication
3. Verify
username
and
password
?
?
Source workload Destination
workload
7. Model 2: Platform mediated identity
Web Front End Subscriptions
4. Acknowledge
2. Send proof of identity with
authentication handshake
1. Retrieve
proof-of-identity from
the platform
3. Verify source
workload
identity
Platform (eg. AWS, or Kubernetes)
Eg. AWS IAM, Kubernetes Service Accounts
Privileged API Privileged API
Source workload
Destination
workload
9. GlueCon 2016
Joe Beda proposes SPIFFE
KubeCon NA 2017
SPIFFE & SPIRE 0.1 are released
April 2018
CNCF welcomes SPIFFE & SPIRE
Circa 2005
Google rolls-out LOAS
11th USENIX Security Symposium (2002)
Plan9 security design published
10. The Inspiration for SPIFFE and SPIRE
Google Application Layer Transport
Security
“The ALTS trust model has been
tailored for cloud-like containerized
applications. Identities are bound to
entities instead of to a specific server
name or host. This trust model
facilitates seamless microservice
replication, load balancing, and
rescheduling across hosts.”
“Secure authentication and authorization
within Facebook’s infrastructure play
important roles in protecting people using
Facebook’s services. Enforcing security while
maintaining a flexible and performant
infrastructure can be challenging at
Facebook’s scale, especially in the presence
of varying layers of trust among our servers.”
“During the startup, access to the
long-lived credentials and short-lived
credentials are provisioned to each
instance.
This credential bootstrap is done by
Metatron, which is a tool at Netflix,
which does credential management.”
12. A set of specifications that cover how a workload should
retrieve and use it’s identity.
● SPIFFE ID
● SPIFFE Verifiable Identity Documents (SVIDs)
● The SPIFFE Workload API
The SPIFFE Runtime Environment. Open-source software
that implements the SPIFFE Workload API for a variety of
platforms.
Apache 2.0 license. Independent governance. Highly
extensible through plug-ins.
github.com/spiffe/spiffe
github.com/spiffe/spire
14. SPIFFE Verifiable Identity Document
spiffe://acme.com/billing/payments
Today only one form of SVID (X509-SVID).
Other document types under consideration
(including JWT-SVID)
Typically short-lived
18. Design Goals of SPIFFE and SPIRE
● Application identity driven. By building a security model rooted in a strong assertion of
application identity, policies and practices become application- and business unit-
oriented rather than infrastructure-oriented.
● Easily adoptable. Users should be able to leverage Emissary with little or no code change.
The system should work well in dynamically orchestrated containerized environments.
● Federatable. It should be possible to use these identity mechanisms across business units
and even organizations.
● Reliable. The single points of failures in the system should be minimized and the system
should degrade gracefully when any single point of failure is down.
● Cloud and Container Ready. It should be possible to safely extend trust to entities running
on to third party cloud providers such as Amazon Web Services and Microsoft Azure, and
container orchestrators such as Cloud Foundry and Kubernetes.
19. Security Goals of SPIFFE and SPIRE
● Fully automated and policy driven. Existing identity (particularly PKI)
infrastructure is both complex and often requires “human trust”, which weakens
delivery. Emissary is fully automated and should minimize manual key
distribution.
● Minimal Knowledge. A compromised machine should only expose any secrets
for workloads that happen to be running on that machine.
● Reliable. The single points of failures in the system should be minimized and
the system should degrade gracefully when any SPOF is down. All “steady
state” operations shouldn’t have requirements off of a specific node.
● Scoped trust roots. There should be no hardcoded, global trust roots as we see
in the web browser world.
20. SPIFFE Workload API
Secure authentication amongst services
mTLS JWT
Identity for service mesh Bootstrap deployment for
distributed systems
gRPC
Secret
Stores
Proxy
Proxy
SPIFFE Verifiable Identity Documents (SVIDs)
Cloud platform
attestation plug-ins
OS attestation
plug-ins
Scheduler and PaaS
attestation plug-ins
HSM, TPM, Kerberos
attestation plug-ins
CA and secret
store plug-ins
21. Use cases
How the identity plane becomes
the unifying layer for
infrastructure
22. Turn-key, best practice authentication
Source
SPIRE Agent SPIRE Agent
eg. Vault, APIGateway, ADFS etc.
Authenticated
connection
Identify
workload Distribute trust
bundles
Destination
23. Minimize key leaks with secure introduction
API Service
Secret Store
or
Identity Broker
SPIRE Agent SPIRE Agent
eg. Vault, APIGateway, ADFS etc.
Authenticated
connection
Identify
workload Distribute trust
bundles
24. Simplify workload AuthN and AuthZ with
Service Mesh
API Service Database
SPIRE Agent SPIRE Agent
Verify the
infrastructure
Verify workload
Ambassador Proxy Ambassador Proxy
mTLS or JWT
authenticated
connection
25. Simplify workload AuthN and AuthZ with
Service Mesh
API Service Database
SPIRE Agent SPIRE Agent
Verify the
infrastructure
Verify workload
Ambassador Proxy Ambassador Proxy
27. CI/CD Pipeline
Enforce and verify release pipelines
Billing
Service
SPIRE Agent SPIRE Agent
Passes attestation, is
issued identity
spiffe://acme.com/billing
● runs as user ‘billing-svc’
● in the AWS security group sg-5c24f185”, and
● runs in a docker image that been signed
by our build system’s private key.
Billing
Service
Fails attestation, is
issued identity
Artifact Built Artifact Signed Artifact Built
28. Authenticate developer access (BeyondCorp)
Jan’s Laptop
spiffe://acme.com/developers
/janc/macbook4
SSH
SPIRE Agent
YubiKey
User IdP
Remote Node
SSH
SPIRE Agent
HSM
spiffe://acme.com/developers/janc/macbook4
● Has authenticated as ldap user janc
● Has authenticated with the YubiKey
associated with macbook4
eg. LDAP
29. Service Mesh Secure Introduction Unified telemetry Enforcement of
Software Supply
Chain
SPIFFE (API)
Identity Plane (SPIRE)
Envoy, LinkerD,
nginx, gRPC
Vault, Confidant,
Knox
Prometheus
Grafana
Jaeger
TUF, Notary,
Grafeas
The Identity Plane becomes the unifying layer for
infrastructure
...
36. EC2 Instance
Workload attestation
Container
SPIRE Agent
Workload API
SPIRE Server
3. Workload requests identity
4. Node agent performs an out-of-band
check of the workload process metadata,
compares to known selectorswhoami()
Kubelet
37. EC2 Instance
SVID Bundle Issuance
Container
SPIRE Agent
Workload API
SPIRE Server
5. If match found, NA generates a key for
the workload
6. NA sends certificate signing request
based on that key to SPIRE Server
Kubelet
38. EC2 Instance
Kubelet
SVID Bundle Issuance
Container
SPIRE Agent
Workload API
SPIRE Server
6. SPIRE server issues SVID (as well as
certificates for any other workload the
instance should support)
39. EC2 Instance
Kubelet
SVID Bundle Issuance
Container
SPIRE Agent
Workload API
SPIRE Server
7. Certificate bundle returned to the
workload
Kubelet