SlideShare a Scribd company logo

Decentralized Authorization

Download as PPTX, PDF
S
Sitaraman Lakshminarayanan

How to push authorization decisions closer to service but still centrally create authorization policies using Open Policy Agent.

1 of 23
Seattle | September 16-17, 2019 Decentralized Authorization SITARAMAN LAKSHMINARAYANAN
Seattle | September 16-17, 2019 Am I Authorized to speak about this topic? OR whoami ? • Subject – Sitaraman ( Ram) Lakshminarayanan • Resources – I work for Pure Storage as Sr Security Architect • Actions – Author-Web Services Security, Co-Author ASP.NET Security • Other Attributes: Twitter: @Lsitaraman , Exp : 20 Years, Can speak Role Based and Fine Grained Authorization semantics among other things.
Seattle | September 16-17, 2019 Why talk about Authorization here? • Security Teams are always in the mix between – Developers / Operations / Customers/ PM’s. • Let’s not just ask questions, provide solutions. • Just pointing in the right direction is a big favor to developers.
Seattle | September 16-17, 2019 What is Authorization? Subject – User / Application Resource – Web App, API, or any feature of your App Action – Read , Write, Delete, Approve, Deny, etc. Is the User (Subject) allowed to Perform the said action on a Resource?
Seattle | September 16-17, 2019 Role Based Access Control – one form of AuthZ Role Resources Actions Group
Seattle | September 16-17, 2019 Developer’s view of Implementing RBAC If Role == “Manager|Admin” { return True; } Something along those lines.. - Rules are hard coded in the code. - Implementation varies between Teams / Stack
Seattle | September 16-17, 2019 Dev-Sec-Ops Developer- Implements AuthZ logic Security – wants to verify if you can enforce “need to know” basis / Least privilege. Ops – wants to make sure everything is running / deployment doesn’t take hours, etc.
Seattle | September 16-17, 2019 When Security Team reviews the code/deployment? Security: Can I change what this Role- Manager or Admin can do ? Developer : ?? Why?? Security: 1. Our Policy 2. Its too high of privileges for Role- XYZ ( e.g. Manager) 3. Separation of Duties
Seattle | September 16-17, 2019 How would a Developer Re-design RBAC? Role Permission Group Permission Resource+Action
Seattle | September 16-17, 2019 Back to Security Security – Super Excited !!.. At least I was when I did this in 2004
Seattle | September 16-17, 2019 Operations – How to deploy this in Production? On Call person who has to deploy/ debug Apps permissions have to 1. Add Resources / Permissions 2. Create new Roles 3. Map Roles to Permissions Its usually 10’s of pages of doc per Application.  Listen to talk about Security & Dev Ops by @IanColdwalter BSidesNOVA 2019 https://www.youtube.com/watch?time_continue=2&v=OlAFuiDCqbM
Seattle | September 16-17, 2019 Operations Person? Imagine managing/configuring Roles, Permissions, Resources for multiple apps
Seattle | September 16-17, 2019 Did Centralized AuthZ model work? 1. Hard coded apps to centralized authorization services 2. App developers have to understand AuthZ Service to better take advantage of centralized service. 3. Changing permissions/policies is not easy 4. It actually slows down time to deploy.
Seattle | September 16-17, 2019 What If? 1. We externalize authorization from code 2. Provide developers full control of how they want to write their AuthZ Rules 3. Give Security Teams option to customize the authZ rules/policies 4. Does not Involve too much operational overhead 5. Reduces time to deploy? 6. Consistent way to enforce policies across various languages/stack
Seattle | September 16-17, 2019 Intro to Open Policy Agent Client/App- makes REST API call to get Decisions from OPA OPA – makes Policy Decision – Evaluating Input Data against Policies OPA Policies are written in Rego outside of Code
Seattle | September 16-17, 2019 OPA and Rego 1. Rego is a query language 2. OPA Policies are written in Rego 3. SQL for Authorization – You write your AuthZ rules in a consistent manner.
Seattle | September 16-17, 2019 OPA - Example Policy package httpapi.authz subordinates = {"alice": [], "charlie": [], "bob": ["alice"], "betty": ["charlie"]} import input as http_api allow { http_api.method = "GET" http_api.path = ["finance", “salary", username] username = http_api.user }
Seattle | September 16-17, 2019 OPA – Other benefits • Provides an Interface to get Decision Logs through API / Web Hooks • Provides an option to get Telemetry about OPA itself ( up /down) • Policies can be distributed as Bundles ( Bundles = Rego file, Data file)
Seattle | September 16-17, 2019 OPA – Interactions from Developer Point of View
Seattle | September 16-17, 2019 Externalized Policy
Seattle | September 16-17, 2019 Kubernetes AuthZ model
Seattle | September 16-17, 2019 Key takeaways • Externalize Authorization from your code – As product / Service • During Security Reviews – ask If Authorization can be externalized from code • Use Open Policy Agent to standardize on how to write AuthZ rules. • Integrate with SIEM for decisions- allow/deny. • Establish a pattern across your Product/Service for consistent authZ. Authorization does not happen without a proper Authentication. Check out– SPIFFE /SPIRE for Secure Introduction of Identities
Seattle | September 16-17, 2019 Thank You. @Lsitaraman

Recommended

Leweb Ignite Talk on APIs
Leweb Ignite Talk on APIsLeweb Ignite Talk on APIs
Leweb Ignite Talk on APIs
3scale
 
Copyright, Open Source and APIs (towards an Interface Commons)
Copyright, Open Source and APIs (towards an Interface Commons)Copyright, Open Source and APIs (towards an Interface Commons)
Copyright, Open Source and APIs (towards an Interface Commons)
3scale
 
Why apis
Why apisWhy apis
Why apis
javier ramirez
 
Apis power-mvc-for-the-web
Apis power-mvc-for-the-webApis power-mvc-for-the-web
Apis power-mvc-for-the-web
Steven Willmott
 
Api types
Api typesApi types
Api types
Sarah Maddox
 
Building Successful API Programs in Higher Education
Building Successful API Programs in Higher EducationBuilding Successful API Programs in Higher Education
Building Successful API Programs in Higher Education
3scale
 
What is a Data Liberator
What is a Data LiberatorWhat is a Data Liberator
What is a Data Liberator
MenSagam Technologies
 
Unleash the Power of your API
Unleash the Power of your APIUnleash the Power of your API
Unleash the Power of your API
3scale
 

Recommended

Leweb Ignite Talk on APIs
Leweb Ignite Talk on APIsLeweb Ignite Talk on APIs
Leweb Ignite Talk on APIs
3scale
 
Copyright, Open Source and APIs (towards an Interface Commons)
Copyright, Open Source and APIs (towards an Interface Commons)Copyright, Open Source and APIs (towards an Interface Commons)
Copyright, Open Source and APIs (towards an Interface Commons)
3scale
 
Why apis
Why apisWhy apis
Why apis
javier ramirez
 
Apis power-mvc-for-the-web
Apis power-mvc-for-the-webApis power-mvc-for-the-web
Apis power-mvc-for-the-web
Steven Willmott
 
Api types
Api typesApi types
Api types
Sarah Maddox
 
Building Successful API Programs in Higher Education
Building Successful API Programs in Higher EducationBuilding Successful API Programs in Higher Education
Building Successful API Programs in Higher Education
3scale
 
What is a Data Liberator
What is a Data LiberatorWhat is a Data Liberator
What is a Data Liberator
MenSagam Technologies
 
Unleash the Power of your API
Unleash the Power of your APIUnleash the Power of your API
Unleash the Power of your API
3scale
 
Api Testing
Api TestingApi Testing
Api Testing
Vishwanath KC
 
Api Testing
Api TestingApi Testing
Api Testing
Vishwanath KC
 
Power bi and azure ml
Power bi and azure mlPower bi and azure ml
Power bi and azure ml
Berkovich Consulting
 
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Erkang Zheng
 
AI APIs as a Catalyst for Machine Learning Initiatives
AI APIs as a Catalyst for Machine Learning InitiativesAI APIs as a Catalyst for Machine Learning Initiatives
AI APIs as a Catalyst for Machine Learning Initiatives
Nicholas Walsh
 
Architect's Guide to Building an API Program
Architect's Guide to Building an API ProgramArchitect's Guide to Building an API Program
Architect's Guide to Building an API Program
clatimer
 
Attacking and defending GraphQL applications: a hands-on approach
Attacking and defending GraphQL applications: a hands-on approach Attacking and defending GraphQL applications: a hands-on approach
Attacking and defending GraphQL applications: a hands-on approach
Davide Cioccia
 
Principles of REST API Design
Principles of REST API DesignPrinciples of REST API Design
Principles of REST API Design
Two Sigma
 
API Management Workshop (at Startupbootcamp Berlin)
API Management Workshop (at Startupbootcamp Berlin)API Management Workshop (at Startupbootcamp Berlin)
API Management Workshop (at Startupbootcamp Berlin)
3scale
 
Services, Apps and the API Powered Web
Services, Apps and the API Powered WebServices, Apps and the API Powered Web
Services, Apps and the API Powered Web
Steven Willmott
 
Advanced Web Development
Advanced Web DevelopmentAdvanced Web Development
Advanced Web Development
Robert J. Stein
 
SSO Strategy Implementation Considerations
SSO Strategy Implementation ConsiderationsSSO Strategy Implementation Considerations
SSO Strategy Implementation Considerations
John Bauer
 
01 introduction to course
01 introduction to course01 introduction to course
01 introduction to course
xavier john
 
API and Platform Strategies to Win in Global and Local Markets
API and Platform Strategies to Win in Global and Local MarketsAPI and Platform Strategies to Win in Global and Local Markets
API and Platform Strategies to Win in Global and Local Markets
Axway
 
Creating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services APICreating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services API
David Keener
 
IBM Connections Customizer: From Zero To Hero
IBM Connections Customizer: From Zero To HeroIBM Connections Customizer: From Zero To Hero
IBM Connections Customizer: From Zero To Hero
LetsConnect
 
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Aduci
 
TEC-Roundtable-API
TEC-Roundtable-APITEC-Roundtable-API
TEC-Roundtable-API
Patrick Emmons
 
Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...
Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...
Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...
VMware Tanzu
 
API, Integration, and SOA Convergence
API, Integration, and SOA ConvergenceAPI, Integration, and SOA Convergence
API, Integration, and SOA Convergence
Kasun Indrasiri
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
Hornet Dynamics
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
Green Software Development
 

More Related Content

Similar to Decentralized Authorization

Api Testing
Api TestingApi Testing
Api Testing
Vishwanath KC
 
Api Testing
Api TestingApi Testing
Api Testing
Vishwanath KC
 
Power bi and azure ml
Power bi and azure mlPower bi and azure ml
Power bi and azure ml
Berkovich Consulting
 
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Erkang Zheng
 
AI APIs as a Catalyst for Machine Learning Initiatives
AI APIs as a Catalyst for Machine Learning InitiativesAI APIs as a Catalyst for Machine Learning Initiatives
AI APIs as a Catalyst for Machine Learning Initiatives
Nicholas Walsh
 
Architect's Guide to Building an API Program
Architect's Guide to Building an API ProgramArchitect's Guide to Building an API Program
Architect's Guide to Building an API Program
clatimer
 
Attacking and defending GraphQL applications: a hands-on approach
Attacking and defending GraphQL applications: a hands-on approach Attacking and defending GraphQL applications: a hands-on approach
Attacking and defending GraphQL applications: a hands-on approach
Davide Cioccia
 
Principles of REST API Design
Principles of REST API DesignPrinciples of REST API Design
Principles of REST API Design
Two Sigma
 
API Management Workshop (at Startupbootcamp Berlin)
API Management Workshop (at Startupbootcamp Berlin)API Management Workshop (at Startupbootcamp Berlin)
API Management Workshop (at Startupbootcamp Berlin)
3scale
 
Services, Apps and the API Powered Web
Services, Apps and the API Powered WebServices, Apps and the API Powered Web
Services, Apps and the API Powered Web
Steven Willmott
 
Advanced Web Development
Advanced Web DevelopmentAdvanced Web Development
Advanced Web Development
Robert J. Stein
 
SSO Strategy Implementation Considerations
SSO Strategy Implementation ConsiderationsSSO Strategy Implementation Considerations
SSO Strategy Implementation Considerations
John Bauer
 
01 introduction to course
01 introduction to course01 introduction to course
01 introduction to course
xavier john
 
API and Platform Strategies to Win in Global and Local Markets
API and Platform Strategies to Win in Global and Local MarketsAPI and Platform Strategies to Win in Global and Local Markets
API and Platform Strategies to Win in Global and Local Markets
Axway
 
Creating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services APICreating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services API
David Keener
 
IBM Connections Customizer: From Zero To Hero
IBM Connections Customizer: From Zero To HeroIBM Connections Customizer: From Zero To Hero
IBM Connections Customizer: From Zero To Hero
LetsConnect
 
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Aduci
 
TEC-Roundtable-API
TEC-Roundtable-APITEC-Roundtable-API
TEC-Roundtable-API
Patrick Emmons
 
Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...
Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...
Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...
VMware Tanzu
 
API, Integration, and SOA Convergence
API, Integration, and SOA ConvergenceAPI, Integration, and SOA Convergence
API, Integration, and SOA Convergence
Kasun Indrasiri
 

Similar to Decentralized Authorization (20)

Api Testing
Api TestingApi Testing
Api Testing
 
Api Testing
Api TestingApi Testing
Api Testing
 
Power bi and azure ml
Power bi and azure mlPower bi and azure ml
Power bi and azure ml
 
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
 
AI APIs as a Catalyst for Machine Learning Initiatives
AI APIs as a Catalyst for Machine Learning InitiativesAI APIs as a Catalyst for Machine Learning Initiatives
AI APIs as a Catalyst for Machine Learning Initiatives
 
Architect's Guide to Building an API Program
Architect's Guide to Building an API ProgramArchitect's Guide to Building an API Program
Architect's Guide to Building an API Program
 
Attacking and defending GraphQL applications: a hands-on approach
Attacking and defending GraphQL applications: a hands-on approach Attacking and defending GraphQL applications: a hands-on approach
Attacking and defending GraphQL applications: a hands-on approach
 
Principles of REST API Design
Principles of REST API DesignPrinciples of REST API Design
Principles of REST API Design
 
API Management Workshop (at Startupbootcamp Berlin)
API Management Workshop (at Startupbootcamp Berlin)API Management Workshop (at Startupbootcamp Berlin)
API Management Workshop (at Startupbootcamp Berlin)
 
Services, Apps and the API Powered Web
Services, Apps and the API Powered WebServices, Apps and the API Powered Web
Services, Apps and the API Powered Web
 
Advanced Web Development
Advanced Web DevelopmentAdvanced Web Development
Advanced Web Development
 
SSO Strategy Implementation Considerations
SSO Strategy Implementation ConsiderationsSSO Strategy Implementation Considerations
SSO Strategy Implementation Considerations
 
01 introduction to course
01 introduction to course01 introduction to course
01 introduction to course
 
API and Platform Strategies to Win in Global and Local Markets
API and Platform Strategies to Win in Global and Local MarketsAPI and Platform Strategies to Win in Global and Local Markets
API and Platform Strategies to Win in Global and Local Markets
 
Creating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services APICreating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services API
 
IBM Connections Customizer: From Zero To Hero
IBM Connections Customizer: From Zero To HeroIBM Connections Customizer: From Zero To Hero
IBM Connections Customizer: From Zero To Hero
 
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
 
TEC-Roundtable-API
TEC-Roundtable-APITEC-Roundtable-API
TEC-Roundtable-API
 
Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...
Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...
Simple Data Movement Patterns: Legacy Application to Cloud-Native Environment...
 
API, Integration, and SOA Convergence
API, Integration, and SOA ConvergenceAPI, Integration, and SOA Convergence
API, Integration, and SOA Convergence
 

Recently uploaded

E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
Hornet Dynamics
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
Green Software Development
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata
 
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CDKuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
rodomar2
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Crescat
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
Aftab Hussain
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
TheSMSPoint
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
Neo4j
 
GreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-JurisicGreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-Jurisic
Green Software Development
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
Green Software Development
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
rickgrimesss22
 
How to write a program in any programming language
How to write a program in any programming languageHow to write a program in any programming language
How to write a program in any programming language
Rakesh Kumar R
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Łukasz Chruściel
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
Fermin Galan
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
Drona Infotech
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
Peter Muessig
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Neo4j
 
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket ManagementUtilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate
 

Recently uploaded (20)

E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CDKuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
 
GreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-JurisicGreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-Jurisic
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
How to write a program in any programming language
How to write a program in any programming languageHow to write a program in any programming language
How to write a program in any programming language
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
 
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket ManagementUtilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
 

Decentralized Authorization

  • 1. Seattle | September 16-17, 2019 Decentralized Authorization SITARAMAN LAKSHMINARAYANAN
  • 2. Seattle | September 16-17, 2019 Am I Authorized to speak about this topic? OR whoami ? • Subject – Sitaraman ( Ram) Lakshminarayanan • Resources – I work for Pure Storage as Sr Security Architect • Actions – Author-Web Services Security, Co-Author ASP.NET Security • Other Attributes: Twitter: @Lsitaraman , Exp : 20 Years, Can speak Role Based and Fine Grained Authorization semantics among other things.
  • 3. Seattle | September 16-17, 2019 Why talk about Authorization here? • Security Teams are always in the mix between – Developers / Operations / Customers/ PM’s. • Let’s not just ask questions, provide solutions. • Just pointing in the right direction is a big favor to developers.
  • 4. Seattle | September 16-17, 2019 What is Authorization? Subject – User / Application Resource – Web App, API, or any feature of your App Action – Read , Write, Delete, Approve, Deny, etc. Is the User (Subject) allowed to Perform the said action on a Resource?
  • 5. Seattle | September 16-17, 2019 Role Based Access Control – one form of AuthZ Role Resources Actions Group
  • 6. Seattle | September 16-17, 2019 Developer’s view of Implementing RBAC If Role == “Manager|Admin” { return True; } Something along those lines.. - Rules are hard coded in the code. - Implementation varies between Teams / Stack
  • 7. Seattle | September 16-17, 2019 Dev-Sec-Ops Developer- Implements AuthZ logic Security – wants to verify if you can enforce “need to know” basis / Least privilege. Ops – wants to make sure everything is running / deployment doesn’t take hours, etc.
  • 8. Seattle | September 16-17, 2019 When Security Team reviews the code/deployment? Security: Can I change what this Role- Manager or Admin can do ? Developer : ?? Why?? Security: 1. Our Policy 2. Its too high of privileges for Role- XYZ ( e.g. Manager) 3. Separation of Duties
  • 9. Seattle | September 16-17, 2019 How would a Developer Re-design RBAC? Role Permission Group Permission Resource+Action
  • 10. Seattle | September 16-17, 2019 Back to Security Security – Super Excited !!.. At least I was when I did this in 2004
  • 11. Seattle | September 16-17, 2019 Operations – How to deploy this in Production? On Call person who has to deploy/ debug Apps permissions have to 1. Add Resources / Permissions 2. Create new Roles 3. Map Roles to Permissions Its usually 10’s of pages of doc per Application.  Listen to talk about Security & Dev Ops by @IanColdwalter BSidesNOVA 2019 https://www.youtube.com/watch?time_continue=2&v=OlAFuiDCqbM
  • 12. Seattle | September 16-17, 2019 Operations Person? Imagine managing/configuring Roles, Permissions, Resources for multiple apps
  • 13. Seattle | September 16-17, 2019 Did Centralized AuthZ model work? 1. Hard coded apps to centralized authorization services 2. App developers have to understand AuthZ Service to better take advantage of centralized service. 3. Changing permissions/policies is not easy 4. It actually slows down time to deploy.
  • 14. Seattle | September 16-17, 2019 What If? 1. We externalize authorization from code 2. Provide developers full control of how they want to write their AuthZ Rules 3. Give Security Teams option to customize the authZ rules/policies 4. Does not Involve too much operational overhead 5. Reduces time to deploy? 6. Consistent way to enforce policies across various languages/stack
  • 15. Seattle | September 16-17, 2019 Intro to Open Policy Agent Client/App- makes REST API call to get Decisions from OPA OPA – makes Policy Decision – Evaluating Input Data against Policies OPA Policies are written in Rego outside of Code
  • 16. Seattle | September 16-17, 2019 OPA and Rego 1. Rego is a query language 2. OPA Policies are written in Rego 3. SQL for Authorization – You write your AuthZ rules in a consistent manner.
  • 17. Seattle | September 16-17, 2019 OPA - Example Policy package httpapi.authz subordinates = {"alice": [], "charlie": [], "bob": ["alice"], "betty": ["charlie"]} import input as http_api allow { http_api.method = "GET" http_api.path = ["finance", “salary", username] username = http_api.user }
  • 18. Seattle | September 16-17, 2019 OPA – Other benefits • Provides an Interface to get Decision Logs through API / Web Hooks • Provides an option to get Telemetry about OPA itself ( up /down) • Policies can be distributed as Bundles ( Bundles = Rego file, Data file)
  • 19. Seattle | September 16-17, 2019 OPA – Interactions from Developer Point of View
  • 20. Seattle | September 16-17, 2019 Externalized Policy
  • 21. Seattle | September 16-17, 2019 Kubernetes AuthZ model
  • 22. Seattle | September 16-17, 2019 Key takeaways • Externalize Authorization from your code – As product / Service • During Security Reviews – ask If Authorization can be externalized from code • Use Open Policy Agent to standardize on how to write AuthZ rules. • Integrate with SIEM for decisions- allow/deny. • Establish a pattern across your Product/Service for consistent authZ. Authorization does not happen without a proper Authentication. Check out– SPIFFE /SPIRE for Secure Introduction of Identities
  • 23. Seattle | September 16-17, 2019 Thank You. @Lsitaraman