Download to read offline
Uploaded bySoluto
Solving trust issues at scale
The document discusses the development of a secure and scalable authorization system emphasizing a zero-trust approach and least privilege principles to manage micro-services. It highlights the integration of technologies like Envoy and Open Policy Agent (OPA) for authentication and authorization while focusing on enhancing security measures, logging, and automation. The goal is to enable developers to manage permissions efficiently without hindering their speed or productivity.
More Related Content
Similar to Solving trust issues at scale
Solving trust issues at scale
- 1. Solving Trust Issues AtScale Building an Authorization System that Devs Don’t Hate @omerlh
- 2.
- 3.
- 4.
- 5. Lesson Learned • AutomaticDetection (GitGurdian) • Harden Authorization System • Better audit logs • Who used this token? • Who created it and why? @omerlh
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13. One horse cantake down our fort... @omerlh
- 14. Let’s talk aboutblast radius • One vulnerable service affects all the other • Ensuring all services are trust worthy is impossible • We must narrow the blast radius @omerlh
- 15.
- 16.
- 17. The Ideal System LeastPrivilege • Just the permissions required Secure by Default • Zero permissions by default Self Service • Minimize the impact on development speed Scale • Hundred of micro-services to manage @omerlh
- 18.
- 19.
- 20. High Level Overview AppIncomingrequest Collect decision logs Get bundlesPublish bundle Is Authorized? @omerlh
- 21.
- 22. Envoy Proxy • ACNCF project • Authentication and Authorization filters • Run as side car on the pod • No code changes required @omerlh
- 23.
- 24.
- 25.
- 26.
- 27. Meet Open PolicyAgent • An open source policy system • Author policies using Rego DSL • Built-in Envoy integration • A CNCF project @omerlh
- 28.
- 29.
- 30. Envoy + OPA= KISS @omerlh
- 31.
- 32.
- 33.
- 34.
- 35.
- 36. Done? Least Privilege • Justthe permissions required Secure by Default • Zero permissions by default Self Service • Minimize the impact on development speed Scale • Hundred of micro-services to manage @omerlh
- 37. Wait, all devsneed to learn Rego? @omerlh
- 38. Using data forabstraction • Policies can load data from JSON/YAML • Author generic policies • Devs just needs to fill the input @omerlh
- 39.
- 40.
- 41.
- 42. Building our policies •A common policy, maintained by the security team • Including unit tests! • Each service has it’s own data file • Permission request is just a PR • Built in audit and review features @omerlh
- 43.
- 44.
- 45. Done? Least Privilege • Justthe permissions required Secure by Default • Zero permissions by default Self Service • Minimize the impact on development speed Scale • Hundred of micro-services to manage @omerlh
- 46. Loading Policies • Bundlesare policies archive • Hot bundle loading • Dynamic bundle discovery @omerlh
- 47.
- 48.
- 49.
- 50.
- 51.
- 52.
- 53.
- 54.
- 55. What about logging? •OPA log each decision into decision logs • Can be used for debug and audit purposes • Support redacting for sensitive input • Collect with fluentd/Loki @omerlh
- 56.
- 57. Putting it alltogether AppIncoming request Collect decision logs Get bundlesPublish bundle Is Authorized? @omerlh
- 58. Done? Least Privilege • Justthe permissions required Secure by Default • Zero permissions by default Self Service Minimize the impact on development speed Scale • Hundred of micro-services to manage @omerlh
- 59. Everything come witha price… • OPA/Envoy running as side-car • Resource usage costs per pod • A bug in OPA/Envoy has serious implication @omerlh
- 60. How can Ibuild it? • Fork the GitHub repo - https://github.com/omerlh/opa-demo • Follow the readme • Reach out with questions @omerlh
- 61.
- 62.
- 63. Going Forward • ImprovedVisibility • More Complex Policies • Expend adoption @omerlh
- 64. Lesson Learned • AutomaticDetection (GitGurdian) • Harden Authorization System • Better audit logs • Who used this token? • Who created it and why? @omerlh
- 65.
- 66.
- 67. @omerlh Enable Devs toMove Faster and Safer
- 68.
- 69. Resources • OPA-Envoy integration •Envoy JWT authentication • GitHub demo repo @omerlh
Editor's Notes
- #7 I’m a builder, this is what I love doing and doing it from a really early age Doing it professionally for the last 8 years I’m from Israel, married etc Who else is a builder? This talk is for you!
- #8 Today I’m working at Soluto, our missing is to help people with their technology My job is DevSecOps, or as I see it - helping the entire team to build a more secure software I’m achieving it via many approaches, including education, reviewing and threat modeling – but what I love the most is threat modeling