Cloud Native App Security
IAM concepts for the cloud-native world

Let’s start with a short question:
WHAT IS THE BEST SECURITY YOU CAN GET WHEN WORKING WITH DISTRIBUTED SYSTEMS?

Security, as every architectural decision, is always a trade-off.
There is no “perfect” security.
But relying on good practices can help.
Just to double-check: there is no silver bullet.

Who we are

Dominik Guhr
Over 10 years of experience as a software engineer / consultant / agile guy / PO / problem solver.
Current: Senior software engineer at the Keycloak Team at Red Hat.
@pinguwien
dguhr@redhat.com
linkedin.com/in/dguhr/
github.com/DGuhr

Jonathan Vila
Java Champion, Organiser at BarcelonaJUG, cofounder of the JBCNConf conference.
Have worked as a developer since the release of The Secret of Monkey Island, about 30 years ago. PMP certified by the PMI in Project Management.
Senior Software Engineer at Red Hat at Keycloak Cloud Native team.
@vilojona
jvilalop@redhat.com
aytartana.wordpress.com
github.com/jonathanvila
IAM, OAuth2 & OpenID Connect

Identity and Access Management (IAM):
● Authentication / AuthN: Are you really you? -> proof of identity
● Authorization / AuthZ: Are you allowed to access that? -> proof of permission
OAuth2:
● JWT / token-based
● Designed to answer the second question (AuthZ) only
OpenID Connect (OIDC):
● Secure AuthN layer on top of OAuth2.
● Generally two types of clients: public / confidential

OIDC / OAuth2 Flows
● Implicit Flow
● Authorization Code Flow
● Authorization Code Flow with PKCE
Authorization code flow: Why is it not enough?

1. AuthN Request
2. AuthN Request
3. code
4. code
5. Token request
6. Access Token

Pixies (PKCE) to the rescue!
PKCE: What is it, and why?

PKCE - “Proof Key for Code Exchange”
● Initially for mobile / native apps, but now also recommended for SPAs by the IETF
● Security extension of the authorization code flow
● code verifier / code challenge: dynamically generated, secure “one-time” secrets
● Goal: prove that the client requesting the tokens is the same client that started the authentication request

Authorization code flow with PKCE: How does it work?

0. Generate verifier, code_challenge & method
1. AuthN Request + code_challenge & method
2. Record code_challenge & method used
3. Return AuthZ Code
4. Token Request w/o verifier
5. Check/Comparison fails.
6. NOPE!
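The steps above, carried through in code as an added Python example (not part of the slides or of Keycloak): the client derives the S256 code_challenge from a fresh code_verifier, the authorization server records challenge and method next to the code, and a token request that arrives without the verifier, or with a wrong one, is refused. The AuthorizationServer class, the client id "spa-client" and the run_flow() helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def generate_code_verifier() -> str:
    # Step 0: a fresh high-entropy secret that never leaves the client.
    # 48 random bytes -> 64 URL-safe chars, inside RFC 7636's 43..128 range.
    return secrets.token_urlsafe(48)


def code_challenge_s256(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Toy authorization server (constructed): only the PKCE-relevant parts."""

    def __init__(self) -> None:
        # code -> (client_id, code_challenge, code_challenge_method)
        self._pending: Dict[str, Tuple[str, str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str) -> str:
        # Steps 1-3: remember challenge + method alongside the freshly minted code.
        if code_challenge_method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, code_challenge, code_challenge_method)
        return code

    def token(self, client_id: str, code: str,
              code_verifier: Optional[str]) -> Optional[dict]:
        # Steps 4-6: the code is single-use; a missing or non-matching verifier -> NOPE.
        record = self._pending.pop(code, None)
        if record is None or record[0] != client_id or code_verifier is None:
            return None
        _, challenge, method = record
        derived = code_challenge_s256(code_verifier) if method == "S256" else code_verifier
        if not hmac.compare_digest(derived, challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(include_verifier: bool = True) -> Optional[dict]:
    """Drive steps 0-6 for a public client. With include_verifier=False the
    token request carries only the code, which is step 4 of the slide."""
    server = AuthorizationServer()
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    code = server.authorize("spa-client", challenge, "S256")
    return server.token("spa-client", code, verifier if include_verifier else None)


if __name__ == "__main__":
    print("with verifier:", run_flow() is not None)               # True
    print("without verifier:", run_flow(include_verifier=False))  # None
```

The S256 derivation can be checked against the test vector in RFC 7636 Appendix B.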
So… are we secure yet?

… let’s say we’re confident that this is good enough.
(But have you heard of refresh tokens?)

Refresh tokens & access tokens → bearer tokens
● Bearer = whoever presents it is trusted as that identity; access was checked before (at issuance), not at use
● Browser = untrusted = “here be dragons”
Stolen:
● Refresh token → exchange for a new token pair.
● Access token → short-time access.
Problem: Proof of Possession
Mitigation:
● Refresh token rotation
Solutions:
● mTLS
● DPoP

Current good practice (IETF): Refresh token rotation
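Refresh token rotation with reuse detection, as an added Python example (not the slides' or Keycloak's code): every refresh invalidates the presented token and hands out a new pair, and a rotated-out token that comes back is treated as the "stolen refresh token" case from the slide, revoking the whole token family. The TokenService class, the family id and the stolen_refresh_scenario() helper are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class RefreshRecord:
    family: str          # all rotations of one login share a family id
    used: bool = False   # set once this token has been exchanged


class TokenService:
    """Toy token endpoint (constructed) implementing refresh token rotation
    with reuse detection; access tokens are opaque random strings here."""

    def __init__(self) -> None:
        self._refresh: Dict[str, RefreshRecord] = {}
        self._revoked_families: Set[str] = set()

    def _mint_pair(self, family: str) -> Tuple[str, str]:
        access_token = secrets.token_urlsafe(32)
        refresh_token = secrets.token_urlsafe(32)
        self._refresh[refresh_token] = RefreshRecord(family=family)
        return access_token, refresh_token

    def login(self) -> Tuple[str, str]:
        # A new family per session; every later rotation inherits it.
        return self._mint_pair(secrets.token_urlsafe(16))

    def refresh(self, refresh_token: str) -> Optional[Tuple[str, str]]:
        record = self._refresh.get(refresh_token)
        if record is None or record.family in self._revoked_families:
            return None
        if record.used:
            # A rotated-out token came back: either the user or whoever copied
            # the token holds the stale one, and the server cannot tell which.
            # Revoking the whole family cuts off both; the user logs in again.
            self._revoked_families.add(record.family)
            return None
        record.used = True                      # rotate: the old token is dead
        return self._mint_pair(record.family)   # new access + refresh pair

    def is_revoked(self, refresh_token: str) -> bool:
        record = self._refresh.get(refresh_token)
        return record is None or record.family in self._revoked_families


def stolen_refresh_scenario() -> Dict[str, bool]:
    """The slide's 'stolen refresh token' case: the leaked copy is exchanged
    first, then the legitimate client presents the (now stale) original."""
    svc = TokenService()
    _, rt0 = svc.login()
    leaked_pair = svc.refresh(rt0)   # leaked copy exchanged: rotation hands out rt1
    user_pair = svc.refresh(rt0)     # original rt0 replayed -> reuse detected
    later = svc.refresh(leaked_pair[1]) if leaked_pair else None
    return {
        "first_exchange_ok": leaked_pair is not None,
        "reuse_rejected": user_pair is None,
        "family_cut_off": later is None,
    }
```

Without rotation the first exchange would silently succeed and the stale copy would stay valid; with it, the replay is the signal that something is wrong.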
“OK OK WE GOT IT! BROWSER = HERE BE DRAGONS!
Can we just avoid leaking ALL tokens to the front channel?”

Well… “yes, we can!” Let’s take a look at the BFF (Backend for Frontend) pattern.

Conclusion: BFF
● Pro: No tokens in the browser anymore! Yay!
● Pro: Secure, HttpOnly, SameSite cookie: effective protection against CSRF/XSS.
● Con: Additional component = additional maintenance (but a BFF can be very simple).

Securing K8s Apps: BFF/Proxies
● Gateway
● Sidecar
● Service Mesh
Keycloak.X
● Social login
● Single Sign On/Off
● 2FA
● Multiple adapters
● Open source
● K8s Operator
● Productised version
● Container
● CIAM
● Multisource configuration
● GitOps friendly
● Cloud Native
● Observability
● Zero downtime upgrade
● Scalability and Availability
● Vault integration
● Rewritten Operator

Keycloak.X
● Usability
  ○ Keycloak Image Configuration:
    ● Wrapper around Quarkus Configuration
    ● Environment variables
    ● Configuration properties
  ○ Rich CLI
    ● Specific for Keycloak
    ● Configure everything from the CLI
    ● UX and troubleshooting in mind
  ○ New Store Capabilities
    ● Zero-Downtime Upgrade
    ● File-based storage for immutable conf
    ● Git

Keycloak.X
● Cloud Native First Approach
  ○ Based on supersonic subatomic Quarkus ;)
  ○ Faster startup: 7 s
  ○ Lower memory footprint: 428 MB
  ○ Smaller distribution size
  ○ Stateless & decomposed
* 35% improvement vs Keycloak
… but always remember: Security is Architecture. Architecture is always a trade-off.
… and there is no silver bullet. Ever.

QUESTIONS?

Thank you!

@vilojona
jvilalop@redhat.com
aytartana.wordpress.com
github.com/jonathanvila

@pinguwien
dguhr@redhat.com
linkedin.com/in/dguhr/
github.com/DGuhr