Cloud Native Identity Management
Andrew Jessup, Scytale Inc.
About me
Assorted Australian Startups
Andrew Jessup
andrew@scytale.io @whenfalse
Agenda
● Motivation
● SPIFFE and SPIRE
● Use cases
● In-depth, how SPIRE works
Example system (diagram): Mobile API, Web Front End and POS API in front of Tickets, Subscriptions, Billing and a Members DB.

Model 0: Rely on the network
Diagram: the Web Front End (source workload) calls Subscriptions (destination workload) through a Firewall. The firewall is the only thing deciding who may talk to whom; neither workload authenticates the other.
Model 1: Destination workload authentication
Diagram: the Web Front End (source workload) authenticates to Subscriptions (destination workload), which checks the credential against an Accounts store.
1. Source retrieves a username and password* from configuration
2. Source supplies the username and password* with the authentication handshake
3. Destination verifies the username and password against Accounts
4. Destination acknowledges
* Or key/secret, signed nonce etc.
The "?" marks on the slide sit on the credential that has to be placed in the source workload's configuration and kept current by hand (see the comparison table below).
Model 2: Platform mediated identity
Diagram: the Web Front End (source workload) and Subscriptions (destination workload) both run on a Platform (eg. AWS, or Kubernetes) that exposes a Privileged API to each of them.
1. Source retrieves a proof-of-identity from the platform
2. Source sends the proof of identity with the authentication handshake
3. Destination verifies the source workload's identity against the platform's privileged API
4. Destination acknowledges
Eg. AWS IAM, Kubernetes Service Accounts
How the models compare:

                                                       Destination workload    Platform mediated    SPIFFE
                                                       authentication          identity
API-driven credential rotation and distribution        No                      Yes                  Yes
One identity per workload                              No                      Yes                  Yes
No credentials need to be deployed with the workload   No                      Yes                  Yes
Supports trust across different platforms              Yes                     No                   Yes
Timeline
11th USENIX Security Symposium (2002): Plan 9 security design published
Circa 2005: Google rolls out LOAS
GlueCon 2016: Joe Beda proposes SPIFFE
KubeCon NA 2017: SPIFFE & SPIRE 0.1 are released
April 2018: CNCF welcomes SPIFFE & SPIRE
The Inspiration for SPIFFE and SPIRE

Google Application Layer Transport Security (ALTS):
“The ALTS trust model has been tailored for cloud-like containerized applications. Identities are bound to entities instead of to a specific server name or host. This trust model facilitates seamless microservice replication, load balancing, and rescheduling across hosts.”

Facebook:
“Secure authentication and authorization within Facebook’s infrastructure play important roles in protecting people using Facebook’s services. Enforcing security while maintaining a flexible and performant infrastructure can be challenging at Facebook’s scale, especially in the presence of varying layers of trust among our servers.”

Netflix (Metatron):
“During the startup, access to the long-lived credentials and short-lived credentials are provisioned to each instance. This credential bootstrap is done by Metatron, which is a tool at Netflix, which does credential management.”
SPIFFE and SPIRE

SPIFFE: a set of specifications that cover how a workload should retrieve and use its identity.
● SPIFFE ID
● SPIFFE Verifiable Identity Documents (SVIDs)
● The SPIFFE Workload API

SPIRE: the SPIFFE Runtime Environment. Open-source software that implements the SPIFFE Workload API for a variety of platforms. Apache 2.0 license. Independent governance. Highly extensible through plug-ins.

github.com/spiffe/spiffe
github.com/spiffe/spire
SPIFFE ID
spiffe://acme.com/billing/payments
Trust Domain: acme.com
Workload Identifier (path): /billing/payments
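The split above is only safe to make authorization decisions on if the ID is parsed strictly. The following is an added example in Go, not code from the deck or from the SPIFFE project: a parser that separates trust domain and path and rejects everything the SPIFFE ID specification forbids (a scheme other than spiffe://, uppercase letters, a port or userinfo in the trust domain, empty or dot path segments, query strings and fragments). The 2048-byte limit and the permitted character sets are the specification's; the type and function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SPIFFEID is the parsed form of spiffe://<trust domain><path>.
type SPIFFEID struct {
	TrustDomain string
	Path        string // "" for a bare trust domain ID such as spiffe://acme.com
}

const spiffeScheme = "spiffe://"

// Trust domain names are lowercase [a-z0-9._-]: no port, userinfo or uppercase.
func validTrustDomainByte(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_'
}

// Path segments allow [a-zA-Z0-9._-] only, which also rules out '?', '#', '%' and spaces.
func validPathByte(c byte) bool {
	return validTrustDomainByte(c) || (c >= 'A' && c <= 'Z')
}

// ParseSPIFFEID validates s against the SPIFFE ID format and splits it into
// trust domain and path. It is deliberately strict: anything that does not
// match is an error rather than a best-effort parse, because the result is
// what an authorization decision will be keyed on.
func ParseSPIFFEID(s string) (SPIFFEID, error) {
	if len(s) > 2048 {
		return SPIFFEID{}, errors.New("spiffe id longer than 2048 bytes")
	}
	if !strings.HasPrefix(s, spiffeScheme) {
		return SPIFFEID{}, errors.New("scheme must be spiffe://")
	}
	rest := s[len(spiffeScheme):]
	td, path := rest, ""
	if i := strings.IndexByte(rest, '/'); i >= 0 {
		td, path = rest[:i], rest[i:]
	}
	if td == "" {
		return SPIFFEID{}, errors.New("missing trust domain")
	}
	for i := 0; i < len(td); i++ {
		if !validTrustDomainByte(td[i]) {
			return SPIFFEID{}, fmt.Errorf("trust domain %q contains invalid byte %q", td, td[i])
		}
	}
	if path != "" {
		// path starts with '/', so everything after it splits into segments
		for _, seg := range strings.Split(path[1:], "/") {
			if seg == "" {
				return SPIFFEID{}, errors.New("path has an empty segment (double or trailing slash)")
			}
			if seg == "." || seg == ".." {
				return SPIFFEID{}, errors.New("path contains a dot segment")
			}
			for i := 0; i < len(seg); i++ {
				if !validPathByte(seg[i]) {
					return SPIFFEID{}, fmt.Errorf("path segment %q contains invalid byte %q", seg, seg[i])
				}
			}
		}
	}
	return SPIFFEID{TrustDomain: td, Path: path}, nil
}

// String re-serialises the ID in canonical form.
func (id SPIFFEID) String() string { return spiffeScheme + id.TrustDomain + id.Path }

// MemberOf reports whether the ID belongs to the given trust domain, which is
// the first check a destination workload makes before trusting a peer at all.
func (id SPIFFEID) MemberOf(trustDomain string) bool { return id.TrustDomain == trustDomain }

func main() {
	for _, s := range []string{
		"spiffe://acme.com/billing/payments",
		"spiffe://acme.com",
		"spiffe://Acme.com/billing",          // uppercase trust domain
		"spiffe://acme.com:443/billing",      // port
		"spiffe://acme.com/billing/../admin", // dot segment
		"https://acme.com/billing",           // wrong scheme
	} {
		if id, err := ParseSPIFFEID(s); err != nil {
			fmt.Printf("REJECT %-40s %v\n", s, err)
		} else {
			fmt.Printf("OK     %-40s trust domain=%s path=%s\n", s, id.TrustDomain, id.Path)
		}
	}
}
```

Parsing by hand rather than with net/url is intentional: a generic URL parser would happily accept a port, userinfo or a query string and normalise case, all of which a SPIFFE ID consumer must reject.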
SPIFFE Verifiable Identity Document (SVID)
A document that carries a SPIFFE ID (eg. spiffe://acme.com/billing/payments) and that the receiver can cryptographically verify.
Today only one form of SVID (X509-SVID): an X.509 certificate with the SPIFFE ID in its URI SAN. Other document types under consideration (including JWT-SVID).
Typically short-lived.
SPIFFE Workload API
Diagram: each Workload asks the Workload API on its node whoami(), and the Server behind it answers with that workload's identity. The workload presents no credential of its own; how the caller is identified is shown in the "day in the life" section later in the deck.

SPIRE
A cross-platform implementation of the SPIFFE specifications, made up of a SPIRE Server and a SPIRE Agent on every node.
SPIRE Server: holds registration entries. Example entry:
  spiffe://acme.com/billing/payments
    selector: aws:sg:sg-edcd9784
    selector: k8s:ns:payments
    selector: k8s:sa:pay-svc
    selector: docker:image-id:442ca9
Diagram: on each Node a SPIRE Agent exposes the Workload API to the Workloads on that node and talks to the SPIRE Server.
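How the server scopes entries to a node and how the agent decides which entry a calling workload matches, as an added Go example that is not part of the deck or of SPIRE's code base. The registry contents, the agent ID spiffe://acme.com/spire/agent/aws_iid/i-0abc123def and the extra entries are constructed; the matching rule itself (an entry matches only if every selector on it is among the selectors discovered for the process, and only entries parented to the attested node are considered) is SPIRE's. The aws:sg selector from the slide is a node-level selector checked at node attestation, so it is represented here by the entry's parent rather than re-checked per workload.

```go
package main

import "fmt"

// Entry is a SPIRE-style registration entry: the SPIFFE ID to issue, the node
// (parent) the entry is scoped to, and the selectors a workload must present.
type Entry struct {
	SPIFFEID  string
	ParentID  string
	Selectors []string // "type:key:value", as on the slide
}

// SampleNode is the hypothetical SPIFFE ID of the agent on the EC2 instance.
const SampleNode = "spiffe://acme.com/spire/agent/aws_iid/i-0abc123def"

// Registry is a constructed stand-in for the SPIRE Server's entry store.
var Registry = []Entry{
	{"spiffe://acme.com/billing/payments", SampleNode,
		[]string{"k8s:ns:payments", "k8s:sa:pay-svc", "docker:image-id:442ca9"}},
	{"spiffe://acme.com/billing/refunds", SampleNode,
		[]string{"k8s:ns:payments", "k8s:sa:refund-svc"}},
	// Same identity, but only obtainable from a different node.
	{"spiffe://acme.com/billing/payments", "spiffe://acme.com/spire/agent/aws_iid/i-0fff999",
		[]string{"k8s:ns:payments", "k8s:sa:pay-svc"}},
}

// EntriesForNode is what the server returns after node attestation: only the
// entries parented to that node, so a compromised node learns nothing about
// identities it was never meant to host (the deck's "Minimal Knowledge" goal).
func EntriesForNode(nodeID string) []Entry {
	var out []Entry
	for _, e := range Registry {
		if e.ParentID == nodeID {
			out = append(out, e)
		}
	}
	return out
}

// MatchEntries is the workload-attestation check. The agent has discovered a
// set of selectors for the calling process out-of-band; an entry matches only
// if every selector on the entry is in that set. Extra discovered selectors
// are fine, a missing one is not.
func MatchEntries(entries []Entry, discovered []string) []Entry {
	have := make(map[string]bool, len(discovered))
	for _, s := range discovered {
		have[s] = true
	}
	var out []Entry
	for _, e := range entries {
		ok := true
		for _, s := range e.Selectors {
			ok = ok && have[s]
		}
		if ok {
			out = append(out, e)
		}
	}
	return out
}

// IDsForWorkload chains both steps and returns the SPIFFE IDs the agent would
// go on to request SVIDs for; an empty result means whoami() is refused.
func IDsForWorkload(nodeID string, discovered []string) []string {
	var ids []string
	for _, e := range MatchEntries(EntriesForNode(nodeID), discovered) {
		ids = append(ids, e.SPIFFEID)
	}
	return ids
}

func main() {
	// Selectors the agent would discover for the payments pod (constructed).
	pod := []string{"unix:uid:1000", "k8s:ns:payments", "k8s:sa:pay-svc", "docker:image-id:442ca9"}
	fmt.Println(IDsForWorkload(SampleNode, pod))
	fmt.Println(IDsForWorkload(SampleNode, []string{"k8s:ns:payments", "k8s:sa:intruder"}))
}
```

The second call in main shows the failure mode that matters: a process in the right namespace on the right node but under the wrong service account gets nothing, rather than a "closest match".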
Design Goals of SPIFFE and SPIRE
● Application identity driven. By building a security model rooted in a strong assertion of application identity, policies and practices become application- and business-unit-oriented rather than infrastructure-oriented.
● Easily adoptable. Users should be able to adopt SPIRE (code-named Emissary in the original design document) with little or no code change. The system should work well in dynamically orchestrated containerized environments.
● Federatable. It should be possible to use these identity mechanisms across business units and even organizations.
● Reliable. Single points of failure in the system should be minimized, and the system should degrade gracefully when any single point of failure is down.
● Cloud and Container Ready. It should be possible to safely extend trust to entities running on third-party cloud providers such as Amazon Web Services and Microsoft Azure, and on container orchestrators such as Cloud Foundry and Kubernetes.
Security Goals of SPIFFE and SPIRE
● Fully automated and policy driven. Existing identity (particularly PKI) infrastructure is complex and often requires “human trust”, which weakens delivery. SPIRE (Emissary) is fully automated and should minimize manual key distribution.
● Minimal Knowledge. A compromised machine should expose only the secrets of workloads that happen to be running on that machine.
● Reliable. Single points of failure in the system should be minimized and the system should degrade gracefully when any SPOF is down. No “steady state” operation should depend on a specific node being available.
● Scoped trust roots. There should be no hardcoded, global trust roots as we see in the web browser world.
SPIFFE Workload API: what sits above and below it (diagram)
Above the Workload API, consumers of SVIDs: secure authentication amongst services over mTLS or JWT; identity for service mesh proxies; gRPC; bootstrapping deployment of distributed systems (eg. secret stores).
Below it, SPIRE plug-ins: cloud platform attestation plug-ins; OS attestation plug-ins; scheduler and PaaS attestation plug-ins; HSM, TPM and Kerberos attestation plug-ins; CA and secret store plug-ins.
Use cases: how the identity plane becomes the unifying layer for infrastructure

Turn-key, best practice authentication
Diagram: Source and Destination each have a local SPIRE Agent. The agents identify the workload and distribute trust bundles; the two workloads then make an authenticated connection directly.

Minimize key leaks with secure introduction
Diagram: an API Service makes an authenticated connection to a Secret Store or Identity Broker (eg. Vault, APIGateway, ADFS etc.) using its SVID, so no bootstrap secret has to be shipped with the service. As before, the SPIRE Agents identify the workload and distribute trust bundles.
Simplify workload AuthN and AuthZ with Service Mesh
Diagram: an API Service and a Database each sit behind an Ambassador Proxy, with a SPIRE Agent on each side. The agent verifies the infrastructure (node attestation) and verifies the workload; the proxies then carry an mTLS or JWT authenticated connection between the two.
Improving post-incident forensics with unified telemetry
Diagram: the Billing Service (with its SPIRE Agent) emits traces via a Trace Lib to a Tracing Collector (eg. Jaeger), metrics via a Metrics Agent to a Metrics Collector (eg. Prometheus) and logs via a Log Collector (eg. Fluentd), so all three streams can be tied to the same workload identity.
Enforce and verify release pipelines
Diagram: CI/CD Pipeline: Artifact Built, Artifact Signed, then deployed as the Billing Service with a SPIRE Agent alongside.
The Billing Service passes attestation and is issued the identity spiffe://acme.com/billing because it
● runs as user ‘billing-svc’,
● in the AWS security group sg-5c24f185, and
● runs in a docker image that has been signed by our build system’s private key.
A second Billing Service built from an artifact that was never signed (Artifact Built only) fails attestation and is issued no identity.
Authenticate developer access (BeyondCorp)
Diagram: Jan’s Laptop (SPIRE Agent, YubiKey) connects over SSH to a Remote Node (SPIRE Agent, HSM); a User IdP (eg. LDAP) sits alongside.
The laptop is issued spiffe://acme.com/developers/janc/macbook4 because it
● has authenticated as LDAP user janc, and
● has authenticated with the YubiKey associated with macbook4.
The Identity Plane becomes the unifying layer for infrastructure
Identity Plane (SPIRE) exposing SPIFFE (API), consumed by:
  Service Mesh:                          Envoy, LinkerD, nginx, gRPC
  Secure Introduction:                   Vault, Confidant, Knox
  Unified telemetry:                     Prometheus, Grafana, Jaeger
  Enforcement of Software Supply Chain:  TUF, Notary, Grafeas
...
Choose your own
adventure time!
A day in the life of a SPIFFE ID (or, how SPIRE actually works)

SPIFFE Runtime Environment: the SPIRE Server holds the registration entry
  spiffe://acme.com/billing/payments
    selector: aws:sg:sg-edcd9784
    selector: k8s:ns:payments
    selector: k8s:sa:pay-svc
    selector: docker:image-id:442ca9
Diagram for the steps below: an EC2 Instance running a Kubelet and a Container; the SPIRE Agent on the instance exposes the Workload API to the container and talks to the SPIRE Server and to the AWS Instance Metadata API.

Node attestation
1. The node agent authenticates to the SPIRE Server, passing the AWS Instance Identity Document it obtained from the AWS Instance Metadata API.
2. The server returns the list of valid SPIFFE IDs for that node, with their selectors.

Workload attestation
3. The workload requests its identity (whoami()) over the Workload API.
4. The node agent performs an out-of-band check of the workload's process metadata (eg. against the kubelet and docker) and compares it to the known selectors.

SVID bundle issuance
5. If a match is found, the node agent generates a key for the workload.
6. The node agent sends a certificate signing request based on that key to the SPIRE Server.
7. The SPIRE Server issues the SVID (as well as certificates for any other workload the instance should support).
8. The certificate bundle is returned to the workload.
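Steps 5 to 8 and the destination workload's side of the exchange, as an added Go example that uses only the standard library and is not SPIRE's code: a toy in-memory CA stands in for the SPIRE Server, issues a one-hour X509-SVID whose only URI SAN is the SPIFFE ID, and a verify function chains a peer certificate to the trust bundle and extracts that ID. Key handling is simplified (in SPIRE the agent generates the key and sends a CSR; here one helper generates and signs in one go); the trust domain, IDs and names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// CA stands in for the SPIRE Server's signing key; Bundle is the trust bundle
// the agent hands to workloads alongside their SVID.
type CA struct {
	key    *ecdsa.PrivateKey
	cert   *x509.Certificate
	Bundle *x509.CertPool
}

// sign generates a fresh P-256 key and certifies it with parentKey; a nil
// parent means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a self-signed signing certificate for one trust domain.
func NewCA(trustDomain string) (*CA, error) {
	cert, key, err := sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: trustDomain + " SPIRE CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		URIs:                  []*url.URL{{Scheme: "spiffe", Host: trustDomain}},
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	bundle := x509.NewCertPool()
	bundle.AddCert(cert)
	return &CA{key: key, cert: cert, Bundle: bundle}, nil
}

// IssueSVID is steps 5-7: a key for the workload and a short-lived leaf whose
// only URI SAN is its SPIFFE ID, which is what makes it an X509-SVID.
func (ca *CA) IssueSVID(spiffeID string, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	uri, err := url.Parse(spiffeID)
	if err != nil {
		return nil, nil, err
	}
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{uri},
	}, ca.cert, ca.key)
}

// VerifySVID is the destination side: chain the peer certificate to the trust
// bundle (not the system roots), then read the SPIFFE ID from its single URI
// SAN. Whether that ID may talk to you is a separate authorization decision.
func VerifySVID(cert *x509.Certificate, bundle *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: bundle, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	if len(cert.URIs) != 1 || cert.URIs[0].Scheme != "spiffe" {
		return "", errors.New("certificate must carry exactly one spiffe:// URI SAN")
	}
	return cert.URIs[0].String(), nil
}

func main() {
	ca, err := NewCA("acme.com")
	if err != nil {
		panic(err)
	}
	svid, _, err := ca.IssueSVID("spiffe://acme.com/billing/payments", time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println(VerifySVID(svid, ca.Bundle))
}
```

VerifySVID has the shape of the callback you would attach to tls.Config.VerifyPeerCertificate in an mTLS setup: verify against the trust bundle rather than the host's CA store, then authorise on the SPIFFE ID, never on a DNS name or IP.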
blog.scytale.io
github.com/spiffe
spiffe.slack.io
SPIFFE in 5 minutes - bit.ly/2J9c3to
SPIFFE in a real-world deployment - bit.ly/2Jd8BOm
