[WSO2 Integration Summit Johannesburg 2019] Security in a Distributed Computing Environment
This deck explores modern distributed systems, authorization, authentication, identity management, and rate limiting.

Published in: Technology
  1. Security in the Context of Distributed Computing

  2. Who am I?
     Christhonie Geldenhuys, Solutions Architect for DeARX, based in our Cape Town office

  3. Topics
     A practical view based on our experience with distributed computing
     ► A look at modern distributed systems
     ► Authentication
     ► Creating a seamless experience
     ► Leveraging social login
     ► Additional factors
     ► Identity management
     ► A single view
     ► Personal data and consent
     ► Authorisation
     ► Rate limiting or throttling

  4. An evolution in component size (Source: Tiempo Development)

  5. And an evolution in location

  6. Monolithic to microservices (Source: Tiempo Development)

  7. So how does this impact security?

  8. Key considerations remain the same
     ► Who is accessing the system? Authentication
     ► What can they do? Authorization
     ► When/how often can they do it? Throttling

  9. Authentication

  10. Traditional monolithic authentication
      Typical application-level implementation of role-based access control

  11. Traditional approach causes duplication
      (Diagram labels: Legacy User DB, Active Directory, App 1, App 2)
      We still see many examples of this!

  12. Traditional approach causes duplication
      (Diagram labels: Active Directory, Application 1, Application 2)
      This is much better.

  13. Authentication as a service
      Use a “Trusted 3rd party” (diagram label: Back-end servers)

  14. Central authentication mechanism
      Provide a single mechanism for identity management and authentication. Integrate applications with the Identity Server.

  15. Benefits of this approach
      ► A single mechanism for authentication
      ► Common and shared across all applications
      ► User information in one place
      ► Easy to maintain
      ► Can leverage proven security standards
      Using an Identity Server provides:
      ► Central login mechanism
      ► Customised registration flow
      ► Customised approval flows
      ► Advanced authentication techniques

  16. Single Sign-On
      Single Sign-On applications have the following characteristics:
      ► Static, well-known URL, e.g. http://logon.acme.com
      ► Authentication session is maintained at this URL, using cookies to identify the session
      ► Redirect mechanisms are used to redirect to and from this app
      Benefits
      ► This enables the authentication session to span multiple applications.
      ► Login once for a range of applications.

  17. Implementation considerations
      ► Users and groups now become a central responsibility
      ► Roles remain an application concern
      ► Share information via API or claims.
      How do we separate the various identity objects?

  18. Social login – use cases
      ► End-users – removes the risk of creating yet another account
      ► Occasional or temporary workers – i.e. contractors, not requiring the benefits of corporate-wide access control groups / roles

  19. Identity information and POPI

  20. What is POPI?
      ► The Protection of Personal Information Act will regulate the Processing of Personal Information.
      ► Personal Information broadly means any information relating to an identifiable, living natural person or juristic person (companies, CCs etc.) and includes, but is not limited to:
        ► contact details: email, telephone, address etc.
        ► demographic information: age, gender, race, birth date, ethnicity etc.
        ► history: employment, financial, educational, criminal, medical history
        ► biometric information: blood type etc.
        ► opinions of and about the person
        ► private correspondence etc.
      ► Processing broadly means anything that can be done with the Personal Information, including collection, usage, storage, dissemination, etc.

  21. Personal information as a service
      What if…
      ► We can access personal data from a central source
      ► Information is stored once.
      ► Easy to add, change or remove in one place.
      ► Central access control
      ► Provide a customer self-help portal to view or change data.
      ► Get user consent to determine who can use it.

  22. Personal information capture
      ► Initial user / customer information is captured as part of the registration process.
      ► Additional user information can also be stored here over time.

  23. Personal information distribution
      Obtaining the user's consent is one of the fundamental requirements of personal information regulation. WSO2 Identity Server facilitates this through its Consent Management features.

  24. Support in WSO2 Identity Server – Consent Management
      ► Self-help profile creation, user provisioning to other systems, sharing of user attributes through SSO, and identity federation are fully based on user consent
      ► Users can review, modify, and revoke previously given consent via the self-care user portal or the RESTful Consent API
      ► The Consent API can also be used to integrate WSO2 IS consent management capabilities with existing applications
      ► WSO2 IS can be used to manage consent of any 3rd-party application via the RESTful Consent API

  25. User account management by WSO2 IS

  26. Authorization

  27. OAuth to the rescue
      WSO2 Identity Server includes support for the popular OAuth standards.

  28. API Manager as a first line of defence
      API Manager helps offload checking tokens at the point of ingress.

  29. Who is this? – Access tokens
      When using access tokens we might want to check who is using this token:
      ► For display of the user name, perhaps
      ► For additional authorization decisions
      ► Per operation, per business record, etc.
  30. Access token lookup
      ► Use the API to validate / look up token claims.
      ► Cache the token for its validity period.
      ► Store the principal and claims as part of the cache.
      (Diagram: token validation lookup)
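Slide 30's three bullets, as an added example (not code from the deck or from WSO2): an opaque access token is resolved through a lookup, the principal and claims are cached under a hash of the token, and the cache entry is honoured only until the token's own expiry. The introspection table, token strings, scopes and timestamps are all constructed sample data standing in for the identity server's validation endpoint; negative answers are deliberately not cached so a revoked token is never served from cache.

```python
"""Access-token lookup with a cache bounded by the token's validity (constructed example)."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional


@dataclass(frozen=True)
class TokenInfo:
    principal: str              # subject the token was issued to
    scopes: FrozenSet[str]      # claims used for authorization decisions
    expires_at: float           # absolute expiry (seconds since epoch)


# Constructed stand-in for the identity server's token validation API.
# A real deployment calls the server over HTTPS; these rows are sample data only.
_INTROSPECTION_DB: Dict[str, TokenInfo] = {
    "tok-alice-123": TokenInfo("alice", frozenset({"orders:read"}), expires_at=1000.0),
    "tok-bob-456": TokenInfo("bob", frozenset({"orders:read", "orders:write"}), expires_at=1200.0),
}


def introspect(token: str) -> Optional[TokenInfo]:
    """Simulated remote lookup: claims for a live token, None for unknown or revoked."""
    return _INTROSPECTION_DB.get(token)


class TokenCache:
    """Caches validated principal + claims until the token expires."""

    def __init__(self, lookup: Callable[[str], Optional[TokenInfo]]):
        self._lookup = lookup
        self._entries: Dict[str, TokenInfo] = {}
        self.remote_calls = 0           # exposed so the saving is observable

    @staticmethod
    def _key(token: str) -> str:
        # Never keep bearer tokens in plaintext in the cache; key on a digest instead.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def resolve(self, token: str, now: float) -> Optional[TokenInfo]:
        key = self._key(token)
        info = self._entries.get(key)
        if info is not None and now < info.expires_at:
            return info                                 # cache hit inside validity window
        self._entries.pop(key, None)                    # expired or absent: drop stale entry
        self.remote_calls += 1
        info = self._lookup(token)
        if info is None or now >= info.expires_at:
            return None                                 # unknown, revoked or already expired
        self._entries[key] = info                       # cache for the remaining validity
        return info


def authorize(cache: TokenCache, token: str, needed_scope: str, now: float) -> bool:
    """Per-operation authorization decision taken from the cached claims."""
    info = cache.resolve(token, now)
    return info is not None and needed_scope in info.scopes


if __name__ == "__main__":
    cache = TokenCache(introspect)
    print(authorize(cache, "tok-alice-123", "orders:read", now=100.0), cache.remote_calls)
    print(authorize(cache, "tok-alice-123", "orders:read", now=500.0), cache.remote_calls)
```

The `now` parameter is injected rather than read from the clock so the expiry behaviour can be exercised deterministically; in a gateway you would pass `time.time()`.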
  31. Who is this? – JWT

  32. Access token or JWT?
      Access token
      Benefits
      ► Small, simple
      ► Ideal for a smaller number of sessions and “chatty” interfaces.
      Drawbacks
      ► Requires lookup
      ► Mitigated through caching
      JWT
      Benefits
      ► Self-contained, stateless
      ► Verification can be self-contained, or via lookup (remember to cache)
      Drawbacks
      ► Large (sometimes larger than the payload). Not ideal for:
        ► “Chatty” APIs
        ► Expensive networks, i.e. mobile, satellite, IoT
  33. Trust your services
      It is vital to verify the communication path and authenticity of your identity / authentication infrastructure. Identify your infrastructure:
      ► Use HTTPS!
      ► Check the certificates!
      Consider using certificate chains.
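Slide 33's two rules in code, as an added example that is not from the deck or WSO2: a client TLS context that verifies the server's chain to a trusted root and matches the hostname, with an explicit hook for a private CA chain, placed beside the "accept anything" shortcut it replaces. The `ca_bundle` path, the host name and the port are caller-supplied assumptions; the standard library's `ssl` module does the chain and hostname validation.

```python
"""Client TLS settings for calls to the identity / authentication server (constructed example)."""
import socket
import ssl
from typing import Optional


def client_tls_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Require a certificate chain that validates to a trusted root, and check the hostname."""
    ctx = ssl.create_default_context()     # CERT_REQUIRED, check_hostname=True, system roots
    if ca_bundle:
        # An internal identity server frequently uses a private CA: trust that chain
        # explicitly rather than switching verification off. Path is supplied by the caller.
        ctx.load_verify_locations(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_context_for_contrast() -> ssl.SSLContext:
    """The shortcut that makes 'use HTTPS' meaningless: any certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False             # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Gate check for any context: verified chain, hostname match, modern protocol floor."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def verified_peer_subject(host: str, port: int = 443, ca_bundle: Optional[str] = None) -> dict:
    """Connect, let OpenSSL validate chain and hostname, and return the verified leaf's subject.

    Network use only; not exercised by the offline checks.
    """
    ctx = client_tls_context(ca_bundle)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:   # SNI and hostname check
            return dict(rdn[0] for rdn in tls.getpeercert()["subject"])


if __name__ == "__main__":
    print("hardened:", context_is_hardened(client_tls_context()))
    print("shortcut hardened:", context_is_hardened(insecure_context_for_contrast()))
```

`create_default_context()` already enforces certificate verification; the failure mode in practice is code that later flips `check_hostname` and `verify_mode` off to silence a certificate error, which is exactly the state `context_is_hardened` flags.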
  34. Which OAuth flow / grant type?
      Use the online decision tree at https://auth0.com/docs/api-auth/which-oauth-flow-to-use to determine which OAuth flow is best for your application.

  35. Rate limiting

  36. Rate limiting – why and how
      ► Limit access to APIs using the various rate limiting filters.
      ► Absolute limits or support for burst traffic.
      ► API Manager continuously monitors the traffic and limits.
      ► API suspension is implemented when limits are reached.
      ► Rather stop them at the gate than try to deal with load while under load.
      ► Suspension returns pre-defined (customisable) error codes.
      ► The API auto-resumes after predefined period(s).
  37. WSO2 Throttling Policies

  38. Summary
      ► Authentication as a service: a seamless experience for the user across multiple applications
      ► Identity as a service: user/customer information in one place, with controlled access to that information
      ► Authorization: a mechanism to provide access to resources
      ► Rate limiting: to protect our systems from over-use and abuse