Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native Environment

ssuserbeb7c0 75 views 30 slides Oct 11, 2024

About This Presentation

All Day DevOps 2024


Slide Content

Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native Environment
All Day DevOps 2024
Hitachi, Ltd. OSS Solution Center
10/11/2024
Yoshiyuki Tabata

Contents
1. Importance of Authentication and Authorization
2. Difficulty to Implement Authentication and Authorization
3. Current Trends of Authentication and Authorization
4. Exploring Best Practices for Implementing Authn and Authz

Speaker
Yoshiyuki Tabata, Senior OSS Consultant at Hitachi, Ltd.
CNCF Ambassador / Cloud Native Community Japan organizer / Cloud Native Security Japan founder
LinkedIn: @ytabata, X: @yo_tabata, GitHub: @y-tabata
- Specialist in API authorization: consulting for API management infrastructure and authentication/authorization systems in the financial, public, social, and industrial fields
- Contributor to OSS related to authentication, authorization, and API management: Keycloak (IAM OSS), 3scale (API management OSS)
- Other activities: speaker at events such as KubeCon, Apidays, Open Source Summit, etc.; author of Keycloak books (Japanese) and writer of web articles about IAM (Japanese)

Section 1. Importance of Authentication and Authorization

What is Authentication / Authorization
Authentication (Authn) is the process of verifying an entity's identity.
Authorization (Authz) is the process of verifying that a requested action or service is approved for a specific entity.
(Diagram: entities send requests to resources / APIs. Authentication asks: who or what makes the request? Authorization asks: can the entity take some action regarding the resources?)

Authn and Authz in OWASP Top 10 API Security Risks
The top 3 security risks are regarding "Authn/Authz".
1. Broken Object Level Authorization
2. Broken Authentication
3. Broken Object Property Level Authorization
4. Unrestricted Resource Consumption
5. Broken Function Level Authorization
6. Unrestricted Access to Sensitive Business Flows
7. Server Side Request Forgery
8. Security Misconfiguration
9. Improper Inventory Management
10. Unsafe Consumption of APIs
* OWASP Top 10 API Security Risks - 2023: https://owasp.org/API-Security/editions/2023/en/0x11-t10/

Authorization in OWASP Top 10 API Security Risks
Authorization is the most significant security risk, with 3 risks ranking in the top 5.
#1 Broken Object Level Authorization: must not allow user 101 to obtain user 102's resources (e.g., user 101 calling GET /users/102).
#3 Broken Object Property Level Authorization: must not allow a general user to change sensitive object properties like "rank" (e.g., user 101 calling PUT /users/101 with { "rank": "gold" }).
#5 Broken Function Level Authorization: must not allow a general user to call an administrator function (e.g., user 101 calling GET /admin/users/all).
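The three authorization failures above in code, as an added example that is not from the slides: a deliberately broken object-level read beside the checked handlers for GET /users/{id}, PUT /users/{id} and GET /admin/users/all. The in-memory user table, the admin set and the Forbidden exception are constructed for the example.

```python
from typing import Callable

# Constructed sample data: 101 and 102 are general users, 900 is an administrator.
USERS = {101: {"name": "alice", "rank": "silver"},
         102: {"name": "bob", "rank": "gold"},
         900: {"name": "root", "rank": "gold"}}
ADMINS = {900}
USER_WRITABLE = {"name"}   # "rank" is sensitive and deliberately not writable by users

class Forbidden(Exception):
    pass

def get_user_broken(caller: int, target: int) -> dict:
    """#1 BOLA as it happens: the id from the URL is trusted, any caller reads any user."""
    return USERS[target]

def get_user(caller: int, target: int) -> dict:
    """Object-level check: GET /users/{target} only for the owner or an admin."""
    if caller != target and caller not in ADMINS:
        raise Forbidden(f"user {caller} may not read user {target}")
    return USERS[target]

def update_user(caller: int, target: int, patch: dict) -> dict:
    """PUT /users/{target}: object-level check, then #3 property-level check per field."""
    if caller != target and caller not in ADMINS:
        raise Forbidden(f"user {caller} may not update user {target}")
    denied = set(patch) - USER_WRITABLE
    if denied and caller not in ADMINS:
        raise Forbidden(f"user {caller} may not set {sorted(denied)}")
    USERS[target].update(patch)
    return USERS[target]

def admin_list_users(caller: int) -> list:
    """GET /admin/users/all: #5 function-level check, the whole endpoint is admin-only."""
    if caller not in ADMINS:
        raise Forbidden(f"user {caller} may not call administrator functions")
    return sorted(USERS)

def allowed(fn: Callable, *args) -> bool:
    """True when the call passes its authorization checks, False when it is denied."""
    try:
        fn(*args)
        return True
    except Forbidden:
        return False
```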

Section 2. Difficulty to Implement Authentication and Authorization

Various Standards for Authentication
This year marks 10 years since OpenID Connect 1.0 was published. In recent years, various standards have been published to address various attacks and social needs, and more will likely be added in the future.
Standards, by standardizing body:
- OIDF: OpenID Connect Core 1.0, OpenID Connect Discovery 1.0, OpenID Connect DCR 1.0, FAPI 1.0, FAPI 2.0, CIBA, FAPI-CIBA, JARM, OID4VCI
- IETF: RFC 6749: OAuth 2.0 (which OpenID Connect extends), RFC 6750: Bearer Token, RFC 7636: PKCE, RFC 7662: Token Introspection, RFC 8628: Device Flow, RFC 8693: Token Exchange, RFC 8705: OAuth MTLS, RFC 9449: DPoP, OAuth 2.1
- OASIS: SAML 2.0
- W3C: Web Authentication
OSS: …

No Standards and Various OSS for Authorization
There is no standard for communicating authorization information, and there are a lot of excellent OSS implementations. Currently, the OIDF AuthZEN WG is working to develop standards to address this situation.
Standards: none
OSS: …

Section 3. Current Trends of Authentication and Authorization

Current Trend of Authentication
In a cloud-native environment, not only User Authentication like OIDC but also Workload Authentication is becoming increasingly important. In today's world, with an increasing number of complex software functions being built and deployed as workloads, the IETF Workload Identity in Multi System Environments (WIMSE) WG was established in 2024 and is developing standards for workload authentication.
Current Active Internet-Drafts:
- WIMSE Service to Service Authentication (2024-08-15): describes protocols for two workloads to verify each other's identity.
- Workload Identity in a Multi System Environment (WIMSE) Architecture (2024-07-08): describes workload identity and its use cases.
- Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments (2024-07-08): describes an OAuth 2.0 client authentication method in workload environments utilizing service account token volume projection and RFC 7523.

Current Trend of Authorization
Authorization is recognized as the most important security risk, and there is demand for dynamic and fine-grained authorization schemes. The OIDF Authorization Exchange (AuthZEN) WG was established in 2023 and is developing standards for authorization.
Current Drafts:
- Authorization API 1.0 (2024-09-15): describes the API specification between Policy Decision Points (PDP) and Policy Enforcement Points (PEP).

Section 4. Exploring Best Practices for Implementing Authn and Authz

Best Practice of Authentication (User Authentication)
Assess the adverse impact of failures and choose the appropriate user authentication methods among the many available, following NIST SP 800-63 Digital Identity Guidelines. Revision 4 of NIST SP 800-63 is currently available as a draft.
Authenticator Assurance Levels (AAL) and permitted authentication:
- AAL1: single-factor authentication like password authentication
- AAL2: multi-factor authentication like a synced passkey based on W3C Web Authentication (WebAuthn)
- AAL3: multi-factor cryptographic authentication like a device-bound passkey based on WebAuthn

Best Practice of Authentication (User Authentication)
User authentication does not need to be implemented individually in the workload but is typically delegated to an IdP such as Keycloak. When delegating user authentication, choose the appropriate federation protocol, following NIST SP 800-63.
Federation Assurance Levels (FAL) and federation protocols:
- FAL1: OIDC implicit flow; SAML Web SSO profile
- FAL2: OIDC authorization code flow; SAML artifact binding profile
- FAL3: OIDC holder-of-key ID token (no standard); SAML Holder-of-Key profile

Best Practice of Authentication (User Authentication)
When adopting OIDC, the more specific implementation decisions are made following OAuth 2.0 Security Best Current Practice, which summarizes the latest security recommendations for OAuth 2.0. OIDC has a high affinity for cloud-native environments and is often adopted because it is based on OAuth 2.0, the standard for API protection.
Threat examples and mitigations:
- Cross-Site Request Forgery (CSRF): RFC 7636: Proof Key for Code Exchange (PKCE)
- Misuse of Stolen Access Tokens: RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (OAuth MTLS); RFC 9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP)

Best Practice of Authentication (Workload Authentication)
The current mainstream is mTLS authentication using X.509 certificates with a SPIFFE-compliant implementation such as SPIRE. Some ways to interact with the SPIRE Agent include implementing its client with a SPIFFE library, using the SPIRE Helper utility, or using Envoy Proxy.
(Diagram: the SPIRE Server holds the workload identities and issues X.509 certificates to the SPIRE Agent on each node; each workload obtains its X.509 certificate from the local SPIRE Agent, and the two workloads authenticate each other over mTLS.)

Best Practice of Authorization
Separate authorization logic from application logic using the P*P architecture defined in XACML and NIST SP 800-162. By separating the authorization logic, workloads are freed from having to keep up with the complexity of authorization conditions as the service grows.
(Diagram: 1. an entity (subject) sends an unauthorized request to the Policy Enforcement Point (PEP); 2. the PEP delegates the authorization decision to the Policy Decision Point (PDP), which evaluates authorization policies from the Policy Administration Point (PAP) and data from the Policy Information Point (PIP); 3. the PDP returns the authorization decision; 4. the PEP forwards the authorized request to the resource / API (object).)

Best Practice of Authorization
Depending on your use case, choose the PDP authorization model between Attribute-Based Access Control (ABAC) and Relationship-Based Access Control (ReBAC).
(Diagram: the same P*P architecture as on the previous slide, with the PDP highlighted.)

Best Practice of Authorization
Depending on your use case, choose the PDP authorization model between Attribute-Based Access Control (ABAC) and Relationship-Based Access Control (ReBAC).
ABAC (Policy as Code)
- Features: good at very fine-grained authorization, including authorization depending on dynamic attributes such as time and location.
- Use case example: Managers who are in APAC can view Trade Confidential files during business hours.
- Representative implementation: Open Policy Agent (OPA)
ReBAC (Policy as Graph)
- Features: good at authorization using complex hierarchical relationships.
- Use case example: Users who are assigned the Member role of the Development team will also be granted the Edit role for all files in that folder if the Development team is the parent of that folder.
- Representative implementation: OpenFGA

Best Practice of Authorization
Interaction between PDP and PEP is implemented following the OIDF AuthZEN WG Authorization API 1.0. Since this specification is still a draft, breaking changes are possible, so it is necessary to keep a close eye on trends.
(Diagram: the same P*P architecture as above, with the PEP-to-PDP delegation (step 2) and the decision (step 3) highlighted.)
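The ABAC and ReBAC use cases from the table above and the PEP-to-PDP call on this slide, as one added example that is not from the slides or from any of the named projects: a toy PDP answering an evaluation request shaped like the AuthZEN Authorization API draft's (subject, resource, action, context in; decision out). The attribute tables, the relationship tuples and the business-hours window are constructed assumptions.

```python
from datetime import datetime

# ABAC (policy as code): "Managers who are in APAC can view Trade Confidential
# files during business hours." Attributes would come from the PIP; constructed here.
SUBJECT_ATTRS = {"u1": {"role": "manager", "region": "APAC"},
                 "u2": {"role": "engineer", "region": "APAC"}}
FILE_ATTRS = {"f1": {"classification": "Trade Confidential"}}

def abac_view(subject: dict, resource: dict, ctx: dict) -> bool:
    s = SUBJECT_ATTRS.get(subject["id"], {})
    r = FILE_ATTRS.get(resource["id"], {})
    hour = datetime.fromisoformat(ctx["time"]).hour if ctx.get("time") else -1  # dynamic attribute
    return (s.get("role") == "manager" and s.get("region") == "APAC"
            and r.get("classification") == "Trade Confidential" and 9 <= hour < 18)

# ReBAC (policy as graph): "Members of the Development team get Edit on all files
# in a folder whose parent is the Development team." Tuples are
# (object, relation, subject) in the OpenFGA style; constructed sample graph.
TUPLES = {("team:dev", "member", "user:u2"),
          ("folder:src", "parent", "team:dev"),
          ("file:main.go", "parent", "folder:src")}

def has_relation(obj: str, relation: str, user: str) -> bool:
    if (obj, relation, user) in TUPLES:
        return True
    # walk 'parent' edges: a relation held on an ancestor object is inherited
    return any(has_relation(parent, relation, user)
               for o, rel, parent in TUPLES if o == obj and rel == "parent")

def rebac_edit(subject: dict, resource: dict) -> bool:
    # edit on a file is granted to members of a team that is an ancestor of the file
    return has_relation(f'{resource["type"]}:{resource["id"]}', "member",
                        f'{subject["type"]}:{subject["id"]}')

def evaluate(req: dict) -> dict:
    """PDP side of POST /access/v1/evaluation: AuthZEN-shaped request in, decision out."""
    action = req["action"]["name"]
    if action == "view":
        ok = abac_view(req["subject"], req["resource"], req.get("context", {}))
    elif action == "edit":
        ok = rebac_edit(req["subject"], req["resource"])
    else:
        ok = False   # default deny for unknown actions
    return {"decision": ok}

def pep_request(user: str, rtype: str, rid: str, action: str, **context) -> dict:
    """PEP side: build the evaluation request body that step 2 of the diagram sends."""
    return {"subject": {"type": "user", "id": user},
            "resource": {"type": rtype, "id": rid},
            "action": {"name": action}, "context": context}
```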

Best Practice of Authorization
Obtain user identities used for authorization following RFC 7662: OAuth 2.0 Token Introspection. The access token included in the Token Introspection request is the one obtained from the API request.
(Flow: 1. the entity sends an API request with an access token to the resource / API, following RFC 6750: OAuth 2.0 Bearer Token Usage; 2. the resource / API sends a Token Introspection request with that access token to the Authorization Server, following RFC 7662.)
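The two steps above as an added example (not from the slides): the resource server extracts the bearer token per RFC 6750, builds the RFC 7662 introspection request and acts on the response. The authorization server is a constructed stub, as are the tokens, subjects and scopes.

```python
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

def bearer_token(headers: dict) -> Optional[str]:
    """RFC 6750 section 2.1: 'Authorization: Bearer <token>'; the scheme is case-insensitive."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()

def introspection_request(token: str) -> Tuple[str, str]:
    """RFC 7662 section 2.1: form-encoded POST body; the token_type_hint is optional."""
    return ("application/x-www-form-urlencoded",
            urlencode({"token": token, "token_type_hint": "access_token"}))

# Constructed stub of the authorization server's introspection endpoint.
# A real PEP sends the body over an authenticated HTTPS POST instead.
_ISSUED = {"tok-alice": {"sub": "101", "scope": "users:read", "client_id": "api-gw",
                         "exp": int(time.time()) + 600},
           "tok-old":   {"sub": "102", "scope": "users:read", "client_id": "api-gw",
                         "exp": int(time.time()) - 1}}

def stub_introspect(body: str) -> dict:
    token = parse_qs(body).get("token", [""])[0]
    rec = _ISSUED.get(token)
    if rec is None or rec["exp"] <= time.time():
        return {"active": False}   # RFC 7662: unknown or expired -> only 'active': false
    return {"active": True, **rec}

def authorize_request(headers: dict, required_scope: str) -> Tuple[bool, Optional[str]]:
    """PEP steps 1 and 2: returns (allowed, subject); identity is taken only from the AS."""
    token = bearer_token(headers)
    if token is None:
        return False, None
    _, body = introspection_request(token)
    info = stub_introspect(body)
    if not info.get("active"):
        return False, None
    if required_scope not in info.get("scope", "").split():
        return False, info.get("sub")   # authenticated, but not authorized for this scope
    return True, info.get("sub")
```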

Best Practice of Authorization
In a cloud-native environment, the workload may need to interact with others. In this case, obtain a token following RFC 8693: OAuth 2.0 Token Exchange and use it within a trusted domain. For details on this interaction, refer to Transaction Tokens, a draft of the IETF oauth WG.
(Flow within one trusted domain: 1. the entity sends an API request with an access token to the first workload; 2. the workload sends a Token Exchange request with the access token to the Authorization Server; 3. the Authorization Server returns a Token Exchange response with a new token; 4. the workload sends an API request with the new token to the second workload.)

Best Practice of Authorization
If workloads are distributed across multiple trusted domains, obtain a token for the other trusted domain following RFC 8693 and RFC 7523: JWT Profile for OAuth 2.0 Authorization Grants. For details on this interaction, refer to OAuth Identity and Authorization Chaining Across Domains, a draft of the IETF oauth WG.
(Flow across Trusted Domain A and Trusted Domain B: 1. the entity sends an API request with an access token to the workload in domain A; 2. that workload sends a Token Exchange request with the access token to domain A's Authorization Server; 3. the Authorization Server returns a Token Exchange response with an authorization grant JWT; 4. the workload sends a Token request with the authorization grant JWT to domain B's Authorization Server; 5. domain B's Authorization Server returns a Token response with a new access token; 6. the workload sends an API request with the new access token to the workload in domain B.)
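Steps 2 to 5 of the cross-domain flow above as an added example that is not from the slides or from the cited drafts: the RFC 8693 exchange request, the grant JWT it returns, and the RFC 7523 request that redeems it at the other domain's authorization server. Both authorization servers are constructed stubs and the grant is HS256-signed with a constructed shared key; real deployments use the issuing server's own key pair and the full claim checks of the drafts.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"          # RFC 7523
TT_JWT = "urn:ietf:params:oauth:token-type:jwt"
AS_A, AS_B = "https://as.domain-a.example", "https://as.domain-b.example"
KEY = b"constructed-shared-key"  # constructed; real ASes use their own signing keys

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_jwt(claims: dict) -> str:  # minimal HS256 JWT so the example needs no library
    msg = b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + b64url(json.dumps(claims).encode())
    return msg + "." + b64url(hmac.new(KEY, msg.encode(), hashlib.sha256).digest())

def verify_jwt(token: str) -> dict:  # raises ValueError on any defect
    head, body, sig = token.split(".")
    mac = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(mac), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def exchange_request(access_token: str) -> str:  # step 2: workload -> AS A
    return urlencode({"grant_type": TOKEN_EXCHANGE, "subject_token": access_token,
                      "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
                      "audience": AS_B, "requested_token_type": TT_JWT})

def as_a_token_endpoint(body: str) -> dict:  # step 3: AS A (stub) issues the grant JWT
    f = {k: v[0] for k, v in parse_qs(body).items()}
    if f.get("grant_type") != TOKEN_EXCHANGE or f.get("subject_token") != "at-user101":
        return {"error": "invalid_grant"}  # only the constructed user token is known
    grant = sign_jwt({"iss": AS_A, "sub": "user101", "aud": f.get("audience"), "exp": int(time.time()) + 300})
    return {"access_token": grant, "issued_token_type": TT_JWT, "token_type": "N_A"}

def as_b_token_endpoint(body: str) -> dict:  # step 5: AS B (stub) validates the grant
    f = {k: v[0] for k, v in parse_qs(body).items()}
    try:
        c = verify_jwt(f["assertion"]) if f.get("grant_type") == JWT_BEARER else {}
    except (ValueError, KeyError):
        c = {}
    if c.get("iss") != AS_A or c.get("aud") != AS_B or c.get("exp", 0) <= time.time():
        return {"error": "invalid_grant"}  # forged, wrong issuer/audience, or expired
    return {"access_token": f"at-b-{c['sub']}", "token_type": "Bearer"}

def chain(access_token: str) -> dict:  # steps 2-5 as the workload drives them
    r = as_a_token_endpoint(exchange_request(access_token))
    if "error" in r:
        return r
    # step 4: present the grant JWT to AS B as an RFC 7523 authorization grant
    return as_b_token_endpoint(urlencode({"grant_type": JWT_BEARER, "assertion": r["access_token"]}))
```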

Summary of Best Practice
Authentication
- User Authentication: NIST SP 800-63 Digital Identity Guidelines (AAL and FAL); OAuth 2.0 Security Best Current Practice
- Workload Authentication: SPIFFE
Authorization
- Architecture: P*P architecture (XACML / NIST SP 800-162)
- PDP and PEP interaction: Authorization API 1.0
- Authorization Model: ABAC / ReBAC
User Identity Propagation
- External to Internal: RFC 6750: OAuth 2.0 Bearer Token Usage; RFC 7662: OAuth 2.0 Token Introspection
- Internal to Internal (Same Trusted Domain): RFC 8693: OAuth 2.0 Token Exchange; Transaction Tokens
- Internal to Internal (Distributed across Multiple Trusted Domains): RFC 8693: OAuth 2.0 Token Exchange; RFC 7523: JWT Profile for OAuth 2.0 Authorization Grants; OAuth Identity and Authorization Chaining Across Domains

Let’s Join CNCF IAM White Paper PJ and TAG Security APAC! We are currently working on a project to write a white paper on Identity and Access Management (IAM) to discuss best practices for authentication and authorization such as those introduced in this session. If you are interested, don't hesitate to get in touch with us! https://github.com/cncf/tag-security/issues/1332 The CNCF Security Technical Advisory Group (TAG Security) APAC region meetings have started every other week from August 21st! This is in a more friendly time zone for the security freaks in attendance today, so please join us! https://zoom-lfx.platform.linuxfoundation.org/meetings/cncf?view=week

Trademarks OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries. GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other countries. X is a trademark or registered trademark of X Corp. in the United States and other countries. Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.

END: Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native Environment
Yoshiyuki Tabata, Hitachi, Ltd. OSS Solution Center, 10/11/2024