Security is ubiquitous and integral throughout the entire lifecycle of an application, from design and implementation to deployment and operations. Whether you build software for enterprises, mobile, or internal microservices, security is important. To that end, identity and access management is key to security and to the software infrastructure. Establishing users' identities before they can access resources is a key security requirement when building software applications, and the capability of enabling single sign-on is a desirable feature. For identity and access management, standards like SAML, OIDC, and SPIFFE help us solve identity and authentication, which answer the most important question of "who you are". Security is best delegated, as no one wants to re-invent the wheel, so for identity management Keycloak, an open source product, helps us build our identity management solution. Keycloak is an identity provider that creates, maintains, and manages identity information for principals while providing authentication services to relying applications within a federation or distributed network. This talk will walk through how we are using Keycloak to solve IAM security in Vantage, our Data Analytics Platform, and how we are achieving single sign-on, one of the most desirable side effects of identity management, which helps users gain access to multiple related and independent software systems in a seamless manner.
Data Con LA 2019 - One (Key) Ring to Rule Them All: Unified Identity Management for Vantage by Shweta Shetty
One (Key) Ring to Rule Them All
Unified Identity and Access Management
Shweta Shetty
Teradata
Aug 17th 2019
$whoami
• I am a Technical Lead at Teradata
• I am currently focusing on improving the Identity and Access Management for developers and customers in future versions of the Teradata product.
• I co-founded inPHYnity, which teaches high school physics to high achieving students.
Key Problem to Solve
• We need to provide data
• Securely
• Single Sign On
• all the way to database server
• all the way to TensorFlow running on analytic nodes
• MFA enabled database
• Developer Experience
Base Protocol
Identity layer on top
What OpenID Connect adds
• ID Token
• User Info endpoint
• Standard set of scopes
• Standardized implementation
Multi-Factor Authentication
LDAP
Single Sign On
Identity Brokering
Brute Force Protection
Password Policies
Federation
Email Verification
Captcha
Reset Credentials
Central User Management
Central access management
Let's talk about API failures or breaches. Let's stop and think about how API breaches happen, or how security breaches happen. There are too many to list, even if we limit ourselves to the last 2 years. They are catastrophic, and they are getting bigger and bigger. I don't just mean the number of customers affected but the type of data affected. My favorite one is Tinder. The amusing thing about Tinder was that they did not have any authentication built into it, so you could send messages as someone else. It's a silly use case, but you could cause a lot of problems with it. Let me talk about this:
For starters, take into consideration any person, myself for example. I am, by the most fundamental definition, an entity. In my capacity I am able to think, speak, teach, work and so on. However, people around me don't perceive me as an entity. At work they see me as their colleague, at home I am a parent to my kids, at my inPHYnity school I am perceived as a teacher. The different subsets of attributes that people perceive form my identities. For some people I am a teacher, for some others I am an Indian classical dancer, for some I am just a colleague, and for my bank I am a customer with a signature and an account number. Analyzing this in terms of a software application: just like me, an application is an entity that exists on its own but has multiple identities. For a single page application consuming this application, its identity would be an internet domain or a TLS cert; for a database, the identity of the application would be a set of credentials like a username and password, and so on.
For example, if you go to the bank and try to withdraw money from your account, the clerk might ask you for an ID (an official document) to check who you are. Along the same lines, if you buy a flight ticket, you might need to use a passport to prove you are the person entitled to that ticket before hopping on the plane. In contrast, authorization refers to the process of verifying what entities can access, or what actions they can perform. For a concrete example, imagine a situation where you buy a ticket for a show. In this case, more often than not, the establishment will not be interested in your identity (i.e., in who you are). What they care about is whether you are authorized or not to attend the show.
What is important to understand here is that authentication can lead to authorization, but the opposite is not true. Although proof of identity might be enough for you to get access to something (i.e., to be authorized to do something), having authorization cannot be used to identify an entity (as in the example where you buy a ticket for a show).
Chances are you have logged into applications like Spotify or Pinterest using the "Login with Facebook" button; then you know what I am talking about. As a user you really don't care how SSO works, but what you do care about is how many times you have entered your username and password, and you are thankful for a smoother experience and for having fewer logins and passwords to remember.
Like when you let a random application post something on Facebook as if it was you. Before we had OAuth, when Facebook was becoming popular, Facebook had a feature for finding friends. How did they do that? Of course the best possible option was to use your email. They had a screen where they let people log in to their email, and they pretty much had access to your Gmail using your username and password. I am pretty sure you are all thinking that it's a very bad idea to do this.
It's not a randomly generated token; it's a self-contained token: it has a payload and it is signed. The JWT is signed with the private key of the identity provider.
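As an added illustration of that sentence (and of the ID Token on the OpenID Connect slide), not code from the talk, from Keycloak or from Vantage: a Go program that builds an RS256-signed JWT the way an identity provider would, with the provider's private key, and then verifies it the way a relying party would, using only the provider's public key. The relying party pins the algorithm instead of trusting the `alg` in the header, checks the signature over `header.payload`, and only then checks the issuer, audience and expiry claims. Everything here is constructed: the issuer URL, the client id and the subject are made-up values, the RSA key pair is generated at run time instead of being fetched from a real provider's JWKS endpoint, and the `aud` claim is handled as a single string although real tokens may carry an array. It uses only the Go standard library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of registered JWT/OIDC claims this example checks.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"` // simplified: real tokens may carry an array here
	Exp int64  `json:"exp"`
	Iat int64  `json:"iat"`
}

// JWT segments are base64url without padding.
func encodeSegment(b []byte) string            { return base64.RawURLEncoding.EncodeToString(b) }
func decodeSegment(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// SignRS256 plays the identity provider: header.payload is signed with the
// provider's private key (RSASSA-PKCS1-v1_5 over SHA-256, i.e. alg RS256).
func SignRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := encodeSegment(header) + "." + encodeSegment(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + encodeSegment(sig), nil
}

// VerifyRS256 plays the relying party: it needs only the provider's public key
// and trusts the payload only after algorithm, signature and claims all pass.
func VerifyRS256(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have exactly three segments")
	}
	headerJSON, err := decodeSegment(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, err
	}
	// The verifier, not the token, decides which algorithm is acceptable.
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := decodeSegment(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	payloadJSON, err := decodeSegment(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payloadJSON, &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return nil, fmt.Errorf("token not for us: iss=%q aud=%q", c.Iss, c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token has expired")
	}
	return &c, nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the provider's key pair
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Made-up issuer, subject and client id, constructed for this example.
	tok, err := SignRS256(priv, Claims{Iss: "https://idp.example/realms/demo", Sub: "alice", Aud: "vantage-ui", Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()})
	if err != nil {
		panic(err)
	}
	c, err := VerifyRS256(&priv.PublicKey, tok, "https://idp.example/realms/demo", "vantage-ui", now)
	fmt.Printf("claims=%+v err=%v\n", c, err)
}
```

The order of checks matters: the signature is verified before any claim in the payload is read, so a forged payload, a token signed by a different key, or an expired token are all rejected before the relying party acts on `sub`. In a real deployment the public key comes from the provider's published key set and is selected by the `kid` in the header; the checks themselves stay the same.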
Let's talk about the complexities of modern authentication. Let's ask ourselves a question: how complex is authentication? You would say, I could do authentication with a table of usernames and hashed passwords? How about forbidding automatic registrations? How about integrating with a social network, connecting to an external user store, single sign-on, or MFA, for example with a smart card?
Let's ask another question: do we really want to implement any of these? No. It does not make sense to re-invent the wheel. Luckily there exists an approach which has been vetted by the community and has existed in the world before. The approach is to deploy a separate entity which does one and only one job. We integrate with it, preferably with an open and standard protocol, and we let it do its job. We DELEGATE identity and access management.
Delegate Security
There are a lot of identity solutions in the world, either cloud based or on-prem, either commercial or free and open source. Why Keycloak? Well, because it either implements all of the above out of the box or is extensible enough to allow for a relatively and comparatively easy implementation if something is missing. And it is backed by Red Hat.