Data Con LA 2019 - One (Key) Ring to Rule Them All: Unified Identity Management for Vantage by Shweta Shetty
•
1 gefällt mir•279 views
Security is ubiquitous and integral throughout the entire lifecycle of an application right from the design and implementation to deployment and operations. Whether you build software for enterprises, mobile, or internal microservices, security is important. To that end, Identity and access management is the key to the security and the software infrastructure.Establishing user's identities before they can access resources is a key security requirement when building software applications and the capability of enabling single-sign-on would be a desirable feature. For Identity and Access Management Standards like SAML, OIDC, and SPIFFE help us solve identity and authentication which answers the most important question of "who you are". Security is best delegated as no one wants to re-invent the wheel, so for Identity Management Keycloak which is an open source product helps us achieve our Identity management solutions. Keycloak is an identity provider that creates, maintains, and manages identity information for principals while providing authentication services to relying applications within a federation or distributed network. This talk will walk through how we are using Keycloak to achieve solve the IAM security in Vantage which is our Data Analytics Platform and how we are achieving single-sign-on which is one of the most desirable side effects of Identity Management which will help users gain access control for multiple related and independent software systems in a seamless manner.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Data Con LA 2019 - One (Key) Ring to Rule Them All: Unified Identity Management for Vantage by Shweta Shetty
Ähnlich wie Data Con LA 2019 - One (Key) Ring to Rule Them All: Unified Identity Management for Vantage by Shweta Shetty (20)
Mehr von Data Con LA
Mehr von Data Con LA (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Data Con LA 2019 - One (Key) Ring to Rule Them All: Unified Identity Management for Vantage by Shweta Shetty
- 1. 1 One (Key) Ring to Rule Them All Unified Identity and Access Management Shweta Shetty Teradata Aug 17th 2019
- 2. 2 $whoami • I am a Technical Lead at Teradata • I am currently focusing on improving the Identity and Access management for developers and customers in future versions of Teradata product. • I co-founded inPHYnity which teaches high school physics to high achieving students.
- 3. 3 Agenda ©2019 Teradata • Why API Security? • Level Setting • Why Single Sign On? • Standard Protocols • Identity Provider • Key Takeaways
- 4. 4 Why API Security ? ©2019 Teradata
- 5. 5 Entity vs. Identity ©2019 Teradata entity refers to a thing that exists as an individual unit while identity is a set of attributes that you can use to distinguish this entity within a context.
- 6. 6 Authentication vs. Authorization ©2019 Teradata IdentityEntity
- 7. 7 4 Elements of API Security ©2019 Teradata AuthN Confirm the Identity of the user AuthZ Secure and control client and user access Throttling Limit information flow Audit Monitor the traffic and Compliance
- 8. 8 Key Problem to Solve • We need to provide data • Securely • Single Sign On • all the way to database server • all the way to TensorFlow running on analytic nodes • MFA enabled database • Developer Experience
- 9. 9 Analytical Ecosystem Analytics Platform Co-Processors Customer Solutions UIs TD Applications Single Sign-On Platform Services Teradata Landscape
- 10. 10 Why Single Sign On?
- 12. 12 OAuth 2.0 in action ©2019 Teradata
- 13. 13 Its not for Authentication and not for Authorization OAuth is a scalable delegation protocol It’s a framework for users to authorize applications to act on their behalf OAuth 2.0 ©2019 Teradata
- 14. 14 OAuth Abstract Flow ©2019 Teradata
- 15. 15 Base Protocol Identity layer on top What OpenId Connect adds • ID Token • User Info endpoint • Standard set of scopes • Standardized implementation
- 16. 16 One token to rule them all ©2019 Teradata
- 19. 19 Multi-Factor Authentication LDAP Single Sign On Identity BrokeringBrute Force Protection Password Policies Federation Email Verification Captcha Reset Credentials Central User Management Central access management
- 20. 20
- 21. 21 Industry wide Identity Provider ©2019 Teradata
- 22. 22 Key Takeaways ©2019 Teradata • API security is not an after thought , left shift and make security your first and foremost tenant • Stick to standards • Delegate security as much as possible. • Single Sign On isn’t just about user experience but also about security and seamless integration • Think like a bad hacker!
- 23. 23 Thank you.Thank you. ©2019 Teradata
Hinweis der Redaktion
- Lets talk about api failure or breaches. Lets stop and think about how API breaches happen or how security breaches happen. There is too many to list- even if we limit to last 2 years. They are catastrophic And they are getting bigger and bigger. I don’t just mean with number of customers affected but the type of data affected. My favorite one is tinder. The amusing thing about tinder was they did not have any authentication built in to it . So you could send messages as someone else. It’s a silly use case- but you could cause a lot of problem with it. Let me talk about this -
- For starters take into consideration any person – Myself for example .I am by most fundamental definition an entity. In my capacity I am able to think , speak , teach , work and so on. However people around me don’t perceive me as entity . At work they see me as their colleague, at home I am parent to my kids , at my inphynity school I am perceived as a teacher. The different subsets of attributes that people perceived formed my identities. For some people I am a teacher , for some others I am Indian classical dancer, but for some I am just a colleague and for my bank I am a customer with signature and account number. In terms of analyzing this in the software application , just like me – an application is a entity that exists on its own, but has multiple identities . For Single page application consuming this application its identity would be a internet domain , a TLS cert , For database the identity of the application would be set of credentials like username and password and so on.
- For example, if you go to the bank and try to withdraw money from your account, the clerk might ask you for an ID (an o cial document) to check who you are. Along the same lines, if you buy a ight ticket, you might need to use a passport to prove you are the person entitled to that ticket before hopping on the plane . In contrast, authorization refers to the process of verifying what entities can access, or what actions they can perform. For a concrete example, imagine a situation where you buy a ticket for a show. In this case, more o en than not, the establishment will not be interested in your identity (i.e., on who you are). What they care about is whether you are authorized or not to attend the show. What is important for you to understand here is that authentication can lead to authorization but that the opposite is not true. Although proof of identity might be enough for you to get access to something (i.e., to be authorized to achieve something), having authorization cannot be used to identify an entity (like in the example where you would buy a ticket for a show).
- like when you let a random application post something on Facebook as if it was you. Before we had Oauth – when facebook was becoming popular – facebook had the feature for finding friends – how did they do that – ofcourse best possible option is to use your email . They had a screen where they let people login to your email and they u
- Chances are you have logged into applications like Spotify / Pinterest using “Login with Facebook” button.- then you know what I am talking about . As a user you really don’t care how SSO works but what you do care is how many times you have entered your username and password and be thankful for a smoother experience and that you have to remember fewer logins and passwords.
- like when you let a random application post something on Facebook as if it was you. Before we had Oauth – when facebook was becoming popular – facebook had the feature for finding friends – how did they do that – ofcourse best possible option is to use your email . They had a screen where they let people login to your email and they pretty much had access to your gmail using your username and password. I am pretty sure you all are thinking that it’s a very bad idea to do this.
- like when you let a random application post something on Facebook as if it was you. Before we had Oauth – when facebook was becoming popular – facebook had the feature for finding friends – how did they do that – ofcourse best possible option is to use your email . They had a screen where they let people login to your email and they pretty much had access to your gmail using your username and password. I am pretty sure you all are thinking that it’s a very bad idea to do this.
- like when you let a random application post something on Facebook as if it was you. Before we had Oauth – when facebook was becoming popular – facebook had the feature for finding friends – how did they do that – ofcourse best possible option is to use your email . They had a screen where they let people login to your email and they u
- like when you let a random application post something on Facebook as if it was you. Before we had Oauth – when facebook was becoming popular – facebook had the feature for finding friends – how did they do that – ofcourse best possible option is to use your email . They had a screen where they let people login to your email and they pretty much had access to your gmail using your username and password. I am pretty sure you all are thinking that it’s a very bad idea to do this.
- Its not a randomly generated token – it’s a self contained token – it has payload and its signed . The JWT is signed with a private key of the identity provider.
- Lets talk about the complexities of modern Authentication – Lets ask ourselves a question - how complex is authentication - you would say I could do authentication having a table with username with hashed password ? How about – forbidding automatic registrations, how about integrating with social network – how about connecting to external user store , how about single sign on , how about MFA for example smart card . Let ask another question - Do we really want to implement any of these – NO – does not make sense to re invent the wheel. Luckily there exist an approach which has been vetted through by the community – and existed in world before. The approach is to deploy a separate entity which would do one and only one job . We integrate with it preferably with the open and the standard protocol and we will let it do its job . We DELEGATE The Identity and access management
- Delegate Security
- There are lot of identity solutions in the world – either cloud based or on prem , either commercial or free and open source. Why Keycloak? - well, because it either implements all of the above out of the box or extensible enough to allow for relative and comparitivley easy implementation if you missed something. And is backed by Red Hat
- like when you let a random application post something on Facebook as if it was you. Before we had Oauth – when facebook was becoming popular – facebook had the feature for finding friends – how did they do that – ofcourse best possible option is to use your email . They had a screen where they let people login to your email and they u