Lightweight Zero-trust Network Implementation and Transition with Keycloak and NGINX
Hitachi, Ltd. OSS Solution Center.
Open Source Summit Japan 2021
1.
Lightweight Zero-trust Network Implementation and Transition with Keycloak and NGINX
Open Source Summit Japan 2021
Hitachi, Ltd. OSS Solution Center
Yoshiyuki Tabata
© Hitachi, Ltd. 2021. All rights reserved.
2.
About the speaker
Yoshiyuki Tabata, Software Engineer, OSS Solution Center, Hitachi, Ltd. (GitHub: @y-tabata)
- Consultant for API systems. For example, building a high-security banking API system.
- Contributor to 3scale (OSS API management). Developed features around security and access control: "Edge Limiting", "RBAC", "OAuth MTLS", ...
- Contributor to Keycloak (OSS identity management). Developed features required for API use cases based on OAuth/OIDC: "Token Revocation", "Refresh token setting per client", ...
3.
Session Overview (1/3)
- In the traditional API system, the security boundary between the public network and the private network is clear, so we only needed to focus on it.
[Figure: the Client App (public network) calls the API through the API Gateway and delegates authentication and authorization to the Authorization Server; Resource Servers (private network) expose their APIs. Build the API system by following OAuth 2.0, the de facto standard of API security.]
4.
Session Overview (2/3)
- In the world of microservices, various services expose their APIs, so it is much more difficult to define a security boundary between the public network and the private network.
[Figure: many services each expose an API and call one another; the Client App delegates authentication and authorization to the Authorization Server. Build the API system by following OAuth 2.0, the de facto standard of API security.]
5.
Session Overview (3/3)
- So we need to consider introducing a "zero-trust network" to secure each service independently (per service/pod).
- The typical way to achieve a zero-trust network is with a service mesh, but it needs rich resources for its rich features and it affects the architecture a lot.
- We propose a lightweight zero-trust network implementation.
[Figure: each service now sits inside its own security boundary.]
6.
Contents
1. What is zero-trust network?
2. How to achieve the underlying technology behind zero-trust network
3. Transition from traditional security boundary definition to per service/pod definition
4. Additional topic 1: How to achieve east-west traffic
5. Additional topic 2: How to resolve chokepoint issue of Policy Decision Point
7.
Contents (agenda slide repeated)
8.
What is zero-trust network? - Underlying technology
- Treat the system internal network the same as the public network.
- The underlying technology behind zero-trust network is JWT validation and mutual TLS.
- Istio only requires mTLS in the system internal network, but among API security professionals JWT validation is said to be needed as well.
[Figure: mTLS and JWT validation are required in the public network. Source: Istio (https://istio.io/latest/docs/concepts/security/)]
9.
Underlying technology 1 - JWT validation
- In the context of OAuth 2.0, the JWT presented during an API call is the OAuth 2.0 Access Token.
- The access token is issued by an authorization server and represents an authorization.
- Generally, validate the JWT with the authorization server, i.e. following Token Introspection (RFC 7662).
- What to validate:
  Signature: check the JWT has not been tampered with
  Expiry: check the JWT has not expired
  Scope: check the client was authorized to call the API
  Audience: check the resource server (API GW) is the one intended to return the response
[Figure: typical OAuth 2.0 authorization code flow. 1. The Client App delegates authentication and authorization to the Authorization Server; 2. the Authorization Server issues an Access Token after authentication and authorization; 3. the Client App calls the API through the API Gateway with the Access Token (JWT); the API Gateway performs Token Introspection against the Authorization Server.]
10.
Underlying technology 2 - mutual TLS
- Just as the server is authenticated using a server certificate, authenticate the client using a client certificate during the TLS handshake.
[Figure: the Client App presents the client certificate and the API Gateway presents the server certificate; the API Gateway verifies the client certificate using trusted CA certificates.]
11.
Underlying technology 2' - OAuth MTLS (RFC 8705)
- In the context of OAuth 2.0, OAuth 2.0 Mutual-TLS Client Certificate-Bound Access Tokens (hereinafter OAuth MTLS) is defined in RFC 8705.
- OAuth MTLS prevents access token theft.
[Figure: 1. The Client App delegates AuthN/AuthZ to the Authorization Server, presenting the client certificate during the TLS handshake; 2. the Authorization Server issues an Access Token that includes the hash of the client certificate; 3. the Client App calls the API with the Access Token (JWT), again presenting the client certificate during the TLS handshake. The API Gateway verifies the client certificate using trusted CA certificates and verifies that the hash of the client certificate equals the one in the Access Token.]
12.
Underlying technology 2' - OAuth MTLS (RFC 8705)
- By extending token introspection, the resource server can delegate the client certificate check to the authorization server.
[Figure: the same flow as the previous slide, but the API Gateway delegates the client certificate check to the Authorization Server through token introspection.]
Comparison of mTLS and OAuth MTLS:
  Where trusted CA certificates are managed: mTLS - both the authorization server and the resource server (API GW); OAuth MTLS - the authorization server only.
  Prevents access token theft: mTLS - No; OAuth MTLS - Yes.
- If you publish your API to a large number of unspecified clients on the public network, OAuth MTLS may be suitable.
13.
Contents (agenda slide repeated)
14.
What OSS do we use?
- We use Keycloak as the Authorization Server and NGINX as the API Gateway.
[Figure: the same authorization code flow with NGINX (API Gateway) and Keycloak (Authorization Server): 1. delegate authentication and authorization; 2. issue Access Token after authentication and authorization; 3. call API with Access Token (JWT); NGINX performs Token Introspection against Keycloak.]
15.
What is Keycloak?
- Keycloak is an identity management OSS.
- Keycloak provides OAuth 2.0 authorization server features.
Major features:
  ID management and authentication
  ID federation corresponding to major standards (including OAuth 2.0 authorization server): supports OAuth 2.0 / OpenID Connect and SAML
  Can be linked with LDAP and Active Directory
  Social login (Identity Brokering): also supports social login with providers such as GitHub
[Figure: Keycloak backed by LDAP, Active Directory or an RDB; federating via OpenID Connect and SAML; brokering social login from GitHub, Twitter and Facebook.]
16.
How to achieve JWT validation
- Keycloak supports Token Introspection as a standard feature.
- NGINX supports the ngx_http_auth_request_module module, which implements client authorization based on the result of a subrequest. If the subrequest returns a 2xx response code, access is allowed. If it returns 401 or 403, access is denied with the corresponding error code.
[Figure: NGINX delegates JWT validation to Keycloak: it sends an introspection request to Keycloak's token introspection endpoint, proxies to the resource server if the access token is active, and denies access if the access token is not active.]
17.
How to achieve mTLS
- NGINX supports the ssl_verify_client directive, which enables verification of client certificates. Trusted CA certificates are specified with the ssl_client_certificate directive.
[Figure: during the TLS handshake the Client App presents the client certificate and NGINX presents the server certificate; NGINX verifies the client certificate using trusted CA certificates.]
Slide 17: How to achieve OAuth MTLS
- NGINX supports the optional_no_ca parameter of the ssl_verify_client directive, which requests a client certificate but does not require it to be signed by a trusted CA certificate. This is intended for cases where a service external to NGINX performs the actual certificate verification.
- The $ssl_client_escaped_cert variable returns the client certificate in PEM format for an established SSL connection.
- NGINX sends the access token and the client certificate to the token introspection endpoint; by using an SPI, we can extend token introspection to check the client certificate at Keycloak.
[Diagram: Client App -> NGINX -> Keycloak. 1. Delegate AuthN/AuthZ (present client certificate during TLS handshake); 2. Issue Access Token (Access Token includes hash of client certificate); 3. Call API w/ Access Token (JWT) (present client certificate during TLS handshake); Token Introspection from NGINX to Keycloak.]
Slide 18: Contents
1. What is zero-trust network?
2. How to achieve the underlying technology behind zero-trust network
3. Transition from traditional security boundary definition to per service/pod definition
4. Additional topic 1: How to achieve east-west traffic
5. Additional topic 2: How to resolve chokepoint issue of Policy Decision Point
Slide 19: Security boundary transition scenario
- So far, we have explained how to use Keycloak and NGINX to achieve the underlying technology behind a zero-trust network.
- From here, we make the granularity of the security boundary finer.
[Diagram: the Client App on the public network calls the API through NGINX, which delegates Authentication and Authorization to Keycloak; the Resource Servers sit on the private network inside the Security Boundary ("Expose API!").]
Slide 20: Step 1: Change API Gateway to NGINX Ingress Controller
- First of all, lift the existing system into the world of containers.
- Compared to cloud services, this API Gateway lifting is very easy with NGINX because we can reuse the NGINX conf file, for example using the server-snippet and location-snippet annotations, or using the custom resource named VirtualServer.
[Diagram: Client App (public network) -> NGINX Ingress Controller -> Resource Servers (private network, inside the Security Boundary); NGINX Ingress Controller delegates Authentication and Authorization to Keycloak.]
Slide 21: Step 2: Shift security boundary to per service
- This step is useful if the resource server's service takes a little time to be modified.
- Again we can reuse the NGINX conf file.
- To pass client certificates through the NGINX Ingress Controller, we use the custom resource named TransportServer to configure the stream context.
[Diagram: Client App -> NGINX Ingress Controller -> Proxy Service -> Resource Server, with one Security Boundary per service; the Proxy Service delegates Authentication and Authorization to Keycloak.]
Slide 22: Step 3: Shift security boundary to per pod
- Achieve the so-called sidecar.
- Again we can reuse the NGINX conf file, and we can reuse the TransportServer setting too.
- The API call is first sent to the proxy container, and if all checks pass, it is proxied to the resource server container.
[Diagram: Client App -> NGINX Ingress Controller -> Proxy container -> Resource Server container, with the Security Boundary per pod; the Proxy container delegates Authentication and Authorization to Keycloak.]
Slide 23: Contents (agenda repeated; same five items as on slide 18)
Slides 24-26: How to achieve east-west traffic
- So far, we have targeted north-south traffic, i.e. traffic from client to resource server, from external to internal.
- How do we achieve east-west traffic, i.e. traffic from internal to internal?
- For example, when the resource server wants to get resources from other services.
- In this case, the resource server container should again send the request through the proxy container.
[Diagram: Client App -> NGINX Ingress Controller -> Proxy container -> Resource Server container; the Resource Server container reaches Another Service via its Proxy container; Keycloak handles Authentication and Authorization.]
Slide 27: How to achieve JWT validation (east-west traffic)
- To validate the JWT, the proxy container must send a JWT:
  Option A: send the same access token that the client sent
  Option B: send a different access token obtained from the authorization server by following OAuth 2.0 Token Exchange (RFC 8693)
- Both options need the user's consent.
[Diagram: Resource Server container -> Proxy container -> Another Service, with Keycloak. Option A: same Access Token (AT) forwarded; Option B: different Access Token (AT') obtained via Token Exchange.]
Slide 28: How to achieve JWT validation (east-west traffic)
- The Audience check is very important for this case.
- Without the Audience check, the user's resources may be provided to a malicious service.
[Diagram: a Malicious Service may redirect the access token (AT) received from the Client App to Another Service without the user's consent; Another Service must validate the Audience to check that it is the intended recipient before returning the response.]
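As an added example (not code from the presentation, Keycloak or NGINX), the decision a policy enforcement point makes on a token introspection response, combining the checks from slides 15, 17 and 28: the active flag, the audience, and the certificate binding (RFC 8705 x5t#S256 thumbprint) against the PEM that NGINX's $ssl_client_escaped_cert would supply. The certificate bytes and the introspection response are constructed sample data; the function names are assumptions.

```python
import base64
import hashlib
import urllib.parse
from typing import Optional, Tuple

def make_pem(der: bytes) -> str:
    # Wraps bytes as a PEM block; the body here is CONSTRUCTED, not a real X.509 certificate.
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def escape_cert(pem: str) -> str:
    # Mirrors what NGINX's $ssl_client_escaped_cert hands to the subrequest (URL-encoded PEM).
    return urllib.parse.quote(pem, safe="")

def x5t_s256(pem: str) -> str:
    # RFC 8705 thumbprint: base64url(SHA-256(DER)) with padding removed.
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    return base64.urlsafe_b64encode(hashlib.sha256(der).digest()).rstrip(b"=").decode()

def decide(introspection: dict, expected_aud: str, escaped_cert: Optional[str]) -> Tuple[bool, str]:
    # Policy decision on a token introspection response (RFC 7662 fields).
    if not introspection.get("active"):
        return False, "token not active"
    aud = introspection.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if expected_aud not in aud:
        return False, "audience mismatch: token not intended for this service"
    cnf = introspection.get("cnf", {})
    if "x5t#S256" in cnf:                       # certificate-bound token (OAuth MTLS)
        if escaped_cert is None:
            return False, "certificate-bound token presented without a client certificate"
        if x5t_s256(urllib.parse.unquote(escaped_cert)) != cnf["x5t#S256"]:
            return False, "client certificate does not match cnf claim"
    return True, "ok"

# Constructed sample data (not real certificates or tokens).
CLIENT_PEM = make_pem(b"constructed client certificate bytes")
CLIENT_CERT_ESCAPED = escape_cert(CLIENT_PEM)
SAMPLE_INTROSPECTION = {
    "active": True,
    "aud": ["resource-server"],
    "sub": "alice",
    "cnf": {"x5t#S256": x5t_s256(CLIENT_PEM)},
}

if __name__ == "__main__":
    print(decide(SAMPLE_INTROSPECTION, "resource-server", CLIENT_CERT_ESCAPED))  # (True, 'ok')
    print(decide(SAMPLE_INTROSPECTION, "another-service", CLIENT_CERT_ESCAPED))  # audience mismatch
```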
Slide 29: How to achieve mTLS (east-west traffic)
- As in the case of north-south traffic, there are 2 methods: mTLS and OAuth MTLS.
- Unlike the north-south case, the requesting parties are limited, so mTLS may be enough (OAuth MTLS may be over-engineered).
- We can add the client certificate and key with the proxy_ssl_certificate and proxy_ssl_certificate_key directives.
[Diagram: during the TLS handshake the Proxy container presents the client certificate, Another Service presents the server certificate and verifies the client certificate using trusted CA certificates.]
Slide 30: Contents (agenda repeated; same five items as on slide 18)
Slide 31: Where is the chokepoint?
- As the number of API calls increases, Keycloak may become the chokepoint of this architecture, because Keycloak is accessed on every API call.
- In Zero Trust Architecture (NIST SP 800-207) terms, Keycloak is the PE (Policy Engine), and NGINX is the PEP (Policy Enforcement Point) + PA (Policy Administrator).
- From here, we consider how to reduce the load on the PE.
[Diagram: Client App -> NGINX (PEP + PA) -> Keycloak (PE). 1. Delegate AuthN/AuthZ (present client certificate during TLS handshake); 2. Issue Access Token (Access Token includes hash of client certificate); 3. Call API w/ Access Token (JWT) (present client certificate during TLS handshake); Token Introspection from NGINX to Keycloak.]
Slide 32: How to reduce the load of PE (Keycloak)
- We consider using Open Policy Agent (OPA), the de facto standard OSS for a PE (Policy Engine).
  Option A: cache token introspection responses
  Option B: make OPA act as PE and Keycloak act as PIP (Policy Information Point)
[Diagram: Client App -> NGINX + OPA -> Keycloak; same three steps as the OAuth MTLS flow; Token Introspection from NGINX/OPA to Keycloak.]
Slide 33: Option A: Cache token introspection responses
- By caching token introspection responses, we can reduce the access frequency to Keycloak.
- Even if the access token is revoked at Keycloak, it is not revoked at the resource server immediately, so the access token lifespan should be a suitably short value.
[Diagram: Client App -> NGINX -> OPA -> Keycloak, with MongoDB as the cache. 4. NGINX delegates JWT validation to OPA; 5. OPA checks the cache; 6. Token Introspection against Keycloak if cache miss; 7. Save result to the cache.]
Slide 34: Option B: Make OPA act as PE and Keycloak act as PIP
- The OPA container becomes the PE completely, and Keycloak becomes the PIP, which only provides information for decisions to grant access.
- By using an SPI, we can extend Keycloak's event listener feature to notify operations to the Converter.
[Diagram: I. Keycloak notifies resource (User, Client, Key, ...) and operation (Create, Update, Delete, ...) to the Converter; II. the Converter saves the data to MongoDB; 4. NGINX delegates JWT validation to OPA; 5. OPA checks the data in MongoDB.]
Slide 35: How to reduce the load of PE (Keycloak)
- Option B is the ideal implementation, but it is expensive to implement.
- Option A, on the other hand, has the security concern that access token revocation cannot be synchronized immediately, although the implementation cost is minimal.
- A hybrid proposal may be the most acceptable implementation: cache the results of token introspection, and synchronize only token revocation notifications.

                                                     Option A: cache token     Option B: OPA as PE,
                                                     introspection responses   Keycloak as PIP
  need to prepare Converter                          No                        Yes
  implement SPI                                      No                        Yes
  synchronize access token revocation immediately    No                        Yes
Slide 36: Summary
• The underlying technology behind zero-trust network is JWT validation and mTLS. OAuth MTLS (RFC 8705) is forwards-compatible with mTLS.
• By using Keycloak and NGINX, we can achieve the underlying technology and transition from traditional security boundary definition to per service/pod definition smoothly. Not only north-south traffic but also east-west traffic can be covered.
• By using OPA, we can reduce the load of Keycloak (PE).
Slide 37: Trademarks
• OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries.
• GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other countries.
• Facebook is a registered trademark of Facebook, Inc.
• Twitter is a registered trademark of Twitter, Inc.
• The Kubernetes logo is a registered trademark of The Linux Foundation.
• Red Hat, and 3scale are registered trademarks of Red Hat, Inc. in the United States and other countries.
• NGINX is a trademark of F5 Networks, Inc. in the U.S. and in certain other countries.
• Istio is a trademark or registered trademark of Google LLC.
• Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.