Secure, Collaborative IAM

Combined Session
Friday, June 07, 2024 13:30—14:30
Location: B 07-08

Securing Workload Identities: Best Practices for Tokenizing Third-Party API Keys and Access Tokens
13:30—13:50
 

Stolen secrets and credentials are one of the most common ways for attackers to move laterally and maintain persistence in cloud environments.

Modern cloud deployments employ secrets management systems such as KMS to protect key materials at rest and avoid leaking keys or credentials in source code or other build artifacts. However, secrets are unprotected at runtime, so any vulnerability or compromise of a service could lead to credential theft.

This talk will propose an architecture that, in conjunction with a secret manager, tokenizes secrets and rewrites requests at runtime. Through this approach, application code never directly interacts with key material. Additionally, it enforces stringent access control rules based on Open Policy Agent (OPA) policies for accessing secrets, significantly reducing the blast radius in the event of a security breach.

Vincenzo Iozzo
CEO
SlashID
CEO and Co-founder of SlashID. Previously, Founder & CEO of IperLane (acquired by Crowdstrike). Vincenzo is a Committee Member of the Black Hat Conference Board and was an Associate Researcher...

Enabling Fine Grained Authorization for Microservices with Standards
13:50—14:10
 

The proliferation of microservices, along with the changing threat landscape, means it is no longer possible to rely on network segmentation to establish a secure perimeter while allowing broad access between services inside the perimeter. As a result, we have to assume that the attackers are inside the perimeter and apply fine-grained authorization at the microservice level to ensure least-privilege access based on the context of each transaction. This context includes details of the transaction, the user, other services, or workloads in the call chain as well as the trust domains in which the services operate.

The good news is that there are two new complementary standards being developed in the IETF OAuth working group that provide a standardised mechanism for preserving transaction context. The Transaction Tokens draft provides a mechanism for preserving context for fine-grained authorization decisions within a trust domain, while Identity Chaining across Trust Domains provides a mechanism for preserving that context even when crossing trust boundaries. In this session we will provide an overview of these two emerging standards and describe how they are used to enable fine-grained authorization in microservices.

Pieter Kasselman
Identity Standards Architect
Microsoft
Pieter Kasselman is a member of Microsoft's Identity Standards team where he focuses on developing standards to address the most important problems in the field of identity. Pieter has over 25 years'...

Digital Trust - Building Truly Collaborative Networks
14:10—14:30
 

Collaborative Networks have been widely used in business models for modern manufacturing to support today’s fast-moving innovations and complex supply chains. Managing different levels of trust efficiently and securely in Collaborative Networks is critical for productization and time-to-market.

Enabling trust in digital interactions requires the right balance between security and user experience. By combining the lessons learned from the user experience of consumer identity; mission-critical identity proofing and identity validation in financial services; and data privacy regulation compliance across regulated markets, a brand new approach to secure identity management across all industries has been on the rise.

Collaborative Networks (suppliers, partners, distributors, brokers etc.) have a very diverse set of users with varying security, privacy and user experience needs. Discover how to strike that balance to harness the true power of collaboration!

Mithun Singh
Product Adoption Manager IAM
Thales
Mithun Singh brings almost a decade of experience in Identity and Access Management including Fraud, Risk & Open Banking and is currently the Product...