
Practical Auth in a Serverless World

Andreas Grimm
September 06, 2019


It has become essential for businesses to protect their applications, services and customer data from attackers. If you want to stay competitive, knowing how to apply security and auth efficiently and easily, while being aware of the most common pitfalls, is key in today's serverless world.
Traditional machine-to-machine auth approaches that rely on a stateful environment fall short in a modern serverless, and thus stateless, world.
After a short recap of some auth fundamentals, you'll learn how to efficiently apply authentication to Azure Functions without compromising security.


Transcript

  1. @_andreasgrimm Akelius (Berlin office). Real Estate, Internal Business Software. 2/3 K8S, 1/3 serverless. IAM Architecture / Security. DDD & EventStorming. Community.
  2. Agenda: Serverless; My Serverless Story; Serverless & Auth; Auth Fundamentals; Protect a Serverless API; Access an API from FaaS.
  3. – Gojko Adzic (@gojkoadzic): “Serverless is without servers like WiFi is without wires. With WiFi there are still wires (e.g. router attached to cable modem), but you don't care about them anymore.”
  4. Your code is being scheduled ... by a scheduler you don't own. Not true for Kubernetes (self-hosted & managed).
  5. Storage: Amazon S3 / Azure Blob Storage; Amazon DynamoDB / Azure Cosmos DB; AWS AppSync; Amazon Athena.
  6. Messaging: Amazon SNS / Azure EventGrid; Amazon SQS / Azure ServiceBus; Google Cloud PubSub; Amazon EventBridge.
  7. Self-Hosted IDPs (IDP = Identity Provider): How to scale? No SLAs. "Pager Duty" -> Soenke's list. "Total Cost of Ownership".
  8. Auth Examples -> Auth0 (IDP); Azure Functions (FaaS); Azure API Management (API Gateway); Cloudflare Workers (API Gateway); Azure KeyVault (Security Management System); Azure Managed Identities (IAM for cloud resources).
  9. JWT Validation in Function App. "Function App": group of functions deployed together, sharing one identity.
  10. Why use Key Vault? Secret-less access, based on identity; enables key rotation; ideal for "stateless" environments.
  11. Summary: JWT Validation On Top of API key; Use Central SMS (Secrets Management System, e.g. Key Vault); Cache Tokens (In-Memory &) in SMS; SMS Enables Key Rotation.
  12. Twitter: @_andreasgrimm; LinkedIn: linkedin.com/in/andreas-grimm/; Blog: andreasgrimm.com; Meetups: @DDDBER, @FullstackJS, Serverless Berlin.