
Avatar for Greg Hamer Greg Hamer
October 22, 2023

Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Native! Open Source. OAuth OIDC]

Application Security. Demo of open source project using *FREE* developer accounts with 3 cloud native services.
Recording here: https://www.youtube.com/watch?v=Sc2uoNjcrqU
Referenced notes at https://bit.ly/edge9


Transcript

  1. BACKBLAZE TECH DAY ‘23
     Trust in Every Byte: Securing Edge Workflows with Fastly Compute
     Dora Militaru, Developer Relations Engineer, Fastly
     Greg Hamer, Principal Developer Evangelist, Backblaze
  2. Agenda
     • Backblaze + Fastly Together
     • OAuth/OIDC Overview
     • Introduction to the Sample Application
     • Demonstration
       ◦ End User Experience
       ◦ Application Logic (Fastly Compute)
     • Questions & Answers
  3. • Backblaze B2 is world-class cloud storage
     • Fastly is a world-class edge cloud platform
     • Backblaze and Fastly have been partners since 2020
     • Free Egress! No cost for moving data between Backblaze B2 and Fastly
     • Backblaze B2 storage costs 1/5th of other world-class cloud storage vendors
  4. • Data security is imperative, as is enabling access to the data
     • Customers come to Backblaze B2 for durability and reliable access
     • Backblaze B2 supports:
       ◦ Public buckets
       ◦ Private buckets
     • Public buckets are excellent for data that allows anonymous access
     • Private buckets require systems for authentication and authorization in order for contents to be accessed
  5. Central Challenge: Serving data out of a private bucket
  6. Central Challenge: Serving data out of a private bucket
     Solution: Federated login
  7. Application Overview
     • Cloud native
       ◦ Backblaze B2
       ◦ Fastly
       ◦ Okta
     • Source code on GitHub including detailed README.md
     • Application is simple but infinitely scalable
       ◦ 2 users
       ◦ 2 groups
       ◦ 2 secure documents
       ◦ 1 key pair for bucket access
     • Serverless Fastly Compute
     • UI via a simple JavaScript single-page application (SPA)
  8. Resources: Documentation + Source Code
     • Reference Architecture
     • Use Cases
     • Proof of Concept Application
  9. Resources: Fastly.com
     • Reference Architecture
       ◦ Article: Simplifying authentication with OAuth at the edge
         https://www.fastly.com/blog/simplifying-authentication-with-oauth-at-the-edge
     • Use Cases
       ◦ Article: Building on top of OAuth at the edge
         https://www.fastly.com/blog/building-on-top-of-oauth-at-the-edge
         ▪ Paywalls and other advanced authorization decisions
         ▪ Granular access control for static content
         ▪ Upgrading access with incremental authorization
         ▪ Blocking abusive users
  10. Resources
      Shared Link
      • bit.ly/edge9
      Demo URL
      • https://b2-rbac.edgecompute.app/
      GitHub.com - Proof of Concept Application
      • Project: Role-Based Access Control at the Edge
        https://github.com/backblaze-b2-samples/fastly-compute-rust-rbac
  11. Fastly Network Map (2023 September)
      277 Tbps Global Edge Capacity as of 06/30/2023
  12. Fastly Compute
      • Performant: 100x faster startup times and high vCPU code execution
      • Scalable: Runs globally at all Fastly POPs
      • Secure: Full isolation for each request
      • Fast: Execution close to end users
      • Instant global deployment
  13. Fastly’s Edge Cloud Platform
      Benefits of Compute running on Fastly:
      • Faster request-response performance
      • Caching
      • DDoS and WAF
      • Real-time observability, metrics and monitoring
      • Logging
  14. Access Security
      #1 most critical web application security risk in 2023: Broken Object Level Authorization
      #2: Broken Authentication
      Source: OWASP Top 10 API Security Risks – 2023 – https://owasp.org/API-Security/editions/2023/en/0x11-t10/
  15. Access Security and Fastly Compute
      For best performance and manageability, this access security architecture:
      • Provides authorization close to the end user – fast and distributed
      • Is isolated from the rest of the system – autonomous
      • Is implemented and maintained by security professionals – secure
      • Is easy to integrate with existing and future applications
  16. Roles in OAuth
      Source: "OAuth: When Things Go Wrong" by Aaron Parecki, Okta Inc., Senior Security Architect
  17. Demo from End User Perspective
      Demo URL: https://devweek2023-demo.edgecompute.app/
      Diagram labels: User, Application, Identity Provider (IdP), Origin, Fastly Compute, Private
  18. Proxy Access via Fastly - Physical View
      Our code is deployed to every Fastly POP. Fastly routes requests to the closest POP to the user.
      Diagram labels: Identity Provider, Backblaze B2
  19. Use Case in Demonstration
      • Role-Based Access Control to resources in Backblaze B2
        ◦ authN - Authentication
          ▪ Login via Okta as IdP using OpenID Connect
        ◦ authZ - Authorization
          ▪ Implemented in Fastly Compute (serverless edge)
          ▪ Rules:
            ▪ Allow read access to files in the “root” of the B2 bucket to any authenticated user (through group Everyone)
            ▪ Allow additional read access to files in B2 bucket “subdirectories” based on group membership, where the group name matches a subdirectory’s name
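The two authorization rules above as a single decision function, written here in Rust (the language of the linked sample project) as an added example; it is not the project's own code. It assumes the requested object key is a '/'-separated path relative to the bucket and that the group names come from an ID token the edge code has already verified.

```rust
// Added example, not code from the fastly-compute-rust-rbac project.
// Assumptions: the object key is a '/'-separated path relative to the bucket,
// and `Principal` carries group names taken from an ID token that was already
// verified (signature, issuer, audience, expiry) before authorization runs.

/// Groups of an authenticated user, as asserted by the identity provider.
pub struct Principal {
    pub groups: Vec<String>,
}

/// Authorization decision for a read of `key`.
/// Rule 1: any authenticated user may read objects in the bucket root
///         (the demo expresses this through membership of group "Everyone").
/// Rule 2: objects under a first-level "subdirectory" require membership in
///         the group whose name equals that subdirectory (exact, case-sensitive).
/// Everything else, including unauthenticated callers and malformed keys, is denied.
pub fn may_read(key: &str, user: Option<&Principal>) -> bool {
    // authN comes first: without a verified identity there is no access at all.
    let user = match user {
        Some(u) => u,
        None => return false,
    };

    // Normalise the key: drop the leading slash, then refuse empty, "." and ".."
    // segments so that "finance/../hr/x" cannot borrow the finance group's rights.
    let key = key.trim_start_matches('/');
    if key.is_empty() {
        return false;
    }
    let segments: Vec<&str> = key.split('/').collect();
    if segments.iter().any(|s| s.is_empty() || *s == "." || *s == "..") {
        return false;
    }

    match segments.as_slice() {
        // "report.pdf": lives in the root, readable by every authenticated user.
        [_file] => true,
        // "finance/2023/report.pdf": the first segment names the required group.
        [dir, .., _file] => user.groups.iter().any(|g| g.as_str() == *dir),
        // Unreachable after the checks above (empty slice), but deny by default.
        _ => false,
    }
}
```

Deny-by-default on anything malformed is deliberate: the OWASP API risk the deck cites (Broken Object Level Authorization) is usually a permissive fallback, not a missing rule.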
  20. Sample App Demo
      • User experience view
        ◦ In web browser
        ◦ Console open for developer view of cookies
      • Fastly CLI
        ◦ Console open for developer view of log-tail including:
          ▪ stdout and stderr output
          ▪ Near real-time
  21. Resources
      Shared Link
      • bit.ly/edge9
      Demo URL
      • https://b2-rbac.edgecompute.app/
      GitHub.com - Proof of Concept Application
      • Project: Role-Based Access Control at the Edge
        https://github.com/backblaze-b2-samples/fastly-compute-rust-rbac