No content

WHAT’S IN IT FOR ME 1. Conventional vs. zero trust architecture 2. User identity vs. machine identity 3. Platform example vs. application example 4.What should I use in my project? 

3 HI • Damjan Gjurovski • Software all-rounder J • Set up Keycloak and zero trust in a large developer platform, worked on some Keycloak plugins 

CONVENTIONAL VS. ZERO TRUST ARCHITECTURE 1 

5 PERIMETER- BASED SECURITY • Network perimeter • DMZ and internal zone • Trust those inside the zone • Check all entry points 

6 ZERO TRUST • Push security controls down • Always verify authentication and authorization • Follow the principle of least privilege 

7 THE ROOT OF TRUST PROBLEM • Turtles all the way down • Who compiles the compiler https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf 

USER IDENTITY VS. MACHINE IDENTITY 2 

9 USER IDENTITY • User accounts • Groups, roles, permissions bound to work roles • Least privilege according to current task/role https://gist.github.com/angelo-v/e0208a18d455e2e6ea3c40ad637aac53 

10 MACHINE IDENTITY • Service accounts • Groups and permissions bound to use-case, type or network perimeter • Least privilege is difficult 

PLATFORM EXAMPLE VS. APPLICATION EXAMPLE 3 

12 THE PLATFORM • Keycloak • JWTs • Identity federation • Istio • OAuth proxy • OPA • Vault • Kubernetes • GCP 

13 PLATFORM 

14 THE APPLICATION • Keycloak • OPA • Vault • Kubernetes 

WHAT SHOULD I USE IN MY PROJECT 4 

16 THIS IS THE WAY • Use Keycloak J • Use zero trust • Reconsider JWTs • Prioritize user identities 

17 WANT TO KEEP THE DISCUSSION GOING? MESSAGE ME ON LINKEDIN!