Zero trust architecture with Keycloak
Posedio
June 12, 2024
Programming
Transcript
WHAT’S IN IT FOR ME
1. Conventional vs. zero trust architecture
2. User identity vs. machine identity
3. Platform example vs. application example
4. What should I use in my project?
HI
• Damjan Gjurovski
• Software all-rounder
• Set up Keycloak and zero trust in a large developer platform, worked on some Keycloak plugins
1. CONVENTIONAL VS. ZERO TRUST ARCHITECTURE
PERIMETER-BASED SECURITY
• Network perimeter
• DMZ and internal zone
• Trust those inside the zone
• Check all entry points
ZERO TRUST
• Push security controls down
• Always verify authentication and authorization
• Follow the principle of least privilege
THE ROOT OF TRUST PROBLEM
• Turtles all the way down
• Who compiles the compiler? https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
2. USER IDENTITY VS. MACHINE IDENTITY
USER IDENTITY
• User accounts
• Groups, roles, permissions bound to work roles
• Least privilege according to current task/role https://gist.github.com/angelo-v/e0208a18d455e2e6ea3c40ad637aac53
MACHINE IDENTITY
• Service accounts
• Groups and permissions bound to use-case, type or network perimeter
• Least privilege is difficult
3. PLATFORM EXAMPLE VS. APPLICATION EXAMPLE
THE PLATFORM
• Keycloak
• JWTs
• Identity federation
• Istio
• OAuth proxy
• OPA
• Vault
• Kubernetes
• GCP
PLATFORM
THE APPLICATION
• Keycloak
• OPA
• Vault
• Kubernetes
4. WHAT SHOULD I USE IN MY PROJECT?
THIS IS THE WAY
• Use Keycloak
• Use zero trust
• Reconsider JWTs
• Prioritize user identities
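The "always verify authentication and authorization" and "least privilege" bullets of the ZERO TRUST slide, and the "Reconsider JWTs" bullet above, as an added example that is not part of the deck or of Keycloak: a resource server that checks a Keycloak-style access token on every request (algorithm allow-list, signature, issuer, audience, expiry) and then requires one specific client role per operation. Assumptions: Keycloak signs realm tokens with RS256 by default, but this example uses HS256 with a shared secret so it runs on the Python standard library alone; the realm URL, the client id "orders-api", the role names and the sample token are all constructed for the example.

```python
"""Verify a Keycloak-style access token and authorize each request.

Added example for this deck (not code from the talk or from Keycloak).
Keycloak signs realm tokens with RS256 by default; here HS256 with a shared
secret is used (an assumption) so the example runs on the standard library
alone. The checks (alg allow-list, signature, iss, aud, exp/nbf, roles) are
the same ones a resource server applies with RS256 and the realm's JWKS.
"""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical realm, client and role names, constructed for the example.
ISSUER = "https://sso.example.internal/realms/platform"
AUDIENCE = "orders-api"                      # this service's Keycloak client id
SECRET = b"example-shared-secret-do-not-use"
ALLOWED_ALGS = {"HS256"}                     # never let the token choose the alg
LEEWAY = 30                                  # seconds of clock skew tolerated
REQUIRED_ROLE = {"orders:read": "order-viewer", "orders:cancel": "order-manager"}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, alg="HS256"):
    """Produce a compact JWS. Only used here to build sample input."""
    parts = [json.dumps(p, separators=(",", ":")).encode()
             for p in ({"alg": alg, "typ": "JWT"}, claims)]
    signing_input = ".".join(_b64url_encode(p) for p in parts)
    sig = b"" if alg == "none" else hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, now=None):
    """Return the claims if the token is authentic and meant for us, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") not in ALLOWED_ALGS:      # blocks alg=none and downgrade tricks
        raise ValueError("algorithm not allowed")
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud     # Keycloak emits a string or a list
    if AUDIENCE not in aud:
        raise ValueError("token not issued for this service")
    if "exp" not in claims or now > claims["exp"] + LEEWAY:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0) - LEEWAY:
        raise ValueError("token not yet valid")
    return claims


def is_authorized(claims, operation):
    """Least privilege: every operation needs one specific client role."""
    role = REQUIRED_ROLE.get(operation)
    # Keycloak places client roles under resource_access[<client id>].roles
    roles = claims.get("resource_access", {}).get(AUDIENCE, {}).get("roles", [])
    return role is not None and role in roles


def handle_request(token, operation, now=None):
    """Authenticate, then authorize, on every call; no trust from network position."""
    try:
        claims = verify_token(token, now)
    except ValueError as exc:
        return f"401 {exc}"
    if not is_authorized(claims, operation):
        return f"403 missing role for {operation}"
    return f"200 {claims.get('preferred_username', '?')} may {operation}"


if __name__ == "__main__":
    now = 1_700_000_000
    sample = mint_token({  # constructed claims shaped like a Keycloak service-account token
        "iss": ISSUER, "aud": [AUDIENCE, "account"], "iat": now, "exp": now + 300,
        "preferred_username": "service-account-batch",
        "resource_access": {AUDIENCE: {"roles": ["order-viewer"]}},
    })
    print(handle_request(sample, "orders:read", now))        # 200 service-account-batch may orders:read
    print(handle_request(sample, "orders:cancel", now))      # 403 missing role for orders:cancel
    print(handle_request(sample, "orders:read", now + 600))  # 401 token expired
    unsigned = mint_token({"iss": ISSUER, "aud": AUDIENCE, "exp": now + 300}, alg="none")
    print(handle_request(unsigned, "orders:read", now))      # 401 algorithm not allowed
```

The point the "Reconsider JWTs" bullet makes shows up in the last check: the verifier can only see exp, so a token stays valid until it expires even if the session was revoked in Keycloak. Keep access-token lifetimes short, or call the realm's token introspection endpoint for operations that matter, and pin the algorithm on the verifying side rather than reading it from the header.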
WANT TO KEEP THE DISCUSSION GOING? MESSAGE ME ON LINKEDIN!