Zero trust architecture with Keycloak

Transcript

1. None

2. WHAT’S IN IT FOR ME 1. Conventional vs. zero trust

   architecture 2. User identity vs. machine identity 3. Platform example vs. application example 4.What should I use in my project?

3. 3 HI • Damjan Gjurovski • Software all-rounder J •

   Set up Keycloak and zero trust in a large developer platform, worked on some Keycloak plugins

4. CONVENTIONAL VS. ZERO TRUST ARCHITECTURE 1

5. 5 PERIMETER- BASED SECURITY • Network perimeter • DMZ and

   internal zone • Trust those inside the zone • Check all entry points

6. 6 ZERO TRUST • Push security controls down • Always

   verify authentication and authorization • Follow the principle of least privilege

7. 7 THE ROOT OF TRUST PROBLEM • Turtles all the

   way down • Who compiles the compiler https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

8. USER IDENTITY VS. MACHINE IDENTITY 2

9. 9 USER IDENTITY • User accounts • Groups, roles, permissions

   bound to work roles • Least privilege according to current task/role https://gist.github.com/angelo-v/e0208a18d455e2e6ea3c40ad637aac53

10. 10 MACHINE IDENTITY • Service accounts • Groups and permissions

    bound to use-case, type or network perimeter • Least privilege is difficult

11. PLATFORM EXAMPLE VS. APPLICATION EXAMPLE 3

12. 12 THE PLATFORM • Keycloak • JWTs • Identity federation

    • Istio • OAuth proxy • OPA • Vault • Kubernetes • GCP

13. 13 PLATFORM

14. 14 THE APPLICATION • Keycloak • OPA • Vault •

    Kubernetes

15. WHAT SHOULD I USE IN MY PROJECT 4

16. 16 THIS IS THE WAY • Use Keycloak J •

    Use zero trust • Reconsider JWTs • Prioritize user identities

17. 17 WANT TO KEEP THE DISCUSSION GOING? MESSAGE ME ON

    LINKEDIN!