Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Zero trust architecture with Keycloak
Search
Posedio
PRO
June 12, 2024
Programming
0
420
Zero trust architecture with Keycloak
Posedio
PRO
June 12, 2024
Tweet
Share
More Decks by Posedio
See All by Posedio
Unsealing Vault
posedio
PRO
0
8
Modern data observability
posedio
PRO
0
14
Lost Jobs, Zombie Tasks and AirFlow Nightmares: A debugging Deep Dive
posedio
PRO
0
33
Designing Zero Trust Systems
posedio
PRO
0
25
Platform user's remorse
posedio
PRO
0
130
Go KonMari on your SQL
posedio
PRO
0
23
Rolling out digital receipts on GCP infrastructure
posedio
PRO
0
20
API First revisited - where did we take a left turn?
posedio
PRO
0
64
Solving Multi-Tenant Challenges: Apache Airflow and Cloud Composer in Action
posedio
PRO
0
58
Other Decks in Programming
See All in Programming
Django Ninja による API 開発効率化とリプレースの実践
kashewnuts
0
940
Introducing ReActionView: A new ActionView-Compatible ERB Engine @ Kaigi on Rails 2025, Tokyo, Japan
marcoroth
3
920
あなたの知らない「動画広告」の世界 - iOSDC Japan 2025
ukitaka
0
390
私達はmodernize packageに夢を見るか feat. go/analysis, go/ast / Go Conference 2025
kaorumuta
2
490
タスクの特性や不確実性に応じた最適な作業スタイルの選択(ペアプロ・モブプロ・ソロプロ)と実践 / Optimal Work Style Selection: Pair, Mob, or Solo Programming.
honyanya
3
140
SpecKitでどこまでできる? コストはどれくらい?
leveragestech
0
530
クラシルを支える技術と組織
rakutek
0
190
Conquering Massive Traffic Spikes in Ruby Applications with Pitchfork
riseshia
0
150
フロントエンド開発に役立つクライアントプログラム共通のノウハウ / Universal client-side programming best practices for frontend development
nrslib
7
3.9k
階層構造を表現するデータ構造とリファクタリング 〜1年で10倍成長したプロダクトの変化と課題〜
yuhisatoxxx
3
920
Breaking Up with Big ViewModels — Without Breaking Your Architecture (droidcon Berlin 2025)
steliosf
PRO
1
330
私はどうやって技術力を上げたのか
yusukebe
43
17k
Featured
See All Featured
Why Our Code Smells
bkeepers
PRO
339
57k
The Straight Up "How To Draw Better" Workshop
denniskardys
237
140k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
32
2.2k
Scaling GitHub
holman
463
140k
Agile that works and the tools we love
rasmusluckow
331
21k
Art, The Web, and Tiny UX
lynnandtonic
303
21k
How To Stay Up To Date on Web Technology
chriscoyier
791
250k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
Faster Mobile Websites
deanohume
310
31k
Building a Modern Day E-commerce SEO Strategy
aleyda
43
7.7k
Code Reviewing Like a Champion
maltzj
525
40k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
7
890
Transcript
None
WHAT’S IN IT FOR ME 1. Conventional vs. zero trust
architecture 2. User identity vs. machine identity 3. Platform example vs. application example 4.What should I use in my project?
3 HI • Damjan Gjurovski • Software all-rounder J •
Set up Keycloak and zero trust in a large developer platform, worked on some Keycloak plugins
CONVENTIONAL VS. ZERO TRUST ARCHITECTURE 1
5 PERIMETER- BASED SECURITY • Network perimeter • DMZ and
internal zone • Trust those inside the zone • Check all entry points
6 ZERO TRUST • Push security controls down • Always
verify authentication and authorization • Follow the principle of least privilege
7 THE ROOT OF TRUST PROBLEM • Turtles all the
way down • Who compiles the compiler https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
USER IDENTITY VS. MACHINE IDENTITY 2
9 USER IDENTITY • User accounts • Groups, roles, permissions
bound to work roles • Least privilege according to current task/role https://gist.github.com/angelo-v/e0208a18d455e2e6ea3c40ad637aac53
10 MACHINE IDENTITY • Service accounts • Groups and permissions
bound to use-case, type or network perimeter • Least privilege is difficult
PLATFORM EXAMPLE VS. APPLICATION EXAMPLE 3
12 THE PLATFORM • Keycloak • JWTs • Identity federation
• Istio • OAuth proxy • OPA • Vault • Kubernetes • GCP
13 PLATFORM
14 THE APPLICATION • Keycloak • OPA • Vault •
Kubernetes
WHAT SHOULD I USE IN MY PROJECT 4
16 THIS IS THE WAY • Use Keycloak J •
Use zero trust • Reconsider JWTs • Prioritize user identities
17 WANT TO KEEP THE DISCUSSION GOING? MESSAGE ME ON
LINKEDIN!