© Hitachi, Ltd. 2024. All rights reserved.
Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native Environment
All Day DevOps 2024, Hitachi, Ltd. OSS Solution Center, 10/11/2024, Yoshiyuki Tabata
Contents
1. Importance of Authentication and Authorization
2. Difficulty to Implement Authentication and Authorization
3. Current Trends of Authentication and Authorization
4. Exploring Best Practices for Implementing Authn and Authz
Speaker: Yoshiyuki Tabata
• Specialist in API authorization
  - Consulting for API management infrastructure and authentication/authorization systems in the financial, public, social, and industrial fields
• Contributor to OSS related to authentication, authorization, and API management
  - Keycloak (IAM OSS)
  - 3scale (API management OSS)
• Other activities
  - Speaker at events such as KubeCon, Apidays, Open Source Summit, etc.
  - Author of Keycloak books (Japanese) and writer of web articles about IAM (Japanese)
• Senior OSS Consultant at Hitachi, Ltd.
• CNCF Ambassador / Cloud Native Community Japan organizer / Cloud Native Security Japan founder
• LinkedIn: @ytabata, X: @yo_tabata, GitHub: @y-tabata
Section 1: Importance of Authentication and Authorization
What is Authentication / Authorization
Authentication (Authn) is the process of verifying an entity's identity. Authorization (Authz) is the process of verifying that a requested action or service is approved for a specific entity.
(Diagram: entities send requests to resources / APIs. Authentication answers "who or what is making the request?"; authorization answers "can this entity take the requested action on the resource?")
Authn and Authz in OWASP Top 10 API Security Risks
The top 3 security risks are regarding "Authn/Authz".
* OWASP Top 10 API Security Risks - 2023: https://owasp.org/API-Security/editions/2023/en/0x11-t10/
1. Broken Object Level Authorization
2. Broken Authentication
3. Broken Object Property Level Authorization
4. Unrestricted Resource Consumption
5. Broken Function Level Authorization
6. Unrestricted Access to Sensitive Business Flows
7. Server Side Request Forgery
8. Security Misconfiguration
9. Improper Inventory Management
10. Unsafe Consumption of APIs
Authorization in OWASP Top 10 API Security Risks
Authorization is the most significant security risk, with 3 risks ranking in the top 5.
#1 Broken Object Level Authorization: must not allow user 101 to obtain user 102's resources (example: user 101 sends GET /users/102).
#3 Broken Object Property Level Authorization: must not allow a general user to change sensitive object properties like "rank" (example: user 101 sends PUT /users/101 with {"rank": "gold"}).
#5 Broken Function Level Authorization: must not allow a general user to call an administrator function (example: user 101 sends GET /admin/users/all).
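The three failures above, as an added example that is not from the slides: each vulnerable handler is shown beside its hardened form, in Python, over a constructed in-memory user store. The user ids, roles and the "rank" property are the slide's; the handler names, the Forbidden exception and the allowed() helper are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int
    role: str   # "general" or "admin"
    rank: str   # sensitive business property (the slide's "rank")
    email: str


# Constructed sample data: two general users and one administrator.
USERS = {
    101: User(101, "general", "silver", "u101@example.test"),
    102: User(102, "general", "gold", "u102@example.test"),
    900: User(900, "admin", "gold", "admin@example.test"),
}

# Properties a general user must never be able to set on an object (BOPLA).
SENSITIVE_PROPERTIES = {"rank", "role"}


class Forbidden(Exception):
    """Raised by the hardened handlers when an authorization check fails."""


# --- #1 Broken Object Level Authorization: GET /users/{id} -------------------
def get_user_vulnerable(caller: User, target_id: int) -> User:
    # Authenticated, but not authorized: any caller can read any user object.
    return USERS[target_id]


def get_user_hardened(caller: User, target_id: int) -> User:
    # Object-level check: the caller must own the object or be an administrator.
    if caller.id != target_id and caller.role != "admin":
        raise Forbidden(f"user {caller.id} may not read user {target_id}")
    return USERS[target_id]


# --- #3 Broken Object Property Level Authorization: PUT /users/{id} ---------
def update_user_vulnerable(caller: User, target_id: int, body: dict) -> User:
    # Mass assignment: every property in the request body is written through,
    # so a general user can raise their own rank with {"rank": "gold"}.
    target = get_user_hardened(caller, target_id)
    for key, value in body.items():
        setattr(target, key, value)
    return target


def update_user_hardened(caller: User, target_id: int, body: dict) -> User:
    target = get_user_hardened(caller, target_id)
    # Property-level check: reject the request outright if a general user tries
    # to set a sensitive property, then write only allow-listed keys.
    if caller.role != "admin" and SENSITIVE_PROPERTIES.intersection(body):
        raise Forbidden("sensitive properties require the admin role")
    writable = {"email"} | (SENSITIVE_PROPERTIES if caller.role == "admin" else set())
    for key in writable.intersection(body):
        setattr(target, key, body[key])
    return target


# --- #5 Broken Function Level Authorization: GET /admin/users/all -----------
def list_all_users_vulnerable(caller: User) -> list:
    # Relies on the /admin/ path being "unknown" to general users; no role check.
    return list(USERS.values())


def list_all_users_hardened(caller: User) -> list:
    # Function-level check: the administrative function requires the admin role.
    if caller.role != "admin":
        raise Forbidden("administrator function")
    return list(USERS.values())


def allowed(handler, *args) -> bool:
    """True if the handler completes, False if it raises Forbidden."""
    try:
        handler(*args)
        return True
    except Forbidden:
        return False
```

The pattern in all three hardened handlers is the same: the check compares the caller's identity and role against the specific object, property or function requested, rather than trusting that the caller is logged in or that the route is hard to guess.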
Section 2: Difficulty to Implement Authentication and Authorization
Various Standards for Authentication
This year marks 10 years since OpenID Connect 1.0 was published. In recent years, various standards have been published to address various attacks and social needs, and more will likely follow in the future.
(Diagram: authentication standards grouped by standardizing body, alongside OSS implementations.)
OIDF standardizes: OpenID Connect Core 1.0 (extends RFC 6749: OAuth 2.0), OpenID Connect Discovery 1.0, OpenID Connect DCR 1.0, FAPI 1.0, FAPI 2.0, CIBA, FAPI-CIBA, JARM, OID4VCI
IETF standardizes: RFC 6749: OAuth 2.0, RFC 6750: Bearer Token, RFC 7636: PKCE, RFC 7662: Token Introspection, RFC 8628: Device Flow, RFC 8693: Token Exchange, RFC 8705: OAuth MTLS, RFC 9449: DPoP, OAuth 2.1 (draft)
OASIS standardizes: SAML 2.0
W3C standardizes: Web Authentication
No Standards and Various OSS for Authorization
There is no standard, but there is a lot of excellent OSS. Currently, the OIDF AuthZEN WG is working to develop standards to address this situation.
(Diagram: no standards exist for communicating authorization information; only OSS implementations are shown.)
Section 3: Current Trends of Authentication and Authorization
Current Trend of Authentication
In a cloud-native environment, not only user authentication like OIDC but also workload authentication is becoming increasingly important. With an increasing number of complex software functions being built and deployed as workloads, the IETF Workload Identity in Multi System Environments (WIMSE) WG was established in 2024 and is developing standards for workload authentication.
Current active Internet-Drafts:
- WIMSE Service to Service Authentication (2024-08-15): describes protocols for two workloads to verify each other's identity.
- Workload Identity in a Multi System Environment (WIMSE) Architecture (2024-07-08): describes workload identity and its use cases.
- Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments (2024-07-08): describes an OAuth 2.0 client authentication method for workload environments utilizing service account token volume projection and RFC7523.
Current Trend of Authorization
Authorization is recognized as the most important security risk, and there is demand for dynamic and fine-grained authorization schemes. The OIDF Authorization Exchange (AuthZEN) WG was established in 2023 and is developing standards for authorization.
Current drafts:
- Authorization API 1.0 (2024-09-15): describes the API specification between Policy Decision Points (PDP) and Policy Enforcement Points (PEP).
Section 4: Exploring Best Practices for Implementing Authn and Authz
Best Practice of Authentication (User Authentication)
Assess the adverse impact of failures and choose the appropriate user authentication methods among the many available, following the NIST SP 800-63 Digital Identity Guidelines. Revision 4 of NIST SP 800-63 is currently available as a draft.
Authenticator Assurance Levels (AAL) and permitted authentication:
- AAL1: single-factor authentication, like password authentication
- AAL2: multi-factor authentication, like a synced passkey based on W3C Web Authentication (WebAuthn)
- AAL3: multi-factor cryptographic authentication, like a device-bound passkey based on WebAuthn
Best Practice of Authentication (User Authentication)
User authentication does not need to be implemented individually in each workload; it is typically delegated to an IdP such as Keycloak. When delegating user authentication, choose the appropriate federation protocol, following NIST SP 800-63.
Federation Assurance Levels (FAL) and federation protocols:
- FAL1: OIDC implicit flow; SAML Web SSO profile
- FAL2: OIDC authorization code flow; SAML artifact binding profile
- FAL3: OIDC holder-of-key ID token (no standard); SAML Holder-of-Key profile
Best Practice of Authentication (User Authentication)
When adopting OIDC, the more specific implementation choices are made with reference to the OAuth 2.0 Security Best Current Practice, which summarizes the latest security recommendations for OAuth 2.0. OIDC has a high affinity for cloud-native environments and is often adopted because it is based on OAuth 2.0, the standard for API protection.
Threat examples and mitigations:
- Cross-Site Request Forgery (CSRF): RFC7636: Proof Key for Code Exchange (PKCE)
- Misuse of stolen access tokens: RFC8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (OAuth MTLS); RFC9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP)
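PKCE from the mitigation table above, as an added example that is not from the slides: the client-side code_verifier and S256 code_challenge as RFC 7636 defines them, plus a constructed, simulated authorization server that binds the challenge to the code it issues, accepts only S256 (as the Security BCP recommends over "plain"), and treats each code as single use. The class and function names are this example's own.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    # Base64url without padding, as RFC 7636 requires for verifier and challenge.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # RFC 7636 section 4.1: 43..128 high-entropy characters; 32 random bytes
    # encode to exactly 43 characters.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(code_verifier: str) -> str:
    # RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))).
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Simulated authorization server (constructed for this example) that binds
    the code_challenge to the authorization code it issues."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, code_challenge_method: str) -> str:
        # Accept S256 only; "plain" offers no protection if the challenge leaks.
        if code_challenge_method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> dict:
        # Codes are single use: pop, so a replayed code fails even with the verifier.
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return {"error": "invalid_grant"}
        # Constant-time comparison of the recomputed challenge with the stored one.
        if not secrets.compare_digest(code_challenge_s256(code_verifier), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def run_flow() -> dict:
    """Legitimate client flow, then the two cases the check is there to block:
    a replayed code and a code presented without the matching verifier."""
    server = AuthorizationServer()
    verifier = new_code_verifier()
    code = server.authorize(code_challenge_s256(verifier), "S256")
    return {
        # The client holding the verifier that matches the challenge succeeds.
        "legitimate": "access_token" in server.token(code, verifier),
        # The same code redeemed a second time is rejected (single use).
        "replayed_code": server.token(code, verifier).get("error"),
        # A code redeemed with a verifier that does not match its challenge fails.
        "wrong_verifier": server.token(
            server.authorize(code_challenge_s256(verifier), "S256"),
            new_code_verifier()).get("error"),
    }
```

The first assertion in the test uses the verifier/challenge pair from RFC 7636 Appendix B, which is a useful fixed check for any PKCE implementation.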
Best Practice of Authentication (Workload Authentication)
The current mainstream is mTLS authentication using X.509 certificates with a SPIFFE-compliant implementation such as SPIRE. Some ways to interact with the SPIRE Agent include implementing a client with a SPIFFE library, using the SPIRE Helper utility, or using Envoy Proxy.
(Diagram: the SPIRE Server issues workload identities to a SPIRE Agent on each node; each agent delivers X.509 certificates to the workloads on its node, and the two workloads authenticate each other over mTLS.)
Best Practice of Authorization
Separate authorization logic from application logic using the P*P architecture defined in XACML and NIST SP 800-162. By separating the authorization logic, workloads are freed from having to keep up with the complexity of authorization conditions as the service grows.
(Diagram, P*P architecture: 1. An entity (subject) sends an unauthorized request to the Policy Enforcement Point (PEP). 2. The PEP delegates the authorization decision to the Policy Decision Point (PDP). 3. The PDP, using authorization policies from the Policy Administration Point (PAP) and data from the Policy Information Point (PIP), returns its authorization decision. 4. The PEP forwards the authorized request to the resource / API (object).)
Best Practice of Authorization
Depending on your use case, choose the PDP authorization model between Attribute-Based Access Control (ABAC) and Relationship-Based Access Control (ReBAC).
(Diagram: the same P*P architecture diagram as the previous slide.)
Best Practice of Authorization
Depending on your use case, choose the PDP authorization model between Attribute-Based Access Control (ABAC) and Relationship-Based Access Control (ReBAC).
ABAC (Policy as Code)
- Features: good at very fine-grained authorization, including decisions that depend on dynamic attributes such as time and location.
- Use case example: managers who are in APAC can view Trade Confidential files during business hours.
- Representative implementation: Open Policy Agent (OPA)
ReBAC (Policy as Graph)
- Features: good at authorization using complex hierarchical relationships.
- Use case example: users who are assigned the Member role of the Development team are also granted the Edit role for all files in a folder if the Development team is the parent of that folder.
- Representative implementation: OpenFGA
Best Practice of Authorization
Interaction between the PDP and the PEP is implemented following the OIDF AuthZEN WG Authorization API 1.0. Since this specification is still a draft, breaking changes are possible, so it is necessary to keep a close eye on its progress.
(Diagram: the same P*P architecture diagram as the previous slides; the PEP-to-PDP delegation (2) and the decision (3) are the interaction covered by the Authorization API.)
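The P*P separation, the two ABAC/ReBAC use cases from the table and the PDP/PEP exchange, as one added example that is not from the slides: a PEP that builds an AuthZEN-style evaluation request and a PDP that answers it from a constructed attribute store (the ABAC policy) and a constructed relationship graph (the ReBAC policy). The request and response field names (subject, resource, action, context, decision) follow the Authorization API 1.0 draft as assumed here; since the slide notes the draft may still change, check them against the current text. All identifiers, attributes and tuples are constructed for the example.

```python
from datetime import datetime

# Attributes a PIP would supply (constructed sample data).
SUBJECT_ATTRS = {
    "user:alice": {"title": "manager", "region": "APAC"},
    "user:bob": {"title": "engineer", "region": "EMEA"},
}
RESOURCE_ATTRS = {"file:trade-q3.xlsx": {"classification": "Trade Confidential"}}

# ReBAC relationship tuples as (object, relation, subject), constructed sample data.
RELATIONS = {
    ("team:development", "member", "user:bob"),
    ("folder:specs", "parent", "team:development"),
    ("file:design.md", "parent", "folder:specs"),
}


def related(obj: str, relation: str) -> set:
    return {subj for (o, r, subj) in RELATIONS if o == obj and r == relation}


def rebac_can_edit(user: str, file: str) -> bool:
    # Policy as graph: user -member-> team -parent-> folder -parent-> file.
    return any(
        user in related(team, "member")
        for folder in related(file, "parent")
        for team in related(folder, "parent")
    )


def abac_can_view(user: str, resource: str, context: dict) -> bool:
    # Policy as code: managers in APAC may view Trade Confidential files during
    # business hours (taken here as 09:00 to 17:59 in the request's local time).
    timestamp = context.get("time")
    if timestamp is None:
        return False  # no time attribute, so the time condition cannot hold
    subject = SUBJECT_ATTRS.get(user, {})
    res = RESOURCE_ATTRS.get(resource, {})
    hour = datetime.fromisoformat(timestamp).hour
    return (
        subject.get("title") == "manager"
        and subject.get("region") == "APAC"
        and res.get("classification") == "Trade Confidential"
        and 9 <= hour < 18
    )


def pdp_evaluate(request: dict) -> dict:
    """PDP side of the AuthZEN-style evaluation call. The request shape
    (subject/resource/action/context, boolean decision) is assumed from the
    Authorization API 1.0 draft; check it against the current draft text."""
    subject = f'{request["subject"]["type"]}:{request["subject"]["id"]}'
    resource = f'{request["resource"]["type"]}:{request["resource"]["id"]}'
    action = request["action"]["name"]
    if action == "can_view":
        decision = abac_can_view(subject, resource, request.get("context", {}))
    elif action == "can_edit":
        decision = rebac_can_edit(subject, resource)
    else:
        decision = False  # default deny for actions no policy covers
    return {"decision": decision}


def pep_handle(user_id: str, action: str, resource_type: str, resource_id: str,
               context: dict) -> str:
    """PEP side: the workload builds the request, delegates the decision and
    enforces it. Over HTTP this is a POST to the PDP's evaluation endpoint."""
    request = {
        "subject": {"type": "user", "id": user_id},
        "resource": {"type": resource_type, "id": resource_id},
        "action": {"name": action},
        "context": context,
    }
    response = pdp_evaluate(request)
    return "200 OK" if response["decision"] is True else "403 Forbidden"
```

The workload's own code is only pep_handle: it never sees the attribute store, the relationship tuples or the policy conditions, which is exactly the separation the P*P architecture is meant to give as the authorization rules grow.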
Best Practice of Authorization
Obtain the user identity used for authorization following RFC7662: OAuth 2.0 Token Introspection. The access token placed in the Token Introspection request is the one received in the API request.
(Diagram: 1. The entity sends an API request with an access token to the resource / API, following RFC6750: OAuth 2.0 Bearer Token Usage. 2. The resource sends a Token Introspection request with that access token to the Authorization Server, following RFC7662.)
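The bearer-token-to-introspection path above, as an added example that is not from the slides: the resource server pulls the token out of the RFC 6750 Authorization header, calls a constructed stand-in for the RFC 7662 endpoint (which authenticates the caller and answers "active": false for anything it will not vouch for), and then checks aud and scope before handing the identity to the authorization logic. Token values, client credentials, audience and scope names are all constructed.

```python
import time

NOW = int(time.time())

# Constructed token store standing in for the authorization server's view of
# the tokens it issued (Keycloak or another IdP keeps this internally).
TOKEN_STORE = {
    "tok-alice": {"active": True, "sub": "alice", "client_id": "web-app",
                  "scope": "orders:read orders:write", "aud": ["orders-api"],
                  "exp": NOW + 300},
    "tok-readonly": {"active": True, "sub": "carol", "client_id": "web-app",
                     "scope": "orders:read", "aud": "orders-api", "exp": NOW + 300},
    "tok-expired": {"active": True, "sub": "dave", "client_id": "web-app",
                    "scope": "orders:read", "aud": ["orders-api"], "exp": NOW - 1},
}

# Credentials the resource server uses to authenticate to the introspection
# endpoint (RFC 7662 section 2.1 requires the caller to be authenticated).
INTROSPECTION_CLIENTS = {"orders-api": "constructed-secret"}


def extract_bearer(headers: dict):
    """RFC 6750 section 2.1: 'Authorization: Bearer <token>'. None if absent."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def introspection_endpoint(form: dict, client_id: str, client_secret: str) -> dict:
    """Simulated RFC 7662 endpoint: authenticate the caller, then answer with the
    token's metadata, or just {"active": false} for anything it won't vouch for."""
    if INTROSPECTION_CLIENTS.get(client_id) != client_secret:
        raise PermissionError("resource server failed to authenticate")
    info = TOKEN_STORE.get(form.get("token", ""))
    if info is None or not info["active"] or info["exp"] <= time.time():
        return {"active": False}
    return dict(info)


def resolve_identity(headers: dict, required_scope: str, audience: str = "orders-api"):
    """Resource-server side: take the bearer token off the API request, introspect
    it and reduce the answer to the identity the authorization logic needs.
    Returns (identity, None) on success or (None, error_code) on failure."""
    token = extract_bearer(headers)
    if token is None:
        return None, "missing_token"        # 401 with WWW-Authenticate: Bearer
    info = introspection_endpoint({"token": token}, audience,
                                  INTROSPECTION_CLIENTS[audience])
    if not info.get("active"):
        return None, "invalid_token"        # 401, error="invalid_token"
    aud = info.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        return None, "invalid_token"        # token was issued for another API
    if required_scope not in info.get("scope", "").split():
        return None, "insufficient_scope"   # 403, error="insufficient_scope"
    return {"sub": info["sub"], "client_id": info["client_id"],
            "scope": info["scope"].split()}, None
```

Two points worth keeping from this: the introspection endpoint never distinguishes "unknown", "revoked" and "expired" to the caller (all are just inactive), and the audience check is done by the resource server, not left to the introspection response being active.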
Best Practice of Authorization
In a cloud-native environment, a workload may need to interact with other workloads. In this case, obtain a token following RFC8693: OAuth 2.0 Token Exchange and use it within the trusted domain. For details on this interaction, refer to Transaction Tokens, a draft of the IETF oauth WG.
(Diagram, single trusted domain: 1. The entity sends an API request with an access token to the first workload. 2. The workload sends a Token Exchange request with that access token to the Authorization Server. 3. The Authorization Server returns a Token Exchange response with a new token. 4. The workload sends an API request with the new token to the second workload.)
Best Practice of Authorization
If workloads are distributed across multiple trusted domains, obtain a token for the other trusted domain following RFC8693 and RFC7523: JWT Profile for OAuth 2.0 Authorization Grants. For details on this interaction, refer to OAuth Identity and Authorization Chaining Across Domains, a draft of the IETF oauth WG.
(Diagram, Trusted Domain A and Trusted Domain B: 1. The entity sends an API request with an access token to the workload in domain A. 2. The workload sends a Token Exchange request with that access token to domain A's Authorization Server. 3. Domain A's Authorization Server returns a Token Exchange response with an authorization grant JWT. 4. The workload sends a Token request with the authorization grant JWT to domain B's Authorization Server. 5. Domain B's Authorization Server returns a Token response with a new access token. 6. The workload sends an API request with the new access token to the workload in domain B.)
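The token exchange on the previous slide and the cross-domain chaining on this one, as one added example that is not from the slides: two constructed authorization servers, one per trusted domain, with a toy HS256 JWT helper standing in for real signing (a real deployment signs with asymmetric keys and publishes them via JWKS, so domain B needs no shared secret with domain A). Issuer URLs, key material, workload names and token lifetimes are assumptions; the grant type and token type URNs are the ones registered by RFC 8693 and RFC 7523.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"          # RFC 7523
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims: dict, key: bytes) -> str:
    # Toy HS256 JWT (constructed helper); real servers use asymmetric keys + JWKS.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def jwt_verify(token: str, key: bytes, issuer: str, audience: str):
    """Claims if signature, iss, aud and exp all check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except ValueError:
        return None
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    return claims if claims.get("exp", 0) > time.time() else None


class AuthorizationServer:
    def __init__(self, issuer: str, key: bytes, trusted_issuers: dict):
        self.issuer, self.key = issuer, key
        self.trusted_issuers = trusted_issuers  # issuer -> verification key

    def issue_token(self, sub: str, audience: str, lifetime: int) -> str:
        now = int(time.time())
        return jwt_sign({"iss": self.issuer, "sub": sub, "aud": audience, "iat": now,
                         "exp": now + lifetime, "jti": secrets.token_hex(8)}, self.key)

    def token_endpoint(self, form: dict, client_id: str) -> dict:
        if form.get("grant_type") == TOKEN_EXCHANGE_GRANT:
            # Steps 2-3 (domain A): swap the user's access token for a short-lived
            # authorization grant JWT addressed to the other domain's AS.
            if form.get("subject_token_type") != ACCESS_TOKEN_TYPE:
                return {"error": "invalid_request"}
            # The calling workload may only exchange a token that was issued to it.
            claims = jwt_verify(form.get("subject_token", ""), self.key, self.issuer, client_id)
            if claims is None:
                return {"error": "invalid_grant"}
            return {"access_token": self.issue_token(claims["sub"], form["audience"], 60),
                    "issued_token_type": JWT_TOKEN_TYPE,
                    "token_type": "N_A"}  # RFC 8693: not usable as an access token
        if form.get("grant_type") == JWT_BEARER_GRANT:
            # Steps 4-5 (domain B): accept the grant only from a trusted issuer and
            # only if it was addressed to this AS, then mint a local access token.
            claims = None
            for iss, key in self.trusted_issuers.items():
                claims = claims or jwt_verify(form.get("assertion", ""), key, iss, self.issuer)
            if claims is None:
                return {"error": "invalid_grant"}
            return {"access_token": self.issue_token(claims["sub"], form["audience"], 300),
                    "token_type": "Bearer"}
        return {"error": "unsupported_grant_type"}


# Constructed domains, keys and workload names (not from the slides).
KEY_A, KEY_B = secrets.token_bytes(32), secrets.token_bytes(32)
AS_A = AuthorizationServer("https://as.domain-a.example", KEY_A, {})
AS_B = AuthorizationServer("https://as.domain-b.example", KEY_B,
                           {"https://as.domain-a.example": KEY_A})


def chain_across_domains(user_access_token: str):
    """Steps 2-6 of the slide from workload A's point of view. Returns the claims
    workload B ends up trusting, or None if any hop is rejected."""
    exchanged = AS_A.token_endpoint({
        "grant_type": TOKEN_EXCHANGE_GRANT, "subject_token": user_access_token,
        "subject_token_type": ACCESS_TOKEN_TYPE, "requested_token_type": JWT_TOKEN_TYPE,
        "audience": AS_B.issuer}, client_id="workload-a")
    if "error" in exchanged:
        return None
    minted = AS_B.token_endpoint({"grant_type": JWT_BEARER_GRANT, "audience": "workload-b",
                                  "assertion": exchanged["access_token"]}, client_id="workload-a")
    if "error" in minted:
        return None
    # Step 6: workload B verifies the new token against its own domain's AS key.
    return jwt_verify(minted["access_token"], KEY_B, AS_B.issuer, "workload-b")
```

The single-domain case from the previous slide is the token-exchange branch alone: the workload would set "audience" to the next workload in its own domain and receive an access token ("token_type": "Bearer") instead of a grant. Note that the user's original token, scoped to workload A, is useless against workload B directly, which is the point of re-issuing per hop.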
Summary of Best Practice
• Authentication
  - User Authentication
    · NIST SP 800-63 Digital Identity Guidelines (AAL and FAL)
    · OAuth 2.0 Security Best Current Practice
  - Workload Authentication
    · SPIFFE
• Authorization
  - Architecture: P*P architecture (XACML / NIST SP 800-162)
  - PDP and PEP interaction: Authorization API 1.0
  - Authorization Model: ABAC / ReBAC
  - User Identity Propagation
    · External to Internal: RFC6750: OAuth 2.0 Bearer Token Usage; RFC7662: OAuth 2.0 Token Introspection
    · Internal to Internal (Same Trusted Domain): RFC8693: OAuth 2.0 Token Exchange; Transaction Tokens
    · Internal to Internal (Distributed across Multiple Trusted Domains): RFC8693: OAuth 2.0 Token Exchange; RFC7523: JWT Profile for OAuth 2.0 Authorization Grants; OAuth Identity and Authorization Chaining Across Domains
Let's Join CNCF IAM White Paper PJ and TAG Security APAC!
We are currently working on a project to write a white paper on Identity and Access Management (IAM) to discuss best practices for authentication and authorization such as those introduced in this session. If you are interested, don't hesitate to get in touch with us! https://github.com/cncf/tag-security/issues/1332
The CNCF Security Technical Advisory Group (TAG Security) APAC region meetings have been held every other week since August 21st! This is in a more friendly time zone for the security freaks in attendance today, so please join us! https://zoom-lfx.platform.linuxfoundation.org/meetings/cncf?view=week
Trademarks
• OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries.
• GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other countries.
• X is a trademark or registered trademark of X Corp. in the United States and other countries.
• Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.
END
Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native Environment
Yoshiyuki Tabata, Hitachi, Ltd. OSS Solution Center, 10/11/2024