SlideShare a Scribd company logo

Athenz with Istio - Single Access Control Model in Cloud Infrastructures, Tatsuya Yano, Yahoo Japan

Yahoo Developer Network, profile picture
Yahoo Developer Network

The document discusses Athenz, an open-source system for service authentication and authorization created by Yahoo, that provides secure identity via short-lived x.509 certificates and fine-grained role-based access control. It explains how Athenz integrates with Istio to enhance multi-cloud service management, offering benefits like automatic load balancing, secure service-to-service communication, and centralized access control. Future plans include productionizing Athenz's x.509 certificate provisioning and developing Docker images and Helm charts for easier setup.

Technology
Related topics:
Information Security
1 of 31
Downloaded 11 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Athenz with Istio: Single Access Control Model in Cloud Infrastructures
Agenda • What is Athenz? • Service Authentication • Authorization • Multi-cloud in Yahoo Japan • How do we integrate with Istio? • Why Istio? • Benefit of using Athenz with Istio
About • Tatsuya Yano • Platform Developer, Yahoo Japan Corporation • Contributor to Athenz • Open Source Summit Japan (https://sched.co/FDjp)
Athenz: Open Source System Created by Yahoo Inc. • Service Authentication • Provide secure identity in the form short lived x.509 certificate to every workload / service in modern environments • Authorization • Provides fine-grained Role Based Access Control (RBAC)
Service Authentication
Authentication • User Authentication • AD / LDAP / Kerberos / etc • Service Authentication • Instances within a service with a unique identity to enable secure communication • IP / Networks ACLs / iptable • Headless/Automation users • Shared secrets • Mutual TLS with x.509 certificates
Certificate Based Authentication • Every instance / service in your cloud has its own identity • Stronger security by Mutual TLS Authentication • Zero-trust security • Short Lived Certificates
Copper Argos • Generalized model for authorized service providers to launch other service identities in an authorized way through a callback-based verification model. Providers OpenStack Kubernetes Screwdriver Amazon EC2 AWS ECS AWS Lambda
Bootstrapping Athenz Identity
Authorization
Athenz Data Model
Domain data example (YAML)
Authorization - Centralized Access Control
Authorization - Decentralized Access Control
Advantages of Athenz • To provide service identity X.509 certificates for services running in common providers like Kubernetes, OpenStack or AWS that can be used for mutual TLS authentication. • To have precise and frequently configurable access controls with single source of truth.
Athenz in Yahoo Japan
How do we integrate with Istio?
Why use Istio? • Automatic load balancing. • Fine-grained control of traffic behavior. • A pluggable policy layer and configuration API. • Automatic metrics, logs, and traces for all traffic. • Secure service-to-service communication. Referred from: https://istio.io/docs/concepts/what-is-istio/
Benefits of using Athenz with Istio • Istio is in CNCF landscape. • Service mesh strongly supports microservices architecture. + • Athenz enables single access control model in multi cloud.
Basics of Istio Mixer
Example integration: Athenz Istio Mixer adapter Referred from: https://istio.io/blog/2017/adapter-model/
Example integration: Athenz Istio Mixer adapter
Other use-case: Simplified mTLS authN/Z using Istio/Athenz
Simplified mTLS authN/Z using Istio/Athenz Athenz Istio Auth Controller Kubernetes API Fetch role/policy information from Athenz Setup a watch on namespaces Create/update/delete Istio CRs - ServiceRole and ServiceRolebinding based on fetched Athenz data Athenz Istio Auth Controller translates Athenz defined roles/policies into Istio CRs - ServiceRole and ServiceRolebinding Watch ServiceRole and ServiceRoleBinding https://github.com/yahoo/k8s-athenz-istio-auth
Prototype Demo
Future plans •Currently • On Premises and AWS Provisioning •Planned • Provide Athenz servers with Docker images • Helm charts • Productionize Athenz x509 certificate provisioning • Productionize the authorization flow using Istio Envoy
Resources • Website : http://www.athenz.io • Github: https://github.com/yahoo/athenz • Slack Channel: https://athenz.slack.com/ • Discussion Group: • Google Group: Athenz-Users • Questions or Comments: • Tatsuya Yano: tatyano@yahoo-corp.jp
Join Ushttp://www.athenz.io
Thank you
Q & A
Athenz with Istio - Single Access Control Model in Cloud Infrastructures, Tatsuya Yano, Yahoo Japan

More Related Content

PDF
Athenz - The Open-Source Solution to Provide Access Control in Dynamic Infras...
Yahoo Developer Network
 
PPTX
Azure network and infrastructure
Phi Huynh
 
PPTX
JECRC iWeekend Cloud Day
jecrciweekend
 
PPTX
Cybera Summit
Everett Toews
 
PPTX
Advanced development with Windows Azure
Thomas Robbins
 
PPTX
Azure Operational Insight Preview
Igor Puhalo
 
PPTX
Cloud Native London - 2019: What is a Service Mesh, and if I Get One Will it ...
Elton Stoneman
 
PPTX
Best Practices to Secure Your Kubernetes Cluster
Stefano Tempesta
 
Athenz - The Open-Source Solution to Provide Access Control in Dynamic Infras...
Yahoo Developer Network
 
Azure network and infrastructure
Phi Huynh
 
JECRC iWeekend Cloud Day
jecrciweekend
 
Cybera Summit
Everett Toews
 
Advanced development with Windows Azure
Thomas Robbins
 
Azure Operational Insight Preview
Igor Puhalo
 
Cloud Native London - 2019: What is a Service Mesh, and if I Get One Will it ...
Elton Stoneman
 
Best Practices to Secure Your Kubernetes Cluster
Stefano Tempesta
 

What's hot (20)

PPT
24 Hours Of Exchange Server 2007 ( Part 15 Of 24)
Harold Wong
 
PPTX
Azure Service Bus
BizTalk360
 
PPTX
Azure Service Bus Overview
BizTalk360
 
PPTX
Deployment options for Kentico CMS on Windows Azure
Thomas Robbins
 
PDF
Network security with Azure PaaS services by Erwin Staal from 4DotNet at Azur...
DevClub_lv
 
PPTX
Meetup CNCF Torino - Amazon EKS March 29th 2019
Massimo Ferre'
 
PPTX
Webservice security considerations and measures
Maarten Smeets
 
PPTX
Windows Azure
Nour Khouja
 
PDF
Docker + App Container = ocp
Apcera
 
PPTX
An Intro to AS4, the Successor of AS2
BizTalk360
 
PPTX
Cloud Bursting with A10 Lightning ADS
Akshay Mathur
 
PPTX
Microsoft DirectAccess Remote Access (VPN) with Windows 10 and Server 2012
Kemp
 
PPTX
Azure IAAS architecture with High Availability for beginners and developers -...
Malleswar Reddy
 
PDF
Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...
DevClub_lv
 
PPTX
Azure Microservices in Practice - Radu Vunvulea ITCamp Community Timisoara 07...
Radu Vunvulea
 
PPTX
Manage and Operate Azure Stack Hub Stamps at Scale
Ravi C Kolandaiswamy
 
PPTX
Techniques for scaling application with security and visibility in cloud
Akshay Mathur
 
PPT
Windows Server 2008
Luis Quiroz
 
PPTX
Azure virtual network
Lalit Rawat
 
PPTX
MicroService Architecture
Md. Hasan Basri (Angel)
 
24 Hours Of Exchange Server 2007 ( Part 15 Of 24)
Harold Wong
 
Azure Service Bus
BizTalk360
 
Azure Service Bus Overview
BizTalk360
 
Deployment options for Kentico CMS on Windows Azure
Thomas Robbins
 
Network security with Azure PaaS services by Erwin Staal from 4DotNet at Azur...
DevClub_lv
 
Meetup CNCF Torino - Amazon EKS March 29th 2019
Massimo Ferre'
 
Webservice security considerations and measures
Maarten Smeets
 
Windows Azure
Nour Khouja
 
Docker + App Container = ocp
Apcera
 
An Intro to AS4, the Successor of AS2
BizTalk360
 
Cloud Bursting with A10 Lightning ADS
Akshay Mathur
 
Microsoft DirectAccess Remote Access (VPN) with Windows 10 and Server 2012
Kemp
 
Azure IAAS architecture with High Availability for beginners and developers -...
Malleswar Reddy
 
Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...
DevClub_lv
 
Azure Microservices in Practice - Radu Vunvulea ITCamp Community Timisoara 07...
Radu Vunvulea
 
Manage and Operate Azure Stack Hub Stamps at Scale
Ravi C Kolandaiswamy
 
Techniques for scaling application with security and visibility in cloud
Akshay Mathur
 
Windows Server 2008
Luis Quiroz
 
Azure virtual network
Lalit Rawat
 
MicroService Architecture
Md. Hasan Basri (Angel)
 
Ad

Similar to Athenz with Istio - Single Access Control Model in Cloud Infrastructures, Tatsuya Yano, Yahoo Japan (6)

PDF
Athenz introduction
Dũng Lê
 
PPTX
Istio Mesh – Managing Container Deployments at Scale
Mofizur Rahman
 
PPTX
Manging Container Deployments at Scale
Mofizur Rahman
 
PDF
Stop reinventing the wheel with Istio by Mete Atamel (Google)
Codemotion
 
PDF
Istio: Using nginMesh as the service proxy
Lee Calcote
 
PDF
Securing Microservices with Istio
Daniel Berg
 
Athenz introduction
Dũng Lê
 
Istio Mesh – Managing Container Deployments at Scale
Mofizur Rahman
 
Manging Container Deployments at Scale
Mofizur Rahman
 
Stop reinventing the wheel with Istio by Mete Atamel (Google)
Codemotion
 
Istio: Using nginMesh as the service proxy
Lee Calcote
 
Securing Microservices with Istio
Daniel Berg
 
Ad

More from Yahoo Developer Network (20)

PDF
Developing Mobile Apps for Performance - Swapnil Patel, Verizon Media
Yahoo Developer Network
 
PDF
Athenz & SPIFFE, Tatsuya Yano, Yahoo Japan
Yahoo Developer Network
 
PDF
CICD at Oath using Screwdriver
Yahoo Developer Network
 
PDF
Big Data Serving with Vespa - Jon Bratseth, Distinguished Architect, Oath
Yahoo Developer Network
 
PPTX
How @TwitterHadoop Chose Google Cloud, Joep Rottinghuis, Lohit VijayaRenu
Yahoo Developer Network
 
PDF
The Future of Hadoop in an AI World, Milind Bhandarkar, CEO, Ampool
Yahoo Developer Network
 
PPTX
Apache YARN Federation and Tez at Microsoft, Anupam Upadhyay, Adrian Nicoara,...
Yahoo Developer Network
 
PPTX
Containerized Services on Apache Hadoop YARN: Past, Present, and Future, Shan...
Yahoo Developer Network
 
PDF
HDFS Scalability and Security, Daryn Sharp, Senior Engineer, Oath
Yahoo Developer Network
 
PPTX
Hadoop {Submarine} Project: Running deep learning workloads on YARN, Wangda T...
Yahoo Developer Network
 
PDF
Moving the Oath Grid to Docker, Eric Badger, Oath
Yahoo Developer Network
 
PDF
Architecting Petabyte Scale AI Applications
Yahoo Developer Network
 
PDF
Introduction to Vespa – The Open Source Big Data Serving Engine, Jon Bratseth...
Yahoo Developer Network
 
PPTX
Jun 2017 HUG: YARN Scheduling – A Step Beyond
Yahoo Developer Network
 
PDF
Jun 2017 HUG: Large-Scale Machine Learning: Use Cases and Technologies
Yahoo Developer Network
 
PPTX
February 2017 HUG: Slow, Stuck, or Runaway Apps? Learn How to Quickly Fix Pro...
Yahoo Developer Network
 
PPTX
February 2017 HUG: Exactly-once end-to-end processing with Apache Apex
Yahoo Developer Network
 
PPTX
February 2017 HUG: Data Sketches: A required toolkit for Big Data Analytics
Yahoo Developer Network
 
PDF
October 2016 HUG: Pulsar,  a highly scalable, low latency pub-sub messaging s...
Yahoo Developer Network
 
PPTX
October 2016 HUG: Architecture of an Open Source RDBMS powered by HBase and ...
Yahoo Developer Network
 
Developing Mobile Apps for Performance - Swapnil Patel, Verizon Media
Yahoo Developer Network
 
Athenz & SPIFFE, Tatsuya Yano, Yahoo Japan
Yahoo Developer Network
 
CICD at Oath using Screwdriver
Yahoo Developer Network
 
Big Data Serving with Vespa - Jon Bratseth, Distinguished Architect, Oath
Yahoo Developer Network
 
How @TwitterHadoop Chose Google Cloud, Joep Rottinghuis, Lohit VijayaRenu
Yahoo Developer Network
 
The Future of Hadoop in an AI World, Milind Bhandarkar, CEO, Ampool
Yahoo Developer Network
 
Apache YARN Federation and Tez at Microsoft, Anupam Upadhyay, Adrian Nicoara,...
Yahoo Developer Network
 
Containerized Services on Apache Hadoop YARN: Past, Present, and Future, Shan...
Yahoo Developer Network
 
HDFS Scalability and Security, Daryn Sharp, Senior Engineer, Oath
Yahoo Developer Network
 
Hadoop {Submarine} Project: Running deep learning workloads on YARN, Wangda T...
Yahoo Developer Network
 
Moving the Oath Grid to Docker, Eric Badger, Oath
Yahoo Developer Network
 
Architecting Petabyte Scale AI Applications
Yahoo Developer Network
 
Introduction to Vespa – The Open Source Big Data Serving Engine, Jon Bratseth...
Yahoo Developer Network
 
Jun 2017 HUG: YARN Scheduling – A Step Beyond
Yahoo Developer Network
 
Jun 2017 HUG: Large-Scale Machine Learning: Use Cases and Technologies
Yahoo Developer Network
 
February 2017 HUG: Slow, Stuck, or Runaway Apps? Learn How to Quickly Fix Pro...
Yahoo Developer Network
 
February 2017 HUG: Exactly-once end-to-end processing with Apache Apex
Yahoo Developer Network
 
February 2017 HUG: Data Sketches: A required toolkit for Big Data Analytics
Yahoo Developer Network
 
October 2016 HUG: Pulsar,  a highly scalable, low latency pub-sub messaging s...
Yahoo Developer Network
 
October 2016 HUG: Architecture of an Open Source RDBMS powered by HBase and ...
Yahoo Developer Network
 

Recently uploaded (20)

PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
A Presentation on Artificial Intelligence
memembruh336
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Teaching material agriculture food technology
LiaRayya
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
KodekX | Application Modernization Development
KodekX
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 

Athenz with Istio - Single Access Control Model in Cloud Infrastructures, Tatsuya Yano, Yahoo Japan

  • 1. Athenz with Istio: Single Access Control Model in Cloud Infrastructures
  • 2. Agenda • What is Athenz? • Service Authentication • Authorization • Multi-cloud in Yahoo Japan • How do we integrate with Istio? • Why Istio? • Benefit of using Athenz with Istio
  • 3. About • Tatsuya Yano • Platform Developer, Yahoo Japan Corporation • Contributor to Athenz • Open Source Summit Japan (https://sched.co/FDjp)
  • 4. Athenz: Open Source System Created by Yahoo Inc. • Service Authentication • Provide secure identity in the form short lived x.509 certificate to every workload / service in modern environments • Authorization • Provides fine-grained Role Based Access Control (RBAC)
  • 6. Authentication • User Authentication • AD / LDAP / Kerberos / etc • Service Authentication • Instances within a service with a unique identity to enable secure communication • IP / Networks ACLs / iptable • Headless/Automation users • Shared secrets • Mutual TLS with x.509 certificates
  • 7. Certificate Based Authentication • Every instance / service in your cloud has its own identity • Stronger security by Mutual TLS Authentication • Zero-trust security • Short Lived Certificates
  • 8. Copper Argos • Generalized model for authorized service providers to launch other service identities in an authorized way through a callback-based verification model. Providers OpenStack Kubernetes Screwdriver Amazon EC2 AWS ECS AWS Lambda
  • 15. Advantages of Athenz • To provide service identity X.509 certificates for services running in common providers like Kubernetes, OpenStack or AWS that can be used for mutual TLS authentication. • To have precise and frequently configurable access controls with single source of truth.
  • 17. How do we integrate with Istio?
  • 18. Why use Istio? • Automatic load balancing. • Fine-grained control of traffic behavior. • A pluggable policy layer and configuration API. • Automatic metrics, logs, and traces for all traffic. • Secure service-to-service communication. Referred from: https://istio.io/docs/concepts/what-is-istio/
  • 19. Benefits of using Athenz with Istio • Istio is in CNCF landscape. • Service mesh strongly supports microservices architecture. + • Athenz enables single access control model in multi cloud.
  • 21. Example integration: Athenz Istio Mixer adapter Referred from: https://istio.io/blog/2017/adapter-model/
  • 23. Other use-case: Simplified mTLS authN/Z using Istio/Athenz
  • 24. Simplified mTLS authN/Z using Istio/Athenz Athenz Istio Auth Controller Kubernetes API Fetch role/policy information from Athenz Setup a watch on namespaces Create/update/delete Istio CRs - ServiceRole and ServiceRolebinding based on fetched Athenz data Athenz Istio Auth Controller translates Athenz defined roles/policies into Istio CRs - ServiceRole and ServiceRolebinding Watch ServiceRole and ServiceRoleBinding https://github.com/yahoo/k8s-athenz-istio-auth
  • 26. Future plans •Currently • On Premises and AWS Provisioning •Planned • Provide Athenz servers with Docker images • Helm charts • Productionize Athenz x509 certificate provisioning • Productionize the authorization flow using Istio Envoy
  • 27. Resources • Website : http://www.athenz.io • Github: https://github.com/yahoo/athenz • Slack Channel: https://athenz.slack.com/ • Discussion Group: • Google Group: Athenz-Users • Questions or Comments: • Tatsuya Yano: tatyano@yahoo-corp.jp
  • 30. Q & A