[WSO2 Integration Summit Johannesburg 2019] Security in a Distributed Computing Environment
2 likes292 views
The document outlines key aspects of security in distributed computing, focusing on authentication, authorization, and rate limiting. It discusses modern approaches like authentication as a service, social login, and identity management through centralized systems. Additionally, it emphasizes the importance of user consent under the Protection of Personal Information Act (POPI) and explores consent management features in WSO2 Identity Server.
![[WSO2 Integration Summit Johannesburg 2019] Security in a Distributed Computing Environment](https://image.slidesharecdn.com/wso2integrationsummitjohannesburg2019-securityinadistributedcomputingenvironment-190611095639/85/WSO2-Integration-Summit-Johannesburg-2019-Security-in-a-Distributed-Computing-Environment-4-320.jpg)
[WSO2 Integration Summit Johannesburg 2019] Security in a Distributed Computing Environment
- 1. Security in the Context of Distributed Computing
- 2. Who am I? Solutions Architect For DeARX Based in our Cape Town office Christhonie Geldenhuys
- 3. Topics A practical view based on our experience with distributed computing ► A look at modern distributed systems ► Authentication ► Creating a seamless experience ► Leveraging Social login ► Additional factors ► Identity Management ► A single view ► Personal data and consent ► Authorisation ► Rate limiting or throttling
- 5. An evolution in component size Source: Tiempo Development
- 6. And an evolution in location
- 7. Monolithic to Microservices Source: Tiempo Development
- 8. So how does this impact security?
- 9. Key considerations remain the same ► Who is accessing the system? Authentication ► What can they do? Authorization ► When/how often can they do it? Throttling
- 10. Authentication
- 11. Traditional monolithic authentication Typical application level implementation of role base access control
- 12. Traditional approach cause duplication Legacy User DB Active Directory App 1 App 2 We still see many examples of this!
- 13. Traditional approach cause duplication Active Directory Application 1 Application 2 This is much better.
- 14. Authentication as a service Use a “Trusted 3rd party” Back-end servers
- 15. Central authentication mechanism Provide a single mechanism for identity management and authentication. Integrate applications with the Identity server.
- 16. Benefits of this approach ► A single mechanism for authentication ► Common and shared across all application ► User information in one place ► Easy to maintain ► Can leverage proven security standards Using an Identity Server provides; ► Central login mechanism ► Customised registration flow ► Customised approval flows ► Advanced authentication techniques
- 17. Single Sign-On Single Sign-On application have the following characteristics; ► Static, well known URL – i.e. http://logon.acme.com ► Authentication session is maintained at this URL; ► Using cookies to identify the session ► Redirect mechanisms are used to redirect to and from this app Benefits ► This enables the authentication session to span multiple application. ► Login once for a range of applications.
- 18. Implementation considerations ► Users and Groups now become a central responsibility ► Roles remain an application concern ► Share information via API or claims. How do we separate the various identity objects?
- 19. Social Login – Use cases ► End-users – Removes the risk to create yet another account ► Occasional or temporary workers – i.e. contractors, not requiring the benefits corporate-wide access control groups / roles
- 20. Identity information and POPI
- 21. What is POPI ► Protection of Personal Information Act will regulate the Processing of Personal Information. ► Personal Information broadly means any information relating to an identifiable, living natural person or juristic person (companies, CC’s etc.) and includes, but is not limited to: ► contact details: email, telephone, address etc. ► demographic information: age, gender, race, birth date, ethnicity etc. ► history: employment, financial, educational, criminal, medical history ► biometric information: blood type etc. ► opinions of and about the person ► private correspondence etc. ► Processing means broadly anything that can be done with the Personal Information, including collection, usage, storage, dissemination, etc.
- 22. Personal information as a service What if… ► We can access personal data from a central source ► Information is stored once. ► Easy to add, change or remove in one place. ► Central access control ► Provide a customer self-help portal to view or change data. ► Get user content to determine who can use it.
- 23. Personal information capture ► Initial user / customer information is captured as part of the registration process. ► Additional user information can also be stored here over time.
- 24. Personal information distribution Obtaining the user consent is one of the fundamental requirements of personal information regulation. WSO2 Identity Server facilitates this through its Consent Management features.
- 25. Support in WSO2 Identity Server Consent Management ► Provides self-help profile creation, user provisioning to other systems, sharing of user attributes through SSO, and identity federation are fully based on user consent ► Users can review, modify, and revoke previously given consent via the self-care user portal or RESTful Consent API ► Consent API can also be used to integrate WSO2 IS consent management capabilities with existing applications ► WSO2 IS can be used to manage consent of any 3rd party application via the RESTful Consent API
- 26. User account management by WSO2 IS
- 27. Authorization
- 28. OAuth to the rescue WSO2 Identity Server includes support for the popular OAuth standards.
- 29. API Manager as a first line of defence API Manager help offloads checking tokens at the point of ingress.
- 30. Who is this? – Access tokens When using Access Tokens… We might want to check who is using this token; ► For display of user name perhaps ► For additional authorization decisions ► Per operation, per business record, etc.
- 31. Access token lookup ► Use API to validate/lookup token claims. ► Cache token for the validity period. ► Store principle and claims as part of cache. Token validation lookup
- 32. Who is this? - JWT
- 33. Access Token or JWT? Access Token Benefits ► Small, simple ► Ideal for smaller number of sessions and “chatty” interfaces. Drawbacks ► Require lookup ► Mitigated through caching JWT Benefits ► Self contained, stateless ► Verification can be self contained, or via lookup (remember to cache) Drawbacks ► Large (sometimes larger than payload). Not ideal for; ► “Chatty” APIs ► Expensive networks, i.e. Mobile, Satellite, IoT
- 34. Trust your services It is vital to verify the communication path and authenticity of your identity / authentication infrastructure. Identity your infrastructure; ► Use HTTPS! ► Check the certificates! Consider using certificate chains:
- 35. Which OAuth flow / grant type? https://auth0.com/docs/api-auth/which-oauth-flow-to-use Use the online decision tree to determine which OAuth flow is best for your application;
- 36. Rate limiting
- 37. Rate limiting – Why and how ► Limit access to APIs using the various rate limiting filters. ► Absolute limits or support for burst traffic. ► API manager continuously monitors the traffic and limits. ► API suspension is implemented when limits are reached. ► Rather stop them at the gate than try to deal with load while under load. ► Suspension returns pre-defined error codes (customisable) ► API auto resume after predefined period(s).
- 39. Summary ► Authentication as a service ► A seamless experience for the user, across multiple applications ► Identity as a service ► User/customer information in one place. ► Controlled access to that information. ► Authorization ► A mechanism to provide access to resources. ► Rate limiting ► To protect our systems from over-use and abuse.