Design Summit - Security Roadmap - Keenan Brock, Alberto Bellotti
Security: Trusting Identities
Introductions
● Alberto Bellotti
○ github: abellotti
● Keenan Brock
○ github: kbrock
○ twitter: @kbrock
Overview
● Definition
● Mechanics
● Components of the system
● Goals
● Demo
● Future
Definition: Identity and Trust
● Authentication
○ What is your identity?
● Authorization
○ What do I trust you to do?
● Auditing
○ What did you actually do?
Goals: Identity and Trust
● Fewer copies
● Simpler definitions
● Leverage existing definitions
○ identity stores
○ trust profiles
Goals: Desired Results
● Simplify appliance configuration
● Simplify access for users (SSO)
● More secure system
Accessing Auth* sources
[Diagram: appliance components (UI/WS Workers, Apache, sssd/pam, Appliance Console, Terminal, /etc/passwd, Postgres Vmdb, Aws Client) and the identity sources they reach: IdM (KDC via Kerberos, LDAP), AD (LDAP), Amazon (ReST).]
Mechanics?
● Client
○ Provides identity
● Server
○ Has a copy of identity
○ Fetch stored identity
○ Grant trust
What is a Client and Server
A system or component that calls another:
● User
● Computer
● Component
Mechanics: Client’s Identity
● Password
● Kerberos ticket (keytab)
● IP Address
● Client side certificates*
● SAML (SSO)*
* future
Mechanics - Copy of Identity
● plaintext
● md5
● aes - symmetric cipher (v2_key)
● id_rsa.pub
Goal: protect the identity
Mechanics - Fetch Identity
● Postgres table (e.g.: pg_shadow, users)
● host based (firewall)
● Filesystem (e.g.: /etc/passwd)
● LDAP (AD, IdM)
● Kerberos (IdM)*
● Amazon (IAM)
● Certificate Authority*
* generated remotely, stored locally
Accessing Auth* sources
[Diagram repeated: the same appliance components and identity sources (IdM/KDC, AD, Amazon) as on the earlier "Accessing Auth* sources" slide.]
Mechanics - Grant Trust
● same password or md5
● correct ip / user
● ticket has correct origin
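The "Copy of Identity" and "Grant Trust" slides list four ways a server can hold a client's identity (plaintext, md5, a symmetric-key-encrypted copy, a public key) and the checks it makes before granting trust. The following is an added example, not code from the deck or from ManageIQ: it implements each storage form and the matching trust check in Ruby with constructed sample data. A freshly generated random key stands in for the appliance v2_key, the secrets and CIDR ranges are made up for the demo, and the public-key case is completed with a challenge/response signature check, which the slide implies but does not spell out.

```ruby
require 'openssl'
require 'digest'
require 'ipaddr'

# --- Copy of identity: the four storage forms from the slide ---------------

# Plaintext copy: trivially usable, trivially stolen.
def copy_plaintext(secret)
  secret
end

# Unsalted MD5, as used by the legacy Postgres "md5" password scheme. Shown because the
# slide lists it; it offers little protection against offline guessing.
def copy_md5(secret)
  Digest::MD5.hexdigest(secret)
end

# Reversible copy: the server must use the secret later (LDAP bind, AWS call), so it is
# encrypted under a symmetric key. The key here stands in for the appliance v2_key (assumed).
# AES-CBC without a MAC is what the slide names; an AEAD mode would also protect integrity.
def copy_aes(secret, key)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv
  ct = cipher.update(secret) + cipher.final
  [iv + ct].pack('m0')              # base64(iv || ciphertext)
end

def recover_aes(blob, key)
  raw = blob.unpack1('m0')
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = key
  cipher.iv = raw[0, 16]
  cipher.update(raw[16..-1]) + cipher.final
end

# Public-key copy (id_rsa.pub): nothing secret is stored on the server side.
def copy_pubkey(rsa)
  rsa.public_key.to_pem
end

# --- Grant trust -----------------------------------------------------------

# Constant-time comparison so response timing does not leak the stored copy byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  k = OpenSSL::Random.random_bytes(32)
  OpenSSL::HMAC.digest('SHA256', k, a) == OpenSSL::HMAC.digest('SHA256', k, b)
end

def trust_password?(stored, presented)
  secure_equal?(stored, presented)
end

def trust_md5?(stored_hex, presented)
  secure_equal?(stored_hex, copy_md5(presented))
end

# "correct ip": host-based trust, e.g. a firewall or pg_hba-style rule.
def trust_ip?(allowed_cidrs, client_ip)
  ip = IPAddr.new(client_ip)
  allowed_cidrs.any? { |cidr| IPAddr.new(cidr).include?(ip) }
end

# Public-key copy: the client proves possession of the private key by signing a
# server-chosen challenge; the server only ever needs the public half.
def trust_signature?(stored_pub_pem, challenge, signature)
  OpenSSL::PKey::RSA.new(stored_pub_pem).verify(OpenSSL::Digest.new('SHA256'), signature, challenge)
rescue OpenSSL::PKey::PKeyError
  false
end

# --- Walk-through with constructed sample data -----------------------------

def demo
  v2_key     = OpenSSL::Random.random_bytes(32)   # assumed stand-in for v2_key
  client_key = OpenSSL::PKey::RSA.generate(2048)  # the client's id_rsa
  bind_pw    = 'ldap-bind-secret'                 # constructed sample secret

  stored = {
    plaintext: copy_plaintext('hunter2'),
    md5:       copy_md5('hunter2'),
    aes:       copy_aes(bind_pw, v2_key),
    pubkey:    copy_pubkey(client_key)
  }

  challenge = OpenSSL::Random.random_bytes(32)
  sig = client_key.sign(OpenSSL::Digest.new('SHA256'), challenge)

  {
    password_ok:   trust_password?(stored[:plaintext], 'hunter2'),
    md5_ok:        trust_md5?(stored[:md5], 'hunter2'),
    md5_bad:       trust_md5?(stored[:md5], 'hunter3'),
    recovered_pw:  recover_aes(stored[:aes], v2_key) == bind_pw,
    ip_ok:         trust_ip?(['10.0.0.0/8'], '10.1.2.3'),
    ip_bad:        trust_ip?(['10.0.0.0/8'], '192.0.2.9'),
    signature_ok:  trust_signature?(stored[:pubkey], challenge, sig),
    signature_bad: trust_signature?(stored[:pubkey], 'other challenge', sig)
  }
end

demo.each { |k, v| puts "#{k}: #{v}" } if __FILE__ == $PROGRAM_NAME
```

The point of the walk-through is the asymmetry between the forms: the plaintext and md5 copies are secrets the server must protect, the AES copy moves the problem to protecting one key (v2_key) instead of many secrets, and the public-key copy is the only one where a leaked server-side copy grants nothing to the attacker.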
IdM/Kerberos SSO Demo
● External Authentication
● Web-UI Login
● ReST API access
● Web-UI SSO Login
All using IPA credentials
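The demo flow above (Apache in front of the UI, Kerberos against the IdM KDC, the web workers trusting the identity Apache established) is the pattern sketched in the "Accessing Auth* sources" diagram. The configuration below is an added illustration, not ManageIQ's shipped httpd configuration: the realm, keytab path and the /dashboard/kerberos_authenticate location are assumptions, and it uses the mod_auth_kerb directives of the era (mod_auth_gssapi is the current replacement with a different directive set).

```apache
LoadModule auth_kerb_module modules/mod_auth_kerb.so
LoadModule headers_module   modules/mod_headers.so

# Assumed SSO entry point; the UI redirects here for a Negotiate (SPNEGO) exchange.
<Location /dashboard/kerberos_authenticate>
    AuthType            Kerberos
    AuthName            "Kerberos Login"
    # Ticket or nothing: no password fallback over HTTP Basic.
    KrbMethodNegotiate  On
    KrbMethodK5Passwd   Off
    # Assumed realm and keytab for HTTP/<appliance fqdn>@EXAMPLE.COM,
    # generated on the IdM side and stored locally (readable by httpd only).
    KrbAuthRealms       EXAMPLE.COM
    Krb5KeyTab          /etc/http.keytab
    KrbServiceName      HTTP
    # Strip @REALM so REMOTE_USER matches the IdM login name.
    KrbLocalUserMapping On
    Require             valid-user
</Location>

# The application must only ever see an identity header that Apache itself set.
# Drop anything the browser sent, then set it from Apache's own REMOTE_USER.
RequestHeader unset X-Remote-User early
RequestHeader set   X-Remote-User "%{REMOTE_USER}e" env=REMOTE_USER
```

The check a practitioner should pair with this: the application workers behind Apache must not be reachable except through Apache (bind to localhost or a private interface), otherwise any client can hand the workers an X-Remote-User header of its choosing and the "ticket has correct origin" check is bypassed entirely.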
Going forward
● Tighter Authorization of components
● Moving LDAP/AD configuration to console/Apache
● Leveraging Apache/IdM
○ AD
○ SAML
○ 2-Factor Authentication