Practical IAM & CIAM
Combined Session
Thursday, June 06, 2024 11:00—12:00
Location: B 07-08
Stolen secrets and credentials are one of the most common ways for attackers to move laterally and maintain persistence in cloud environments.
Modern cloud deployments employ secrets management systems such as KMS to protect key materials at rest and avoid leaking keys or credentials in source code or other build artifacts. However, secrets are unprotected at runtime, so any vulnerability or compromise of a service could lead to credential theft.
This talk will propose an architecture that, in conjunction with a secret manager, tokenizes secrets and rewrites requests at runtime. Through this approach, application code never directly interacts with key material. Additionally, it enforces stringent access control rules based on Open Policy Agent (OPA) policies for accessing secrets, significantly reducing the blast radius in the event of a security breach.
In a world where authorization is externalised, ownership often still lies with decentralised application teams to allow for organisational scalability. Autonomy of these teams is important so that they can move fast. Zalando has 2000+ in-house applications owned by hundreds of engineering teams who will use externalised authorization. Each of these teams will write their own authorization policies as code using Open Policy Agent.
This talk will share insights into how we started treating authorization artefacts similar to other application development artefacts. The focus will be on building blocks and safeguards that enable engineering teams to take authorization policies through the development life cycle.
There is no good or bad Level of Assurance to root any CIAM upon. It all depends on the business and the risks. A unique mix of business, legal, IT security, technical, and CX skills is required to discover, define, and communicate requirements for customer authentication methods. The correct balance between these factors brings peace of mind and enablement to the business. Hear some highlights of If P&C Insurance's journey of defining and enforcing a Level of Assurance aligned with the realities of an insurance enterprise.