February 25, 21
Slide overview
Open Source Summit Japan 2018
https://events19.linuxfoundation.org/events/open-source-summit-japan-2018/program/slides/
Moved to Speaker Deck in October 2023. For the latest information, see https://speakerdeck.com/lycorptech_jp
Athenz: The Open-Source Solution to Provide Access Control in Dynamic Infrastructures Tatsuya Yano / Yahoo Japan Corporation
Athenz: Open Source System Created by Yahoo Inc.
• Service Authentication – Provides a secure identity, in the form of an X.509 certificate, to every workload / service in modern environments
• Authorization – Provides fine-grained Role Based Access Control (RBAC)
Service Authentication
Authentication
• User Authentication – AD / LDAP / Okta / etc.
• Service Authentication – Instances within a service need a unique identity to enable secure communication
  – IP / network ACLs / iptables
  – Mutual TLS with X.509 certificates
Why does this matter?
• Many persistent large scale infrastructure problems are rooted in identity and policy
  – Network ACL complexity
  – Federated "Single" Sign On (SSO) systems
  – Headless / automation users
  – Shared secrets
Certificate Based Authentication
• Every instance / service in your cloud has its own identity
• Stronger security through mutual TLS authentication
• Short-lived certificates
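The three points on this slide, worked through in code. This is an added example and not Athenz's own code: a toy CA standing in for the signing service issues one-hour X.509 identities to two constructed services, sports.api and sports.batch (the "domain.service" principal in the CN follows the Athenz convention; reusing the principal as the DNS SAN is a simplification assumed here), and the two sides then complete a mutual-TLS handshake in which the server learns the caller's identity from the certificate rather than from its network address. The tls.Config.Time hook makes validity deterministic, and the same x509 check run two hours later shows why a short lifetime limits what a stolen key is worth.

```go
// Added example, not Athenz code: short-lived X.509 service identities plus mutual TLS.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CA stands in for the certificate signing service (ZTS in Athenz).
type CA struct {
	Root tls.Certificate
	Pool *x509.CertPool // what a server puts in tls.Config.ClientCAs
}

// mint generates a P-256 key, picks a random serial and signs tmpl with
// parentKey; a nil parentKey yields a self-signed certificate.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	if parentKey == nil {
		parentKey = key
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)); err != nil {
		return tls.Certificate{}, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

func NewCA(now time.Time) (*CA, error) {
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: "Toy Athenz CA"}, NotBefore: now,
		NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root, err := mint(tmpl, tmpl, nil)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root.Leaf)
	return &CA{Root: root, Pool: pool}, nil
}

// Issue mints an identity for principal ("domain.service" in the CN, as Athenz does) valid
// only for ttl: hours, not years, so a stolen key stops being useful quickly and re-issue,
// not a CRL, is the kill switch. Reusing the principal as DNS SAN is an assumption of this toy.
func (ca *CA) Issue(principal string, ttl time.Duration, now time.Time) (tls.Certificate, error) {
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: principal}, DNSNames: []string{principal},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	return mint(tmpl, ca.Root.Leaf, ca.Root.PrivateKey.(*ecdsa.PrivateKey))
}

// Handshake runs mutual TLS between server and client over an in-memory pipe, both trusting
// only ca and judging validity as of now; it returns the principal taken from the client cert.
func Handshake(ca *CA, server, client tls.Certificate, now time.Time) (string, error) {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: ca.Pool,
		ClientAuth: tls.RequireAndVerifyClientCert, Time: func() time.Time { return now },
		MinVersion: tls.VersionTLS12, SessionTicketsDisabled: true} // no post-handshake write on the synchronous pipe
	cliCfg := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: ca.Pool,
		ServerName: server.Leaf.DNSNames[0], Time: func() time.Time { return now }, MinVersion: tls.VersionTLS12}
	a, b := net.Pipe()
	defer func() { a.Close(); b.Close() }()
	for _, c := range []net.Conn{a, b} { // fail instead of hanging if the pipe ever stalls
		c.SetDeadline(time.Now().Add(5 * time.Second))
	}
	srv, cli := tls.Server(a, srvCfg), tls.Client(b, cliCfg)
	done := make(chan error, 1)
	go func() { done <- cli.Handshake() }()
	if err := srv.Handshake(); err != nil {
		return "", fmt.Errorf("server rejected client: %w", err)
	}
	if err := <-done; err != nil {
		return "", fmt.Errorf("client rejected server: %w", err)
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	now := time.Now()
	ca, err := NewCA(now)
	if err != nil {
		panic(err)
	}
	api, _ := ca.Issue("sports.api", time.Hour, now)
	batch, _ := ca.Issue("sports.batch", time.Hour, now)
	fmt.Println(Handshake(ca, api, batch, now)) // sports.batch <nil>
	_, err = batch.Leaf.Verify(x509.VerifyOptions{Roots: ca.Pool, CurrentTime: now.Add(2 * time.Hour)})
	fmt.Println(err) // two hours later the one-hour identity is rejected as expired
}
```

The server never looks at a header or source IP: the principal comes out of a certificate chained to the CA it trusts, and once the certificate's hour is over the same verification fails without any revocation machinery. A real deployment would renew well before expiry and, as the later slides describe, have the provider attest the instance before the CA issues anything.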
Copper Argos
• Generalized model for authorized service providers to launch other service identities in an authorized way, through a callback-based verification model.
• Providers: OpenStack, Amazon EC2, Kubernetes, AWS ECS, Screwdriver, AWS Lambda
Bootstrapping Athenz Identity
Authorization
Athenz Data Model
Single source of truth
• Most infrastructures in cloud computing environments (e.g. Kubernetes, OpenStack, AWS, etc.) have their own system of access control.
• Athenz provides interfaces to integrate with each infrastructure, so that multiple environments run under a single access control model.
• Cloud computing environments: OpenStack, Amazon EC2, Kubernetes, AWS ECS, Screwdriver, AWS Lambda
Authorization - Centralized Access Control
Authorization - Decentralized Access Control
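Whether a service asks a central server for the decision or evaluates a local copy of its domain's policies itself, the decision is the same walk over roles and assertions. The following is an added example, not Athenz code, of that evaluation over an Athenz-style model: a domain holds roles with member principals and policies made of effect/action/role/resource assertions, and a resource is written as "<domain>:<resource>" so that the domain to consult comes from the resource itself. The "sports" domain data and the service names are constructed, and the trailing-wildcard matching is a simplification of Athenz's glob rules.

```go
// Added example, not Athenz code: RBAC evaluation over an Athenz-style domain/role/policy model.
package main

import (
	"fmt"
	"strings"
)

// Assertion has the shape of an Athenz policy assertion:
// "<effect> <action> to <role> on <resource>".
type Assertion struct{ Effect, Action, Role, Resource string }

// Domain is a cut-down Athenz domain: each role maps to its member principals
// ("domain.service" or "user.<name>"), and each named policy groups assertions.
type Domain struct {
	Roles    map[string][]string
	Policies map[string][]Assertion
}

// match accepts an exact value or a trailing '*' wildcard (Athenz accepts
// fuller glob patterns; this is a simplification).
func match(pattern, value string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == value
}

// HasRole reports whether principal is a direct member of role.
func (d Domain) HasRole(principal, role string) bool {
	for _, m := range d.Roles[role] {
		if m == principal {
			return true
		}
	}
	return false
}

// Allowed walks every assertion whose role the principal holds. A matching DENY
// wins over any ALLOW, and nothing matching means denied, so a principal with
// no role in the domain gets nothing by default.
func (d Domain) Allowed(principal, action, resource string) bool {
	allowed := false
	for _, policy := range d.Policies {
		for _, a := range policy {
			if !d.HasRole(principal, a.Role) || !match(a.Action, action) || !match(a.Resource, resource) {
				continue
			}
			if a.Effect == "DENY" {
				return false
			}
			allowed = true
		}
	}
	return allowed
}

// Check routes the request to the domain named by the resource prefix (the part
// before ':'), as Athenz does, and denies when that domain is unknown.
func Check(domains map[string]Domain, principal, action, resource string) bool {
	name, _, found := strings.Cut(resource, ":")
	d, ok := domains[name]
	return found && ok && d.Allowed(principal, action, resource)
}

// SampleDomains is constructed data: in "sports", the api service may read
// articles and the batch service may do anything except delete.
func SampleDomains() map[string]Domain {
	return map[string]Domain{"sports": {
		Roles: map[string][]string{"readers": {"sports.api"}, "admins": {"sports.batch"}},
		Policies: map[string][]Assertion{
			"read-articles": {{"ALLOW", "read", "readers", "sports:article.*"}},
			"admin":         {{"ALLOW", "*", "admins", "sports:*"}, {"DENY", "delete", "admins", "sports:*"}},
		},
	}}
}

func main() {
	d := SampleDomains()
	fmt.Println(Check(d, "sports.api", "read", "sports:article.42"))     // true
	fmt.Println(Check(d, "sports.api", "write", "sports:article.42"))    // false: no ALLOW matches
	fmt.Println(Check(d, "sports.batch", "delete", "sports:article.42")) // false: DENY wins
	fmt.Println(Check(d, "sports.batch", "read", "news:article.42"))     // false: other domain
}
```

The principal passed to Check is the one the caller proved during mutual TLS, so identity and policy meet in one place; the default-deny result for unknown domains and for principals without a role is what keeps a mis-typed resource or a new service from silently gaining access.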
Demo
Advantages of Athenz
• To provide service identity X.509 certificates for services running in common providers like Kubernetes, OpenStack or AWS that can be used for mutual TLS authentication.
• To have precise and frequently configurable access controls with a single source of truth.
Future plans
• To support SPIFFE IDs in the SAN field of X.509 certificates
• To integrate with Istio / Envoy for authorization
Resources
• Athenz Website: http://www.athenz.io
• Athenz GitHub: https://github.com/yahoo/athenz
• Athenz Slack Channel: https://athenz.slack.com/
• Athenz Discussion Groups:
  – Google Group: Athenz-Users
• Questions or Comments:
  – Tatsuya Yano: [email protected]
Join US http://www.athenz.io
Q&A