Zero Trust Security With Athenz
If we assume all networks to be hostile, then we require transport encryption for all traffic. Operating in a hostile environment requires that clients authenticate the services they talk to, just as services need to authenticate the clients connecting to them; mutual authentication becomes mandatory. Authentication by itself is not sufficient, though: authenticated clients require explicit authorization to be allowed to perform actions, and that authorization must always be limited to the least privilege required.
At Oath, we have developed and open sourced a service authentication and role-based authorization system called Athenz (http://www.athenz.io/) to address the core zero trust principles. We use Athenz to bootstrap our instances deployed in both private and public clouds with service identities in the form of short-lived X.509 certificates, which allow one service to securely communicate with another. At Oath, every instance is powered by an Athenz identity of this kind, at scale.
In this talk, we will discuss Athenz, its integration with OpenStack, Kubernetes, and AWS for RBAC and identity provisioning, and how it enables Zero Trust.
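To make the three requirements above concrete (encrypted, mutually authenticated transport; a service identity taken from a short-lived X.509 certificate; explicit, least-privilege authorization), here is an added Go example. It is not Athenz code and does not use the Athenz API; the policy model, the role and service names (readers, sports.api, scores) and the 24-hour lifetime cap are constructed for illustration, and chain verification is left to the TLS configuration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"time"
)

// Constructed policy model (names made up): roles are granted actions on resources, service principals hold roles, default deny.
type Assertion struct{ Role, Action, Resource string }
type Policy struct {
	Members    map[string]map[string]bool // role -> set of service principals holding it
	Assertions []Assertion
}
// maxLifetime caps identity certificate validity so a leaked key is useful only briefly.
const maxLifetime = 24 * time.Hour
// serverTLSConfig requires and chain-verifies a client certificate against the trusted CA pool.
func serverTLSConfig(cas *x509.CertPool) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: cas}
}
// principalFromCert maps a chain-verified peer certificate to its principal (CN), enforcing validity window and lifetime cap.
func principalFromCert(cert *x509.Certificate, now time.Time) (string, error) {
	cn := cert.Subject.CommonName
	switch {
	case now.Before(cert.NotBefore) || now.After(cert.NotAfter):
		return "", fmt.Errorf("certificate for %q not valid at %s", cn, now.Format(time.RFC3339))
	case cert.NotAfter.Sub(cert.NotBefore) > maxLifetime:
		return "", fmt.Errorf("certificate for %q exceeds max lifetime %v", cn, maxLifetime)
	}
	return cn, nil
}
// Allowed permits an action only when a role the principal holds has an explicit assertion for exactly that action and resource.
func (p Policy) Allowed(principal, action, resource string) bool {
	for _, a := range p.Assertions {
		if a.Action == action && a.Resource == resource && p.Members[a.Role][principal] {
			return true
		}
	}
	return false
}

func main() {
	now := time.Now()
	cert := &x509.Certificate{Subject: pkix.Name{CommonName: "sports.api"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	p := Policy{Members: map[string]map[string]bool{"readers": {"sports.api": true}}, Assertions: []Assertion{{"readers", "read", "scores"}}}
	who, err := principalFromCert(cert, now)
	fmt.Println(who, err, p.Allowed(who, "read", "scores"), p.Allowed(who, "write", "scores"))
}
```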