Authentication and authorization for humans is, more or less, a solved problem. But how do you trust the identity of the hosts (instances) in your cloud? How can you be assured, in a world of man-in-the-middle attacks (ARP spoofing, DNS cache poisoning, etc.), that a given instance really is who it claims to be? And how can this be done without requiring any manual intervention by a human?
At Oath, we’ve leveraged the power of open source to solve exactly this problem. We have developed and open sourced a service authentication and authorization system called Athenz. By combining the strengths of OpenStack and Athenz, we’ve created a solution called ‘Copper Argos’ that provides attestable identity in the form of a unique, short-lived X.509 host certificate and SSH host certificate for every single instance in our cloud. In this talk we will describe the value and design of this system and its components, as well as the potential it unlocks.
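The following is an added, self-contained Go example (not Athenz or Copper Argos code) that illustrates the property the abstract describes: an instance's identity is asserted by a short-lived X.509 certificate bound to the instance name, issued by a CA the relying party trusts. The instance name, the one-hour lifetime and the local CA are all constructed for the example. It shows why a network-level attacker (ARP or DNS spoofing) cannot impersonate the instance: a certificate from any other issuer, for any other name, or outside its validity window is rejected by the standard chain check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// instanceName is a constructed example identity; real systems derive it
// from the cloud provider's instance metadata, not from a constant.
const instanceName = "i-0123456789abcdef0.example.internal"

// newCA builds a throwaway self-signed ECDSA P-256 CA for the example.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Host CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueHostCert issues a short-lived certificate for one instance. The
// identity is carried in the DNS SAN; the validity window is deliberately
// narrow so that a stolen certificate is useful only briefly.
func issueHostCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey,
	name string, issuedAt time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	hostKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    issuedAt,
		NotAfter:     issuedAt.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &hostKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyHost is what a relying party does before trusting an instance:
// the certificate must chain to the trusted CA, name the expected instance,
// and be valid at the time of the check.
func verifyHost(ca, cert *x509.Certificate, expectedName string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     expectedName,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	issued := time.Now()
	cert, err := issueHostCert(ca, caKey, instanceName, issued, time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh cert, right name:", verifyHost(ca, cert, instanceName, issued.Add(10*time.Minute)))
	fmt.Println("same cert two hours later:", verifyHost(ca, cert, instanceName, issued.Add(2*time.Hour)))
	fmt.Println("same cert, spoofed name:", verifyHost(ca, cert, "other.example.internal", issued.Add(time.Minute)))
}
```

The first check returns nil; the second fails because the certificate has expired, and the third fails because the SAN does not match the name the relying party expected. Rotating the host certificate every hour (or less) is what makes the first failure mode a feature rather than an operational burden.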
About the speakers
James Penick, IaaS/Cloud Architect, 13 years at Oath designing and building infrastructure with an eye on practical solutions for security and scale. Ric Allinson, VP IaaS, 12 years at Oath building industry leading solutions for Search, Big Data, Presentation & Messaging Platforms, Membership, Edge, and Infrastructure.
Together they've seen things you people wouldn't believe. NFS mounts spanning oceans. They've watched lead power junction blocks glitter and melt near a Hadoop cluster calculating pi. They share their experiences so those moments will not be lost in time, like tears in rain. Time to dynamically build infrastructure.