Dates
Conferences
Tags
Sort by:
Most recent
Conference: KubeCon + CloudNativeCon Europe 2023
Authors: Frederick Kautz
2023-04-21
tldr - powered by Generative AI
The presentation discusses the importance of establishing trust in computer systems and processes, and challenges the concept of 'zero trust' by suggesting that it should be renamed to 'zero implicit trust' to make it explicit.
- Understanding the context of a system is important in determining how much to spend on defending it and what the value of the thing being defended is
- Establishing trust in the foundation of a system is crucial before building on top of it
- Developing a framework for trust involves asking questions about what is being trusted and why, and what the consequences are if that trust is violated
- The blast radius of an incident should be kept small to minimize the impact of a breach or failure
- The concept of 'zero trust' should be renamed to 'zero implicit trust' to make it explicit that something is being trusted and to encourage proper analysis and risk assessment
Conference: Global AppSec San Francisco 2022
Authors: Niclas Kjellin
2022-11-18
A little trust goes a long way, or so they say. The fundamentals of any resilient network, be it human or digital, starts with trust, where entities can authenticate themselves and others and communicate securely.Traditionally, a digital network uses the X.509 certificate standard and application-specific solutions to build trust and secure communication. Dime (Data Integrity Message Envelope) is an alternative open data format used to build trust and share data securely within networks of any size and shape. Dime envelopes contain encoded information, including verifiable claims by the sending party and application-specific data. In addition, using digital signatures and end-to-end encryption ensures that data cannot be altered or read by unauthorized parties. Some of the covered topics:- Trust-based networks – public key-based authentication to provide trust between entities- Message wrapping – end-to-end encryption to securely deliver data- Cryptographic linking – link items cryptographically for proof-building- Signature tags – to prove reception, processing, or verification of an itemAlthough there is no need to have deep secure engineering knowledge to get going with Dime, this talk aims to go through the underlying concepts, which will help to avoid common pitfalls and enable you to build more secure applications. The presentation uses real code examples to support and explain each concept further. Human readability and ease of use are at the heart of Dime, drawing on ideas from other formats such as JWT, PASETO, and Branco.As many use cases exist, including IoT, instant messaging, and banking apps, Dime may be crucial to your plans to take over the world (with your subsequent app success). At the very least, it will work through and strengthen your (digital) trust issues.
Conference: Cloud Native SecurityCon North America 2022
Authors: Steve Judd
2022-10-25
tldr - powered by Generative AI
The importance of understanding and assuring the trustworthiness of external dependencies in software applications
- Modern software components contain a selection of external dependencies whose provenance is unknown
- Assuring the trustworthiness of dependencies is often ignored by organizations and their engineering teams
- Efficient, automated pipelines can be used to audit dependencies for vulnerabilities and license obligations, assess them against the organization’s security policies, and ultimately provide the ability to control which dependencies can be used and deployed within the organization
Conference: CloudOpen 2022
Authors: Andrew Martin
2022-06-21
tldr - powered by Generative AI
The presentation discusses the concept of workload identity and its importance in securing cloud native systems. It explores the limitations of traditional authentication mechanisms and proposes the use of dynamic credentials and hardware roots of trust.
- Historically, identifiers such as IP addresses, passwords, and certificates were used for authentication, but they are no longer effective in dynamic cloud native systems.
- Workload identity is a way for workloads to prove their identity without the need for a secret.
- A trusted third party is needed to issue identities, and identity documents should be short-lived and verifiable through cryptography.
- TPMs, Keylime, and trusted execution environments can provide stronger guarantees of identity and integrity.
- Spire and Spiffy are useful tools for managing workload identity in more complex environments.
Conference: KubeCon + CloudNativeCon Europe 2022
Authors: Ric Featherstone
2022-05-20
tldr - powered by Generative AI
The presentation discusses the importance of machine identity and workload identity in securing cloud native systems. It explores the issues with traditional authentication mechanisms and proposes solutions using open source implementations and technologies.
- Historically, identifiers such as IP addresses, passwords, and certificates were used for authentication, but they are no longer effective in a dynamic cloud native system.
- Machine identity and workload identity are crucial for securing cloud native systems.
- Secrets management and access control rely on workload identity or secret zero.
- Cloud credentials can be obtained using OpenID Connect (OIDC) and can be used for authorization.
- SPIFFY and SPIRE provide an identity framework for workload identity and machine identity.
- SPIFFY ID is a URI format that represents the identifier for a workload.
- SPID documents are short-lived and rotated frequently.
- SPID documents are verified using cryptography and trust bundles.
- SPIRE is an implementation of the SPIFFY standards that includes an agent and server.
- The agent attests to the server, and workloads attest to the agent to map selectors to workload identities.
Conference: Transform X 2021
Authors: Navrina Singh
2021-10-07
Navrina Singh is the Founder & CEO of Credo AI which helps organizations build Artificial Intelligence with higher ethical standards. She discusses why AI governance is critical to the scaling of AI across and highlights the risks of not governing AI effectively. She shares how organizations can adopt AI governance practices effectively and continuously to build trust with internal and external stakeholders.