Lifting the Curse of Static Credentials

Why do we still log in with a username and password almost everywhere in the age of cryptographic passports and 50€ hardware tokens?

Static credentials of all kinds (passwords, permanent tokens, SSH keys ...) are a major hazard in IT. A lot of engineering effort goes into securely managing secrets, and still companies utterly fail in this area (see "Instagram's Million Dollar Bug").

It is essential to eradicate such static credentials wherever possible. Digital identities, access control lists and trust relationships are the modern tools that make our services secure and our lives as engineers easy.

Come and learn from practical examples and specific recommendations for on-premise data centers, desktops and cloud environments that you can instantly use at home and at work. Practical examples include AWS identity integration for Kubernetes or for GitLab CI.

Stealing data from public or shared cloud environments is a rising threat that has already put companies out of business. Putting all our assets into public or shared clouds takes away the layer of physical security that is the basis of traditional security concepts. One of the root causes of weak security in cloud environments is static credentials.

This talk raises awareness of this problem and provides proven solutions for it. It lays out a security strategy that significantly reduces the risk of being hacked and that increases convenience for all users and developers.

See A Login Security Architecture Without Passwords (https://schlomo.schapiro.org/2022/02/login-security-architecture-without-passwords.html) for more background info.

The audience is anyone interested in security and modern IT environments. DevOps engineers and others can learn how to use and set up modern authentication systems with security in mind. Users, administrators and decision makers will learn why eradicating static credentials is one of the most important challenges in modern IT.

This presentation will help everyone better understand the connection between ease of automation, static credentials and general security design. In line with Rugged DevOps and Lean Security, these are very important topics that help everybody build better systems that are secure by their nature and that are impossible to hack because there are no secrets that can be stolen.

Kubernetes and other cloud solutions already provide advanced mechanisms that allow us to build large environments without static credentials. Concrete examples show the integration of AWS, Kubernetes and on-premise data centers.

Schlomo Schapiro

Agile IT & Open Source Enthusiast

Berlin, Germany
