Speaker

Yoshiyuki Tabata

CNCF TAG Security and Compliance Tech Lead / CNCF Ambassador

Yoshiyuki Tabata is an OSS consultant with over a decade of experience in IAM, API platforms, and cloud-native security. As Tech Lead of CNCF TAG Security and Compliance, he helps shape security guidelines and best practices. He also speaks at global conferences including KubeCon, sharing insights from his work in open source and cloud-native security. In the Keycloak community, he helped launch the first KeycloakCon, maintains language translations, and supports community engagement at events.

Let’s join CNCF TAG Security APAC!

The CNCF Security Technical Advisory Group (TAG Security) brings together cloud-native security experts, and anyone interested in cloud-native security, to work on issues across many security areas. We do this in several ways: white papers produced as resources for the community, presentations on new security projects including CNCF projects, security assessments of CNCF projects, and many other initiatives.
For a long time, TAG Security meetings were held only in the US and EMEA time zones, which made it difficult for security friends in the APAC time zone to contribute to TAG Security. Starting in August of this year, we now also hold meetings in the APAC time zone!
In this presentation, Yoshiyuki Tabata, facilitator for TAG Security APAC, will provide an overview of TAG Security and its latest trends.
Let's make TAG Security APAC even more exciting together!

Mastering Authorization: Integrating Authentication and Authorization Data in Cloud-Native Apps

Authorization is one of the most important considerations for cloud-native applications, as highlighted by the OWASP Top 10. For a long time, there was no clear standard, making authorization a significant challenge for many implementers. The OpenID Foundation AuthZEN WG is now working on standards, focusing on interfaces between PEP (Policy Enforcement Point) and PDP (Policy Decision Point), which provides some hope.
However, managing authorization data remains challenging. Since this data is closely related to authentication data, architects often struggle with how the OP (OpenID Provider) and PDP should manage and integrate it. There are multiple methods, and the best approach varies by use case.
In this session, Yoshiyuki Tabata will explain various methods for managing and integrating authentication and authorization data. He will also describe implementation using Keycloak for OP and Topaz for PDP, providing valuable insights into effective data management.

How does a workload authenticate an API request?: Implementing Transaction Tokens with Keycloak

Using OAuth2 access tokens is the best practice for a resource server to authenticate an API request. As stated in the draft CNCF Zero Trust White Paper, the resource server should verify the "audience" of the access token so that a token issued for one recipient cannot be consumed by another (a "Token Redirect" attack). In cloud-native architectures in particular, there are many internal workloads, so it is hard for the resource owner to identify every audience and consent to each consumption. In this case, we can adopt the OAuth WG draft "Transaction Tokens" (Txn-Tokens), which uses OAuth2 Token Exchange (RFC 8693) to issue Txn-Tokens that let downstream workloads identify the call chain. Keycloak, an open-source IAM, supports Token Exchange, so it can potentially act as the Txn-Token service that issues Txn-Tokens.
In this presentation, Yoshiyuki Tabata provides an overview of Txn-Tokens and introduces how to implement Txn-Tokens with Keycloak.
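The audience check and the Txn-Token exchange described in this abstract, as an added example in Python. This is not code from the talk, from Keycloak, or from the Txn-Token draft (a Keycloak implementation would live in its Java SPIs); it is a self-contained sketch of the protocol roles. Assumed for the demo: the issuer URLs, the subject "alice", the constructed keys, HS256 as a stand-in for the asymmetric signatures a real OP and Txn-Token service would use, the mapping of the exchange's scope onto the purp claim, and the base64url-JSON encoding of request_context, which is my reading of the draft and should be checked against the current revision.

```python
"""Added example (not from the talk, Keycloak or the Txn-Token draft): a
resource server's audience check, and a toy Txn-Token service reached via
RFC 8693 token exchange so downstream workloads can see the call's origin."""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Identifiers from RFC 8693 and the OAuth WG Transaction Tokens draft
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
TXN_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:txn_token"

# Constructed demo keys. Real OPs and Txn-Token services sign with asymmetric
# keys published via JWKS; HS256 is used here only to keep the example offline.
OP_KEY = b"demo-op-key"
TTS_KEY = b"demo-txn-token-service-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_hs256(claims: dict, key: bytes, typ: str = "JWT") -> str:
    """Compact JWS with an HS256 signature (toy signer for the demo)."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jws_hs256(token: str, key: bytes):
    """Return the claims if the signature verifies, otherwise None."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(p))
    except (ValueError, json.JSONDecodeError):  # malformed token or base64
        return None


def audience_ok(claims: dict, expected_aud: str, now=None) -> bool:
    """A token minted for another recipient must be rejected here (token
    redirect); so must an expired one. `aud` may be a string or a list."""
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return False
    exp = claims.get("exp")
    current = time.time() if now is None else now
    return isinstance(exp, (int, float)) and current < exp


def resource_server_accepts(token: str, key: bytes, expected_aud: str, now=None) -> bool:
    claims = verify_jws_hs256(token, key)
    return claims is not None and audience_ok(claims, expected_aud, now)


def txn_token_request(subject_token: str, trust_domain: str, scope: str, request_context: dict) -> dict:
    """Form body the ingress workload POSTs to the Txn-Token service (RFC 8693
    parameters; base64url-JSON for request_context is an assumption)."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "requested_token_type": TXN_TOKEN_TYPE,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": trust_domain,  # the whole trust domain, not one API
        "scope": scope,
        "request_context": _b64url(json.dumps(request_context).encode()),
    }


def txn_token_service(form: dict, accepted_aud: str, now=None):
    """Toy Txn-Token service (the role the abstract suggests Keycloak could
    play): validate the inbound access token, then mint a short-lived
    Txn-Token addressed to the trust domain."""
    if (form.get("grant_type") != TOKEN_EXCHANGE_GRANT
            or form.get("requested_token_type") != TXN_TOKEN_TYPE
            or form.get("subject_token_type") != ACCESS_TOKEN_TYPE):
        return None
    subject = verify_jws_hs256(form.get("subject_token", ""), OP_KEY)
    if subject is None or not audience_ok(subject, accepted_aud, now):
        return None  # the caller presented a token not meant for it
    issued = int(time.time() if now is None else now)
    claims = {
        "iss": "https://tts.example.internal",  # constructed issuer
        "aud": form["audience"],
        "iat": issued,
        "exp": issued + 300,
        "txn": str(uuid.uuid4()),  # correlates every hop of the call chain
        "sub": subject["sub"],
        "purp": form.get("scope", ""),  # purpose, derived from scope (assumption)
        "rctx": json.loads(_b64url_decode(form["request_context"])),
    }
    return jws_hs256(claims, TTS_KEY, typ="txn_token")


def downstream_accepts(txn_token: str, trust_domain: str, now=None):
    """Any workload in the trust domain verifies the Txn-Token the same way and
    learns the originating subject, purpose and request context."""
    claims = verify_jws_hs256(txn_token, TTS_KEY)
    if claims is None or not audience_ok(claims, trust_domain, now):
        return None
    return claims
```

Usage: mint an access token for `orders-api` with `jws_hs256(..., OP_KEY)`; `resource_server_accepts` returns True for `orders-api` and False when `billing-api` tries to reuse the same token. The ingress workload then calls `txn_token_request` and `txn_token_service`, and every downstream hop reads `sub`, `purp`, `txn` and `rctx` from the Txn-Token via `downstream_accepts` without ever seeing the external access token.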

Challenge to Implementing “Scalable” Authorization with Keycloak

In the OWASP API Security Top 10 2023, three of the top five vulnerabilities include the word "authorization" (authz), so authz is becoming more important for security considerations. Authz is often developed from scratch; however, as the service expands, hand-written authz logic often scales poorly as the number of authz targets, attributes, and their combinations grows. In such cases, it is common to introduce an authz service. Keycloak, an open-source IAM, also has an authz service, and since Keycloak is an OAuth2 authorization server as well, using its authz service makes it possible to centrally manage data related to authentication (authn) and authz.
In this session, Yoshiyuki Tabata explains how to implement scalable authz using Keycloak and how to combine it with OPA so that Keycloak does not become a single point of failure (SPOF) and authz performance improves. Furthermore, by combining it with CockroachDB, he introduces an authn and authz solution that withstands regional failures and operates in multi-cloud environments.

SOSS Community Day Japan 2024
October 2024, Tokyo, Japan

CloudNativeSecurityCon North America 2024
June 2024, Seattle, Washington, United States

KubeCon + CloudNativeCon North America 2023
November 2023, Chicago, Illinois, United States
