Securing Microservices in Hybrid Cloud
By Komes Subramaniam, Senthil Velusamy
T-Mobile USA
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
About us
Komes Subramaniam, Sr. Manager, Digital Services Group
• 18+ years of IT experience
• Responsible for Digital Transformation Architecture, API Products and Platform Management
• Member of OSS working group @ T-Mobile
• Passion for running and biking
Senthil Velusamy, Sr. Member of Technical Staff, Digital Customer Experience
• 18+ years of product and technology experience
• Responsible for strategy, technical and service architecture for Mobile Apps Ecosystem
• Head of Mobile Center of Excellence, Wi-Fi Alliance board for T-Mobile
• Passion for running and cooking
About T-Mobile US
America's Un-carrier: Redefining the way consumers and businesses buy wireless through leading product and service innovation.
• Based in Bellevue, Washington
• NASDAQ traded public company – TMUS
• Two flagship brands: T-Mobile and MetroPCS
• 21 consecutive quarters with more than one million net adds
• 323 million Americans covered today
• 18 quarters in a row with the fastest download and upload speeds (Ookla and OpenSignal)
• #1 U.S. wireless carrier in customer care (J.D. Power)
About T-Mobile US (cont.)
Digital Transformation
• Monolithic to Microservices
• DevOps: You Build It, You Own It
• Telemetry
• CI/CD/CT
• Investment in FTEs
Product & Technology
• World-class product management organization
• Empowering teams to build and own customer experience-obsessed products from design through sustainment
T-Mobile Open Source Projects (https://opensource.t-mobile.com)
• casquatch: Java abstraction layer for Cassandra databases
• next-identity: Highly auditable blockchain-based access management solution
• keybiner: Library for encoding authorized business functions in an ID token
• t-vault: Simplified secrets management solution
• jazz: A platform for building serverless applications
Traditional API / Service Security
• Trust-based access to all internal APIs / services
• Traditional authentication method uses a user session id or cookie
• Stateful: the server keeps track of active authenticated sessions
Source image: montgomerynews.com
Securing Microservices
Token-based Authentication
• Stateless
• Scalable
• Performant
• Supports modern SPAs
SPA: Single Page Application
Source image: depositphotos.com
JWT, OIDC
JWT (JSON Web Token)
• Optionally validated and/or encrypted container format used to securely transfer information between two parties.
Header:
{
"type":"jwt",
"alg":"sha256"
}
Payload and claims:
{
"exp" : "xx600",
"iat" : "1xxx1699266017",
"iss" : "https://xxx.t-mobile.com",
"aud" : "TMOApp",
"nonce" : "NONCE",
"auth_time" : "1481699265",
"AT" : "3285.4326xyabbss521112m4",
"sub" : "U-9645rra1cf7-0xxxf-450c-bdbe-1yyyyy926"
}
Signature:
{
bGmI4ujxjRgc7OKKNATgvXGMADfnFmrwfwxBoTM2g8
8ndi3mGU1i6xo2jr6NQE_..}
Source: OpenID Connect & OAuth - Demystifying Cloud Identity - Filip Hanik, Sree Tumidi
OIDC (OpenID Connect)
• Identity layer on top of the OAuth 2.0 flow
• The token issued carries access and profile information
• Use the token information to retrieve resource data accordingly
Source: DOL.WA.gov
T-Mobile API Access Process (TAAP)
• TAAP is based on the OpenID Connect flow
• Introduces PoP (Proof of Possession) for message integrity
• ID Token carries user identity and basic information (JWT)
• AT (Access Token) is based on JWT and supports self-validation
PoP Token (Proof of Possession)
• JWT format
• Claims include:
  • Request payload
  • Header parameters
• Signed by the client's private key
{
"iat": 1xx6yyy776,
"exp": 1aabc435ddee,
"ehts": "authorization; content-type, uri",
"edts": "109e2ee7xxbbvvefe457bbe3c1065e3c510744511cnbvg411e956ea836370d605"
}
TAAP Call Flow
1. Client Registration
2. AuthN & AuthZ
3. Get Token
4. Get Resources
Need for Hybrid Cloud
Use public cloud for high-volume internet traffic
• All API layers deployed to handle burst traffic
Use private / on-premises for sensitive, business-critical operations
• All event traffic handled on-premises, with legacy system integration
• Sensitive data filtering and handling
Ability to scale to the public cloud: you pay for extra computing power only when needed
(Diagram: Public, Private and On-Premise tiers)
Hybrid Cloud with TAAP flow
IDP: Identity Provider, TAAP: T-Mobile API Access Process
(Diagram: Client → API Gateway → µService-A → µService-B; the IDP (OIDC) issues the AT and ID Token; the arrows are labelled "AT, ID Token", "AT1, ID Token" and "AT1, Request")
1. The client application follows the TAAP flow to obtain an Access Token (AT) and an ID Token.
2. The client sends the AT to the API Gateway. The Gateway does a cache lookup for the ID Token.
3. The API Gateway sends the AT and the ID Token as part of the µService request.
4. µService-A may require system-level access to µService-B. In this case, it follows the Client Credentials grant flow to obtain an Access Token (AT1).
5. µService-A sends AT1 and the original ID Token to µService-B.
T-Mobile App: Evolution to TAAP for Secure API Access in Hybrid Cloud
• T-Mobile App overview
• Using opaque tokens and their challenges
• Evolution to TAAP-based tokens and their benefits
T-Mobile App
• Android & iOS
• 75M+ installs
• 4.3 rating
V1: Launched in 2015, opaque-token based
V2: Launched in 2018, TAAP-based tokens
T-Mobile app core functions:
1. Self-serve: retrieve user info
2. Analytics: submit device info
T-Mobile App: Data in Hybrid Cloud
On-Premises:
• Identity provider
• Credentials, Profile, Tokens
Public Cloud:
• AWS
• Device, Plan, Promo etc.
• Data orchestration for UI
Private Cloud:
• PCF
• Customer Account, Bill, Lease etc.
(Diagram: a customer's app talks to 1. the Identity Provider, 2. generic data and orchestration (Device, Plan, Promo etc.) and 3. restricted data (Profile, Bill, Lease etc.))
T-Mobile App (V1): Opaque Token Call-flow
OT: Opaque Token, UI: User Interface
Opaque Token: 02.USR.KtDZXYxzleIDLWjOSvVP
Device identifier: subscriber._0JOBCZpSwWWxyZxXKLCs3t56shu8bdD77_HfB76KUg=
Parties: Identity Provider; Generic data, Orchestration (Device, Plan, Promo etc.); Restricted data (Profile, Bill, Lease etc.)
1. Submit credentials
2. Opaque Token, Device Identifier
3. Request app data (OT)
4. Validate (OT)
5. Valid
6. Request account info (OT)
7. Validate (OT)
8. Valid
9. Account data
10. App data for UI display
T-Mobile App (V1): Opaque Token Challenges
Opaque tokens require validation with a central system, which adds latency to the critical path of the user experience
• 100–200 ms latency, up to 6 requests to the IDP per login session
Tokens, when stolen, can be replayed until they expire
OT: Opaque Token, IDP: Identity Provider
T-Mobile App (V2): TAAP Call-flow
JWK: JSON Web Key, TAAP: T-Mobile API Access Process, POP: Proof of Possession
Parties: Identity Provider; Generic data, Orchestration (Device, Plan, Promo etc.); Restricted data (Profile, Bill, Lease etc.)
1. Submit credentials
2. User ID Token, Device ID Token
3. App data (User ID Token, POP)
4. Account info (User ID Token)
5. Account data
6. App data for UI display
JWK
• JWK: retrieve the Identity Provider public key
• Each domain receiving the ID token self-validates
T-Mobile App (V2): TAAP Tokens
Device ID Token:
{
"iss": "https://xxxxx.t-mobile.com",
"network": {
"id": "35679xxx0011980",
"phone": "425xxxyyy"
},
"device": {
"cnf": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5oaIEnqExSKXK/J7mvgx...........\n-----END PUBLIC KEY-----"
},
"exp": 1aabc435ddee,
"aud": "TMOApp",
"iat": 1xx6yyy776
}
User ID Token:
{
"iat": 1xx6yyy776,
"exp": 1aabc435ddee,
"iss": "https://xxxxx.t-mobile.com",
"aud": "TMOApp",
"auth_time": 1536870785,
"sub": "U-xxxxx-yyyyyy-zzzzzzzz",
"amr": [ "password" ],
"cnf": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5oaIEnqExSKXK/J7mvgx....................\n-----END PUBLIC KEY-----",
"usn": "abcabcabcabcabc",
"ent": {
"acct": [
{
"r": "XX",
"tst": "YY",
"line_count": 5,
"lines": [
{
"phnum": "1234567890",
"r": "Z"
}
]
}
]
}
}
Proof Of Possession (POP):
{
"iat": 1xx6yyy776,
"exp": 1aabc435ddee,
"ehts": "a11ept;x-tmo-device-os;x-txx-yym;x-b3-paxxyyyzznid;x-aao-clixxt-name;x-tmo-model;x-nno-cvcnt-version;x-dat;x-tmo-xnbvce-os-version;authorization;x-tmo-oem-id;x-b3-spanid;x-tmo-post-sequence-number;x-b3-traceid;content-length;content-type",
"edts": "109e2ee7xxbbvvefe457bbe3c1065e3c510744511cnbvg411e956ea836370d605"
}
T-Mobile App (V2): How TAAP is used
POP: Proof of Possession, UIT: User ID Token, DIT: Device ID Token, IDP: Identity Provider; iPub/iPri: IDP public/private key, cPub/cPri: client public/private key
User ID Token: Header; iss: IDP; sub: Identity; key: cPub; Entitlement: …; Signature (iPri)
POP: Header; iss: Client; sub: Identity; Headers: …; Hash: xxxxx; Signature (cPri)
Self-serve: User ID Token + POP
1. Validate the User ID Token signature (JWK, iPub)
2. Retrieve cPub from the User ID Token
3. Validate the POP signature (cPub)
4. Validate the POP hash (message integrity)
5. Use entitlement info (role, lines etc.)
Device ID Token: Header; iss: IDP; sub: Identity; Network: …; key: cPub; Signature (iPri)
POP: Header; iss: Client; sub: Identity; Headers: …; Hash: xxxxx; Signature (cPri)
Analytics: Device ID Token + POP
1. Validate the Device ID Token signature (JWK, iPub)
2. Retrieve cPub from the Device ID Token
3. Validate the POP signature (cPub)
4. Validate the POP hash (message integrity)
5. Use network identifiers (hardware ID, phone number)
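The five-step check above, together with the claim layout of the PoP Token slide, worked through in Go as an added example (not T-Mobile's TAAP or poptoken code): ES256 JWS signing and verification from the standard library, an IdP that binds the client's public key into the ID token's cnf claim, a client that issues a PoP over the request fields named in ehts, and a resource service that runs steps 1 to 5. Assumed here because the slides do not say: P-256/ES256 keys, iPub handed in directly rather than fetched from the JWK endpoint, and edts computed as hex SHA-256 over the ehts field values concatenated in order; issuer, audience and request values are constructed.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"errors"
	"math/big"
	"strings"
	"time"
)
var b64 = base64.RawURLEncoding // JWS uses unpadded base64url
// NewKey makes a P-256 key pair; the IdP key (iPri/iPub) and the client key (cPri/cPub) are both made this way.
func NewKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if the system RNG is broken
	return k
}

// SignJWT builds a compact ES256 JWS (header.payload.signature) over claims.
func SignJWT(claims map[string]any, key *ecdsa.PrivateKey) string {
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString([]byte(`{"typ":"JWT","alg":"ES256"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, key, digest[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256 is raw R||S, not ASN.1
	return input + "." + b64.EncodeToString(sig)
}

// VerifyJWT pins the algorithm, checks the signature against pub and the expiry against now, and returns the claims.
func VerifyJWT(token string, pub *ecdsa.PublicKey, now time.Time) (map[string]any, error) {
	hdrB64, rest, _ := strings.Cut(token, ".") // a token with the wrong number of parts fails the decoding below
	bodyB64, sigB64, _ := strings.Cut(rest, ".")
	rawHdr, e1 := b64.DecodeString(hdrB64)
	rawBody, e2 := b64.DecodeString(bodyB64)
	sig, e3 := b64.DecodeString(sigB64)
	var hdr struct{ Alg string } // encoding/json matches "alg" to Alg case-insensitively
	var claims map[string]any
	if pub == nil || e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 ||
		json.Unmarshal(rawHdr, &hdr) != nil || json.Unmarshal(rawBody, &claims) != nil ||
		hdr.Alg != "ES256" { // never honour alg=none or an algorithm the key was not issued for
		return nil, errors.New("malformed token, missing key or unsupported alg")
	}
	digest := sha256.Sum256([]byte(hdrB64 + "." + bodyB64))
	exp, _ := claims["exp"].(float64) // a missing exp reads as 0 and is rejected as expired
	if r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]); !ecdsa.Verify(pub, digest[:], r, s) || float64(now.Unix()) >= exp {
		return nil, errors.New("bad signature or expired token")
	}
	return claims, nil
}

// PoPDigest hashes the values of the request fields named in ehts (lower-case header names, plus "uri") in ehts order; assumed here, since the slides show only the digest: values concatenated with no separator, SHA-256, hex.
func PoPDigest(ehts string, request map[string]string) string {
	h := sha256.New()
	for _, name := range strings.Split(ehts, ";") {
		h.Write([]byte(request[strings.ToLower(strings.TrimSpace(name))]))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// IssueIDToken is the IdP side: identity claims plus the client's public key in cnf (PEM, as on the slide), signed with iPri.
func IssueIDToken(iPri *ecdsa.PrivateKey, cPub *ecdsa.PublicKey, sub string, now time.Time) string {
	der, _ := x509.MarshalPKIXPublicKey(cPub)
	return SignJWT(map[string]any{"iss": "https://idp.example", "aud": "TMOApp", "sub": sub, "iat": now.Unix(), // constructed values
		"exp": now.Add(time.Hour).Unix(), "cnf": string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))}, iPri)
}

// IssuePoP is the client side: a short-lived token bound to this request's fields, signed with cPri.
func IssuePoP(cPri *ecdsa.PrivateKey, ehts string, request map[string]string, now time.Time) string {
	return SignJWT(map[string]any{"iat": now.Unix(), "exp": now.Add(2 * time.Minute).Unix(),
		"ehts": ehts, "edts": PoPDigest(ehts, request)}, cPri)
}

// ValidateRequest runs the five steps of the "How TAAP is used" slide on the resource side.
func ValidateRequest(idToken, popToken string, iPub *ecdsa.PublicKey, request map[string]string, now time.Time) (map[string]any, error) {
	idClaims, err := VerifyJWT(idToken, iPub, now) // 1. ID token signature with iPub (fetched via JWK in production)
	if err != nil {
		return nil, err
	}
	cnf, _ := idClaims["cnf"].(string) // 2. cPub is taken from the signed ID token, never from the request
	var cPub *ecdsa.PublicKey
	if block, _ := pem.Decode([]byte(cnf)); block != nil {
		parsed, _ := x509.ParsePKIXPublicKey(block.Bytes)
		cPub, _ = parsed.(*ecdsa.PublicKey) // stays nil unless cnf is an EC key; VerifyJWT rejects a nil key
	}
	popClaims, err := VerifyJWT(popToken, cPub, now) // 3. PoP signature with cPub
	if err != nil {
		return nil, err
	}
	ehts, _ := popClaims["ehts"].(string) // 4. PoP hash recomputed over the fields actually received
	if edts, _ := popClaims["edts"].(string); edts != PoPDigest(ehts, request) {
		return nil, errors.New("request does not match the PoP edts hash")
	}
	return idClaims, nil // 5. the caller now uses the ID token's entitlement / network claims
}
```

Create two NewKey() pairs, issue an ID token and a PoP, then call ValidateRequest with the IdP public key and the fields of the received request: a changed signed field, a PoP from any key other than the one in cnf, an expired PoP or an alg=none token is rejected.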
T-Mobile App (V2): TAAP Benefits
TAAP: T-Mobile API Access Process, IDP: Identity Provider
• Improved performance: removes the dependency on a centralized system; the IDP is not in the critical path of the experience
• Reduced load on downstream systems (e.g., no downstream call for unsupported account or plan types)
Sample metrics for T-Mobile app load time:
Opaque Token: ~3.2s; User ID Token: ~2.5s
~20% improvement in app load time
• Flexibility to integrate with different IDPs
• Self-healing: no coordinated key rotations
• Improved security: tokens can't be replayed
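How a receiving domain self-validates against the IdP's JWK endpoint (the JWK note on the V2 call-flow slide) and picks up a rotated key without coordination (the self-healing benefit above), as an added Go example that is not T-Mobile's code: a JWKS parser that only admits on-curve P-256 keys, and a per-domain key cache that refetches once when a token's kid is unknown. The fetch function, the kid values and the seed-derived sample keys are constructed for the example; in production the fetch is an HTTP GET of the IdP's JWK endpoint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"sync"
)

var b64u = base64.RawURLEncoding // JWK coordinates are unpadded base64url

// PointKey derives a deterministic P-256 public key from seed; used only to construct sample key sets.
func PointKey(seed string) *ecdsa.PublicKey {
	x, y := elliptic.P256().ScalarBaseMult([]byte(seed))
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
}

// MarshalJWKS renders keys as the RFC 7517 document an IdP's JWK endpoint would serve.
func MarshalJWKS(keys map[string]*ecdsa.PublicKey) []byte {
	var entries []map[string]string
	for kid, pub := range keys {
		entries = append(entries, map[string]string{"kty": "EC", "crv": "P-256", "kid": kid,
			"x": b64u.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
			"y": b64u.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))})
	}
	doc, _ := json.Marshal(map[string]any{"keys": entries})
	return doc
}

// ParseJWKS turns a JWKS document into a kid -> key map, skipping anything that is not a usable P-256 key.
func ParseJWKS(doc []byte) (map[string]*ecdsa.PublicKey, error) {
	var set struct{ Keys []struct{ Kty, Crv, Kid, X, Y string } } // encoding/json matches field names case-insensitively
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	keys := map[string]*ecdsa.PublicKey{}
	for _, k := range set.Keys {
		x, ex := b64u.DecodeString(k.X)
		y, ey := b64u.DecodeString(k.Y)
		if k.Kty != "EC" || k.Crv != "P-256" || ex != nil || ey != nil {
			continue
		}
		pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		if pub.Curve.IsOnCurve(pub.X, pub.Y) { // an off-curve point must never become a trusted verifier key
			keys[k.Kid] = pub
		}
	}
	return keys, nil
}

// KeyCache is what each receiving domain keeps: a copy of the IdP's key set, refetched once when a token
// carries a kid it has not seen. The IdP can therefore rotate keys without coordinating with every domain first.
type KeyCache struct {
	mu      sync.Mutex
	fetch   func() ([]byte, error) // returns the JWKS document (an HTTP GET of the JWK endpoint in production)
	keys    map[string]*ecdsa.PublicKey
	Fetches int // number of endpoint hits, exposed so the refresh behaviour can be checked
}

func NewKeyCache(fetch func() ([]byte, error)) *KeyCache { return &KeyCache{fetch: fetch} }

func (c *KeyCache) refresh() error {
	c.Fetches++
	doc, err := c.fetch()
	if err != nil {
		return err
	}
	keys, err := ParseJWKS(doc)
	if err == nil {
		c.keys = keys // a bad document leaves the previous keys in place
	}
	return err
}

// Key resolves kid against the cache, refetching once on a miss. Production code should also rate-limit
// these refreshes so that a flood of tokens carrying bogus kids cannot become a flood of JWKS fetches.
func (c *KeyCache) Key(kid string) (*ecdsa.PublicKey, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	if err := c.refresh(); err != nil { // unknown kid: the IdP may have rotated, so look again once
		return nil, err
	}
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	return nil, fmt.Errorf("no key with kid %q after refresh", kid)
}
```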
> Stay Connected.
#springone@s1p
@komethagan, @mvsenthil
 
SpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs PracticeSpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs PracticeVMware Tanzu
 
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsSpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsVMware Tanzu
 

More from VMware Tanzu (20)

What AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About ItWhat AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About It
 
Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023
 
Enhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at ScaleEnhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at Scale
 
Spring Update | July 2023
Spring Update | July 2023Spring Update | July 2023
Spring Update | July 2023
 
Platforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a ProductPlatforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a Product
 
Building Cloud Ready Apps
Building Cloud Ready AppsBuilding Cloud Ready Apps
Building Cloud Ready Apps
 
Spring Boot 3 And Beyond
Spring Boot 3 And BeyondSpring Boot 3 And Beyond
Spring Boot 3 And Beyond
 
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfSpring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
 
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
 
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
 
tanzu_developer_connect.pptx
tanzu_developer_connect.pptxtanzu_developer_connect.pptx
tanzu_developer_connect.pptx
 
Tanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - FrenchTanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - French
 
Tanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - EnglishTanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - English
 
Virtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - EnglishVirtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - English
 
Tanzu Developer Connect - French
Tanzu Developer Connect - FrenchTanzu Developer Connect - French
Tanzu Developer Connect - French
 
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
 
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootSpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
 
SpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerSpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software Engineer
 
SpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs PracticeSpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs Practice
 
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsSpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
 

Recently uploaded

Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 

Recently uploaded (20)

Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 

Securing Microservices in Hybrid Cloud

  • 1. Securing Microservices in Hybrid Cloud. By Komes Subramaniam, Senthil Velusamy, T-Mobile USA
  • 2. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
    About us
    Komes Subramaniam, Sr. Manager, Digital Services Group
      • 18+ years of IT experience
      • Responsible for Digital Transformation Architecture, API Products and Platform Management
      • Member of OSS working group @ T-Mobile
      • Passion for running and biking
    Senthil Velusamy, Sr. Member of Technical Staff, Digital Customer Experience
      • 18+ years of product and technology experience
      • Responsible for strategy, technical and service architecture for Mobile Apps Ecosystem
      • Head of Mobile Center of Excellence, Wi-Fi Alliance board for T-Mobile
      • Passion for running and cooking
  • 3. About T-Mobile US
    America's Un-carrier: Redefining the way consumers and businesses buy wireless through leading product and service innovation.
      • Based in Bellevue, Washington
      • NASDAQ traded public company – TMUS
      • Two flagship brands: T-Mobile and MetroPCS
      • 21 consecutive quarters with more than one million net adds
      • 323 million Americans covered today
      • 18 quarters in a row with the fastest download and upload speeds (Ookla and OpenSignal)
      • #1 U.S. wireless carrier in customer care (J.D. Power)
  • 4. About T-Mobile US (cont.)
    Digital Transformation
      • Monolithic to Microservices
      • DevOps: You Build It, You Own It
      • Telemetry
      • CI/CD/CT
      • Investment in FTEs
    Product & Technology
      • World-class product management organization
      • Empowering teams to build and own customer experience-obsessed products from design through sustainment
    T-Mobile Open Source Projects (https://opensource.t-mobile.com)
      • casquatch: Java abstraction layer for Cassandra databases
      • next-identity: Highly auditable blockchain-based access management solution
      • keybiner: Library for encoding authorized business functions in an ID token
      • t-vault: Simplified secrets management solution
      • jazz: A platform for building serverless applications
  • 5. Traditional API / Service Security
      • Trust based access to all internal APIs / services
      • Traditional authentication method uses a user session id or cookie
      • Stateful: the server keeps track of active authenticated sessions
    Source image: montgomerynews.com
  • 6. Securing Microservices
    Token based Authentication
      • Stateless
      • Scalable
      • Performant
      • Supports modern SPAs (SPA: Single Page Application)
    Source image: depositphotos.com
  • 7. JWT, OIDC
    JWT (JSON Web Token)
      • Optionally validated and/or encrypted container format that is used to securely transfer information between two parties.
    Header:
    { "type": "jwt", "alg": "sha256" }
    Payload and claims:
    { "exp": "xx600", "iat": "1xxx1699266017", "iss": "https://xxx.t-mobile.com", "aud": "TMOApp", "nonce": "NONCE", "auth_time": "1481699265", "AT": "3285.4326xyabbss521112m4", "sub": "U-9645rra1cf7-0xxxf-450c-bdbe-1yyyyy926" }
    Signature:
    { bGmI4ujxjRgc7OKKNATgvXGMADfnFmrwfwxBoTM2g88ndi3mGU1i6xo2jr6NQE_.. }
    Source: OpenID Connect & OAuth - Demystifying Cloud Identity - Filip Hanik, Sree Tumidi
    OIDC (OpenID Connect)
      • Identity layer on top of the OAuth 2.0 flow
      • The token issued has access and profile information
      • Use the token information to retrieve resource data accordingly
    Source: DOL.WA.gov
  • 8. T-Mobile API Access Process (TAAP)
      • TAAP developed based on the OpenID Connect flow
      • Introduced POP (Proof of Possession) for message integrity
      • ID Token carries user identity and basic information (JWT)
      • AT (Access Token) is based on JWT and supports self-validation
    PoP Token (Proof of Possession)
      • JWT format
      • Claims include: request payload, header parameters
      • Signed by the client's private key
    { "iat": 1xx6yyy776, "exp": 1aabc435ddee, "ehts": "authorization; content-type, uri", "edts": "109e2ee7xxbbvvefe457bbe3c1065e3c510744511cnbvg411e956ea836370d605" }
  • 9. TAAP Call flow: Client Registration → AuthN & AuthZ → Get Token → Get Resources
  • 10. Need for Hybrid Cloud
    Use the public cloud for high-volume internet traffic
      • All API layers deployed to handle burst traffic
    Use private / on-premises for sensitive, business-critical operations
      • All events traffic handled on-premises with legacy system integration
      • Sensitive data filtration and handling
    Ability to scale to the public cloud: you pay for extra computing power only when needed
  • 11. Hybrid Cloud with TAAP flow
    IDP: Identity Provider, TAAP: T-Mobile API Access Process
    (Diagram: Client → API Gateway → µService-A → API Gateway → µService-B, with the IDP (OIDC) issuing AT and ID Token; AT, ID Token and AT1 are shown on the arrows.)
      1. Client application follows the TAAP flow for obtaining an Access Token & ID Token
      2. Client sends AT to the API Gateway. The Gateway does a cache lookup for the ID Token
      3. API Gateway sends AT & ID Token as part of the µService request
      4. µService-A may require system-level access to µService-B. In this case, it follows the Client Credentials grant flow to obtain an Access Token (AT1).
      5. µService-A sends AT1 and the original ID Token to µService-B
  • 12. T-Mobile App: Evolution to TAAP for Secure API Access in Hybrid Cloud
      • T-Mobile App overview
      • Using an opaque token and its challenges
      • Evolution to TAAP based tokens and their benefits
  • 13. T-Mobile App
      • Android & iOS
      • 75M+ installs
      • 4.3 rating
    V1 launched in 2015: opaque token based. V2 launched in 2018: TAAP based tokens.
    T-Mobile app core functions:
      1. Self-serve → retrieve user info
      2. Analytics → submit device info
  • 14. T-Mobile App: Data in Hybrid Cloud
    On-Premises:
      • Identity provider
      • Credentials, Profile, Tokens
    Public Cloud:
      • AWS
      • Device, Plan, Promo etc.
      • Data orchestration for UI
    Private Cloud:
      • PCF
      • Customer Account, Bill, Lease etc.
    (Diagram: user Priya with lines (425)-xxx-yyyy and (425)-xyz-yyyy; 1 Identity Provider, 2 Generic data and orchestration (Device, Plan, Promo etc.), 3 Restricted data (Profile, Bill, Lease etc.).)
  • 15. T-Mobile App (V1): Opaque Token Call-flow
    OT: Opaque Token, UI: User Interface
    Opaque Token: 02.USR.KtDZXYxzleIDLWjOSvVP
    Device identifier: subscriber._0JOBCZpSwWWxyZxXKLCs3t56shu8bdD77_HfB76KUg=
    (Diagram participants: app UI, Identity Provider, Generic data / Orchestration (Device, Plan, Promo etc.), Restricted data (Profile, Bill, Lease etc.).)
      1. Submit credentials
      2. Opaque Token, Device Identifier
      3. Request app data (OT)
      4. Validate (OT)
      5. Valid
      6. Request account info (OT)
      7. Validate (OT)
      8. Valid
      9. Account data
      10. App data for UI display
  • 16. T-Mobile App (V1): Opaque Token Challenges
    OT: Opaque Token, IDP: Identity Provider
      • An opaque token requires validation with a central system and adds latency to the critical path of the user experience: 100 – 200 ms latency, up to 6 requests to the IDP per login session
      • A stolen token can be replayed until it expires
  • 17. T-Mobile App (V2): TAAP Call-flow
    JWK: JSON Web Key, TAAP: T-Mobile API Access Process, POP: Proof of Possession
    (Diagram participants: app UI, Identity Provider, Generic data / Orchestration (Device, Plan, Promo etc.), Restricted data (Profile, Bill, Lease etc.).)
      1. Submit credentials
      2. User ID Token, Device ID Token
      3. App data (User ID Token, POP)
      4. Account info (User ID Token)
      5. Account data
      6. App data for UI display
    JWK
      • JWK: retrieve the Identity Provider public key
      • Each domain receiving the ID token self-validates
  • 18. T-Mobile App (V2): TAAP Tokens
    Device ID Token:
    { "iss": "https://xxxxx.t-mobile.com", "network": { "id": "35679xxx0011980", "phone": "425xxxyyy" }, "device": { "cnf": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5oaIEnqExSKXK/J7mvgx...........\n-----END PUBLIC KEY-----" }, "exp": 1aabc435ddee, "aud": "TMOApp", "iat": 1xx6yyy776 }
    User ID Token:
    { "iat": 1xx6yyy776, "exp": 1aabc435ddee, "iss": "https://xxxxx.t-mobile.com", "aud": "TMOApp", "auth_time": 1536870785, "sub": "U-xxxxx-yyyyyy-zzzzzzzz", "amr": [ "password" ], "cnf": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5oaIEnqExSKXK/J7mvgx....................\n-----END PUBLIC KEY-----", "usn": "abcabcabcabcabc", "ent": { "acct": [ { "r": "XX", "tst": "YY", "line_count": 5, "lines": [ { "phnum": "1234567890", "r": "Z" } ] } ] } }
    Proof Of Possession (POP):
    { "iat": 1xx6yyy776, "exp": 1aabc435ddee, "ehts": "a11ept;x-tmo-device-os;x-txx-yym;x-b3-paxxyyyzznid;x-aao-clixxt-name;x-tmo-model;x-nno-cvcnt-version;x-dat;x-tmo-xnbvce-os-version;authorization;x-tmo-oem-id;x-b3-spanid;x-tmo-post-sequence-number;x-b3-traceid;content-length;content-type", "edts": "109e2ee7xxbbvvefe457bbe3c1065e3c510744511cnbvg411e956ea836370d605" }
  • 19. T-Mobile App (V2): How TAAP is used
    POP: Proof of Possession, UIT: User ID Token, DIT: Device ID Token, IDP: Identity Provider
    Self-serve: User ID Token + POP
      User ID Token: Header (), Iss: IDP, Sub: Identity, KEY: cPub, Entitlement: …, Signature (iPri)
      POP: Header (), Iss: Client, Sub: Identity, Headers: …, Hash: xxxxx, Signature (cPri)
      1. Validate User ID Token signature (JWK, iPub)
      2. Retrieve cPub from User ID Token
      3. Validate POP signature (cPub)
      4. Validate POP hash (message integrity)
      5. Use entitlement info (role, lines etc.)
    Analytics: Device ID Token + POP
      Device ID Token: Header (), Iss: IDP, Sub: Identity, Network: …, KEY: cPub, Signature (iPri)
      POP: Header (), Iss: Client, Sub: Identity, Headers: …, Hash: xxxxx, Signature (cPri)
      1. Validate Device ID Token signature (JWK, iPub)
      2. Retrieve cPub from Device ID Token
      3. Validate POP signature (cPub)
      4. Validate POP hash (message integrity)
      5. Use network identifiers (hardware ID, phone number)
  • 20. T-Mobile App (V2): TAAP Benefits
    TAAP: T-Mobile API Access Process, IDP: Identity Provider
      • Improved performance: removes the dependency on a centralized system; the IDP is not in the critical path of the experience
      • Reduced load on downstream systems (e.g., no downstream call for unsupported account or plan types)
      • Flexibility to integrate with different IDPs
      • Self-heal, no coordinated key rotations
      • Improves security: tokens can't be replayed
    Sample metrics for T-Mobile app load time: Opaque Token ~3.2 s, User ID Token ~2.5 s, ~20% improvement in app load time
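Added example, not T-Mobile's code and not the TAAP implementation: the five verification steps of slide 19 written out in Go, with the POP's ehts/edts claims from slides 8 and 18 bound to the request headers, so a resource service can accept or reject a request without calling the IDP. Assumptions made here: tokens are signed with EdDSA (Ed25519) instead of the RSA keys on the slides, so the cnf claim carries the raw base64url public key rather than a PEM block; the IDP public key is passed in directly instead of being fetched through JWK; edts is SHA-256 over the ehts header values joined with ";", a canonicalization chosen for this example, not TAAP's documented one; https://idp.example, U-demo-sub, the entitlement object and the request headers are constructed. The verifier fixes the signature algorithm itself rather than trusting the token header's alg, and a POP replayed with an altered URI fails the digest check, which is the replay resistance that slides 16 and 20 contrast with opaque tokens.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS segments are base64url without padding
// signJWT builds header.payload.signature by hand with EdDSA (RFC 8037); no JOSE library.
func signJWT(claims map[string]any, priv ed25519.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "EdDSA"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// verifyJWT checks the signature with an algorithm the verifier fixes (the header's alg is never trusted, so no alg confusion) and rejects a missing or past exp.
func verifyJWT(token string, pub ed25519.PublicKey, now time.Time) (map[string]any, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	sig, err := b64.DecodeString(p[2])
	if err != nil || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return nil, fmt.Errorf("bad signature")
	}
	body, _ := b64.DecodeString(p[1]) // the signature already covers this segment
	var claims map[string]any
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, fmt.Errorf("expired or no exp")
	}
	return claims, nil
}

// requestDigest computes edts: hex SHA-256 over the values of the headers named in ehts, in that order (joining with ";" is an assumed canonicalization, not TAAP's own).
func requestDigest(ehts string, hdrs map[string]string) string {
	var vals []string
	for _, name := range strings.Split(ehts, ";") {
		vals = append(vals, hdrs[strings.TrimSpace(name)])
	}
	sum := sha256.Sum256([]byte(strings.Join(vals, ";")))
	return hex.EncodeToString(sum[:])
}

// verifyRequest is the resource side of slide 19, steps 1 to 5, with no call to the IDP.
func verifyRequest(idToken, pop string, idpPub ed25519.PublicKey, hdrs map[string]string, now time.Time) (map[string]any, error) {
	id, err := verifyJWT(idToken, idpPub, now) // 1. ID token signature (iPub, normally fetched via JWK)
	if err != nil {
		return nil, fmt.Errorf("id token: %w", err)
	}
	cnf, _ := id["cnf"].(string) // 2. client public key (cPub) bound into the ID token
	clientPub, err := b64.DecodeString(cnf)
	if err != nil || len(clientPub) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("cnf is not an Ed25519 public key")
	}
	popClaims, err := verifyJWT(pop, ed25519.PublicKey(clientPub), now) // 3. POP signature (cPub)
	if err != nil {
		return nil, fmt.Errorf("pop: %w", err)
	}
	ehts, _ := popClaims["ehts"].(string) // 4. POP hash must match the request as received
	if edts, _ := popClaims["edts"].(string); edts != requestDigest(ehts, hdrs) {
		return nil, fmt.Errorf("pop: request digest mismatch (message altered or POP reused)")
	}
	return id, nil // 5. caller applies the entitlement claims (ent)
}

// RunScenario issues a User ID token plus a POP for one request, then checks that the genuine
// request verifies and the same POP replayed against an altered URI does not. All values are constructed.
func RunScenario() (genuineOK, alteredOK bool) {
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader)       // IDP key pair (iPub/iPri)
	clientPub, clientPriv, _ := ed25519.GenerateKey(rand.Reader) // client key pair (cPub/cPri)
	now := time.Now()
	idToken := signJWT(map[string]any{
		"iss": "https://idp.example", "aud": "TMOApp", "sub": "U-demo-sub", "iat": now.Unix(),
		"exp": now.Add(time.Hour).Unix(), "cnf": b64.EncodeToString(clientPub),
		"ent": map[string]any{"acct": []any{map[string]any{"r": "owner", "line_count": 2}}},
	}, idpPriv)
	hdrs := map[string]string{"authorization": "Bearer " + idToken, "content-type": "application/json", "uri": "/account/v1/lines"}
	ehts := "authorization;content-type;uri"
	pop := signJWT(map[string]any{"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(), "ehts": ehts, "edts": requestDigest(ehts, hdrs)}, clientPriv)
	_, errGenuine := verifyRequest(idToken, pop, idpPub, hdrs, now)
	altered := map[string]string{"authorization": hdrs["authorization"], "content-type": hdrs["content-type"], "uri": "/account/v1/lines?all=true"}
	_, errAltered := verifyRequest(idToken, pop, idpPub, altered, now)
	return errGenuine == nil, errAltered == nil
}
func main() {
	g, a := RunScenario()
	fmt.Printf("genuine request accepted: %v, altered request accepted: %v\n", g, a)
}
```

Run it with go run: the genuine request is accepted and the altered one is rejected. The resource service never contacts the IDP, which is the latency point of slide 16; it only needs the IDP public key, and a POP is useless to anyone who holds the ID token but not the client private key.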

Editor's Notes

  1. About us, I m komes.. been with IT for long time in various service sector companies. Thanks for taking time to attend this session. I am Senthil. I head the mCOE at T-Mobile. My responsibility include strategic, technological guidance to mobile apps solution that includes both internal as well partner apps. I support around 20 apps that are in T-Mobile portfolio.
  2. T-Mobile started a wireless revolution, un-carrier movement , understanding customer pain points. Part of some of these uncarrier movements that has redefined wireless. We made moves that were never heard of in our industry to meet customer needs. We got rid of long term contracts, as part of Simple Choice, eliminated roaming charges as part of simple global, introduced unlimited data plans, taxes n fee included as part of T-Mobile One etc. As a result of all the uncarrier moves, we had 100% growth in the company in the last five years. We have added more than 1+ million customers for 21 quarters in a row Growth is a natural evolution for us, because as our network has expanded. In 2012, none of our customers had 4G LTE. Today, we cover 323 million people. T-Mobile delivers an outstanding customer service, and has received the highest score of any company, ever, in the 2018 J.D. Power U.S. Wireless Customer Care study.
  3. In order to adapt to this evolution, T-Mobile started a digital transformation in our Technology organization to make things faster, better and cheaper . The mission is to increase velocity, quality and throughput while reducing risk and eliminating pain points for both our customers and ourselves. One key thing to callout is our investment on FTEs to ensure the inherent knowledge and IPs stay within the team to continue our journey. Another critical change to help drive our success, has been merging product and technology teams to empower teams to build and own end-end from design to operations. As we embark the journey to be a world-class technology leader, we started to share our best practices and learnings through open source projects. We have several project that are open sourced and these projects used across different countries in the world. The topic that we discuss today was also part of the digital transformation and sharing of our learnings. I will have Komes takes us through next few slides to set on the foundation for the topic.
  4. Traditional service/API security is trust based. Just like once you have got a ticket at a movie complex, you are good to go to any movie you want. Most places don't have a check at the movie gate or any checking of seat placement. We follow a similar approach in the traditional security model, where the web application server takes care of incoming request session validation. If it's good, the web server is allowed to make requests to the back-end services. Pretty much it can make a call to any server. Drawback: servers need to validate with the web application service about session validity and state. In modern SPAs, it's not a scalable solution. A centralized system for session management is another alternative.
  5. Microservices architecture became popular because of Netflix's and Amazon's success. Microservices promote independent development and deployment. Scalability and reusability are key benefits. Having centralized session management would add more complexity in the microservices world, and we want to make sure every cross-domain communication has authN and authZ validation. For instance, for air travel, after booking your ticket, you get a boarding pass, check in, go through the TSA check and wait for boarding time. Sometimes, if you are lucky, you get selected randomly.
  6. JWT is used to securely transfer information between two parties. Optionally, validation can be included to make sure of the legitimacy of the content. A driving license is an example. OAuth 2: user authorization delegation protocol.
  7. Thanks, Komes. Komes has set the foundation for TAAP. In the next few slides, I will walk us through the journey of the T-Mobile app from opaque tokens to TAAP. I will be covering an overview of the T-Mobile app, the challenges of using opaque tokens and the benefits of transitioning to TAAP.
  8. How many of you have worked on mobile apps? The T-Mobile app is a mobile application that is available on both Android and iOS. It's preloaded on all Android devices that T-Mobile sells, and there are more than 75M downloads of the app. The T-Mobile app is key to the self-service channel and it serves as the first touchpoint to T-Mobile for our customers. Our customers can message, shop, pay bills and call us from the app. The app also collects analytics data that is used to improve the app experience. The key takeaway for the slide is that there are 2 core functions: self-serve and analytics collection. I will be referring to these 2 functions throughout the slides and mapping them to 2 versions of the application. V1, launched in 2015, uses opaque tokens, and V2, launched in 2018, is based on TAAP.
  9. Komes discussed how hybrid cloud is used in the enterprise. Here is an example of how it's used by the T-Mobile app. T-Mobile app data is stored across different infrastructure, from on-prem to cloud. All login and credential related information is stored on-prem. Data that can be used across customers is stored in the public cloud, e.g., device info, device images, plan information, etc. Restricted data like customer bills, usage and account info is all stored in the private cloud on PCF. The experience services specific to the app, which orchestrate data from different sources, are also in the AWS cloud. So to recap: a mobile app that has self-serve and analytics, two versions of the app, and 3 different infrastructures.
  10. V1 of the T-Mobile app was based on opaque tokens to get self-serve data, and device identifiers were used to submit analytics data. The user submits the credentials and, once successfully validated, the response includes an opaque token and a device identifier. These are short strings of hexadecimal characters that mean nothing to the receiving application. It needs to send the opaque token back to the IDP to check its validity. If it's valid, then it continues with the application business logic to retrieve data. When it requires data from a different cloud or on-prem, it passes the opaque token in the request. The receiving app does the same to validate the token with the IDP. If you recall, Komes mentioned earlier that traditional API security is based on session IDs, and opaque tokens are based on session IDs, valid for a duration.
  11. There are 2 key challenges with opaque tokens. The receiving application is always dependent on a centralized system, in this case the IDP, to complete its operation. There are multiple calls for a given session across different domains, and this impacts the user experience. The second challenge is that when opaque tokens are valid they are blindly trusted. When OTs are stolen they can be used for replay until the end of their validity, to access any APIs that just depend on OT validation.
  12. The V2 of the T-Mobile app, launched early this year, used TAAP. The user submits the credentials and, once successfully validated, the response includes a user ID token and a device ID token. These are JWTs that carry the identity of the user and the device in the respective tokens. When requests are made to get app data, the user ID token and POP are included for message integrity. The UID is validated by the microservice itself and there is no dependency on the IDP. The applications that want to validate ID tokens fetch the IDP public key using JWK. When it requires data from a different cloud or on-prem, it passes the UIT in the request and the receiving app follows the same process to self-validate.
  13. There are 3 tokens used in V2 of the app, derived based on the TAAP flow. Device ID token: includes the identity of the device, like hardware ID and phone number. When diagnostic information is to be submitted, the Device ID token is used. User ID token: generated based on successful authentication of the credentials, and it includes basic profile information. This information can be used at the microservice to determine subsequent calls. POP: the POP token is used along with ID tokens for message integrity.
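The self-validation flow from slides 12 and 13, as an added example that is not T-Mobile's TAAP code: a stand-in IDP mints an ES256 user ID token and publishes its public key as a JWK, and a microservice verifies the token locally from that cached JWK with no call back to the IDP, which is exactly the round trip the opaque-token design could not avoid. The JWK layout, the claim names and the `exp` check are assumptions; the POP token is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// JWK is the public key document the (hypothetical) IDP publishes; each microservice fetches and caches it.
type JWK struct{ Kty, Crv, X, Y string }

func fixed32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }
func toInt(s string) *big.Int   { b, _ := b64.DecodeString(s); return new(big.Int).SetBytes(b) }

// PublishJWK (IDP side) exports the P-256 public key in JWK form.
func PublishJWK(pub *ecdsa.PublicKey) JWK {
	return JWK{"EC", "P-256", b64.EncodeToString(fixed32(pub.X)), b64.EncodeToString(fixed32(pub.Y))}
}

// IssueIDToken (IDP side) mints an ES256 compact JWT carrying the user ID claims (assumed claim names).
func IssueIDToken(priv *ecdsa.PrivateKey, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil { return "", err }
	return input + "." + b64.EncodeToString(append(fixed32(r), fixed32(s)...)), nil
}

// ValidateIDToken (microservice side) verifies the token against the cached JWK: no IDP round trip.
// now is a Unix timestamp supplied by the caller; exp is enforced so a stolen token has a bounded life.
func ValidateIDToken(token string, key JWK, now int64) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	var hdr struct{ Alg string }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("missing or unsupported alg") // pin the algorithm; never accept "none" or HS*
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { return nil, errors.New("bad signature encoding") }
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: toInt(key.X), Y: toInt(key.Y)}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // signature covers header and payload as sent
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	var claims map[string]interface{}
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	if exp, ok := claims["exp"].(float64); !ok || now >= int64(exp) { return nil, errors.New("token expired or missing exp") }
	return claims, nil
}
```

Only the signature check and the claims are local; a service in a different cloud or on-prem needs nothing more than the same cached JWK to repeat the check.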