Application Security. Demo of open source project using *FREE* developer accounts with 3 cloud native services.
Recording here: https://www.youtube.com/watch?v=Sc2uoNjcrqU
Referenced notes at https://bit.ly/edge9
2. BACKBLAZE TECH DAY ‘23
Dora Militaru
Developer Relations Engineer
Fastly
Greg Hamer
Principal Developer Evangelist
Backblaze
Trust in Every Byte
Securing Edge Workflows with Fastly Compute
3. Agenda
● Backblaze + Fastly Together
● OAuth/OIDC Overview
● Introduction to the Sample Application
● Demonstration
○ End User Experience
○ Application Logic (Fastly Compute)
● Questions & Answers
4.
● Backblaze B2 is world class cloud storage
● Fastly is a world class edge cloud platform
● Backblaze and Fastly have been partners since 2020
● Free Egress! No cost for moving data between Backblaze B2 and Fastly
● Backblaze B2 storage costs 1/5th of other world class cloud storage vendors
5.
● Data security is imperative, as is enabling access to the data
● Customers come to Backblaze B2 for durability and reliable access
● Backblaze B2 supports:
○ Public buckets
○ Private buckets
● Public buckets are excellent for data that allows anonymous access
● Private buckets require systems for authentication and authorization in order for contents to be accessed
6. Central Challenge: Serving data out of a private bucket
7. Central Challenge: Serving data out of a private bucket
Solution: Federated login
8. Application Overview
● Cloud native
○ Backblaze B2
○ Fastly
○ Okta
● Source code on Github including detailed README.md
● Application is deliberately small, but the same pattern scales to any number of users, groups and documents
○ 2 users
○ 2 groups
○ 2 secure documents
○ 1 key pair for bucket access
● Serverless Fastly Compute
● UI via a simple JavaScript single-page application (SPA)
9. Resources
Documentation + Source Code
● Reference Architecture
● Use Cases
● Proof of Concept Application
10. Resources
Fastly.com
● Reference Architecture
○ Article: Simplifying authentication with OAuth at the edge
https://www.fastly.com/blog/simplifying-authentication-with-oauth-at-the-edge
● Use Cases
○ Article: Building on top of OAuth at the edge
https://www.fastly.com/blog/building-on-top-of-oauth-at-the-edge
■ Paywalls and other advanced authorization decisions
■ Granular access control for static content
■ Upgrading access with incremental authorization
■ Blocking abusive users
11. Resources
Shared Link
● bit.ly/edge9
Demo URL
● https://b2-rbac.edgecompute.app/
Github.com - Proof of Concept Application
● Project: Role-Based Access Control at the Edge
https://github.com/backblaze-b2-samples/fastly-compute-rust-rbac
12. Fastly Network Map (2023 September)
277 Tbps global edge capacity (as of 06/30/2023)
13. Fastly Compute
● Performant: 100x faster startup times and high vCPU code execution
● Scalable: runs globally at all Fastly POPs
● Secure: full isolation for each request
● Fast execution close to end users
● Instant global deployment
14. Fastly’s Edge Cloud Platform
Benefits of Compute running on Fastly:
● Faster request-response performance
● Caching
● DDoS and WAF
● Realtime observability, metrics and monitoring
● Logging
15. Access Security
#1 most critical API security risk in 2023: Broken Object Level Authorization
#2: Broken Authentication
Source: OWASP Top 10 API Security Risks – 2023 – https://owasp.org/API-Security/editions/2023/en/0x11-t10/
16. Access Security and Fastly Compute
For best performance and manageability, this access security architecture:
● Provides authorization close to the end-user (fast and distributed)
● Is isolated from the rest of the system (autonomous)
● Is implemented and maintained by security professionals (secure)
● Is easy to integrate with existing and future applications
18. Roles in OAuth
(RFC 6749 defines four roles: resource owner, client, authorization server and resource server.)
Source: OAuth: When Things Go Wrong by Aaron Parecki, Okta Inc., Senior Security Architect
19. Demo from End User Perspective
Demo Url: https://devweek2023-demo.edgecompute.app/
(Diagram: User, Application on Fastly Compute, Identity Provider (IdP), private Origin)
20. Proxy Access via Fastly - Physical View
Our code is deployed to every Fastly POP. Fastly routes requests to the closest POP to the user.
(Diagram: Identity Provider, Backblaze B2)
22. Use Case in Demonstration
● Role-Based Access Control to resources in Backblaze B2
● authN - Authentication
○ Login via Okta as IdP using OpenID Connect
● authZ - Authorization
○ Implemented in Fastly Compute (serverless edge)
○ Rules:
■ Allow read access to files in the “root” of the B2 bucket to any authenticated user (through group Everyone)
■ Allow additional read access to files in B2 bucket “subdirectories” based on group membership, where the group name matches a subdirectory’s name
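The two authorization rules above, written out as an added example in Rust (the language of the linked proof-of-concept repository). This is not code from that repository, from Fastly or from Backblaze; it is a standalone function that could be unit-tested outside Fastly Compute and is also the kind of per-object check the OWASP BOLA entry on slide 15 is about. It assumes several things the slides do not state: the caller's groups were taken from an ID token whose signature, `iss`, `aud` and `exp` were already verified during the OIDC login; "Everyone" is the implicit group of every authenticated user; the first path segment of the object key names the subdirectory; and group and subdirectory names must match exactly (case-sensitive). The names `Principal`, `Decision`, `authorize` and the sample users are all made up for the example.

```rust
// Added example, not code from the fastly-compute-rust-rbac project: the two
// authorization rules from the slide as a pure, testable function.
// Assumptions not stated on the page: `groups` came from an ID token whose
// signature, iss, aud and exp were already verified; "Everyone" is the implicit
// group of every authenticated user; the first path segment names the
// subdirectory; group and subdirectory names match exactly (case-sensitive).

/// Result of an authorization check. Deny carries a reason for the log tail.
#[derive(Debug, Clone, PartialEq)]
pub enum Decision {
    Allow,
    Deny(&'static str),
}

/// An authenticated caller as seen after OIDC login (hypothetical type).
#[derive(Debug, Clone)]
pub struct Principal {
    pub subject: String,
    pub groups: Vec<String>,
}

/// Group that stands in for "any authenticated user".
const EVERYONE: &str = "Everyone";

/// Split a request path into object-key segments. Returns None for anything
/// that is not a plain file key: empty key, trailing slash ("directory"),
/// empty segments ("//"), "." or ".." (traversal attempts). Callers deny on None.
fn key_segments(path: &str) -> Option<Vec<&str>> {
    let key = path.strip_prefix('/').unwrap_or(path);
    if key.is_empty() || key.ends_with('/') {
        return None;
    }
    let segs: Vec<&str> = key.split('/').collect();
    if segs.iter().any(|s| s.is_empty() || *s == "." || *s == "..") {
        return None;
    }
    Some(segs)
}

/// Rule 1: a root-level file requires only group Everyone (any authenticated user).
/// Rule 2: a file under `<subdir>/...` requires membership in the group named `<subdir>`.
pub fn authorize(principal: Option<&Principal>, path: &str) -> Decision {
    // Default deny: anonymous callers never reach the private bucket.
    let p = match principal {
        Some(p) => p,
        None => return Decision::Deny("not authenticated"),
    };
    let segs = match key_segments(path) {
        Some(s) => s,
        None => return Decision::Deny("malformed object path"),
    };
    let required = if segs.len() == 1 { EVERYONE } else { segs[0] };
    // Every authenticated user is treated as a member of Everyone even if the
    // IdP did not include that group in the token.
    let member = required == EVERYONE || p.groups.iter().any(|g| g == required);
    if member {
        Decision::Allow
    } else {
        Decision::Deny("caller is not in the group named by the subdirectory")
    }
}

fn main() {
    // Constructed sample users mirroring the demo's "2 users, 2 groups".
    let alice = Principal { subject: "alice".to_string(), groups: vec!["Everyone".to_string(), "finance".to_string()] };
    let bob = Principal { subject: "bob".to_string(), groups: vec!["Everyone".to_string(), "engineering".to_string()] };
    let requests: [(&str, Option<&Principal>, &str); 5] = [
        ("anonymous", None, "/welcome.txt"),
        ("alice", Some(&alice), "/welcome.txt"),
        ("alice", Some(&alice), "/finance/q3-report.pdf"),
        ("bob", Some(&bob), "/finance/q3-report.pdf"),
        ("bob", Some(&bob), "/engineering/../finance/q3-report.pdf"),
    ];
    for (who, principal, path) in requests.iter() {
        println!("{:>9} GET {:<42} -> {:?}", who, path, authorize(*principal, path));
    }
}
```

Two caveats a practitioner would add around this function in the edge handler: run it before any request is made to B2, so a denied caller never causes the bucket key to be used on their behalf, and restrict the method to GET or HEAD, since the rules on the slide grant read access only.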
23. Sample App Demo
● User experience view
○ In web browser
○ Console open for developer view of cookies
● Fastly CLI
○ Console open for developer view of log-tail including:
■ stdout and stderr output
■ Near real-time
25. Resources (same links as slide 11)