Event Recording

Credentialing-enabled Zero Trust Architecture for API Endpoint-Security

Name: Credentialing-enabled Zero Trust Architecture for API Endpoint-Security
Uploaded: 2023-05-11T12:00:00+02:00
Duration: 18 min 28 s

Posted on May 11, 2023

Traditional network security focuses on perimeter defenses, but many organisations, systems and processes no longer have a clearly defined network perimeter.

To protect a modern digital enterprise, companies need a comprehensive strategy for securely accessing their IT resources (e.g. applications, physical access control systems, portals, data resources, and devices) wherever they are located.

APIs in supply chains and cyber-physical systems (CPS) are proliferating exponentially across the technology landscape, creating a huge attack surface that security teams struggle to understand and defend.

Zero Trust Architecture (ZTA) refers to security concepts and threat models that no longer assume that actors, systems or services operating within the security perimeter are automatically trusted, but instead must verify everything and everyone who attempts to connect via an API to their systems resources before granting access.

Hence, ZTA is an important design philosophy to establish security mechanisms at the API layer of each individual IT resource for increasing API Endpoint Security in both, corporate infrastructures and open systems. Identity and authorization credentials as well as policies are a key enabler of securing the API endpoints.

These different ZTA approaches include:

1) ZTA Using Enhanced Identity Governance,
2) ZTA Using Micro-Segmentation, and
3) ZTA Using Network Infrastructure and Software Defined Perimeters.

Our presentation will demonstrate how Trust Frameworks and Identity Governance (1) are the foundational layer for a credentialing infrastructure. With this layer in place credentials can be used enable SW-defined perimeters (3).

We will provide in-depth insides how ecosystems solutions such as the Open Credentialing Initiative and Gaia-X are applying design patters using decentralized identity and verifiable credentials for (3).

Show description

Speakers

Advisor
Logalty Prueba por Interposicion SL

Dr. Ignacio Alamillo-Domingo

Ignacio is a Doctor in Law (UMU), with a PhD thesis related to the eIDAS Regulation, and holds a Degree in Law (UNED), a Diploma of Advanced Studies (UAB) and a Master in introduction to administrative law research (UAB). He is a Certified Data Protection Solutions Engineer, CDPSE, a...

View profile

Data Space Architect
In Transition

Matthias Buchhorn-Roth

I am an accomplished data ecosystem expert, specializing in the development of sovereign data collaboration solutions across various industries. As an active member of the Eclipse DataSpace Components (EDC) Community, International DataSpace Association (IDSA), and Gaia-X, I am dedicated to...

View profile

Co-founder and CEO
Spherity

Dr. Carsten Stöcker

Dr. Carsten Stöcker is co-founder and CEO of Spherity. Spherity is building decentralized digital identity management solutions to power the fourth industrial revolution. Carsten Stöcker is a physicist by training with a Ph.D. from the University of Aachen . He serves...

View profile

Show Transcript

Excellent, thank you. So my name is Kaka. I'm from Severity and at Severity. So we are a market leader in applying decentralized identity for compliance use cases and for cybersecurity use cases. So in simple terms, we work with identity trust chains for provenance and authorization chains in regulated industries. And with me is and Matthias and yeah, short introduction from your side.
Well, in fact I did not present myself in the previous explanation. So I am a lawyer, very particular lawyer with a PhD on the EIF as one. But I've been 25 years working on identity and true services standardization. I'm in fact founding member of at CT C E S I. The last four years I've been working for Epsy and promoting a standardization activities in ISO and ISO TC 3 0 7 and TC 2 24 and other places.
Excellent. Matthias,
I come from a totally different angle. I'm an engineer and data space architect as well. Cloud solution architect implemented these zero trust approaches in in different clouds in AWS and and Microsoft Azure. So I also give this perspective
Super. And what do we do? First we do a framing. What does zero trust mean for us? For us three, after we have done the framing, we look a little bit in zero trust architecture in inter-organization, cross organization use cases, the challenges are, and then we do a deep dive in attributes based access, control and trust trends and trust domain, how credentials and identity can enable the abac and what, what kind of other tools such as reasoning we need maybe materials you give kind of a framing. So what does zero trust mean for us? Short framing, Matthias,
This is as you can see, a holistic approach. And as you can see here, we have six different areas we are focusing. That's identity as cast mentioned already. That's endpoints. And as you can know today, you bring your own device. So that means there's also corporate personal endpoints on, on your device. You need to protect both. You have to protect your data, you need to classify your data, you to, you have to know what you have and you label that you need to encrypt that you have applications and here we ha you have adaptive access for your software as a service applications, but also on-premise applications. And then you have a wide range of infrastructure as a service here you need runtime control. And here that comes in place, this role-based access control and we discussed this earlier, we have some struggle with this role based access control and you mentioned the next big thing is attribute based access control.
Excellent, thank you. And we, we have heard a lot of presentations today in terms of applying zero trust architecture within an organization and what the challenges are. And now if we think beyond even the original white paper from nist, they're talking about one organization and micro segmentation and identity governance and one organization. But the two challenges in today, today's world. So when we have dynamically defined value chains, cyber physical systems where everyone interacts with everyone else is really go beyond the enterprise cost organization cost, government cost entity. So natural what, what are the challenges from your perspective moving zero trust beyond the organizational boundaries? Well
In fact, this is something I was referring to before in my presentation. So when I look at this kind of diagram and I fe I think in a real use case for instance, I, I can see much in a hospital, my hospital for instance, right in in Spain that needs to give access to a German doctor to my medical records because I have have, I'm injured here and need to be to re to receive healthcare. When I look at this, I, I see that it won't work. And mainly the major issue is because the, the German hospital will or German doctor will need to be authenticated into my hospital back in Catalonia. And then to design, they will need to set up a trust agreement. They will need to federate their identity systems because otherwise the German doctor won't have access. So when we look at digital trust architectures, we don't look only effectively to internal organizations but to the fact that we will need to engage in relationships with people that we don't know beforehand. Therefore we need new trust approaches to be able to perform policy calculations automatically and make informed decisions. In this sense we have a challenge which is that we cannot anymore rely on organizational air back. We need to move into cross organizational aback.
Yeah, that's good insight. So big change moving beyond from airbag to ABAG cross organization and Matthias, you have done as an engineer and architect a lot of work in terms of Gaia and data spaces. So can you give us some examples about what role plays the ABAG and credentials and decent identity in your data space works that you're doing at the moment?
Data spaces for example are like in the automotive business, Katina Xs, they're handling more identities, non-human identities. But we also have different data spaces like education, health, we have human identities, so we need consent management in that we need strong authentication but for both identity types, you know,
And yeah, this is the examples I have. Yeah. Excellent. And Nacho, you mentioned you have the abec and the trust train and the root of trust and the, how does this all fit together and what do you think are the emerging next steps to bring the technologies together in a legal fulfilling legal requirements to deploy systems to production?
Well again, this is a difficult question but, but maybe we, we can share some insights in fact again from the, the point of view of truss tanko. So at the end of the day, if you are responsible, let's take the example of the, of the health data space that has primary purpose information and secondary use purpose information regarding sharing data, blah, blah blah. So if I am the, the, the responsible for giving access in here, whether and and I need to be give access to people I don't have any relationship with with before people, I don't know somehow it is a kind of bring your or identity approach. It means that I need to rely on that. But the problem is how I do rely on someone if I don't have any previous trust relationship established. This is when d EI does to, in my opinion comes.
So if the medical doctor has a identity wallet with identity attributes which are asserted in this case, it is a human identity. This human identity is bound to a device to achieve high-level assurance and it follows a vocabulary using for instance an ontology which is agreed upon at the European level, then I will be able to onboard automatically this person even if I don't have any, any previous record of that person and give access. In this sense, the most important thing is how can we rely on the authenticity of the information? How do we know that this German doctor is effectively a doctor? And this is where this approach works. My, the credential of the medical doctor had will have been issued by an authority, which I can't rely upon because there is a governance framework at the European level and this credential has been issued to a particular wallet which provides an A level of assurance. The next thing we need to think about then is how we get these attributes and how do we compute to make decisions on these attributes. Therefore we need, as I explained before, specific types of stanko and some a bit of little recognition and then we can promote new kinds of policies.
Excellent. I think you're talking about abic credentials and making decisions. I think it's also important and not much explore in zero trust architecture ecosystem. The newspaper, the original newspaper, they're talking about trust algorithms and you get information from different trust domains and maybe different AB credentials. And if you get the information neighbor credential is not like binary, it's a hundred percent faults or two, there's always probability combined to it. And that's what the trust algorithms take into consideration to make an informed decision about the threshold, a threshold security, do the authorization credentials, do they fulfill a certain threshold? If yes, I proceed. If not, I don't proceed. And I think the idea that data comes with trust and the data kind of related to risk scoring and I need to apply trust algorithm, that's pretty much underexplored yet. But what you are saying natural combining abec credentials, verifiable credentials with trust algorithms, this might be solution for the future. Maybe Matthias some, some of your thoughts. In addition,
Yesterday I had also a session about adaptive protection in data spaces and we struggling to get these policies from the customers because we have to start with something. So we have ODL policies and we asked the customers, Hey, how you want to protect your data with which policies? I said, I don't know because this is like a journey for all of us and if you share information with suppliers and customers, you have also a, a bigger attack vector. So everyone is scared about it. So what we need to establish is this kind of evolutionary process and feedback loop. And as you can see this feedback loop goes, we feed the policy optimization with all these six different areas, identity endpoint, network data, apps, infrastructure, learn from that, optimize our policies. But that's the attacks are very fast. So no human can act so fast. So in this case we need threat protection and with this threat protection they have machine learning behind, they make the risk risk assessment and goes back to the zero trust policy. So
Ken's machine do risk assessment based on ABK credentials. What are your thoughts?
It's, it's very early I would say to do that we wish
If, if I may I want to add something about abac ABAC policy evaluation. Of course all policy languages are typically based on rules. So rules is are are something that we can work with to define what should be the outcome of, of a decision partner with rules. And this happens both with APAC and with apac is that the logic you need to define this language rule is limited. So there is a point where you cannot make a real good decision because you get inconsistencies and you get limitations. In this sense, I truly believe that artificial intelligence has a role to play in here learning what happens, reinforcing, and then making decisions not based on formal logic but but make but on the statistics. So in this sense I think it is a promising technology to compliment this reasoning based in a, but the true point is that when you are going to give access, it is you the verifier who are going to request to the other party which attributes shall be presented. So once you have the attributes and the attributes are wealthy and you have checked that they have a security assurance level and you have your trics, then it is not that important whether the decision is made by a human or by a rules-based system or by an artificial intelligence. So the thing is that the, we should move quickly from Arabic and high rigid identities into the attribute world, otherwise we won't be receiving the information we need. And this should information should be trustworthy.
And if I understood you correctly. Now another main difference, we have our algorithms and feed them with abic information and now abec information are coming as a verifiable credentials. So we can really kind of put a level of assurance to individual data and that's probably the first time, yeah, that we have abec and we get abic information with level of assurance and this already kind of articles articulates risk. Yeah, trustworthiness of the data feed us in the algorithm. And probably the next step before we close, I would like, because you mentioned trust anchors, I would like to provide an example. Yeah, trust anchors very abstract. Yeah. So I like the example that also Matthias mentioned in terms of enterprise identity. And I as an enterprise can have different, can get different credentials, authorization credentials from different testaments. One can be might issue a legal entity, identify credential to me then have two identifies in resource seven 70,000 1 27 1 credential to me. And then I have maybe GS one and glyph and industry associations. I have a lot of different credentials from different trust domains. And as a closing remark, Naro and Matthias, what do you think in terms of working with different trust domains in the ABIC context and yeah, putting this in terms of verifiable credentials and connecting
From my side verifi credit, remember that VERIFI credentials are specific general purpose containers for trustworthy data. So it it, the fifth first thing we need to do is to be able to use common shared vocabularies for attributes and of course define what are the vocabulary for defining trustworthiness of these, of these attributes. In fact, the previous discussion was about identity proofing. So we have identity assurance levels, blah, blah blah. So the second thing is of course we need to be able to have a governance framework for this. Probably IDAs two will be one of the most important models in the world. And third, we need to be able to ask someone in our supply chain and this is the supply chain of data, of data to be liable to respond whether they have made a mistake. So if you put all of this in a true metrics, then it is relatively easy to go work. We cannot go today with federated identity. This is in my opinion the promise of this model applied to K rationale identity management.
Excellent. I like tougher of verifiable supply chain of data. So a lot of provenance history of data lifecycle data comes with his own, his history story. That's very good. Mathias. Very short closing your mark from your side.
Hmm, good question. So we need a strong authentication. We need multifactor authentication and we need to get rid of the flat networks, corporate flat networks. We communicate over the internet. This is I think the principle in zero trust. And we cannot trust even the trust anchors. We cannot trust because if the trust anchor is compromised, everything is down. So we need more than one trust anchor. So if one trust anchor is down and compromise, we can trust another trust anchor. And this is the idea of decentralization. So
With ZT trust is not going away, it's just somewhere else. Trust put somewhere else. It is the trust domain, the trust anchor technology. I think that's, that's a key takeaway. Yeah, thank you Matthias Natural. And we might have questions from the audience.
Yeah, we do have one question. How do you address zero trust and principle propagation in arrest based ipi chain from front end to backend layers or across the organization? It's quite complex and and technical.
That's complex. Do you want or should I do otherwise? From my perspective? Yeah. So if I have the credentials and have multiple APIs front and back end in terms of different organizational entities, I need a piece of software that's able to verify different abec credentials from different trust domains sitting next to the api. Yeah. Because if I centralize then the software, then I still don't have zero trust architectures pretty much centralized. So a lot of this logic verifying credentials, the supply chain of data up to a trust anchor. I think this needs to be sit next to the api. That's would be my my takeaway.
We once send as architect, software architect, we see a movement from from from infrastructure to managed identities in the cloud to protect the apps, the data. So you have like a placeholder identity for each database. For each application and it's micro segmentation of the network. So every application live in a small network segmentation. So the blast radios, you have to keep as minimum as possible. And if you do that with this micro segmentation, you ha don't have such a big impact after attack. Yeah.
Great. Well thank you. Thanks Carsten, Ignacio and Matthias, it was a great panel today.
Thank you. Thank you.

Playlist

European Identity and Cloud Conference 2023

Event Recording

What’s Next In Enterprise Authorization

May 11, 2023

As organizations undergo digital transformation to zero-trust architectures, identity-driven security becomes a critical aspect. Beyond new authentication technologies, organizations must have strong authorization controls. Today, if and when an identity is compromised, the attacker can make lateral movements with very few restrictions and access a wide range of critical systems and information. Much of this over-permissive environment can be attributed to manual permissions management processes that are hard to maintain over time. Role-based Access Control (RBAC) and Attribute-based Access Control (ABAC), which underlie these manual processes, provide a good baseline for access security. However, their complexity grows over time and the management overhead they place oftentimes subvert the very goals of security and compliance they are deployed for. Just-In-Time Access Management (JITAM) represents a new robust and secure authorization strategy that can reduce the need for periodic access certifications and manual role administration, while providing auditability. Learn how the authorization space is rapidly changing from RBAC and ABAC to JITAM, and how it could benefit your organization.

Watch

Event Recording

Real-time Fraud Detection - Challenges and Solutions

May 12, 2023

Fraud can be considerably reduced via speed, scalability, and stability. Investigating fraudulent activities, using fraud detection machine learning is crucial where decisions need to be made in microseconds, not seconds or even milliseconds. This becomes more challenging when things get demanding and scaling real-time fraud detection becomes a bottleneck. The talk will address these issues and provide solutions using the Hazelcast Open Source platform.

Watch

Event Recording

The Art of Privilege Escalation - How Hackers Become Admins

May 11, 2023

Privilege escalation is also one of the most common techniques attackers use to discover and exfiltrate sensitive valuable data. From a hacker’s perspective, privilege escalation is the art of increasing privileges from the initial access, which is typically that of a standard user or application account, all the way up to administrator, root, or even full system access. With NT AuthoritySystem access or on Linux the root account, attackers have full access to one system. With Domain Administrator access, they own the entire network.

• Top Methods of Privilege Escalation on Windows and Linux
• Common Tools used to identify Privilege Escalation
• And more...

Watch

Event Recording

Zero Trust Applied for Access Management - How to Control and Monitor the User Access

May 12, 2023

UX with Security in Corporate and Customer Access but including a huge monitoring approach to have the effect of Zero Trust for the users. I will Mix CIAM, Access Management, IAG and UEBA

Watch

Event Recording

Leveraging Decentralized Identity Approaches in the Enterprise

May 11, 2023

In this session, Martin Kuppinger, Principal Analyst at KuppingerCole Analysts look at the potential of utilizing DID approaches within the enterprise. This session will look at the business benefits, the steps involved, important considerations, challenges, pitfalls, and recommendations for implementing decentralized identity. Martin will explain the potential and look at how this will impact existing technologies such as IGA, PAM, and Access Management, and how this relates to other trends such as WfA, BYOD, Policy-based Access, and more. He also will outline where interoperability and standards must further evolve to enable organizations in re-inventing their IAM, without ripping everything apart. He will discuss the steps involved, important considerations, challenges, pitfalls, and recommendations for implementing decentralized identity in the enterprise.

Watch

Event Recording

Fraud Reduction Intelligence Platforms (FRIPs): Critical Capabilities & Market Overview

May 11, 2023

Fraud is a major cost to businesses worldwide. Cybersecurity Ventures estimates that cybercrime costs will reach $10.5 trillion by 2025. Banking, finance, payment services, and retail are some of the most frequent objectives of fraudsters, as expected. However, insurance, gaming, telecommunications, health care, cryptocurrency exchanges, government assistance agencies, travel and hospitality, and real estate are increasingly targeted as cybercriminals have realized that most online services trade in monetary equivalents. In this session we will look at critical capabilities for FRIPs and provide an overview on the solution market.

Watch

Event Recording

Why the Cyber Security Managed Service Market Needs a Twist?

May 10, 2023

The Cyber Security Market has developed quite significantly within the last decade. The scarcity of expertise in the market, the increased number of attacks, the lack of leverage of product implementation ROI are a number of topics we will shortly address in this session. Why it is going to be key that companies should consider an outcome-based managed services going forward.

Watch

Event Recording

Moving on from legacy MFA: Phishing-resistant MFA as a prerequisite for Passwordless

May 10, 2023

As long as passwords exist, enterprises are vulnerable to account takeover attacks –yet organizations looking to eliminate passwords may not know where to begin their passwordless journey. While passwordless authentication methods—especially those based on FIDO2—are widely available, they are not yet universally supported nor adopted. This lack of a universal approach can cause confusion and complacency—or both. Attend this session to learn why (and how) organizations should move away from passwords and legacy MFA to advance to and adopt a secure passwordless strategy centered on phishing-resistant MFA in 2023

Watch

Event Recording

Trust No One, Always Verify

May 11, 2023

Cybercriminals no longer “hack” in – they simply log in. Once inside, they hunt for privileged accounts. A vast majority of breaches today are due to the abuse of stolen privileged accounts. Privileged accounts are very powerful but at times, anonymous and shared. Learn how to take control of Privileged Access to ensure that your most valuable asset - your data - is protected.

Watch

Event Recording

Preparations for Smoother PAM Flight

May 11, 2023

The short abstract of this topic would be "How we can make a proper business case and ROI(Return on Investment) for PAM". Below are some of the preparations we need for a smoother PAM flight:

Business Use Case
Technical Use Case draft and definition
Vendor selection & Role of research organisations like KuppingerCole
POC
ROI for management and their approval
Vision, Mission & Use case selection and prioritizations

Watch

Event Recording

A Sovereign Cloud for the German Government

May 11, 2023

You will learn about the Sovereign Cloud for the German Government, this solution is based on Azure and operated by Delos Cloud Gmbh

Watch

Event Recording

Graph-Based Access Control: What, Why and How ?

May 11, 2023

“Graph-Based Access Control'' (GBAC) is a generic term that refers to the use of graphs and networked data to solve Identity and Access Control problems. You may have seen this before through the disguise of acronyms such as ReBAC (relationship-based), KBAC (knowledge-based), PBAC (policy-based), NGAC (Next-Generation), FGA (fine-grained), and even some implementations of ABAC (attribute-based). All of these terms refer to techniques that use graphs to enforce access-control for any level of coarseness.

In this session you will learn why all the latest Dynamic Authorization offerings on the market use GBAC in a way or another, and how you can successfully adopt the technique yourself. Graphs are becoming ubiquitous - one can just look at the rise of the GraphQL API model to witness their popularity first-hand. Through concrete, real-life examples we will showcase the use of graphs to solve common access problems using the same modern and future-proof techniques that you see in the current authorization market.

As a result, storing all identity data in graphs truly unlocks its full potential. Graphs are data-science and analytics enablers, and have the potential to transform the IAM practice from a cost centre to a true revenue generator. We’ll explore how this can happen for you too…

Watch

Ask an Analyst

Credentialing-enabled Zero Trust Architecture for API Endpoint-Security