Ignasi Barrera

Patents

• US-11811771-B2 - NGAC Graph Evaluations (2023-11-07)

  Zack Daniel Butcher, San Francisco, CA (US); Ignacio Barrera Caparros, Barcelona (ES); Joshua Douglas Roberts, Ashburn, VA (US) This patent defines a technique to bind authenticated principals to a set of policy classes in a way that allows evaluating all the policy classes in a single access decision. This technique establishes a set of patterns that allow safely scaling the number of bindings and policy classes without compromising existing configurations.

• US-20220156393-A1 - Repeatable NGAC Policy Class Structure (2022-05-19, Provisional)

  Zack Daniel Butcher, San Francisco, CA (US); Ignacio Barrera Caparros, Barcelona (ES); Joshua Douglas Roberts, Ashburn, VA (US) This patent defines a Policy Class structure that can be used to implement NGAC Policy Classes at scale. Introducing new policy classes in a running NGAC system is challenging, as it is very easy to break access to objects that had existing access control policies and start participating in the new Policy Classes. This Policy Class structure can be used to safely introduce new Policy Classes and gradually migrate and add existing objects to them.

Talks

• The Role of NGAC and Service Mesh for Enterprise-wide Authorization

  Zero Trust and High Assurance for Cloud Native Applications, NIST 2023 [video] [demo] [slides] In this session at the 4th Annual Multi-Cloud Conference conference held at NIST co-presented with Zack Butcher, we introduced the role of Next Generation Access Control (NGAC) and Service mesh for enterprise-wide Authorization. We explained the fundamentals of NGAC and the main advantages it brings over traditional authorization systems like RBAC or ABAC, and did a practical demo showing how Policy as Code can be implemented for enterprise-wide authorization at scale.

• Service Mesh as the Security Kernel for Zero Trust Platforms

  Zero Trust Architecture and DevSecOps for Cloud-Native Applications, NIST 2022 [video] [code] In this talk given at the Zero Trust Architecture and DevSecOps for Cloud-Native Applications conference held at NIST, I am demonstrating how a Service Mesh can be used as a Security Kernel to implement Zero Trust platforms. We will see how we can leverage distributed enforcement points to apply policy on the user identity, how to enforce runtime identity as well, and how application targetted policies can be created to quickly mitigate vulnerabilities like the Log4Shell one.
  The demo also shows the development of custom WASM-based policies that can leverage the entire feature set of the programming language of choice to build rich access policies that can be enforced by the mesh.

• Access Control for Microservices

  Istio Weekly live stream, 2021 [video] [slides] In this episode of the Istio Weekly live stream I present what is Next Generation Access Control (NGAC) and why it is a revolutionary technology that is a perfect fit as an access control framework for micro-services. I explore the different components that build the NGAC architecture, deep dive into its decision making process, and discuss how a Service Mesh can help leverage access control at scale.

• Identity Provisioning in a Service Mesh

  DevSecOps and Zero Trust Architecture (ZTA) for Multi-Cloud Environments, NIST 2021 [video] [slides] In this talk given at the DevSecOps and Zero Trust Architecture (ZTA) for Multi-Cloud Environments conference held at NIST, I am showing how the process of provisioning runtime identities to the workloads of a Service Mesh works. The demo covers in detail how the istio proxy works internally and how it uses the Envoy SDS API to continuously provision certificates to the workloads to be used in mTLS connections.

• Protecting your data with a Service Mesh

  Identity Management & Access Control in Multi-cloud, NIST 2020 [video] [slides] In this talk given at the Identity Management & Access Control in Multi-cloud conference held at NIST, I am showing a demo on how a Service Mesh and NGAC can be used to provide fine-grained access control for data. The demo showcases common use cases such as GDPR compliance and self-revoking and time-bounded access permissions.

• Service Mesh and the future of networking

  Software Crafters Barcelona, 2019 [video] [slides] In the world of microservices, we have seen this new technology, the Service Mesh emerge and grow very fast. Projects like Istio, Linkerd or Consul have become very popular and people are starting to adopt them and figuring out the new possibilities these projects bring. But beyond the individual features each of those projects provide, in this talk, we will present the core concepts of a Service Mesh, the novel things this technology brings, and the use cases it is meant to solve.
  We will explore how Service Meshes will push networking to the next level, opening the door to a whole new set of possibilities especially designed for this new era of multi-cloud and hybrid architectures, and giving us a mental model with which to explore and evaluate after the talk.

• Next Generation Access Control for the Multi-Cloud World

  Service Mesh Day San Francisco, 2019 [video] [slides] NGAC is a fundamental reworking of traditional access control into a form suited to the needs of the modern, distributed, interconnected enterprise. NGAC is based on a flexible infrastructure that can provide access control services for a number of different types of resources, accessed by a number of different types of applications and users.
  In this joint talk with David Ferraiolo from NIST we introduced NGAC and did a live demo showing how it can be applied to augment traditional RBAC with high level concepts xsuch as time and location in an efficient and scalable way.

• Do you need a service mesh?

  CodeMotion Madrid, 2018 (Spanish) [video] [slides] In this talk I explored what a service mesh is and what they can do for your microservice web backends. Are the claims of observability, resiliency, and WAF features real? Are they useful during development, production, or both? Using pictures and demos, we’ll find out! This session also briefly covered how a service mesh works, giving us a mental model with which to explore and evaluate after the talk.

• Standalone Neutron: How we integrated it with Abiquo

  OpenStack BCN 7th birthday meetup, 2017 [slides] This is a talk I gave at the OpenStack BCN 7th birthday meetup.
  In it I explain how we integrated a standalone Neutron with Abiquo to implement an SDN solution without a full OpenStack deployment.

• Rule the cloud with Apache jclouds

  ApacheCon North America, 2016 [slides] Apache jclouds is an open source multi-cloud toolkit for the Java platform that gives you the freedom to create applications that are portable across clouds while giving you full control to use cloud-specific features.
  In this talk I explored the core concepts around jclouds and did a demo showing how the same code can be used to manage your infrastructure in different cloud providers.

Podcasts

• The New Stack - How ‘Secure’ Your Cloud Native Can Be

  KubeCon + CloudNativeCon NA, 2018 On this livestream from KubeCon + CloudNativeCon NA with Liz Rice and Sarah Allen, we’re discussing the growing security focus at CNCF. In particular, how the CNCF approached security in the past, and how is it continuing to focus on it in the future. [audio] [video]

• Compilando Podcast - Fundación Apache con Ignasi Barrera y el cumpleaños de TUX

  21st Tux anniversary, 2017 (Spanish) On this edition of Compilando Podcast I am introducing the Apache Software Foundation and the main principles behind the Apache Way, the framework used in the Foundation to create sustainable open source projects. [audio]

Publications

• CIDEX: Intercambio distribuido de alertas para la gestión de ataques coordinados In Actas de la IX Reunión Española de Criptología y Seguridad de la Información. Joaquín García-Alfaro, Ignasi Barrera