US-11811771-B2 - NGAC Graph Evaluations (2023-11-07)
Zack Daniel Butcher, San Francisco, CA (US); Ignacio Barrera Caparros, Barcelona (ES); Joshua Douglas Roberts, Ashburn, VA (US)
This patent defines a technique to bind authenticated principals to a set of policy classes in a way that allows all the policy classes to be evaluated in a single access decision. This technique establishes a set of patterns that allow the number of bindings and policy classes to be scaled safely without compromising existing configurations.
US-20220156393-A1 - Repeatable NGAC Policy Class Structure (2022-05-19, Provisional)
Zack Daniel Butcher, San Francisco, CA (US); Ignacio Barrera Caparros, Barcelona (ES); Joshua Douglas Roberts, Ashburn, VA (US)
This patent defines a Policy Class structure that can be used to implement NGAC Policy Classes at scale. Introducing new policy classes in a running NGAC system is challenging, as it is very easy to break access to objects that already had access control policies once they start participating in the new Policy Classes. This Policy Class structure can be used to safely introduce new Policy Classes and gradually migrate and add existing objects to them.
The Role of NGAC and Service Mesh for Enterprise-wide Authorization
Zero Trust and High Assurance for Cloud Native Applications, NIST 2023 [video] [demo] [slides]
In this session at the 4th Annual Multi-Cloud Conference held at NIST, co-presented with Zack Butcher, we introduced the role of Next Generation Access Control (NGAC) and Service Mesh for enterprise-wide authorization. We explained the fundamentals of NGAC and the main advantages it brings over traditional authorization systems like RBAC or ABAC, and gave a practical demo showing how Policy as Code can be implemented for enterprise-wide authorization at scale.
Service Mesh as the Security Kernel for Zero Trust Platforms
Zero Trust Architecture and DevSecOps for Cloud-Native Applications, NIST 2022 [video] [code]
In this talk given at the Zero Trust Architecture and DevSecOps for Cloud-Native Applications conference held at NIST, I demonstrate how a Service Mesh can be used as a Security Kernel to implement Zero Trust platforms. We will see how we can leverage distributed enforcement points to apply policy on the user identity, how to enforce runtime identity as well, and how application-targeted policies can be created to quickly mitigate vulnerabilities like the
Access Control for Microservices
Istio Weekly live stream, 2021 [video] [slides]
In this episode of the Istio Weekly live stream I present what Next Generation Access Control (NGAC) is and why it is a revolutionary technology that is a perfect fit as an access control framework for microservices. I explore the different components that make up the NGAC architecture, take a deep dive into its decision-making process, and discuss how a Service Mesh can help leverage access control at scale.
Identity Provisioning in a Service Mesh
DevSecOps and Zero Trust Architecture (ZTA) for Multi-Cloud Environments, NIST 2021 [video] [slides]
In this talk given at the DevSecOps and Zero Trust Architecture (ZTA) for Multi-Cloud Environments conference held at NIST, I show how the process of provisioning runtime identities to the workloads of a Service Mesh works. The demo covers in detail how the Istio proxy works internally and how it uses the Envoy SDS API to continuously provision certificates to the workloads, to be used in mTLS connections.
Protecting your data with a Service Mesh
Identity Management & Access Control in Multi-cloud, NIST 2020 [video] [slides]
In this talk given at the Identity Management & Access Control in Multi-cloud conference held at NIST, I show a demo of how a Service Mesh and NGAC can be used to provide fine-grained access control for data. The demo showcases common use cases such as GDPR compliance and self-revoking and time-bounded access permissions.
Service Mesh and the future of networking
Software Crafters Barcelona, 2019 [video] [slides]
In the world of microservices, we have seen a new technology, the Service Mesh, emerge and grow very fast. Projects like Istio, Linkerd or Consul have become very popular, and people are starting to adopt them and figure out the new possibilities these projects bring. But beyond the individual features each of those projects provides, in this talk we present the core concepts of a Service Mesh, the novel things this technology brings, and the use cases it is meant to solve.
Next Generation Access Control for the Multi-Cloud World
Service Mesh Day San Francisco, 2019 [video] [slides]
NGAC is a fundamental reworking of traditional access control into a form suited to the needs of the modern, distributed, interconnected enterprise. NGAC is based on a flexible infrastructure that can provide access control services for a number of different types of resources, accessed by a number of different types of applications and users.
Do you need a service mesh?
CodeMotion Madrid, 2018 (Spanish) [video] [slides]
In this talk I explored what a service mesh is and what it can do for your microservice web backends. Are the claims of observability, resiliency, and WAF features real? Are they useful during development, production, or both? Using pictures and demos, we’ll find out! This session also briefly covered how a service mesh works, giving us a mental model with which to explore and evaluate after the talk.
Standalone Neutron: How we integrated it with Abiquo
OpenStack BCN 7th birthday meetup, 2017 [slides]
This is a talk I gave at the OpenStack BCN 7th birthday meetup.
Rule the cloud with Apache jclouds
ApacheCon North America, 2016 [slides]
Apache jclouds is an open source multi-cloud toolkit for the Java platform that gives you the freedom to create applications that are portable across clouds while giving you full control to use cloud-specific features.
The New Stack - How ‘Secure’ Your Cloud Native Can Be
KubeCon + CloudNativeCon NA, 2018 [audio] [video]
On this livestream from KubeCon + CloudNativeCon NA with Liz Rice and Sarah Allen, we discuss the growing security focus at CNCF: in particular, how the CNCF approached security in the past, and how it is continuing to focus on it in the future.
Compilando Podcast - Fundación Apache con Ignasi Barrera y el cumpleaños de TUX
21st Tux anniversary, 2017 (Spanish) [audio]
In this edition of Compilando Podcast I introduce the Apache Software Foundation and the main principles behind the Apache Way, the framework used in the Foundation to create sustainable open source projects.