This deck explores modern distributed systems, authorization, authentication, identity management, and rate limiting.

1. Security in the Context of
Distributed Computing

2. Who am I?
Solutions Architect
For DeARX
Based in our Cape Town office
Christhonie Geldenhuys

3. Topics
A practical view based on our experience with distributed computing
► A look at modern distributed systems
► Authentication
► Creating a seamless experience
► Leveraging Social login
► Additional factors
► Identity Management
► A single view
► Personal data and consent
► Authorisation
► Rate limiting or throttling

5. An evolution in component size
Source: Tiempo Development

6. And an evolution in location

7. Monolithic to Microservices
Source: Tiempo Development

8. So how does this impact security?

9. Key considerations remain the same
► Who is accessing
the system?
Authentication
► What can they do?
Authorization
► When/how often
can they do it?
Throttling

10. Authentication

11. Traditional monolithic authentication
Typical application level
implementation of role base
access control

12. Traditional approach cause duplication
Legacy User DB
Active Directory
App 1
App 2
We still see many examples of this!

13. Traditional approach cause duplication
Active Directory
Application 1
Application 2
This is much better.

14. Authentication as a service
Use a “Trusted 3rd
party”
Back-end servers

15. Central authentication mechanism
Provide a single mechanism
for identity management
and authentication.
Integrate applications with
the Identity server.

16. Benefits of this approach
► A single mechanism for authentication
► Common and shared across all application
► User information in one place
► Easy to maintain
► Can leverage proven security standards
Using an Identity Server provides;
► Central login mechanism
► Customised registration flow
► Customised approval flows
► Advanced authentication techniques

17. Single Sign-On
Single Sign-On application have the following characteristics;
► Static, well known URL – i.e. http://logon.acme.com
► Authentication session is maintained at this URL;
► Using cookies to identify the session
► Redirect mechanisms are used to redirect to and from this app
Benefits
► This enables the authentication session to span multiple application.
► Login once for a range of applications.

18. Implementation considerations
► Users and Groups now become a
central responsibility
► Roles remain an application
concern
► Share information via API or
claims.
How do we separate the various identity objects?

19. Social Login – Use cases
► End-users – Removes the risk to create yet another account
► Occasional or temporary workers – i.e. contractors, not requiring the benefits
corporate-wide access control groups / roles

20. Identity information and POPI

21. What is POPI
► Protection of Personal Information Act will regulate the Processing of
Personal Information.
► Personal Information broadly means any information relating to an
identifiable, living natural person or juristic person (companies, CC’s etc.)
and includes, but is not limited to:
► contact details: email, telephone, address etc.
► demographic information: age, gender, race, birth date, ethnicity etc.
► history: employment, financial, educational, criminal, medical history
► biometric information: blood type etc.
► opinions of and about the person
► private correspondence etc.
► Processing means broadly anything that can be done with the Personal
Information, including collection, usage, storage, dissemination, etc.

22. Personal information as a service
What if…
► We can access personal data from a central source
► Information is stored once.
► Easy to add, change or remove in one place.
► Central access control
► Provide a customer self-help portal to view or change data.
► Get user content to determine who can use it.

23. Personal information capture
► Initial user / customer information is
captured as part of the registration
process.
► Additional user information can also be
stored here over time.

24. Personal information distribution
Obtaining the user consent is one
of the fundamental requirements
of personal information
regulation.
WSO2 Identity Server facilitates
this through its Consent
Management features.

25. Support in WSO2 Identity Server
Consent Management
► Provides self-help profile creation, user provisioning to other systems, sharing
of user attributes through SSO, and identity federation are fully based on user
consent
► Users can review, modify, and revoke previously given consent via the
self-care user portal or RESTful Consent API
► Consent API can also be used to integrate WSO2 IS consent management
capabilities with existing applications
► WSO2 IS can be used to manage consent of any 3rd party application via the
RESTful Consent API

26. User account management by WSO2 IS

27. Authorization

28. OAuth to the rescue
WSO2 Identity Server includes
support for the popular OAuth
standards.

29. API Manager as a first line of defence
API Manager help offloads checking tokens at the point of ingress.

30. Who is this? – Access tokens
When using Access Tokens…
We might want to check who is using this token;
► For display of user name perhaps
► For additional authorization decisions
► Per operation, per business record, etc.

31. Access token lookup
► Use API to validate/lookup
token claims.
► Cache token for the validity
period.
► Store principle and claims as
part of cache.
Token validation
lookup

32. Who is this? - JWT

33. Access Token or JWT?
Access Token
Benefits
► Small, simple
► Ideal for smaller number of
sessions and “chatty” interfaces.
Drawbacks
► Require lookup
► Mitigated through caching
JWT
Benefits
► Self contained, stateless
► Verification can be self contained,
or via lookup (remember to cache)
Drawbacks
► Large (sometimes larger than
payload). Not ideal for;
► “Chatty” APIs
► Expensive networks, i.e. Mobile,
Satellite, IoT

34. Trust your services
It is vital to verify the communication path and authenticity of your identity /
authentication infrastructure.
Identity your infrastructure;
► Use HTTPS!
► Check the certificates!
Consider using certificate chains:

35. Which OAuth flow / grant type?
https://auth0.com/docs/api-auth/which-oauth-flow-to-use
Use the online decision tree to determine which OAuth flow
is best for your application;

36. Rate limiting

37. Rate limiting – Why and how
► Limit access to APIs using the
various rate limiting filters.
► Absolute limits or support for burst
traffic.
► API manager continuously monitors
the traffic and limits.
► API suspension is implemented
when limits are reached.
► Rather stop them at the gate than
try to deal with load while under
load.
► Suspension returns pre-defined
error codes (customisable)
► API auto resume after predefined
period(s).

38. WSO2 Throttling Policies

39. Summary
► Authentication as a service
► A seamless experience for the user,
across multiple applications
► Identity as a service
► User/customer information in one
place.
► Controlled access to that
information.
► Authorization
► A mechanism to provide access to
resources.
► Rate limiting
► To protect our systems from
over-use and abuse.