Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Proposal] Identity and Access Management Whitepaper #1332

Open
4 of 20 tasks
y-tabata opened this issue Jul 26, 2024 · 21 comments
Open
4 of 20 tasks

[Proposal] Identity and Access Management Whitepaper #1332

y-tabata opened this issue Jul 26, 2024 · 21 comments
Assignees
Labels
project work of the group

Comments

@y-tabata
Copy link
Contributor

y-tabata commented Jul 26, 2024

Description:
Authentication and authorization are the most important security considerations in the cloud-native ecosystem, as evidenced by their high ranking in the OWASP Top 10 and OWASP Top 10 API Security Risks.
On the other hand, authentication and authorization frameworks have a wide range of related specifications, including OAuth and OpenID Connect, and it can be difficult for implementers to implement the frameworks, so it would be beneficial to publish best practices for identity and access management.
Fortunately, Keycloak, a powerful IAM OSS, has joined the CNCF ecosystem as a CNCF incubating project, so it may be time to consider what IAM should be like in the cloud-native world.

Impact:
As seen in the high rankings in the OWASP Top 10 and OWASP Top 10 API Security Risks, security risks related to authentication and authorization remain of great concern to customers. Once IAM best practices are published, they can mitigate these concerns and realize a more secure cloud-native ecosystem.

Scope:
not yet determined.
Authentication and authorization are broad terms, and some of them are related to other areas like zero trust currently the WP being promoted, so it is very important to decide what the scope should be.

Intent to lead:

  • I volunteer to be a project lead on this proposal if the community is
    interested in pursing this work.
    This statement of intent does not preclude
    others from co-leading or becoming lead in my stead.

Proposal to Project:

  • Added to the planned meeting template for mm dd
  • Raised in a Security TAG meeting to determine interest - mm dd
  • Collaborators comment on issue for determine interest and nominate project
    lead
  • Scope determined via meeting mm dd and/or shared document add link
    with call for participation in #tag-security slack channel thread add link
    and mailing list email add link
  • Scope presented to Security TAG leadership and Sponsor is assigned

TO DO

  • Security TAG Leadership Representative: @eddie-knight
  • Project leader(s): @y-tabata
  • Issue is assigned to project leaders and Security TAG Leadership
    Representative
  • Share this whitepaper collaboration opportunity at each of the TAG community meetings
  • Project Members:
  • Fill in addition TODO items here so the project team and community can
    see progress!
  • Scope
  • Deliverable(s)
  • Project Schedule
  • Slack Channel (as needed)
  • Meeting Time & Day:
  • Meeting Notes (link)
  • Meeting Details (zoom or hangouts link)
  • Retrospective
@y-tabata y-tabata added proposal common precursor to project, for discussion & scoping triage-required Requires triage labels Jul 26, 2024
@nynymike
Copy link

This would be a great service to the community if you took it on.

One thought though... as great as KeyCloak is, I don't think any such white paper should be proscriptive about specific solutions when it comes to authn / authz standards.

On the authn topic, there are many great open source IDPs--Janssen Project, Ory, Shibboleth just to name a few. Some of these solutions are tailored for specific use cases, for example, Janssen Project for enterprise, or Shibboleth for universities. Also let's not forget that Dex at the CNCF is an "OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors". Ultimately, we want to recommend an IDP that supports open standards like OAuth, OpenID and FIDO.

There are also a number of Authz solutions domains should consider--AWS Cedar, OPA, OpenFGA just to name a few that are popular in the cloud native space.

@y-tabata
Copy link
Contributor Author

@nynymike
Thank you for your comment.
I don't intend to recommend a single solution such as Keycloak, and I hope to have the following discussion as you mentioned in your comment.

Ultimately, we want to recommend an IDP that supports open standards like OAuth, OpenID and FIDO.

@eddie-knight
Copy link
Collaborator

@y-tabata I have tentatively marked you as the Project Lead and myself as the supporting STAG Representative. Our next step will be to gather interest from the community to support in the research and writing processes.

After sufficient interest has been garnered, I will help kick things off by creating the project schedule, slack channel, TAG calendar meeting entry, and a shared drive location for the group to begin collaborating.

For anyone else who is interested, please comment here with a note regarding how you would like to contribute to this Whitepaper effort!

@tnorimat
Copy link

I would like to participate the activity as a member.

@wadahiro
Copy link

wadahiro commented Sep 2, 2024

Hi, I'm interested in contributing to this whitepaper project.

@daian183
Copy link

daian183 commented Sep 2, 2024

Hello I am interested in participating the activity as a member.

@Satarupa22-SD
Copy link

Satarupa22-SD commented Sep 2, 2024

Hi, I am interested in contributing to this whitepaper. I wish to contribute towards the research paper writing.

@patatoid
Copy link

patatoid commented Sep 3, 2024

For me, it would be great to get in. Hoping we will find out some practices that help integrators to find their way through the hill of specs.

@y-tabata
Copy link
Contributor Author

y-tabata commented Sep 3, 2024

@tnorimat @wadahiro @daian183 @Satarupa22-SD @patatoid
Thank you all!
I want to decide the meeting time & day.
Your time zones are JST & IST & CEST, right?
So how about JST (17:00-18:00), IST (13:30-14:30), and CEST (10:00-11:00) on Tuesday?
Please comment if you have any inconvenience or give this a thumbs up if you like.
I will set up a meeting to start as early as next Tuesday.

@dadrus
Copy link

dadrus commented Sep 3, 2024

I’d like to contribute as well. My time zone is CEST. Unfortunately, I have a full-day workshop scheduled next week from Tuesday to Thursday. Would it be possible to record the session for those who are unable to attend?

@y-tabata
Copy link
Contributor Author

y-tabata commented Sep 3, 2024

@dadrus
Yes, I plan to provide recordings and meeting notes.

@entlein
Copy link

entlein commented Sep 3, 2024

I m interested in contributing especially wrt to federated-identity setups (like pod-identity etc)

@y-tabata
Copy link
Contributor Author

y-tabata commented Sep 5, 2024

@eddie-knight
Could you set up an LFX recurring meeting for this?

JST (17:00-18:00), IST (13:30-14:30), and CEST (10:00-11:00) on Tuesday

@Satarupa22-SD
Copy link

@y-tabata is there a meeting today? I haven't received the meeting link yet. Could you please add me mail. Thanks!

@y-tabata
Copy link
Contributor Author

@Satarupa22-SD Unfortunately, we haven't yet created an LFX recurring meeting for this, so it will start next week at the earliest.

@eddie-knight
Copy link
Collaborator

Sorry that I missed the ping on this! I've just submitted the request for an LFX meeting.

@eddie-knight
Copy link
Collaborator

Zoom meeting has been created and added to all of the calendars we are part of.

https://zoom-lfx.platform.linuxfoundation.org/meeting/93249891248?password=dc1fd69a-eb31-4d67-81de-0103910ca062

The last thing we'll need to do is update the repo with information about this project.

@y-tabata
Copy link
Contributor Author

In the first meeting today, determine the scope according to the Process for Creating Papers.
https://github.com/cncf/tag-security/blob/main/community/publications/paper-process.md#audience-goals-and-refining-scope

@y-tabata
Copy link
Contributor Author

@tnorimat @wadahiro @daian183 @Satarupa22-SD @patatoid @dadrus @entlein
The meeting is started from today.

@y-tabata
Copy link
Contributor Author

y-tabata commented Oct 1, 2024

Currently, we moved to phase 2, "Tasking Assignment".
https://github.com/cncf/tag-security/blob/main/community/publications/paper-process.md

@y-tabata
Copy link
Contributor Author

y-tabata commented Oct 8, 2024

@daian183 @dadrus @entlein
If you are still interested in contributing to this white paper, I will add you to the IAM WP Slack channel, so please DM me on the CNCF Slack channel.

@mnm678 mnm678 added project work of the group and removed proposal common precursor to project, for discussion & scoping triage-required Requires triage labels Nov 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
project work of the group
Projects
None yet
Development

No branches or pull requests