cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://tag-security.cncf.io

[Proposal] Identity and Access Management Whitepaper #1332

Open y-tabata opened 1 month ago

y-tabata commented 1 month ago

Description: Authentication and authorization are the most important security considerations in the cloud-native ecosystem, as evidenced by their high ranking in the OWASP Top 10 and OWASP Top 10 API Security Risks. On the other hand, authentication and authorization frameworks have a wide range of related specifications, including OAuth and OpenID Connect, and it can be difficult for implementers to implement the frameworks, so it would be beneficial to publish best practices for identity and access management. Fortunately, Keycloak, a powerful IAM OSS, has joined the CNCF ecosystem as a CNCF incubating project, so it may be time to consider what IAM should be like in the cloud-native world.

Impact: As seen in the high rankings in the OWASP Top 10 and OWASP Top 10 API Security Risks, security risks related to authentication and authorization remain of great concern to customers. Once IAM best practices are published, they can mitigate these concerns and realize a more secure cloud-native ecosystem.

Scope: not yet determined. Authentication and authorization are broad terms, and some of them are related to other areas, like zero trust, for which a whitepaper is currently being promoted, so it is very important to decide what the scope should be.

Intent to lead:

Proposal to Project:

TO DO
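Added example (not part of the original issue, nor code from Keycloak or any other project named in it): the checks an OpenID Connect relying party must perform on an ID token before trusting a login, which is one of the places where the issue description says implementers get lost in the OAuth/OIDC specifications. The block signs with HS256 and a constructed client secret so that it runs offline on the standard library alone; a real provider signs ID tokens with an asymmetric key published at its JWKS endpoint, and the issuer URL, client_id and secret below are hypothetical values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical relying-party registration values (constructed for this example).
EXPECTED_ISSUER = "https://issuer.example"
CLIENT_ID = "example-client"
CLIENT_SECRET = b"constructed-client-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, alg: str = "HS256", key: bytes = CLIENT_SECRET) -> str:
    """Mint a compact JWS as test input. Constructed helper; a real IdP mints tokens server-side."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    if alg == "none":  # unsigned token, to show that the validator rejects it
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now: Optional[int] = None,
                      key: bytes = CLIENT_SECRET) -> dict:
    """Apply the ID token validation rules of OIDC Core 1.0 section 3.1.3.7.

    Raises ValueError on the first failed check and returns the claims otherwise.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm to what the client registered; never let the token's header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in aud_list:
        raise ValueError("aud does not contain client_id")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences require azp == client_id")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:
        raise ValueError("iat in the future")
    # The nonce binds the token to the session that started the login (replay protection).
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Run the validator over one good token and several constructed bad ones."""
    good = {"iss": EXPECTED_ISSUER, "sub": "user-123", "aud": CLIENT_ID,
            "exp": now + 300, "iat": now, "nonce": "n-0123"}
    results = {"valid": validate_id_token(make_id_token(good), "n-0123", now)["sub"]}
    cases = [
        ("alg_none", make_id_token(good, alg="none"), "n-0123"),
        ("wrong_aud", make_id_token({**good, "aud": "other-client"}), "n-0123"),
        ("expired", make_id_token({**good, "exp": now - 1}), "n-0123"),
        ("replayed_nonce", make_id_token(good), "n-9999"),
        ("wrong_key", make_id_token(good, key=b"attacker-key"), "n-0123"),
    ]
    for name, tok, nonce in cases:
        try:
            validate_id_token(tok, nonce, now)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of checks matters: the signature is verified before any claim is read, and the algorithm is fixed by the client rather than taken from the token header, which is what defeats the classic `alg: none` and key-confusion attacks on JWT consumers.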

nynymike commented 1 month ago

This would be a great service to the community if you took it on.

One thought though... as great as Keycloak is, I don't think any such white paper should be prescriptive about specific solutions when it comes to authn / authz standards.

On the authn topic, there are many great open source IDPs--Janssen Project, Ory, Shibboleth just to name a few. Some of these solutions are tailored for specific use cases, for example, Janssen Project for enterprise, or Shibboleth for universities. Also let's not forget that Dex at the CNCF is an "OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors". Ultimately, we want to recommend an IDP that supports open standards like OAuth, OpenID and FIDO.

There are also a number of Authz solutions domains should consider--AWS Cedar, OPA, OpenFGA just to name a few that are popular in the cloud native space.

y-tabata commented 1 month ago

@nynymike Thank you for your comment. I don't intend to recommend a single solution such as Keycloak, and I hope to have the following discussion as you mentioned in your comment.

Ultimately, we want to recommend an IDP that supports open standards like OAuth, OpenID and FIDO.

eddie-knight commented 1 month ago

@y-tabata I have tentatively marked you as the Project Lead and myself as the supporting STAG Representative. Our next step will be to gather interest from the community to support in the research and writing processes.

After sufficient interest has been garnered, I will help kick things off by creating the project schedule, slack channel, TAG calendar meeting entry, and a shared drive location for the group to begin collaborating.

For anyone else who is interested, please comment here with a note regarding how you would like to contribute to this Whitepaper effort!

tnorimat commented 2 weeks ago

I would like to participate in the activity as a member.

wadahiro commented 6 days ago

Hi, I'm interested in contributing to this whitepaper project.

daian183 commented 6 days ago

Hello, I am interested in participating in the activity as a member.

Satarupa22-SD commented 5 days ago

Hi, I am interested in contributing to this whitepaper. I wish to contribute towards the research paper writing.

patatoid commented 4 days ago

For me, it would be great to get in. Hoping we will find out some practices that help integrators to find their way through the hill of specs.

y-tabata commented 4 days ago

@tnorimat @wadahiro @daian183 @Satarupa22-SD @patatoid Thank you all! I want to decide the meeting time & day. Your time zones are JST & IST & CEST, right? So how about JST (17:00-18:00), IST (14:00-15:00), and CEST (10:00-11:00) on Tuesday? Please comment if you have any inconvenience or give this a thumbs up if you like. I will set up a meeting to start as early as next Tuesday.

dadrus commented 4 days ago

I’d like to contribute as well. My time zone is CEST. Unfortunately, I have a full-day workshop scheduled next week from Tuesday to Thursday. Would it be possible to record the session for those who are unable to attend?

y-tabata commented 4 days ago

@dadrus Yes, I plan to provide recordings and meeting notes.

entlein commented 4 days ago

I'm interested in contributing, especially with regard to federated-identity setups (like pod identity, etc.).

y-tabata commented 3 days ago

@eddie-knight Could you set up an LFX recurring meeting for this?

JST (17:00-18:00), IST (14:00-15:00), and CEST (10:00-11:00) on Tuesday