Access control in message-driven systems - Marc Klefter - NDC Porto 2023
Learn how to enforce access control in message-driven systems using token-based authentication, attribute-based access control, and Open Policy Agent to ensure security and integrity in event-driven systems.
- Event-driven systems require access control to ensure security and integrity.
- Zero trust is a philosophy that assumes all connections and communication are untrusted and verifies identity at every touchpoint.
- Token-based access control is a mechanism for enforcing zero trust in message-driven systems.
- Tokens contain claims, attributes, and hashes that are used to verify identity and enforce access control.
- Tokens are typically short-lived and should not be reused or shared.
- In asynchronous communication, tokens are passed between services and verified at each step to ensure authenticity and integrity.
- Attribute-based access control (ABAC) is a model that uses attributes to make access control decisions.
- Open Policy Agent (OPA) is a tool that can be used to implement ABAC and enforce policies in a distributed system.
- Identity context is crucial in message-driven systems, and it should be propagated along the flow to ensure access control.
- Commands, events, and queries are all types of messages that require access control in message-driven systems.
- Synchronous communication implies short-lived interaction, while asynchronous communication requires longer-lived tokens.
- Implementing zero trust in message-driven systems can be challenging, but it is essential for ensuring security and integrity.
- Policy decision points (PDPs) are used to make access control decisions, and they rely on policy administration points to provide policy bundles.
- Hashing data and including it in the token is a way to ensure data integrity and prevent tampering.
- Events are immutable and should not be modified or replayed.
- Bounded contexts are a way to confine access control to specific areas of the system.
- Open Policy Agent's (OPA) Rego language can be used to define policies and enforce access control in a distributed system.
- System roles can be used to enforce access control and ensure that only authorized actions are taken.
- Implementing zero trust requires a combination of technical and policy-based solutions.
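An added example, not code from the talk or from any project of the speaker, that illustrates the points above on tokens carrying claims, attributes and a payload hash, being verified at each step of an asynchronous flow, and then feeding an attribute-based decision; the signing key, claim names, message shape, and the inline Python rule standing in for an OPA policy decision point are all assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; in a real system the issuer's signing key lives with the identity provider.
SECRET = b"demo-signing-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def payload_hash(payload: dict) -> str:
    # Canonical JSON so producer and consumer hash identical bytes.
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def issue_token(subject: str, attrs: dict, payload: dict, ttl: int = 60, now=None) -> str:
    # Short-lived token binding the subject's attributes to a hash of the message it travels with.
    now = time.time() if now is None else now
    claims = {"sub": subject, "attrs": attrs, "exp": now + ttl, "payload_sha256": payload_hash(payload)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def verify_token(token: str, payload: dict, now=None) -> dict:
    # Each consumer re-checks signature, expiry and payload hash before acting.
    body, sig = token.split(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if not hmac.compare_digest(claims["payload_sha256"], payload_hash(payload)):
        raise ValueError("payload does not match token hash")
    return claims

def authorize(claims: dict, message: dict) -> bool:
    # ABAC rule (assumed, stands in for an OPA policy): CancelOrder is allowed for the
    # order's owner or for a subject with the 'support' role.
    if message["type"] != "CancelOrder":
        return False
    attrs = claims["attrs"]
    return attrs.get("role") == "support" or attrs.get("customer_id") == message["customer_id"]

def handle(token: str, message: dict, now=None) -> str:
    try:
        claims = verify_token(token, message, now)
    except ValueError as e:
        return f"rejected: {e}"
    return "accepted" if authorize(claims, message) else "rejected: policy denied"
```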