From f8c9f1743fd95bd6fdc309f2ce772cb2571c5655 Mon Sep 17 00:00:00 2001 From: Alone2671 <62079805+Alone2671@users.noreply.github.com> Date: Sun, 19 Nov 2023 23:17:04 +0300 Subject: [PATCH] Update Protect-Your-Application-Not-Just-the-Network-Add-Zero-Trust-Superpowers-to-Your-Critical-Applications-and-Systems.md --- ...-Your-Critical-Applications-and-Systems.md | 786 ++++++++++++++++++ 1 file changed, 786 insertions(+) diff --git a/content/sessions/2023/mini-summits/Oct/DevSecOps/Protect-Your-Application-Not-Just-the-Network-Add-Zero-Trust-Superpowers-to-Your-Critical-Applications-and-Systems.md b/content/sessions/2023/mini-summits/Oct/DevSecOps/Protect-Your-Application-Not-Just-the-Network-Add-Zero-Trust-Superpowers-to-Your-Critical-Applications-and-Systems.md index 8156b60d978..10fd3ab4e4e 100644 --- a/content/sessions/2023/mini-summits/Oct/DevSecOps/Protect-Your-Application-Not-Just-the-Network-Add-Zero-Trust-Superpowers-to-Your-Critical-Applications-and-Systems.md +++ b/content/sessions/2023/mini-summits/Oct/DevSecOps/Protect-Your-Application-Not-Just-the-Network-Add-Zero-Trust-Superpowers-to-Your-Critical-Applications-and-Systems.md 
@@ -37,3 +37,789 @@ In this session you will: • learn some core tenants of zero trust and how it's different from current network security • see what it means to embed zero trust into your app and why it's the future for application security • discover the superpowers your app gains by simply incorporating an OpenZiti SDK in your app" + +## Transcript: +Clint Dovholuk - 00:00 +You. Hi. + +Dinis Cruz - 00:02 +Welcome to the last session of the Open Security Summit in October 2023. +And we have Clint, who's going to talk us about the next evolution, or +natural, I would say evolution of the whole Zero Trust, which is the +application, which I completely agree that we need to do it there. And by +the way, I love that. Isolate your app. Spot on. And we might get some +language models too, here. So looking forward to it. + +Clint Dovholuk - 00:30 +Great. Well, thanks a lot, Denis. Yeah. Again. My name is Clint. Clint +Obloblock. I work for a company that sponsors an open source project +called Openzd. And as everybody knows, every good open source project +must have a mascot. And so down in the lower right hand corner here, +you'll see Ziggy. And Ziggy is our mascot. He is a piece of ZD for zero +trust. All right. So anyway, let's get into it. Usually in the last few years, +whenever I tell people that I work for an open source project, that is a +Zero Trust overlay Network, this is usually the response I'll get, right? A +big deep eye roll. Because in the last few years, particularly, the term zero +trust has kind of been turned into a marketing buzword. So hopefully +you've seen this presentation. You said, is it real? + +Clint Dovholuk - 01:26 +Is it legit, or is it not? And by the end of this presentation, I'm going to +turn you from a deep eye roll into Shaq here and that kitty cat with a little +shimmy shake shake, right? Like, give me that. Zero trust. That's my goal. 
+If you're watching this live, or if you're watching it on a recording and you +have Go, I invite you to participate in the demo. That's going to happen +towards the end of the presentation here. So if you're watching it on +recording, pause the video, go install Go, and you'll get to enjoy the +appetizer for our Zero Trust overlay Network. Here's what we're going to +talk about, and you'll forgive me if you have seen this sort of stuff before. +Maybe you're familiar with Openzd already. Maybe you've seen me give a +similar presentation to this. + +Clint Dovholuk - 02:14 +But this is the current overview. I don't want to assume anybody knows +what Zero Trust is. So we're going to start at the basics, and we're going +to go from there. So let's first start by talking about what the current +network security setup usually looks like, right? And here's what it will +usually look like. It'll be a castle and a moat motif. So this is what you +hear a lot of that castle and the moat kind of idea. And so that's what +most people think of when they think of current network security. So here +we have just a regular basic network, right? And what is a regular basic +network? Well, it's just a bunch of castles and it's a bunch of moats. And +we have individual little networks and individual little locations. + +Clint Dovholuk - 02:54 +And our job is to allow network to allow devices to send traffic to one +another, right? So once you get behind the walls, once you get over the +moat, all these devices can send traffic to wherever they want. And that's +what normal network security is all about. Once you're on the network, +you're considered trusted. Obviously that's not a great idea. And this was +such a bad idea way back in the day that we said, hey, http FTP, that's +maybe not the greatest idea. Let's make our network a little bit more +secure and let's put TLS or transport layer security everywhere. And so +that's what we did. 
We went out and we got a little lock icon and we put it +on our little individual devices, and now everybody has TLS. So instead of +FTP, now we're using SSH and SCP. Instead of Http. + +Clint Dovholuk - 03:45 +We're using Https. Then people said, well, you know, that's great, Https, +but it's kind of hard to get that certificate. So poof out. Popped this thing +called https everywhere. HTPs Everywhere is a project by the Electronic +Frontier Foundation, and it was so successful that they're actually phasing +it out. But what it would do is it would take your Http URL that you typed +in Google.com and upgrade you automatically to Https. So it would check +to see if your browser had access to an actual secure URL. If it did, it +would automatically upgrade you. And that was great. Less encrypt was +started because everybody was like, hey, this Https is everywhere now, +right? How do I get some Https for me? Turns out back in the Dark Ages +before let's encrypt and SSL. Zero, I think is what it is. + +Clint Dovholuk - 04:39 +There's another one that's similar to let's encrypt now. You would have to +pay for a certificate. So most people on their trusted network were like, +it's trusted, I don't have to bother with this HTPs stuff. Of course, that's +obviously a bad idea. We should not trust our local network. And that's a +central tenet of the term zero trust, right? Trusting that network, you're +safe, you're secure if you're on that local network. So why is it a bad +thing? Well, obviously if an attacker in this case, represented by our little +fella down here in the lower left in red, because he's dangerous, if they +attach to your network even though you have TLS, well, what are they +going to do? + +Clint Dovholuk - 05:18 +They're going to start sending packets, they're going to start probing your +network, and then if they find an O day or a zero day, or some sort of +vulnerability, they're going to compromise your laptop and poof. 
Now +you're having a bad time. So horizontally moving across a network +something that we really need to control. And if you didn't know it, this is +what VPNs are, right? When you attach to a VPN, you're basically turning +those three little castles into one giant castle that lets you get to anything, +anywhere. Most of the time, now you might have an advanced VPN that +does a little bit of segmentation, then fantastic, good for you, but lots of +people don't. + +Clint Dovholuk - 05:54 +And so if you are attaching to a VPN, oftentimes you're able to get to all +of those corporate resources without any worry other than having to be on +the VPN. So again, I mentioned the word segmentation. We started to do +this idea of segmenting things where maybe now we'll take our little Ziggy +and we'll put him in a little policeman's outfit and he's going to police our +traffic. So now when that nasty offender gets on our network and wants +to send those packets, we have old Ziggy there taking care of business, +stopping those. Cool, cool. Right. Everything's good? Are we done? Call it +a day? Of course not. We can't call it a day. It's never going to be good +enough. So what happens? + +Clint Dovholuk - 06:32 +These attackers, they are ever vigilant, they are always out there and once +they have a foothold, they're not going to give up. So they're going to keep +trying. They're going to compromise a laptop that does have access to the +target that they're looking for and then use that target as a stepping stone +to the next network where they're going to just compromise that target of +opportunity. All right, so how do we combat some of this? Enter the idea +of zero trust. Again, we're back at our basic network and I'm going to get +rid of the castles and the moats now and we're going to just look at this +diagram. But what if our network had this idea of a device identity? So +this is one of the core pillars of Zero Trust, this device identity. 
+ +Clint Dovholuk - 07:15 +And what it means is every device on your network has a strong identity +that the network can use to verify the authenticity of the identity +connecting to that network. So if the identity is permitted to connect to +the network, then great, it'll connect to the network and it can send +traffic. And if it's not, then it won't be able to. And that's called device +identity. This is how Openzd bootstraps device identity. It's a little +complicated. If there's any questions, hit us up on discourse, since you'll be +watching this in a replay, but hit us up in discourse and ask about how +Openzd actually accomplishes secure enrollment. And this is just one +flavor of getting your authentication to the overlay network and we'll see +more about what enrolling means in a bit. And then there's device identity +with our attacker. + +Clint Dovholuk - 08:05 +So if that firewall sorry, if that network has all these little firewalls, that +understand device identity. Even if the attacker is to get on your network +and be able to start trying to send packets, well, the network is smart +enough to not permit that attacker to send these malicious packets, right? +The network knows the device identity and doesn't even let you on +oftentimes. That's called an overlay network. So what are they going to +do? Well, they're going to just go out and they're going to find themselves +an identity in a laptop that does have access. Because once they have a +laptop that has access, well, guess what? Game's over. They're able to +connect to that machine again and Zero trust been defeated, right? Call it +a day. Of course not. There's even more we can do. So what do we do +next? + +Clint Dovholuk - 08:51 +Next we take that idea of segmentation and we lower it even more. We +keep narrowing the segment. 
So instead of having a great big VPN, +instead of having a little network, instead of having one device, we keep +going further and further down to its logical end, which will be +applications. And we'll see that in a bit too. So this concept of least +privilege says every identity on the overlay network is authorized to +connect to other identities or other services on that overlay network. If it's +not authorized, you can't connect. So here we have that same attacker. +They're trying to send data over to our target of opportunity, but ha, they +can't. Because of least privilege, the network knows what services this +device can attach to. + +Clint Dovholuk - 09:36 +And that laptop in the lower right that it's been trying to compromise all +along is not able to connect to that laptop. So of course we're done, right? +Call it good. But as is always, if that identity is compromised and that +identity has access to the target of opportunity and to the service in +question, then you're still going to be able to be attacked. But does that +mean this is not a good approach? Of course not. We have made this +already. Just imagine how many hoops, how many extra hoops this +attacker has had to jump through just to find a machine that can even +connect to the target of opportunity. It's all about layers and layers of +security. And the more layers you add, obviously the better it is. The +smaller your attack surface, the better it is. + +Clint Dovholuk - 10:22 +So least privilege giving the identities only the ability to contact the things +that they're supposed to contact, narrowing that focus. Another core pillar +of zero trust is continuous authorization or posture checking. So this +would be things like am I connecting to the service from Windows? I can +only get here from Windows or from Mac or from Linux or is my patch +level of the operating system up to date? Things along those lines. 
So if a +new patch comes out, you can update a posture check and then suddenly +that laptop is no longer able to even attach to the network, no longer able +to send traffic. All right, and that's a little bit about zero trust. So now +we're going to get into application embedded zero trust. You heard +mention the term overlay network prior. So what exactly is an overlay +network? + +Clint Dovholuk - 11:17 +You might have already kind of figured it out, but here we're going to take +the Internet, right? Generally speaking, it's really convenient if the +Internet can just be your overlay network. So can we turn our Internet, the +Internet, into our overlay network with Opencd? Yeah, you can. So what +does that look like? We'll deploy a controller somewhere out in the +Internet, and this controller's job in life is to manage authorization and +authentication. So when a device comes online, it talks to the controller. +The controller says, yes, you are who you say you are, and you are now +authorized to connect to the network. Sorry, authenticated to connect to +the network. And you can actually connect. Authorization is the green +light, if you will, giving the identity the ability to actually connect to the +servicing question. So we have a controller now. + +Clint Dovholuk - 12:11 +We have these things we call routers, and there are different kinds of +routers, some of which can service links between other routers and some +service edge connections. These things come online and they form +connections to everything else. So Openzd is an overlay network that's +also a mesh network, which does differentiate it from other overlay +technologies, like normal VPNs, where you have one concentrator and one +input, one output kind of place. With Opencd overlay, you can have +multiple inputs and multiple outputs, and those things all go together and +they form secure Mutual TLS connections. And that's important. 
And this +diagram gets really busy when I add all these locks on here. But that's +important because every single edge router to edge router connection or +router to controller, that's all Mutual TLS, meaning the device attaching, +must provide a certificate to the server it's attaching to. + +Clint Dovholuk - 13:04 +And the authenticity of the certificate that is being presented is verified by +both the client and the server that uses public key infrastructure. If you +haven't looked that up, fun topic, deep topic, but that's what Mutual TLS +is all about. I'm going to take those lock icons away because it makes it +busy. And then the edge routers also are there, as I said before, to service +connections between edge devices or edge SDKs, and the edge router. And +that's all done for the express purpose of one thing, and that's sending +data back and forth. Obviously, the whole idea of a network is to send and +share data. Ideally, it's with identities which are only authenticated and +only authorized to send that data, like on an opencd overlay network. + +Clint Dovholuk - 13:52 +Here's the three basic forms of zero trust as we define zero trust, and we'll +go into each one here in a moment. Zero trust, network access. This is +what most vendors will tell you is zero trust. You trust your local network. +Wink. Not a good idea, right? You trust your local network, you trust your +remote network, and then everything in between, we will make zero trust. +And that's pretty darn good. It's actually not bad, right? It's pretty good. +That's not terrible, but we can do better. So what if we take an agent and +put the agent on their computer. Like for example, on my Windows +computer, I'm running the Windows desktop edge for Windows, which +looks like this. And so I have a little agent on my computer. + +Clint Dovholuk - 14:38 +And that little agent's job in life is to make sure that traffic is only trusted +on the device. And that's pretty darn good. 
Openzd works like this. Other +cool technologies like WireGuard works like this as well. Or your VPN, +even if you want to consider the VPN right, there's a little agent that runs +and its job is to intercept all of this traffic and then shuttle it safely over to +the other side. If it's a server, if it's a client, wherever it's going to. But +everything in between is safe. So even if you're using Http and Insecure +protocol in your device, you can successfully and safely tunnel Http to the +server. And we'll see that happen here in a minute. And then finally, +obviously, the end all be all application access. + +Clint Dovholuk - 15:22 +Keep reducing the attack surface all the way down as far as you can into +the application itself. No longer do I trust my host's OS stack. Let's go +back a moment. If we look at the network access, not application. Come +on, where's my build? Right there. That's host access. If we look at this, +anything on my local machine that sends Http is able to go into this +tunnel. So if I curl there, or if I have malware, or if I have the actual app +that I'm trying to use, all of which can go into this tunnel and safely +tunnel, that is what application embedded zero trust can solve. You no +longer have a listening port here, intercepting traffic. You don't have +anything that does that sort of interception. The application simply writes +into the zero trust stream by itself. That's a huge benefit. + +Clint Dovholuk - 16:14 +And you can even go one step further. With Openzd, you can use a +hardware route of trust, which is really cool because then you don't even +have to trust that the file is safe on your operating system. Always there's +some root of trust somewhere here. It would be a little green dongle that +you plug into your computer. All right, so all that's what our application +embedded zero trust is all about. Let's focus now and we'll just take a look +at the attacker and the client that it's trying to attach to. 
So what are we +going to do? We're going to take an SDK, we're going to stuff it into our +application, and then magically lock icon shows up and we have a secure +application. And that's basically what end to end embedded zero trust is +all about. + +Clint Dovholuk - 16:56 +Application embedded zero trust cool is no firewalls are needed. We have +application embedded zero trust already. We're good to go. What does that +look like when the attacker gets there? Well, that attacker compromises +the laptop. You have an application embedded zero trust SCP program, +SQL program, and FTP program, right? Secure protocol. SQL. You never +know if it's secure or not. Depends on how you've done it. FTP? Definitely +not. So if the SCP application wants to send traffic to SCP, it's permitted +to. If the SQL Server wants to, it's permitted to. If the FTP wants to, it's +permitted to. Obviously. So now what happens if the SCP application tries +to send traffic to that FTP application? The SCP application has no idea +how to send traffic to FTP. It doesn't even know how to get there. + +Clint Dovholuk - 17:45 +As they say, you can't get there from here, so it's denied. Same would be +true for SQL traffic going to FTP or for the SQL Server program to try to +send SCP. It literally cannot be done because it must go over the overlay, +and the overlay won't even permit it to. So why that's? Super powerful. +Now you have effective immunity to malware, showing up on your local +computer, compromising, one of those bad applications, super cool stuff. +And that's where Openzd comes into the picture. Now, you might be +saying to yourself, this sounds like a lot of work and it is a lot of work, +and it was a lot of work. And this slide is one of my favorites. It represents +the duration or the longest path a human can walk across the earth, right? +And this is basically the path to Zero Trust. 
+ +Clint Dovholuk - 18:37 +We realize everybody's not going to go straight from Brownfield +application to application embedded Zero Trust Greenfield application. If +you can, then great. You get to start in Siberia or maybe in Africa, +depending on where your start and end is. But otherwise you're going to +have to go the whole entire path. And so we realize that it is a journey. +Open Zero Trust is a journey, and people aren't going to jump right into +Zero Trust and application embedded Zero Trust immediately. So maybe +you'll start somewhere in the middle of Asia, maybe you'll start somewhere +in the middle of Africa, and your journey might be different. But this is the +longest path a human can walk and it represents the fact that it is quite +the journey. + +Clint Dovholuk - 19:20 +But Openzd has you covered because we have those things I remember I +referred to before as those tunneler apps. So if you have Linux or if you +have iOS or Android or Windows like me, or whatever, your particular +operating system target is of choice, you can use one of those tunnelers to +bridge the gap between application. Embedded Zero Trust and brownfield +deployments tunnelers do have a really cool property that is worth noting +because if you have an Open ZD overlay network, you will have these +tunnelers available to you. And so suddenly you can start doing cool things +with all your brownfield apps too. So for example, one of the superpowers +from Openzd that tunnelers provide is true private DNS. You can create +fictitious DNS names that your users can then connect to. + +Clint Dovholuk - 20:12 +Like my ZD which is not a valid top level domain or Linux Foundation one +summit. Like I made this slide for Bodibic boat face, right? Fluffernutter. +These are all DNS entries that you can create and would be private to +your bespoke overlay network. So that's pretty cool. But not only is it +private DNS super cool, but it's authenticated DNS. It's truly private. +Right? 
If you deny the user and the identity, I should say access to your +overlay network poof that DNS entry goes away. And so those are some +really powerful superpowers of a tunneler, and we could get into tunnelers +someday. That sounds interesting, but what are we here for? We're here to +talk about the superpowers of application embedded zero trust. So let's +blow it up and let's get going. So what do we have here? We have two +pictures. + +Clint Dovholuk - 21:06 +Perhaps you're familiar with the picture on the top. That is called the +Beast. The Beast is a limousine that the United States presidents drive +around in. It is bulletproof. It is blast proof. Right? It's got all this security +built into it, not bolted on top like the Mad Max approach. Right? With the +Mad Max approach, you're like, oh, there's a chink in the armor right +there. Oh, I can shoot through here. Oh, it has regular tires, right? The +Beast. Sleek, sexy. Security built inside. Secure from day one, secure by +design. Mad Max. We'll do our best we can. Day two, security. It happens, +right? We'll just keep bolting stuff on until we make it secure because we'll +get there, I'm sure, right? So that's a key difference of application +embedded zero trust is it's built secure by default. + +Clint Dovholuk - 21:59 +You have zero trust security built into it right out of the gate. That's a +superpower. Another one. From a developer's point of view, I don't know if +you've ever had a service that's behind a load balancer, but all too often +when you're behind a load balancer, you as a developer, you don't even +know where this thing is going. So you're told to connect to my +application server, and then that gets turned into an IP address. And then +if you're lucky, the load balancer will forward source IP. And so you as a +developer could have a shot at understanding who is connecting to your +service before they actually connect to your service. But that's not the case +with an overlay network. 
Like Openzd. With Openzd, you know, Clint is +trying to connect to Prometheus. There's no question about it. Right? + +Clint Dovholuk - 22:46 +You know the exact identity connecting, you know the exact identity that's +being connected to that is also a superpower. On top of that superpower is +it's not just for the clients. It's also for the server side. Right. Usually we +think about zero trust. We think about security. You think about the cloud. +The cloud is safe, right? Nobody's going to get into my cloud. My VPC is +secure. I've only got 85 holes open to my VPC. That's only 85 holes. Not a +worry. Well, with a zero trust overlay like Openzed, you can have zero +open holes to your firewall. So your VPC can be truly firewalled off from +the world. No open listening ports at all on top of that, so that's the +firewall. On top of that, the server has no listening ports either. + +Clint Dovholuk - 23:33 +We already talked a little bit before about side channel attacks being +impervious to side channel attacks and the local computer, that goes for +the server too. So if that FTP server is listening out in VPC land, or virtual +network land, or Cloud land, wherever Kubernetes land, it'll have no +listening ports, it is not attackable by IP and port, literally not attackable. +And that's what we're going to see in our demo in a bit. Oh yeah, I guess +this is just more no inbound Firewall polls. Same exact point. I should +have looked ahead of my slides, but you get the point, right? No listening +ports, no inbound firewall rules. That is just super cool stuff. I don't know +if you are familiar, but a couple of years ago there was a CVE, a critical +vulnerability and exploit around Java and Spring called Spring Boot. + +Clint Dovholuk - 24:26 +And it was kind of a big deal, right? If you got a hole in that firewall, then +anybody on the open Internet can do what? 
Oh, they can just attach right +through that hole in the firewall, hit that Spring Boot server, and +compromise whatever they want to compromise, because that +vulnerability was of astronomical proportions. That's a good zero day. +Guess what you can't do when you have a zero trust network like Open +ZD. You can't even connect to that, what's the word? Attackable target. I +can't come up with the right word, so you can't even connect to it. So the +only people who could connect to it are people who have that strong +identity. Now of course, if one of them gets compromised, then your bets +are off. + +Clint Dovholuk - 25:08 +But you have reduced your attack vector from something that's on the +Open Internet to, if you're lucky, whitelisting of IP addresses. But you +don't even have to worry about that because Openzd you can just bypass +all that and secure your application directly, have no listening ports, that +attacker has no chance to get to that Spring Boot application. And so that +was also another issue that the Spring framework had, and I don't +remember exactly what CVE oh, what's this CVE? Also a 9.8. So a 9.8. If +you haven't seen the CVSS scoring, I do recommend you go check it out. +The critical Vulnerability scoring system, it's pretty neat. It has like six to +eight parameters, I don't know exactly, but the two that I focus one of +which is attack vector is Network. Permissions required none. + +Clint Dovholuk - 25:58 +If you have an attack vector of network with a permissions required of +none, you're already in a bad place, right? That means anybody on the +network is able to potentially attack that vulnerable target. So if it's on +the Open Internet, I don't even know how many billion devices there are +out on the Open Internet nowadays that are available to attack that +target. With Openzd, you can close all that down. And again, before I told +you, another superpower is contacting the client from the server. 
Usually, +if you're lucky, you know what a server side event is, or you know what a +WebSocket is, and you can open a WebSocket to your server and you can +get events that way, or you have some sort of IoT type of implementation +that allows you to do this sort of stuff too. + +Clint Dovholuk - 26:44 +Openzd's overlay network already allows you to do that. So if you were to +embed Zero Trust into your server, into your client, it's just another client +on the network, your server is just another client and your client is just +another client. And it's possible for your client to declare that it binds or +accepts connections from other clients on the network. So let's think of +like SSH would be one of those ones where you would define an identity as +able to SSH or RDP for example. But with Zero Trust enabled by Openzd, +you can use application embedded Zero Trust and talk from your server +straight to your client. So if you want to notify them all, not a problem. +You can just do that. You can just connect to them. But you must be +authorized. + +Clint Dovholuk - 27:29 +The server must be authorized to send a message or dial, and the client +must be authorized to accept a message. And then soon Openzd is going to +allow the clients to turn off that ability of listening, even so that the device +you with your tunneler could turn off the ability to listen. So you are in the +control there too. That's super cool. And we use that with Amazon +Lambda. So because it's application embedded, it doesn't matter where +you deploy it, right? This is not Kubernetes only, this is not VPCs and +Amazon only. It is literally anywhere it's application embedded. You can +run this on your local laptop, and I'm going to run my client on my local +laptop here in a minute and when I stop blathering and get to the actual +demo, right? + +Clint Dovholuk - 28:15 +So another killer feature, Openzd, gives you end to end encryption out of +the gate. 
So by adopting Zero Trust into your application and your server, +you have true end to end encryption. If you remember, before I talked +about Mutual TLS, I talked about the router and the client connecting and +forming a Mutual TLS connection. And that's great between links, but that +means when you're on the router or at the endpoint, you can see whatever +the traffic is. With end to end encryption, even if you were sending traffic +through that router has no ability to be able to read that traffic. On top of +that, even if you had. If you use a secure protocol like SSH on your other +side, on both sides, the SSH application protocol is also another layer of +encryption. + +Clint Dovholuk - 29:08 +Being able to obtain secrets and defeat the security of that connection is +going to be incredibly difficult. Attackers are going to have such a hard +time. It's definitely not going to be worth it. Because of course, if it's +worth it, maybe people will find a way to get through it. But it'll take +nation state actors in order to go through the amount of effort it'll take to +bypass those three layers of encryption. So don't forget application layer +end to end encryption. Mutual TLS makes it basically unhackable, and I'll +say basically because everybody who is sufficiently motivated, perhaps +they'll find a way. But as we know, of course, there's not right now. And +that uses Libsodium, which is built for small devices. So you'll see, Openzd +oftentimes is targeting IoT type devices because we have a Csdk and the +Csdk is tiny. + +Clint Dovholuk - 29:58 +And Chacha 20 poly 13 Five was built for tiny devices. So even if you have +a Raspberry pi or something teeny tiny, zero trust is not out of reach. Take +an SDK, stuff it in your application. Now you have zero trust available to +you. Another just amazing superpower, in my opinion, port inference. 
If +you go out to any network and you scan that network, you're going to find +out, oh, Clint's using MySQL clinch using VNC, right? It doesn't matter. +When you send all of your traffic through the secure zero trust overlay +every port becomes 443. So good luck figuring out what services +somebody is using just by scanning ports. You're never going to do it. It'll +just be all 443 or whatever you choose. 443 is just a common one. + +Clint Dovholuk - 30:50 +So all your traffic pardon me 1 second, all your traffic gets synthesized +over a single connection through the Openzd overlay, which doesn't +impact performance. So don't think of it like that. It's a big pipe. It's as +big as your network speed is. So all of your protocols travel over that pipe. +And so they all look like port 443, whether it's FTP, SQL or SSH or +whatever I mentioned before. Continuous authorization. You get that for +free with Openzd as well. Domain checking, Mac address checking, +process checking. Also, ZD supports two factor authentication out of the +box. So that's all cool stuff you get. You get a self healing mesh network, +which is also really important. So this way, if your device is sending traffic +and one of those routers goes down, no problem. Openzd will just route +the traffic from one place to the other. + +Clint Dovholuk - 31:39 +That's super cool. And then this is what it looks like. This is an example of +taking an actual Java application which creates a client and then sends +traffic over that client from the before to the after. Key things to pay +attention here, let me make it a little bit easier for you to see it. Let me +make it even easier for you to see it, right? So you have no need to know +the IP address anymore. You don't need to know its local host or whatever +the IP is. You don't have any need as the developer to know what port it is. 
+You just know you have some super secure service, and your identity is +authorized to, in this case, bind to bind that identity. So this is acting as a +server. Bind means I accept traffic. Dial means I'll send traffic. + +Clint Dovholuk - 32:29 +And so as a developer, you don't need to know where things are defined or +where they're hosted, et cetera. One of my favorites, maybe my favorite +embedded superpower is this thing I refer to as Implicit multifactor +authentication. So if you have a strong identity, you can't even get onto +the network. You can't even send traffic to your API. Now, presumably +your API will have some sort of authorization that's baked into it. So this +SDK on the left will talk to this API on the right, and the API will verify the +traffic in some way. The network also verifies that identity by having that +implicit identity baked into it. So, realistically, you have two factors of +authentication already. By just using a zero trust overlay network, you +have your strong identity from openzd, and you have your authentication +from your API service. + +Clint Dovholuk - 33:25 +And so those are the selling points about application embedded zero trust. +And I've blathered long enough. Maybe you just skipped right ahead to the +demo. Maybe they put nice little chapter marks in here for you, and you +just skipped into the good stuff. So that's cool. So here's where we +actually see all of this in action. We're going to put our money where our +mouth is. Let's take a look at what our demo is going to look like. So I've +already deployed. In fact, I won't say I did, because I didn't deploy this +network. The Net Foundry console deployed this network on my behalf. +We call it the Appetizer Network to get you to want some openzd. And +what we have is we have a network deployed, we have a controller, we +have some routers in the mix. + +Clint Dovholuk - 34:03 +And on the left, you'll see the Reflect client. 
That's my client running on +my local computer. And then on the right, you'll see Reflect server, HTP +server. And that's deployed in Amazon, Fargate. So I made an application, +I bundled it into a docker container, and then my good friend Mike +Guthrie deployed it out onto Fargate. And now we have the appetizer out +there running. This is all open source. I don't think I even mentioned this. +All of this is free and open source, right? You can go get all of this for free. +Host your own openzd network today. Go get it. And if you want to look at +the demo, you'll go to the Openzd test kitchen. ZD zero trust. ZT. ZD. +Italian pasta. So our little logo here, this little piece of ZD. So here's +Ziggy back again. + +Clint Dovholuk - 34:52 +He's got a chef hat on this time and he's in our Openzd test kitchen where +we basically test things out before we put them into the main repository, +which is just Openzd GitHub.com slash Openzd. All right, out there is an +appetizer repository and aptly named. We have an appetizer Openzd IO +pause right now because you can go there right now. And presumably we +haven't taken it down whenever you watch this video, who knows? But if +you're doing it right now, you'll probably have this available to you and +you can see I've gone there appetizer Openc IO. If you enter your email +address, which is what I'd ask you to do because that's a good, nice, +unique name, then fantastic. We'll get your email. + +Clint Dovholuk - 35:34 +Hopefully we won't solicit you, but maybe we but you can add yourself to +my Openzd overlay network and if you don't want to be bothered with it, +you can just click the don't bother with me, don't bother me right now. But +if you want to let us know that you care about Openzd, you can go ahead +and put an email in there. Once you've done that and click the button, +you're going to see, it brings you to a page that looks like this. And then +you'll see run some of the sample programs. 
You'll see the git clone, you'll +see where the repository is and then it'll give you the little kind of overview +that I just showed you and tell you some samples to run. Fantastic. That's +what we're going to see because I'm actually going to just go and do it. + +Clint Dovholuk - 36:11 +So let's just go and do it, shall we? First thing I need to do is I need to +bring up Microsoft Edge, a browser which I literally never use and with a +bunch of junk on it. So let's go to Appetizer Openzd IO and you'll see I get +the same thing that I showed you before. I'm going to enter my I'm not +gonna put my email address, but it's Clint@openzed.org. If you want to +email me, you can. But I'm not going to type it in here because who knows +who's going to look at it. So we'll just use Clint and let's do Open SEC +Summit. Let's do that. That sounds great. That's probably pretty unique. +And add me to openzd. All right, so now once I've added myself to no, I +can't click on that. + +Clint Dovholuk - 36:58 +Apparently once I've added myself to Openzd, then I can go and I can +clone the repository. Now I've already cloned the repository, but you can +just go ahead and copy that if you want to. And then I need to download +my token. So remember I talked about enrolling an identity. The identity +enrollment starts with a signed document, which in this case is a JWT, and +so it says, where would I like to save it? I'm going to save this thing into +my appetizer. GitHub openzdest kitchen. Where is it? It's in here +somewhere. Work GitHub openzd. Okay, let's go back up and find it. +Where is my test kitchen? That oh, it's because it's on Linux. That's right. I +am running this inside of Linux, which is why I don't remember where it is. + +Clint Dovholuk - 37:58 +And let's see, my username is going to be in home and CD and Git, where +is Git? In here, and here's GitHub. And here's opencd test kitchen. And +here's the appetizer. So I'm going to save this there. 
Now when I saved it +there, I can then just go run the application and I've already CD into that +location. So if I bring up my terminal and I PWD, you'll see I'm in the +appetizer repository, I can go ahead and just run that command that I +copied and pasted. Now when I do this, what's going to happen? What's +going to happen is the application is going to enroll that token, which you +can see it happened and that's going to connect to a server. I'm going to +bring up the diagram. Actually, I want to bring up the prettier diagram if I +can find it. + +Clint Dovholuk - 38:50 +Let me find it real quick, this one. So it's going to contact a service that +has no listening ports that I stood up that will do one thing and it will +reflect back to me or echo whatever I type. So if I say hi, then it'll say hi +and it'll say you sent me hi. Now, what also happens that you're not seeing +this is normal stuff. I challenge you to find this service on the open +Internet. You won't find it at appetizer openZ IO because it's all +application embedded. So this has no listening ports anywhere. But you +can try to find it, you won't. But what happened here is I've sent a +message up into the cloud, in this case an Amazon Fargate where this +thing is running. + +Clint Dovholuk - 39:41 +And I have a server that's running up there accepting connections on the +overlay network, not on the IP based underlay network. And it's returned +back to me, this text. And so that's what it's done. Also what it's done is +it's looked at my input and decided if the input was profanity. So I added a +Go library to check for profanity. And then we did something even cooler. +We have another service that can deploy it out there. In fact, I don't think I +was sharing my screen, so I'm sorry about that. We have another service +that Ken deployed and that service is doing language model work. It's a +text classifier. So AI being all the rage, right? Everybody needs an AI +service. 
+ +Clint Dovholuk - 40:27 +We have a service that looks at my input and classifies it as to whether it's +offensive, I don't know where Ken deployed his service. Think about +microservices, right? Thinking about the what you do all day long. You got +Team A that does one thing. Team B, that does another thing. You need +team A to send traffic to team B. Team A has to say well, how do I +whitelist my IP? Here's my IP. Blah. Right. None of that with openzd. Ken +stood up a service, told me the name of the service and told me go dial it +and that's all I had to do. And so that language model is running out there +somewhere and I don't know where Ken put it. + +Clint Dovholuk - 41:02 +So if I do something like say I hate babies, then you're going to see, hey, +your message seems to be offensive and we are not going to relay it. Also, +if you will notice in our oh, Clint is a dingleberry. Somebody is being a +funny dude right now. That's really interesting. Who hates babies? I +wouldn't have expected that to kit through our language classifier. But +you can see somebody else is actually using this right now. I don't know +who. This honestly wasn't the plant. Hopefully it's somebody on the chat, I +don't know. So if I then say I like babies, you can see what I didn't show +you before is that the service also reflects the message back into your +screen right here. And if you wanted to have somebody else play along, +you could just send them to messages. Messages. M-E-S-S-A-G-E-S. + +Clint Dovholuk - 42:00 +HTML spell it wrong. Too many s's, maybe too many S's, I think. And they +can also get the messages too. Like example. So that is application +embedded zero trust working. We have sent message from my computer +here in western New York up into the cloud to a server that has no +listening ports. That server sent traffic to another server that was doing +language model identification using Python. Oh, I should mention, I wrote +it in go. Ken wrote it in Python. 
You can find that also on the test kitchen +GitHub account too. And then it returned a response and I printed it out +here and you can see the latency that incurs. Here is an example. If I hit +enter, you can see basically instantaneous pops up back on my screen. So +common question is what kind of latency can you expect? + +Clint Dovholuk - 42:54 +Humans never notice it. Now, I also did one more thing using application +embedded zero trust. I actually created a little bot in my application and +every time a message is sent to our demo application here, it actually pops +up here in mattermost and it tells me I hate babies. If were to go look at +this one, if we look at them both at the same time and see which one gets +the message and which one doesn't get the message, you'll see that the +message that's reflected publicly doesn't come through. But the message +that might be offensive is put in our chat message here. And so I can then +decide is this actually offensive? Is it not offensive? + +Clint Dovholuk - 43:39 +And maybe we could doesn't do this right yet because I just made this +demo literally today, but maybe someday that yes button will train our +language model so it can learn that this is offensive or that's not offensive, +and that's all entirely secure. I don't know where Ken deployed it, so just +think about multi cloud solutions now, right? If he deployed it in Azure, I +would have no clue that I deployed it in Azure while mine runs in Amazon. +And I think that's kind of mind blowing. So hopefully you think that's mind +blowing, too. Now, that's my demo. I hope you enjoyed it. You can go out +to the test kitchen. Like I said, let's skip past all of this. That was my +demo. Opencd has all kinds of other Zdefied, as we call it, apps. + +Clint Dovholuk - 44:20 +We have ZSS, which is neat because you can SSH here to a place without +having a port open, right? You can deny all the firewall rules like Ken did +when Ken deployed that service. 
Ken used Openzd to basically be the +bastion, if you would, the entry point to that server. He can only access his +server via Openzd. We use SCP as part of the ZSS package. Some +examples we have mattermost. You saw me doing mattermost. That +mattermost server that I just it's a chat app, which is equivalent to Slack +or Discord or something like that. But self hostable. That Mattermost +server that you just saw me accessing that I was messaging, can only be +messaged via Openzd because it's protected by Openzd. + +Clint Dovholuk - 45:11 +But it's a good example of the tunneler based approach and an +Embedding not Embedding joining an application embedded zero trust +approach with a Brownfield existing app. We send messages from GitHub +all the time to my Mattermost. So when I get a notification oh, there's Ken +right there. When I get a notification that a commit has happened or that +Clint approved a message, I'll get a notification from GitHub in my +Mattermost. But the only way to hit that Mattermost service is via +Openzd. So there's a Zdefied webhook for that. Zdbc. Actually, Marcos +has talked at a security summit in the past about me. If you haven't seen +that one, go check it out. Really good one. Great. Marcos, great job +presenting works with all your databases out there because it's not +bespoke per database. So it works with Postgres, Oracle, you name it, +right? + +Clint Dovholuk - 46:10 +It's just about poking the JDBC driver in the right way. Have good blog +posts about it. Cubezetle helm. I'm going to just skip all through these +because you can go out there and check them out on your own. +Prometheus actually one of my favorites here. I have a complicated +Prometheus example where we have a Prometheus server that's scraping +Kubernetes over the Openzd overlay, where the Kubernetes control plane is +entirely off the overlay before it had to be on the Open Internet. And you +have a Kubernetes ingress after you have kubernetes API. 
Totally hidden, +totally private kubernetes. And yet Prometheus can still scrape it from +anywhere. Cool blog post. If you're interested, let us know. Zdefi is also +neat. Very important. Every country, I believe, not just the United States, is +now issuing executive orders that secure infrastructure. + +Clint Dovholuk - 47:03 +Infrastructure must be secured by a Zero Trust mechanism of some flavor, +obviously why it's relevant in today's world. It's mentioned eleven times in +that document. Here are the Pillars of Zero. Trust. And you're thinking to +yourself, clint, what a great job. What a great demo. Blew my mind. Put +this in a cart. Let me bring it home. How do I go get it? Well, like I said +before, we are out on GitHub. You can go to oh my goodness. Shame on +me. Openzd GitHub. IO is no longer the URL. It is currently openzd. IO is +the URL. So I'll have to go and fix that. That's where you'll find our +documentation and GitHub. We're on GitHub at Slash Openzd so you can +find us on all our socials here. You can follow me and Ken weekly. We'll do +a ZDTV out on YouTube. + +Clint Dovholuk - 47:53 +We have a Twitter handle while Twitter is still around. And look at that. +Slide is so old. Still got the old bird. Who wants to go to X, right? Nobody +wants to go to X. We have a discourse group where you can hit us up in +discourse, where you can ask questions and whatnot. And if I can ask one +thing of you, it's to go to our GitHub repository openzd, and give us that +star. That star does mean a lot to us. It helps other people know that ZD is +a cool project and people should check it out. If you look at our star +progression here, you can see we're picking up some steam. So hopefully +you all who watch this can bump this up way higher. Let's see another big +spike. And yeah, give us that star. And that's the whole thing. + +Clint Dovholuk - 48:35 +That's application embedded. Zero Trust. I hope you've enjoyed it. Hope +the presentation was exciting. 
And if you have any questions, hit us up on +those socials. All right? Cheers.
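Review bot: the proper nouns in this transcript need a correction pass before merge, because the automatic transcription renders the project name inconsistently throughout the hunk ("Openzd", "openZ IO", "Openc IO", "opencd test kitchen", "openzdest kitchen", "Clint@openzed.org") and garbles the speaker's surname ("Clint Obloblock"), the host's name ("Denis"), the cipher name ("Chacha 20 poly 13 Five" for ChaCha20-Poly1305), "Csdk" (C SDK), "Mac address checking" (MAC address), "HTP server" (HTTP), and the tool names "ZSS", "Zdbc" and "Cubezetle helm". Suggest normalising these to the real names (the project is OpenZiti) and, for the URLs the speaker reads out ("appetizer Openzd IO", "openzd. IO", "GitHub.com slash Openzd"), writing them as actual links, since the speaker notes on the slide that one of those URLs is already outdated. The speaker also says on screen that he is deliberately not typing his email address, yet the transcript prints it; consider whether it belongs in the published page.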