Identity Aware Threat Detection and Network Monitoring by using eBPF Natalia Reka Ivanko, Isovalent October 28, 2020 ● ● ○ ● ○ ○ ○ ○ ● ● ● ● ● ● ● ● ○ ● ○ ○ ○ ● ● ● ○ ● ○ ○ ● ●

Ov Over erview view Casdoor is a UI-first Identity Access Management (IAM) / Single-Sign-On (SSO) platform based on OAuth 2.0, OIDC, SAML, and CAS. Casdoor serves both the web UI and the login requests Casdoor. By entering the correct username and credentials into the login page, Casdoor now knows the identity of the user and is about to send two pieces of information back to the callback URL set in Step casdoor-go-sdk Pr Proovider vider Casdoor is a federated single sign-on system that supports multiple identity providers via OIDC, OAuth, and SAML. Casdoor can also send verification codes or other notifications

that you may choose to use to generate the certificates and key material to configure and manage identity in your blockchain network. However, any CA that can generate ECDSA certificates may be used. Prerequisites additional help. Key Concepts Introduction Hyperledger Fabric Functionalities Hyperledger Fabric Model Identity Membership Peers Ledger Use Cases Introduction Hyperledger Fabric is a platform for distributed and cloud platforms, but the underlying structure is the same. Unified systems for managing the identity of network participants do not exist, establishing provenance is so laborious it takes days to clear

Architecture Cilium Operator Highly Available Cilium Operator CRD Registration IPAM KVStore operations Identity garbage collection CiliumEndpoint garbage collection Derivative network policy creation Reference security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter on application-layer situation which limits scale, Cilium assigns a security identity to groups of application containers which share identical security policies. The identity is then associated with all network packets emitted

permissionless blockchain technologies are unable (presently) to deliver. In addition, in many use cases, the identity of the participants is a hard requirement, such as in the case of financial transactions where Know-Your-Customer specifically architected to have a modular architecture. Whether it is pluggable consensus, pluggable identity management protocols such as LDAP or OpenID Connect, key management protocols or cryptographic libraries Service Providers (MSP): Starting with v1.4.3, node OUs are now supported for admin and orderer identity classifications (extending the existing Node OU support for clients and peers). These “organizational

permissionless blockchain technologies are unable (presently) to deliver. In addition, in many use cases, the identity of the participants is a hard requirement, such as in the case of financial transactions where Know-Your-Customer specifically architected to have a modular architecture. Whether it is pluggable consensus, pluggable identity management protocols such as LDAP or OpenID Connect, key management protocols or cryptographic libraries Service Providers (MSP): Starting with v1.4.3, node OUs are now supported for admin and orderer identity classifications (extending the existing Node OU support for clients and peers). These “organizational

permissionless blockchain technologies are unable (presently) to deliver. In addition, in many use cases, the identity of the participants is a hard requirement, such as in the case of financial transactions where Know-Your-Customer specifically architected to have a modular architecture. Whether it is pluggable consensus, pluggable identity management protocols such as LDAP or OpenID Connect, key management protocols or cryptographic libraries Service Providers (MSP): Starting with v1.4.3, node OUs are now supported for admin and orderer identity classifications (extending the existing Node OU support for clients and peers). These “organizational

Hubble Metrics Example Prometheus & Grafana Deployment Metrics Reference Scalability Limiting Identity-Relevant Labels Scalability report Performance Evaluation Setup Evaluation Results Tuning Troubleshooting security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter on application-layer situation which limits scale, Cilium assigns a security identity to groups of application containers which share identical security policies. The identity is then associated with all network packets emitted

security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter on application-layer situation which limits scale, Cilium assigns a security identity to groups of application containers which share identical security policies. The identity is then associated with all network packets emitted emitted by the application containers, allowing to validate the identity at the receiving node. Security identity management is performed using a key-value store. Secure access to and from external services

permissionless blockchain technologies are unable (presently) to deliver. In addition, in many use cases, the identity of the participants is a hard requirement, such as in the case of financial transactions where Know-Your-Customer specifically architected to have a modular architecture. Whether it is pluggable con- sensus, pluggable identity management protocols such as LDAP or OpenID Connect, key management protocols or cryptographic libraries Service Providers (MSP): Starting with v1.4.3, node OUs are now supported for admin and orderer identity classifications (extending the existing Node OU support for clients and peers). These “organizational