WEBVTT

00:00.000 --> 00:02.000
You have a big question.

00:02.000 --> 00:04.000
I'm very happy to hear that.

00:04.000 --> 00:05.000
I'm very happy.

00:05.000 --> 00:06.000
I'm very happy.

00:06.000 --> 00:07.000
I'm very happy.

00:07.000 --> 00:10.000
Okay, so yeah, we're ready for the next talk.

00:10.000 --> 00:12.000
Yeah, please, could you?

00:12.000 --> 00:14.000
Yes, please.

00:14.000 --> 00:16.000
It's all set up.

00:16.000 --> 00:17.000
Yeah, yeah.

00:17.000 --> 00:19.000
Okay.

00:19.000 --> 00:24.000
So yeah, we have a list for the next talk, the next speaker.

00:24.000 --> 00:26.000
Is what's it wrong with?

00:26.000 --> 00:28.000
And he told me the talk about, uh,

00:28.000 --> 00:31.000
very interesting topic and very popular topic.

00:31.000 --> 00:34.000
So we're in high-end, uh, SUSE.

00:34.000 --> 00:35.000
Okay.

00:35.000 --> 00:36.000
Thank you.

00:36.000 --> 00:37.000
Thank you.

00:37.000 --> 00:38.000
I'd like to start us.

00:42.000 --> 00:45.000
I'd like to start this with our daily mentor from many of us.

00:45.000 --> 00:47.000
Can you hear me back there?

00:47.000 --> 00:48.000
No, no, no.

00:48.000 --> 00:49.000
More or less.

00:49.000 --> 00:50.000
And there.

00:50.000 --> 00:51.000
Better.

00:51.000 --> 00:52.000
Okay.

00:52.000 --> 00:53.000
This is more.

00:53.000 --> 00:54.000
I will try to keep this dance.

00:54.000 --> 00:56.000
Please raise your hand if you cannot hear me.

00:56.000 --> 00:57.000
I want everybody to hear.

00:57.000 --> 01:00.000
And let's see how this goes now.

01:00.000 --> 01:01.000
Welcome.

01:01.000 --> 01:05.000
This is the SUSE ID project description of pre-showcase.

01:05.000 --> 01:12.000
We are here to show how SUSE has tackled their IAM landscape.

01:12.000 --> 01:17.000
The first thing, it's important to show how we got here.

01:17.000 --> 01:20.000
So let's go through a little bit of the story of SUSE.

01:20.000 --> 01:24.000
So SUSE was founded in 1992 in Germany.

01:24.000 --> 01:29.000
It was one of the first companies to go to market with enterprise Linux.

01:29.000 --> 01:33.000
So SUSE was acquired by Novell in 2003.

01:33.000 --> 01:36.000
Then Novell was acquired by the Attachmate Group in 2011.

01:36.000 --> 01:38.000
Then the Attachmate Group was merged.

01:38.000 --> 01:41.000
Well, was acquired by Micro Focus in 2014.

01:41.000 --> 01:43.000
And then in 2019 SUSE became independent.

01:43.000 --> 01:45.000
You see the pattern here.

01:45.000 --> 01:48.000
After 2003.

01:48.000 --> 01:51.000
Everybody here who has been long enough in an organization that has gone through mergers

01:51.000 --> 01:53.000
can definitely spot it.

01:53.000 --> 01:56.000
It never ends well.

01:56.000 --> 01:57.000
But who are you?

01:57.000 --> 01:58.000
You might ask.

01:58.000 --> 02:00.000
Our dear friend here presented me earlier.

02:00.000 --> 02:02.000
But I can elaborate a little bit more.

02:02.000 --> 02:03.000
I'm Jose.

02:03.000 --> 02:05.000
I'm a full stack engineer at SUSE.

02:05.000 --> 02:08.000
I've been working at SUSE six to seven years.

02:08.000 --> 02:09.000
Five years in the customer center.

02:09.000 --> 02:12.000
And one year in the platform engineering team.

02:12.000 --> 02:15.000
And with all of this baggage in my back.

02:15.000 --> 02:18.000
I can confidently say that I have no idea what I'm doing.

02:18.000 --> 02:20.000
I just sit down at a computer.

02:20.000 --> 02:22.000
I type things and they work and sometimes I don't.

02:22.000 --> 02:25.000
So this is what it is.

02:25.000 --> 02:30.000
I want to bring up a small disclaimer in this talk.

02:30.000 --> 02:35.000
We here in this talk are not wanting to sell you anything.

02:35.000 --> 02:39.000
We are going to talk about how we got to our IAM nightmare.

02:39.000 --> 02:42.000
And what steps are we going to take to make it better?

02:42.000 --> 02:44.000
We will mention products.

02:44.000 --> 02:48.000
We will mention things that are necessary for the plot.

02:48.000 --> 02:51.000
But in no way, shape or form, we're selling anything here.

02:51.000 --> 02:52.000
We do work for SUSE.

02:52.000 --> 02:55.000
But that doesn't mean that I'm here to market SUSE.

02:55.000 --> 02:58.000
With that out of the way, let's go back to the original part.

02:58.000 --> 03:00.000
So how did we get here?

03:00.000 --> 03:03.000
A small summary in case you missed it.

03:03.000 --> 03:06.000
So we were founded in '92, a chain of acquisitions.

03:06.000 --> 03:08.000
Now we're independent.

03:08.000 --> 03:11.000
This of course brought the classic.

03:11.000 --> 03:15.000
So every time there is a merger, two companies working in different ways.

03:15.000 --> 03:17.000
One of the ways will win.

03:17.000 --> 03:18.000
It's always like that.

03:18.000 --> 03:20.000
They can never be fully integrated because that would be two different governance

03:20.000 --> 03:21.000
And models.

03:21.000 --> 03:24.000
So we have now multiple possible providers.

03:24.000 --> 03:28.000
Because every merger, every movement requires new systems, new platforms.

03:28.000 --> 03:33.000
We have multiple LDAPs because we were used to working like this in 1987.

03:33.000 --> 03:36.000
We were used to working like this in 1997.

03:36.000 --> 03:40.000
We were used to working like this in 2007 and so on and so forth.

03:40.000 --> 03:44.000
We also have multiple add-ons and bridges because those old systems

03:44.000 --> 03:45.000
were working really nicely.

03:45.000 --> 03:47.000
Well-defined for the technology at the moment.

03:47.000 --> 03:51.000
But we have new standards like OAuth, OpenID and so on.

03:51.000 --> 03:53.000
But we cannot just recycle the old systems.

03:53.000 --> 03:59.000
So we have to bring new pieces of code that actually make the old pieces of software work with new protocols.

03:59.000 --> 04:01.000
That also means maintenance burden.

04:01.000 --> 04:07.000
We also have things like Active Directory because we cannot get around the fact that Windows is also used in organizations.

04:07.000 --> 04:09.000
So that is also a piece to maintain.

04:09.000 --> 04:13.000
We have RADIUS servers because we like to connect things together as well.

04:13.000 --> 04:15.000
The more the merrier, right?

04:15.000 --> 04:21.000
So at the end of the day, everybody is feeling like this.

04:21.000 --> 04:23.000
So you know who you are.

04:23.000 --> 04:27.000
You know where to go to, but it's way too many identities, way too many things.

04:27.000 --> 04:31.000
So why are we doing this?

04:31.000 --> 04:37.000
As I have clearly stated, I think our authentication systems are not fully standardized.

04:37.000 --> 04:43.000
Logging into a service may require navigating a nightmare of services around.

04:43.000 --> 04:47.000
And sometimes manual interaction depending on the case.

04:47.000 --> 04:51.000
At the time of writing or at the time of presenting this,

04:51.000 --> 04:53.000
every employee needs at least two identities.

04:53.000 --> 04:58.000
So we have a SUSE provider product there where we can authenticate and do part of our work.

04:58.000 --> 05:03.000
And we also have LDAP and all the protocols where we have another identity too.

05:03.000 --> 05:04.000
Also work.

05:04.000 --> 05:09.000
I think with this, many people can also feel a bit identified, when you work in a big company

05:09.000 --> 05:11.000
where the unusual happens.

05:11.000 --> 05:14.000
This of course comes with problems: security and compliance concerns.

05:14.000 --> 05:21.000
We have multiple IAM services around and they bring problems when you try to govern them.

05:21.000 --> 05:23.000
Because everybody has their own system.

05:23.000 --> 05:27.000
There is inconsistency in the MFA implementation because each system does it its own way.

05:27.000 --> 05:31.000
And it's not so easy to steer them into proper ways or into the single way.

05:31.000 --> 05:37.000
And there's no standard source of identity because company A used to use Active Directory.

05:37.000 --> 05:39.000
And that's the source of truth.

05:39.000 --> 05:41.000
Company B uses LDAP in its own way.

05:41.000 --> 05:46.000
And it cannot properly merge with Active Directory because there is an encoding here that is not available there.

05:46.000 --> 05:51.000
Or it's a specific software feature that is not here but that is there.

05:51.000 --> 05:54.000
That also means, on the administration side,

05:54.000 --> 05:57.000
we need multiple tools just to attend to a single request.

05:57.000 --> 06:03.000
And there are many integrations to take care of before actually attending to one of the requests.

06:04.000 --> 06:14.000
And with this I think I will show a little bit of how a SUSE employee or a SUSE partner works on a daily basis with some of the systems that SUSE provides for them.

06:14.000 --> 06:17.000
So let's start with the first login.

06:17.000 --> 06:20.000
So you go to JIRA because you are a partner of SUSE.

06:20.000 --> 06:25.000
You want to keep in touch with the properties of your software or your software request.

06:25.000 --> 06:26.000
You're prompted to authenticate.

06:26.000 --> 06:29.000
You say, okay, username and password, good.

06:29.000 --> 06:33.000
And you're going to go to Confluence and you have to authenticate again.

06:33.000 --> 06:36.000
Username and password, and you say, okay, it's fine.

06:36.000 --> 06:43.000
Now you go to the Build Service, in case people here work with us or with products for which the Build Service is the backbone.

06:43.000 --> 06:46.000
It loads, it's all beautiful, nice.

06:46.000 --> 06:49.000
You click on login and authenticate.

06:49.000 --> 06:52.000
Then you say, okay, I will check my Bugzilla bugs.

06:52.000 --> 06:56.000
You open Bugzilla, you realize it's an important bug, you have a relationship with us.

06:56.000 --> 06:58.000
You need to have security for this.

06:58.000 --> 07:02.000
So let's authenticate and login again.

07:02.000 --> 07:03.000
You say, okay, fine.

07:03.000 --> 07:05.000
And I am not a SUSE partner.

07:05.000 --> 07:07.000
I just bought some products from SUSE.

07:07.000 --> 07:13.000
So I'll just go to the SUSE Customer Center, try to check my subscriptions and log in.

07:13.000 --> 07:17.000
But with a different prompt, it doesn't look like the previous ones.

07:17.000 --> 07:18.000
Is it okay?

07:18.000 --> 07:19.000
I'm an employee.

07:19.000 --> 07:22.000
I'll just go to my corporate email and authenticate.

07:22.000 --> 07:24.000
But you get another prompt.

07:25.000 --> 07:28.000
So at the end of the day, this is what everybody experiences.

07:28.000 --> 07:35.000
So we want to go to SUSE's products and always authenticate.

07:35.000 --> 07:41.000
But you might ask yourself, why not move into yet another SaaS product, cloud service or third-party service?

07:41.000 --> 07:48.000
And I can confidently say to you that that would not be very open source of you.

07:48.000 --> 07:54.000
For one, we had to use the ones that complied with as many regulations as possible.

07:54.000 --> 08:02.000
The first set of regulations we will be going through is, first of all, GDPR, which is very important in the European Union.

08:02.000 --> 08:13.000
The NIS2 regulations as well, which tie us to have less people and to know more about the supply chain of our software in general.

08:13.000 --> 08:25.000
And the DORA certificate, the DORA regulation as well, which also forces us to know and to keep track of our information systems, and I guess there.

08:25.000 --> 08:27.000
But there is always a catch, right?

08:27.000 --> 08:37.000
So with all of this we've been talking to you, you can, I can get to the hint, the gist, sorry, that we cannot use a third party in our authentication system.

08:37.000 --> 08:45.000
But that obviously leads you to self-hosting, but self-hosting is not free, because it comes with its own issues.

08:45.000 --> 08:55.000
So self-hosting for sure will enable you, or us in this case, to comply with more regulations, because you control the software that is running, you take the decisions, you have the data.

08:55.000 --> 09:03.000
But that comes with a problem, because there is no such thing as a free lunch; every new solution that you bring to this table comes with new problems.

09:03.000 --> 09:11.000
Self-hosting brings costs in all of these areas: you need operations to take care of the service, you get your putty in place.

09:11.000 --> 09:17.000
You need data centers to actually host the things, because if you use the cloud, you're breaking the first premise of self-hosting: it's not on your premises.

09:17.000 --> 09:25.000
You need data handling practices, you need security hardening, you need personnel taking care of these systems, you need frontline support to actually take care of the requests.

09:25.000 --> 09:31.000
In the past, you just relayed all of that to the service provider, and if there is a problem? You just pay some money, and that's it.

09:31.000 --> 09:34.000
And now you have to absorb those costs.

09:34.000 --> 09:42.000
In our case in particular, for SUSE, we do have some of these costs already in our normal operations.

09:42.000 --> 09:48.000
So they don't really make much of a difference, but that doesn't mean that they are fully free.

09:49.000 --> 09:55.000
So for the case of data centers, we have data center personnel, we have data center operations teams, so we can rely on that.

09:55.000 --> 10:01.000
Bringing this project into the mix does not constitute much of an increase in the workload.

10:01.000 --> 10:11.000
The same for departments with support and so on, but it does bring new costs on operations staff, data handling and security and infrastructure.

10:11.000 --> 10:21.000
But enough, let's see some diagrams, and let's go through, more or less, how we wanted to build this solution and how it will look in the future.

10:21.000 --> 10:27.000
So we want to put SUSE ID, the project's name, in the center of all the products and services that SUSE provides.

10:27.000 --> 10:37.000
That way we can have a centralized place from which to control all of this, and of course, as shown in one of the slides, an example of digital sovereignty.

10:37.000 --> 10:49.000
So at first, all of our software products will be running with SUSE Linux Enterprise as a base, SLES, the SUSE Linux Enterprise Server operating system.

10:49.000 --> 10:59.000
On top of this, we are building with logical security, SLES running on encrypted disks and volumes of course.

10:59.000 --> 11:09.000
And we are also trying to achieve this fact of using confidential computing in the online compute resources, always where it's available.

11:09.000 --> 11:16.000
On top of this, we have two main products, as I said, this is not a sales pitch at all, it just so happens that this is what we're running.

11:16.000 --> 11:25.000
We have Rancher Prime for controlling all the containerized workloads, and we have the SUSE Virtualization product line where we will be hosting

11:25.000 --> 11:32.000
this set of online products or online software packages that we will be using for our project.

11:32.000 --> 11:35.000
So for the monitoring side platform, it uses a standout in the cloud.

11:35.000 --> 11:43.000
We have cert-manager to do certificate brokering, and on the right side of the organization we have the databases, pretty much.

11:43.000 --> 11:50.000
So Postgres, 3-9 years Garage, Patroni for orchestrating Postgres and high availability.

11:51.000 --> 11:56.000
And on top of all of this infrastructure is where our integrations come.

11:56.000 --> 12:01.000
So we have a set of software products that we will be integrating and building from scratch.

12:01.000 --> 12:11.000
I think they are, well, I don't think I made this slide, so I know all of them are intentionally, from left to right, the ones that we are creating.

12:11.000 --> 12:15.000
The last slide is the one that we are integrating for us, so we have ID Merge.

12:15.000 --> 12:19.000
A small solution where we are merging many identity providers into one.

12:19.000 --> 12:25.000
We have an HR sync tool, which, I think people here have been involved in working with HR systems.

12:25.000 --> 12:31.000
They are never easy. They're never just a single API endpoint, there's always a report involved.

12:31.000 --> 12:37.000
We have ID Migrate, which is another tool for us to merge multiple identity systems.

12:37.000 --> 12:39.000
We will learn about that later.

12:39.000 --> 12:49.000
We have LDAP such a bind, which is a nice tool for interacting with many LDAP servers when they don't really match on organizational units and structures.

12:49.000 --> 13:00.000
And at the end of the day, all of this will be fronted by authentik as a front and IdP, where we will provide the UI interfaces for people to talk to and interact with this service as well.

13:01.000 --> 13:13.000
All of this is part of a bigger ecosystem that we want to build, where we don't really care much about what is on the line, but rather what we want to provide and what to connect with our community as well.

13:13.000 --> 13:22.000
Not only the corporate side, which has been talked about in the last 40-something slides, but also the community, the open-source community that interacts a lot with the companies.

13:22.000 --> 13:32.000
We have many things that we are sharing across these two entities, and we want to have a foundation of components here where at the end of the day,

13:32.000 --> 13:42.000
SUSE ID and the community solution can be empowering all of these protocols and all of these solutions.

13:42.000 --> 13:46.000
Along the way, we have done a lot.

13:46.000 --> 13:52.000
This is only a small excerpt of everything that has been done so far in the project as this is a continuous project,

13:52.000 --> 14:00.000
but along the way we have created a lot of open source contributions and fixes to project software, including but not limited to this list,

14:00.000 --> 14:06.000
there are many other issues and things that you will see if you stalk a little bit.

14:06.000 --> 14:16.000
But just to mention a few: authentik, sold-sack, smallstep, Django Python, Django Python LDAP, Kanidm, PortMamp UI, and GoLankLtiff.

14:16.000 --> 14:22.000
Along the way we also birthed a couple of projects like stepdands.

14:22.000 --> 14:26.000
This is a client certificates tool made easy.

14:26.000 --> 14:30.000
A lot of subwoof was earlier in the diagram.

14:30.000 --> 14:34.000
ID Merge, which is an identity aggregator.

14:34.000 --> 14:36.000
It's a bunch of orgs.

14:36.000 --> 14:38.000
You can see what this is.

14:38.000 --> 14:40.000
These projects, some of them are already alive.

14:40.000 --> 14:42.000
In GitHub you can find them.

14:42.000 --> 14:48.000
Not all of them are public just because we are still developing some parts, but surely nothing there is critical.

14:48.000 --> 14:52.000
I think we will be releasing soon, so keep an eye on that.

14:52.000 --> 14:56.000
With this, I open the Q&A session.

14:56.000 --> 15:06.000
I think we have enough time.

15:06.000 --> 15:08.000
We have a question there.

15:08.000 --> 15:20.000
Of course.

15:20.000 --> 15:21.000
Okay.

15:21.000 --> 15:24.000
In the architecture diagram, there was a mention to Garage.

15:24.000 --> 15:30.000
And the question is, was it always planned, or was it a side effect of MinIO?

15:30.000 --> 15:32.000
It was the plan.

15:32.000 --> 15:36.000
We were not considering MinIO at the moment, or we started using MinIO when the

15:36.000 --> 15:40.000
The vehicle happened, so the decision was not made in the moment.

15:40.000 --> 15:44.000
Just so happens, Garage was convenient.

15:44.000 --> 15:52.000
But it wasn't the case that we started with MinIO, and then we had to switch.

15:52.000 --> 15:54.000
And what's on your roadmap?

15:54.000 --> 15:56.000
What do you see next?

15:56.000 --> 15:58.000
There's some of the next.

15:58.000 --> 16:02.000
The question is, what is in the roadmap?

16:02.000 --> 16:04.000
What is the next stage for the project?

16:04.000 --> 16:12.000
We're rolling out for public-facing services.

16:12.000 --> 16:14.000
Integrations of what a new project.

16:14.000 --> 16:20.000
We know that it will take some reconfiguration for consumers to actually integrate into the new system.

16:20.000 --> 16:26.000
For now, we are testing a couple of operational responsibilities, let's say.

16:26.000 --> 16:28.000
But I would say the next step.

16:28.000 --> 16:34.000
So surely we will be starting to integrate new services into it.

16:34.000 --> 16:36.000
There was another question.

16:36.000 --> 16:38.000
There's a question from the internet.

16:38.000 --> 16:40.000
Yes.

16:40.000 --> 16:42.000
How do you handle secret rotation?

16:42.000 --> 16:46.000
There's a picture of what I repeated.

16:46.000 --> 16:50.000
The question from the internet is, how do we handle secret rotation from?

16:50.000 --> 16:52.000
It needs from pre.

16:52.000 --> 16:56.000
How do we handle secret rotation from the stack?

16:56.000 --> 16:58.000
It's handled by infrastructure as code.

16:58.000 --> 17:02.000
So secret rotation is surprisingly easy.

17:02.000 --> 17:04.000
In the event that is needed.

17:04.000 --> 17:08.000
I know the skeptical face.

17:08.000 --> 17:12.000
Some of our infrastructure can be failed over quite fast,

17:12.000 --> 17:16.000
so we can rotate the secrets in failover moments.

17:16.000 --> 17:18.000
So just bring up a new one with a new secret.

17:18.000 --> 17:20.000
New service with a new secret.

17:20.000 --> 17:22.000
Failover real quick.

17:22.000 --> 17:24.000
We update the other one.

17:24.000 --> 17:34.000
The question is, how can we use the authentik UI?

17:34.000 --> 17:38.000
That is going to happen in this month.

17:38.000 --> 17:40.000
You can start doing that.

17:40.000 --> 17:44.000
We can, for sure, have more internal communication with

17:44.000 --> 17:46.000
more details of our tests.

17:46.000 --> 17:52.000
We have another question.

17:52.000 --> 17:56.000
The ID Merge.

17:56.000 --> 17:58.000
The ID Merge tool?

17:58.000 --> 18:00.000
What that is?

18:00.000 --> 18:04.000
I don't have the slides at hands.

18:04.000 --> 18:06.000
So I will not attempt to go back with it.

18:06.000 --> 18:10.000
But we have many sources of authentication.

18:10.000 --> 18:12.000
Where the user data is obligated.

18:12.000 --> 18:16.000
But it does not necessarily have the same natural keys.

18:16.000 --> 18:20.000
For example, some people in the community have their,

18:20.000 --> 18:22.000
the keys that are also members of the community,

18:22.000 --> 18:24.000
have different user names.

18:24.000 --> 18:26.000
For corporate policy, they have the standardized one.

18:26.000 --> 18:30.000
But for their own life, they have their own one.

18:30.000 --> 18:34.000
So we need a way to know who is who for our compliance requirements as well.

18:34.000 --> 18:38.000
So some of them, we need to track and point from some other tool

18:38.000 --> 18:40.000
because they don't know each other, who is who.

18:40.000 --> 18:44.000
Like if you say UID foo bar doesn't match UID

18:44.000 --> 18:48.000
GACOMIS.

18:48.000 --> 18:50.000
It becomes open. It's not yet open.

18:50.000 --> 18:56.000
I cannot tell you for sure next week, but in the soonish soonish.

18:56.000 --> 19:00.000
We have another question there.

19:00.000 --> 19:06.000
The question is will the number?

19:06.000 --> 19:12.000
Okay, will the user names in this process be standardized?

19:12.000 --> 19:16.000
Corporate wise, yes, they have to be standardized.

19:16.000 --> 19:20.000
Community wise, we don't really have a requirement for standardization

19:20.000 --> 19:22.000
rather than following practices,

19:22.000 --> 19:26.000
as you should not use bad words or things like that.

19:26.000 --> 19:30.000
Not much that I could really explain about that on that,

19:30.000 --> 19:32.000
because corporate wise, yes.

19:32.000 --> 19:36.000
We are standardizing some of the user names, of course.

19:36.000 --> 19:40.000
I have a question.

19:40.000 --> 19:44.000
Please do.

19:44.000 --> 19:48.000
Yes, that was a better or something there.

19:48.000 --> 19:52.000
Oh, that was a joke.

19:52.000 --> 19:54.000
Your company is founded.

19:54.000 --> 19:56.000
The company is acquired.

19:56.000 --> 19:58.000
The acquired of the acquired.

19:58.000 --> 20:00.000
The acquired of the acquired.

20:00.000 --> 20:04.000
The acquired of the acquired.

20:04.000 --> 20:06.000
Right.

20:06.000 --> 20:08.000
Problem with that is that every time you get acquired,

20:08.000 --> 20:10.000
you get a new system,

20:10.000 --> 20:12.000
a new system, a new environment,

20:12.000 --> 20:14.000
which brings a new system.

20:14.000 --> 20:16.000
And yeah.

20:16.000 --> 20:18.000
Can you not experience this in evidence?

20:18.000 --> 20:20.000
What do you experience with that somewhere?

20:20.000 --> 20:22.000
Thank you.

20:22.000 --> 20:24.000
Any other questions?

20:24.000 --> 20:26.000
Thanks.

20:26.000 --> 20:28.000
Good.

