Summary
This content explains the shift from traditional password-based security to more robust certificate-based authentication and the Zero Trust model, emphasizing the importance of continuous verification and digital trust for modern applications.
Hello. Hello everyone. I think we have around 20 people already. Let's just give it some more seconds to start. I hope that everyone can hear me quite well. So we will talk about beyond passwords today, certificate-based.
>> All right. So let's start. So, beyond passwords, and let's start here. Today we will talk a little bit about some concepts, some security foundations. We will talk a little bit about general passwords and why they are failing, understanding digital trust, also some certificates in action, zero trust in practice, benefits and challenges, and also some takeaways and resource notes that I think might be quite useful for everyone that is interested in security things.
So my name is Nuno Costa. Some of you already know me. I'm a solution architect and also a security expert here in Lisbon at Boom. We are here today live streaming the event for everyone. We are here in Lisbon at the office, and hopefully you can also enjoy this workshop. Really quick about Boom: we are a team of around 30 people. We already have four certified experts, two MVPs and more than 20 advanced developers. I also talk a little bit about the importance of training on some of the topics, including the one that we are going to talk about today, so security. But besides that, as an official Mendix trainer we are also providing some specializations like UX/UI, integrations, converting OutSystems developers, cyber security and obviously the normal boot camps, from intermediate to advanced. So now let's start here about
security and what exactly security is. Probably most of you know that it is not just about keeping people out; it is really about protecting what really matters, and this is something that I will try to give you as a base for this workshop. Bruce Schneier is one of the most respected cryptographers and security thinkers in the world, and what he means here is that security isn't just a checkbox that you can tick; it is more of an ongoing process. You can buy antivirus software. You can also deploy firewalls. You can use certificates. But if you don't maintain them, update them and adapt them as the threats evolve, your system becomes vulnerable again and again. Security is a process that always needs next steps and movements to keep it safe. In Mendix or any platform, the goal is not just to say "yes, I have security"; it is more to keep security alive throughout the application life cycle.
So I want to talk here a little bit about this triangle. In IT, information technology, security means protecting three fundamental things: confidentiality, integrity and availability, as we can see on the CIA triad. Confidentiality means only the right people see the right data. Think of a Mendix app with customer records: no user should access someone else's details, and this is really, really important. Then integrity means that information stays correct from creation, and no one should be able to modify it in a transaction or in transit. And availability ensures that even when attacks or failures happen, legitimate users can still reach your system. These three pillars are a complete life cycle, and for example adding extra checks may reduce your availability. So true security is about a balance between all these three pillars.
Now let's take a look at traditional versus zero trust methods. So traditional IT works like a medieval castle, where you build strong walls, firewalls, around your network and assume that everything inside is safe: once you logged in with a password or connected via your VPN, you were trusted automatically. But that approach doesn't work anymore on some security systems: not in the cloud, not with mobile users, and not even against modern cyber attacks. So zero trust is just a game changer. It means never trust and always verify. Every device, every user, every action must be verified, whether it's internal or external. Certificates here play a big part, and they are how we will prove our identity without relying on fragile or even strong passwords. Instead of securing just the walls, zero trust secures everything. All right. So,
so why are we talking about going beyond passwords today? Because nowadays passwords are the weakest link. According to the Verizon Data Breach reports, about 80% of breaches still come from stolen or weak passwords. People reuse credentials, attackers are using phishing methods and also credential stuffing, and even strong passwords can be compromised through social engineering. So the real problem is that passwords prove what you know, but not who you are. That's why we need strong identification methods and certificates, cryptography and the zero trust model. So
now talking about HTTPS. I know there were already some talks today about this, but let's just go a little bit deeper and talk about HTTPS. You see HTTPS every day; it is just that little lock that you have in your browser, on your address bar. But what does it actually mean to have this lock, and what does HTTPS really mean? It stands for Hypertext Transfer Protocol Secure, that's the S, and it means that all the data sent between your browser and the web server is encrypted, so that even if someone intercepts the traffic, they cannot read it. So when we have something sent from the browser to the server, it will be sent in an encrypted way, and if someone catches it they will not be able to read it. And that's the reason for this certificate, but that's something that we will also touch on in a slide later. This encryption happens through a process called TLS, Transport Layer Security. HTTPS not only keeps the data safe, it also ensures that you're talking to the right websites, and that's where certificates come in. They prove that the site you're visiting really is who it claims to be. In the next part, we will look at how those certificates work behind the scenes through something called the
And before we talk about certificates, let's think of a real-world example. When you go to an airport, you can just say who you are, but besides you saying your name and whatever, you will need to prove it. And how do we do that? We need to show the passport or our ID card, which was issued by a trusted authority, in our case, when traveling, our government. The officer checks the validity and the authenticity before letting you go and travel on your plane. So the main point is that you need a trusted and secure way to show that you are really you, and if you give the officer a fake ID you probably will not pass. The same principle applies here online. Websites and users must prove who they are before they can travel, or before they can access whatever they need or exchange data securely. So the main idea here that I want to give you as an analogy is exactly your passport: your passport will act a little bit as a certificate, but this passport needs to be issued by this trusted entity, in our case the government. If for any reason I ask my neighbour, who is really good with Photoshop and working with computers, to give me a passport, okay, I might take the risk, I can go to the airport, but probably they will see that it is fake and I will not be able to travel. So the same analogy we want to bring here for the certificates: it needs always to be issued by a trusted entity, and this trusted entity needs also to be trusted by the ones that are going to consume it or to allow you in. So always remember this passport as an analogy to compare with certificates when you want to use them.

So now let's extend the analogy: who gives you your passport? Yes, the government of each country. So it depends on your country, and country by country they are trusted. The Portuguese government is trusted by other governments, and that's where we have some trusted issuers for our passports. Online it is exactly the same, and it happens with the certificate authorities, or the CAs. They are trusted organizations that verify identities and issue those certificates. Just like at an airport with a trusted passport from an official government, browsers trust certificates from official CAs like Let's Encrypt or GlobalSign, and this is the fundamental of the chain of trust.
So now that we know a little bit about HTTPS and how it encrypts the connection, the next question is: how does your browser know it's talking to the right server? That's where PKI comes in. The public key infrastructure, PKI, is the system that allows us to use digital certificates to prove identity online. It builds on asymmetric cryptography. That means that each entity has two keys: a public key, which anyone can see, and a private key, which must be kept secret. And certificates are like digital passports that connect these keys to an organization's verified identity. But who gives these passports? That's the role of the certificate authority. The CA is a trusted entity that issues and signs certificates. As an example, your browser or your operating system comes with a list of CAs that they already trust. If a site presents a certificate signed by one of those authorities, it's considered authentic, and this creates what we call the chain of trust, from the CA to the website to your browser. In short,
So now let's look at the difference between what is symmetric and asymmetric cryptography, because both are used in HTTPS and certificate-based security. Symmetric cryptography is the simpler one: you use the same key to lock and to unlock the messages. It's very fast, great for encrypting lots of data, but it has a big problem: how do you share the key securely with someone else without exposing it? That's where asymmetric cryptography comes in. Here we use two keys, one public and one private. What you encrypt with one can only be decrypted by the other. This means you can share your public key freely and anyone can send you encrypted data, but only you, with your private key, can decrypt it. So you can have data being exchanged and be sure that only you, with your private key, can decrypt it. And this is the basis for how HTTPS starts a secure session. The asymmetric keys are used first to exchange a shared secret, and then the symmetric key takes over and keeps everything fast. In other words, asymmetric cryptography builds the trust and symmetric cryptography keeps the speed. And here we also have some examples of some encryption protocols, but the main idea is exactly to use the symmetric and asymmetric keys.
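The flow just described (asymmetric keys agree on a shared secret, then a symmetric cipher carries the data) as an added example in Go; this is not code from the workshop or from Mendix. It uses ECDH key agreement for the asymmetric step and AES-GCM for the symmetric step, with a SHA-256 hash standing in for the key derivation that TLS 1.3 does with HKDF; the browser/server key pairs and the payload are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sessionKey is the asymmetric step: each side combines its own private key with the
// peer's public key (ECDH on P-256) and derives the same 32-byte symmetric key, which is
// therefore never sent over the network. Only the public keys travel.
func sessionKey(priv *ecdh.PrivateKey, peerPub *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared) // stand-in KDF for the demo; TLS 1.3 derives keys with HKDF
	return k[:], nil
}

// seal is the symmetric step: AES-GCM encrypts the bulk data with the session key and
// authenticates it, so any change in transit is detected (confidentiality plus integrity).
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce, prepended to the ciphertext
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the message was tampered with.
func open(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

func main() {
	browser, _ := ecdh.P256().GenerateKey(rand.Reader) // long-lived key pairs; only the
	server, _ := ecdh.P256().GenerateKey(rand.Reader)  // .PublicKey() halves are exchanged
	kb, _ := sessionKey(browser, server.PublicKey())
	ks, _ := sessionKey(server, browser.PublicKey())
	ct, _ := seal(kb, []byte("customer record 42")) // constructed sample payload
	pt, _ := open(ks, ct)
	fmt.Println(bytes.Equal(kb, ks), string(pt)) // true customer record 42
}
```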
Okay, moving a little bit further, and I hope that I'm not being too fast, but hopefully you are following. In the end, we will also have a Q&A session and you can also pose some questions if you have any. So
now that we understand a little bit about PKI and encryption, let's see how certificates actually work in real life. Certificates are the digital passports of the internet. Server certificates are used by websites or applications, and they prove to your browser that you really connect to the correct server; that is what gives you the HTTPS padlock that you see on your address bar. Then we have client certificates. They work the other way around: instead of the website proving its identity, it is the user or the device that does that. These are often used in secure corporate environments where password-based authentication isn't enough. Finally, authority certificates from trusted certificate authorities complete this chain of trust. So together they guarantee three things. First, encryption, so no one can read your data. Second, authentication, so you know who you are talking to. And third, integrity, so the message cannot be changed on the way. And this is how HTTPS and modern security protocols
Let's bring this back to Mendix. Mendix supports certificate-based security out of the box, and you can manage your certificates directly inside the application, in your app settings or in your cloud settings. You can also see it here. Not sure if you can see my mouse, but I think so, hopefully at least. And yeah, you can use them locally, on your local environment, or also on your cloud. These certificates are primarily used when you want to consume a REST or an OData service, or even from other systems, or eventually if you want to expose your own API for external clients to use. Normally HTTPS ensures that the server is trusted, but sometimes you also need to verify who your client is. So in case you have to connect two different systems, your app to a different system, which can also be a service, that's where you should bring in certificates in order to authenticate and also to encrypt your data and securely send it from one point to the other point. So encryption and authentication, and that's where mutual TLS, or mTLS, comes in: both sides present certificates and verify each other's identity. This is very common in enterprise environments where applications need to communicate securely between backend systems. As an example, if a Mendix app connects to your SAP or to any Azure service or any other external service, this removes the need for password-based authentication between systems, making both more
So everything we've seen so far, certificates, encryption, authentication, all comes together under the zero trust model. And the key principle is never trust and always verify. In our old model, once a user logged in, they were considered safe and they could be allowed to do whatever they needed to do in the app. There was nothing internally, after you got in, that would be validated, and that's what zero trust changes. Zero trust assumes that no connection is inherently trusted, not even inside your own network. That means every user, every device and every system must continuously prove its identity. In Mendix we achieve this in several ways: normally using SSO with an OIDC or SAML protocol for identity federation, implementing mutual TLS to validate both sides, and obviously applying role-based access control inside your app. As we all know, Mendix has a very good role-based access control. It's really important that you always define your model and apply security through all the different levels that you have available. And I want to mention that Mendix can go to an attribute level of security on your database, from the client side down to the attribute in your model. So you can use this role-based model to ensure that your app is secured and only the right people can see the data that they need to see, and not the other way around. So try to log and audit everything in your cloud for visibility, and the result is a Mendix ecosystem where trust is earned, not assumed, making it ideal for enterprise-grade
So let's see a real demo, a conceptual demo example. To make this real, let's look at a simple conceptual demo of how certificate-based authentication differs from traditional password or token login. Here on the left side you can see the classic model. A user sends a username and a password to the server. If those credentials match, the server grants access, and that's it. But the problem is passwords can be guessed, they can be reused or they can be stolen. That's the awareness that I want to bring here with this workshop regarding passwords. On the right side, with certificate-based authentication, it's completely different. The client presents a digital certificate which was issued by a trusted authority. The server checks if that certificate was signed by a CA it trusts, and if it is, okay, connection granted. No passwords, no secrets sent over the network, just cryptographic proof of the identity. And this model forms the backbone of mutual TLS and is much harder to compromise. So on one side we have just passwords being sent, and on the other side we have certificates being sent. One can be compromised easily and the other one is much more difficult, and it will encrypt and will ensure on a different
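The conceptual demo above (a CA issues the client's certificate; the server accepts only certificates that chain to a CA in its trust store) and the earlier passport analogy, carried out with the Go standard library's x509 package. This is an added example, not code from the workshop or from Mendix; the CA names, the "neighbour" CA that nobody trusts, and the client name are constructed, and the check in verifyClient is the same one a TLS server applies to a client certificate in mTLS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds the certificate fields shared by the CA and the client certificate.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // the "government": allowed to sign other certificates
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// newCA creates a self-signed certificate authority; its private key signs the "passports".
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := template(name, 1, true)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueClientCert has the CA sign a client certificate (the "passport"); only the client's
// public key is certified, its private key never leaves the client.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) (*x509.Certificate, error) {
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, template(cn, 2, false), ca, &clientKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyClient is the server's check in mTLS: the presented certificate must chain to a CA
// in the server's trust store and be valid for client authentication. No password involved.
func verifyClient(cert *x509.Certificate, trusted *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	corpCA, corpKey, _ := newCA("Corp Root CA")           // the issuer the server trusts
	neighbourCA, neighbourKey, _ := newCA("Neighbour CA") // good with Photoshop, trusted by nobody
	trusted := x509.NewCertPool()
	trusted.AddCert(corpCA)
	good, _ := issueClientCert(corpCA, corpKey, "mendix-app")
	fake, _ := issueClientCert(neighbourCA, neighbourKey, "mendix-app")
	fmt.Println("corp-issued:", verifyClient(good, trusted))      // <nil>: connection granted
	fmt.Println("neighbour-issued:", verifyClient(fake, trusted)) // certificate signed by unknown authority
}
```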
So why go through all this effort instead of sticking with passwords? The benefits of certificate-based security are, I think, really clear. First, it is much stronger. It uses cryptography to prove identity instead of shared secrets. Second, it's automation friendly, meaning systems can authenticate securely without storing or managing any passwords. Third, it helps with compliance. Many frameworks like ISO 27001 or GDPR encourage certificate-based authentication for sensitive data access. It also improves user experience: no more forgotten passwords or credential resets. And from the security standpoint, certificates are tamper-proof. They cannot be guessed or reused like a stolen password can. Finally, it's scalable and standardized. Certificates work seamlessly across clouds, devices, and APIs, which makes them perfect for enterprise environments.
Of course, strong security comes with a few challenges, and it's important to acknowledge them. Managing certificates is not something that you set today and just forget. It's not something that is done once and done forever. You will need to handle renewals, expiry and sometimes revocation, if a key is compromised as an example. Then there's integration complexity. Many legacy systems were not designed for certificate-based authentication, so it can take time to align everything. The initial setup can also require some knowledge: setting up a PKI hierarchy or defining a trusted CA store. Then there is often a knowledge gap in teams that are not familiar with certificate management, and that's why training and clear internal documentation are key. Finally, good monitoring and auditing are essential: knowing which certificates are active, when they expire, or who issued them. But with proper processes and tools, these challenges are manageable and the security benefits far outweigh
So let's wrap up with the key takeaways from today's session. First, passwords alone are no longer enough. They are easily stolen, reused or guessed. Certificates solve this by providing verified digital identity, cryptographic proof that can't be faked. The system that makes all this possible is PKI, which establishes trust between parties. Mendix supports all of these out of the box, making it easier to implement certificate-based security in enterprise-grade apps. And finally, zero trust is the model that ties everything together: continuous verification, identity-based access and encrypted communication. That's the future of secure application
Okay. So we are almost done with this. But before we close, let's look at a few sources and next steps. If you would like to dive deeper, in the Mendix documentation you have a great section on certificates, HTTPS and security best practices. I also recommend checking the OWASP guidelines. They are also an excellent source for general web security principles. And of course you can continue this discussion on the CTF Slack channel or through the event app, and I'll be answering some extra questions that you might have, and hopefully I can also answer all the questions that you might have. So I want to thank you for being part of this, and this brings us to the end of the workshop. I hope that this gives you a clear understanding of how certificates, PKI and zero trust principles come together and how you can apply them in Mendix. Now let's open the floor for any questions. Feel free to ask about anything: concepts, implementation details or even practical scenarios that you've seen on your projects. For any questions we don't have time to cover, you can post them later, I can also post them later on the Slack channel or via the event app, and I'll gladly try to answer all of them. So
Okay, no questions so far. Or was everything really clear? Give me just one second. I think we have

So the question is if there are any recommendations on managing mTLS easily. To be honest, I'm not sure if "easily" can really have a recommendation from my side, but I would say centralized PKI, maybe standardized trust stores, maybe automate some rotations. I would say something around that. Yeah, but I'm not sure if this really goes as easy as the question means, but I would say maybe centralize PKI, so use managed CAs, and automate the renewals and the issuance.
Okay. Anyway, if you need some more details, you can also reach me on Slack or on other channels, and I will gladly try to help you or support you with any question or need that you might have. Any more questions so far? No. So let's give it one more minute. We have here one more question.
So, if HTTPS already provides encryption, why do we still need PKI and certificates in Mendix? So the PKI will provide you identity and trust. Okay. The HTTPS will have the encryption, and also the PKI and the certificate will do it, but the main idea, so getting here to the question, is that more than encryption you also need to identify and also trust, and that's the
right? Does it make sense? Okay.
More questions? And I think we still have around
Okay. Please just ping me on Slack if you need any extra support or help on these security topics; please just let me know and I will gladly help you if I can. All right. So no other questions. I will say thank you to all. And let me just say that security starts with understanding. So thank you for being part of this. You also have my contacts here in case you need something. Just email me or text me or phone me, and I'm here to support you. All right. Thank you everyone and see you soon. All right.