This content explains the shift from traditional password-based security to more robust certificate-based authentication and the Zero Trust model, emphasizing the importance of continuous verification and digital trust for modern applications.
Hello. Hello everyone. I think we have around 20 people already. Let's just give it some more seconds to start. I hope that everyone can hear me quite well. So we will talk about Beyond Passwords today: certificate-based security.
>> All right. So let's start. So, Beyond Passwords, and let's start here. Today we will talk a little bit about some concepts, some security foundations. We will talk a little bit about general passwords and why they are failing, understanding digital trust, also some certificates in action, zero trust in practice, benefits and challenges, and also some takeaways and resource notes that I think might be quite useful for everyone who is interested in security things.
So my name is Nuno Costa. Some of you already know me. I'm a solution architect and also a security expert here in Lisbon at Boom. We are here today live streaming the event for everyone. We are here in Lisbon at the office, and hopefully you can also enjoy this workshop. Quick, really quick about Boom. So we are a team of around 30 people. We already have four expert certified, two MVPs and more than 20 advanced developers. And I also talk a little bit about the importance of training on some of the topics, including the one that we are going to talk about today, so security. But besides that, as an official Mendix trainer we are also providing some specializations like UX/UI, integrations, converting OutSystems developers, cyber security and obviously the normal boot camps, from intermediate or advanced.

So now let's start here about security and what exactly security is. Probably most of you know that it is not just about keeping people out; it is really about protecting what really matters, and this is something that I will try to give you as a base for this workshop. Bruce Schneier is one of the most respected cryptographers and security thinkers in the world, and what he means here is that security isn't just a checkbox that you can tick; it is more than that, an ongoing process. You can buy antivirus software. You can also deploy firewalls. You can use certificates. But if you don't maintain them, update them and adapt them as the threats evolve, your system becomes vulnerable again and again. And security is a process that always needs to take next steps and movements to always keep it safe. In Mendix or any platform, the goal is not just to say "yes, I have security"; it is more to keep security alive throughout the application life cycle.
So I want to talk here a little bit about this triangle. In IT, information technology, security means protecting three fundamental things: confidentiality, integrity and availability, as we can see on the CIA triad. Confidentiality means only the right people see the right data. Think of a Mendix app with customer records: no user should access someone else's details. And this is really, really important. Then obviously integrity means that information stays correct from creation, and no one should be able to modify it in a transaction, in transit. And availability ensures that even when attacks or failures happen, legitimate users can still reach your system. And these three pillars are a complete life cycle. For example, adding extra checks may reduce your availability. So true security is about a balance between all these three pillars.
Now let's take a look at traditional versus zero trust methods. So traditional IT works like a medieval castle, where you build up strong walls, firewalls, around your network and assume that everything inside is safe once you logged in with a password or connected via your VPN. You were trusted automatically. But that approach doesn't work anymore on some security systems: not in cloud, not for mobile users, and not even against modern cyber attacks. So zero trust is just a game changer. It means never trust and always verify. Every device, every user, every action must be verified, whether it's internal or external. Certificates here play a big part, and it is how we will prove our identity without relying on fragile or even strong passwords. Instead of securing just walls, zero trust secures everything. All right.
So why are we talking about going beyond passwords today? Because nowadays passwords are the weakest link. According to the Verizon data breach reports, about 80% of breaches still come from stolen or weak passwords. People reuse credentials, attackers are using phishing methods and also credential stuffing, and even strong passwords can be compromised through social engineering. So the real problem is that passwords prove what you know, but not who you are. That's why we need strong identification methods: certificates, cryptography and the zero trust model.
So now, talking about HTTPS. I know there were already some talks today about this, but let's just go a little bit deeper and let's talk about HTTPS. You see HTTPS every day; it is just that little lock that you have on your browser, on your address bar. But what does it actually mean to have this lock, and what does HTTPS really mean? It stands for Hypertext Transfer Protocol Secure. That's the S, and it means that all the data sent between your browser and the web server is encrypted, so that even if someone intercepts the traffic, they cannot read it. So it means that when we have something sent from the browser to the server, it will be sent in an encrypted way, and if someone catches it they will not be able to read it. And that's the reason for this certificate, but that's something that we will also touch on in a slide later. This encryption happens through a process called TLS, Transport Layer Security. HTTPS not only keeps the data safe, it also ensures that you're talking to the right website, and that's where certificates come in. They prove that the site you're visiting really is who it claims to be. In the next part, we will look at how those certificates work behind the scenes through something called the
And before we talk about certificates, let's think of a real-world example. When you go to an airport, you can just say who you are, but besides you saying your name and whatever, you will need to prove it. And how do we do that? We need to show the passport or our ID card, which was issued by a trusted authority, in our case, when travelling, our government. So the officer checks the validity and the authenticity before letting you go and travel on your plane. The main point is that you need a trusted and secure way to show that you are really you, and if you give the officer a fake ID, you probably will not pass. So the same principle applies here online. Websites and users must prove who they are before they can travel, or before they can access whatever they need or exchange data securely. So the main idea here that I want to give you as an analogy is exactly your passport: your passport will act a little bit as a certificate, but this passport needs to be issued by this trusted entity, in our case the government. If for any reason I ask my neighbour, who is really good with Photoshop and working with computers, to give me a passport, okay, I might take the risk, I can go to the airport, but probably they will see that it is fake and I will not be able to travel. So the same analogy we want to bring here for the certificates: it always needs to be issued by a trusted entity, and this trusted entity also needs to be trusted by the ones that are going to consume it or allow you in. So always remember this passport as an analogy to compare with certificates when you want to use them.

So now let's extend the analogy: who gives you your passport? Yes, the government of each country. So it depends on your country, and country by country they are trusted. The Portuguese government is trusted by other governments, and that's where we have some trusted issuers for our passports. Online it is exactly the same, and it happens with the certificate authorities, or the CAs. They are trusted organizations that verify identities and issue those certificates. Just like at an airport with a trusted passport from an official government, browsers trust certificates from official CAs like Let's Encrypt or GlobalSign, and this is the fundamental of the chain of trust.
So now that we know a little bit about HTTPS and how it encrypts the connection, the next question is: how does your browser know it's talking to the right server? Yes, that's where PKI comes in. The public key infrastructure, PKI, is the system that allows us to use digital certificates to prove identity online. It builds on asymmetric cryptography. That means that each entity has two keys: a public key, which anyone can see, and a private key, which must be kept secret. And certificates are like digital passports that connect these keys to an organization's verified identity. But who gives these passports? That's the role of the certificate authority. The CA is a trusted entity that issues and signs certificates. As an example, your browser or your operating system comes with a list of CAs that they already trust. If a site presents a certificate signed by one of those authorities, it's considered authentic, and this creates what we call the chain of trust, from the CA to the website to your browser. In short,
So now let's look at the difference between symmetric and asymmetric cryptography, because both are used in HTTPS and certificate-based security. Symmetric cryptography is the simpler one. You use the same key to lock and to unlock the messages. It's very fast, great for encrypting lots of data, but it has a big problem: how do you share the key securely with someone else without exposing it? That's where asymmetric cryptography comes in. Here we use two keys, one public and one private. What you encrypt with one can only be decrypted by the other. This means you can share your public key freely and anyone can send you encrypted data, but only you, with your private key, can decrypt it. And this means that you can have some data being exchanged and you will securely make sure that only you with your private key can decrypt it. This is the basis for how HTTPS starts a secure session. The asymmetric keys are used first to exchange a shared secret, and then the symmetric key takes over and keeps everything fast. In other words, asymmetric cryptography builds the trust and symmetric cryptography keeps the speed. And here we also have some examples of some encryption protocols, but the main idea is exactly to use the symmetric and asymmetric keys.
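The hybrid scheme just described, as an added example (not part of the talk) using Go's standard library: an X25519 key agreement is the asymmetric step that gives both ends the same secret, and AES-GCM is the symmetric step that then carries the data. The party names and the sample request are constructed, and a plain SHA-256 hash stands in for the HKDF that TLS actually uses to derive session keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// party is one end of the connection (browser or server) and holds an asymmetric key pair.
type party struct{ priv *ecdh.PrivateKey }
func newParty() party {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return party{k}
}

// sharedKey is the asymmetric step: own private key + peer public key give both sides the same secret, hashed into a 256-bit AES key (stand-in for TLS HKDF).
func (p party) sharedKey(peer *ecdh.PublicKey) []byte {
	secret, err := p.priv.ECDH(peer)
	if err != nil { panic(err) }
	k := sha256.Sum256(secret)
	return k[:]
}

// sealMessage is the symmetric step: AES-GCM encrypts and authenticates the message under the shared key; a fresh random nonce is prepended.
func sealMessage(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// openMessage reverses sealMessage; it fails if the key is wrong or the data was altered in transit.
func openMessage(key, box []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(box) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, box[:gcm.NonceSize()], box[gcm.NonceSize():], nil)
}

func main() {
	browser, server := newParty(), newParty() // the two ends of the HTTPS session
	box := sealMessage(browser.sharedKey(server.priv.PublicKey()), []byte("GET /customers/42"))
	msg, err := openMessage(server.sharedKey(browser.priv.PublicKey()), box)
	println(string(msg), err == nil)
}
```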
Okay, moving a little bit further, and I hope that I'm not being too fast, but hopefully you are following. In the end, we will also have a Q&A session and you can also post some questions if you have any.
So now that we understand a little bit about PKI and encryption, let's see how certificates actually work in real life. Certificates are the digital passports on the internet. Server certificates are used by websites or applications, and they prove to your browser that you are really connecting to the correct server; that is what gives you the HTTPS padlock that you see on your address bar. Then we have client certificates. They work the other way around: instead of the website proving its identity, it is the user or the device that does that. Okay, so these are often used in secure corporate environments where password-based authentication isn't enough. Finally, authority certificates from trusted certificate authorities complete this chain of trust. So together they guarantee three things. First, encryption, so no one can read your data. Second, authentication, so you know who you are talking to. And third, integrity, so the message cannot be changed on the way. And this is how HTTPS and modern security protocols
Let's bring this back to Mendix. Mendix supports certificate-based security out of the box, and you can manage your certificates directly inside the application, on your app settings or on your cloud settings. So you can also see it here. Not sure if you can see my mouse, but I think so, hopefully at least. And yeah, you can use them locally, on your local environment, or also on your cloud. These certificates are primarily used when you want to consume a REST or an OData service, or even from other systems, or eventually if you want to expose your own API for external clients to use. Normally HTTPS ensures that the server is trusted, but sometimes you also need to verify who your client is. So in case you have to connect two different systems, your app to a different system, it can also be a service. That's where you should bring certificates in, in order to authenticate and also to encrypt your data and securely send it from one point to the other point. So encryption and authentication