Zero Trust 3:16 – How Stone Cold Used Vault and Okta to Protect the WWF Title


I remember hearing glass shattering and the thunderous, pulsating music echoing throughout the area while watching Stone Cold Steve Austin walk into the arena.
Channeling the energy of my childhood heroes from the WWF Attitude Era, I decided to build a Zero Trust lab that’s part security demo, part WrestleMania showdown.
If you don’t know what Zero Trust is, it’s not just a buzzword. It’s a security philosophy built on the brutal truth that nothing can be trusted by default: not your network, your apps, or even your users.
Zero Trust is a framework that enforces continuous verification and least privilege, and assumes breach.
Identity is the most dangerous attack surface. A hacker doesn’t need to run a dictionary attack against a password when they can simply phish a user and abuse that user’s role. Authentication and authorization are two policies that are part of the SAML framework that Zero Trust enforces. Many platforms offer solutions for authenticating and authorizing users. Two of those platforms are HashiCorp’s Vault (a secrets management tool) and Okta (an Identity Provider). In the following lab I used Vault to emphasize the importance of Zero Trust, with Okta as the identity provider, through the lens of Stone Cold Steve Austin.
It’s 1998 and Stone Cold Steve Austin is the World Wrestling Federation Champion. He is gearing up to face his rival Shawn Michaels at WrestleMania 14. However, Shawn Michaels plans to steal the WWF Championship before WrestleMania 14. Therefore, Stone Cold uses HashiCorp’s Vault to lock up the WWF World Title and uses Okta as the authentication and authorization method to unlock it. For Vault to work, a policy needs to be written, a user created, and a few other things configured.
(1) Write a policy. The policy I wrote for Stone Cold in Vault’s policy language grants read-only access to a single KV path:
stonecold-policy.hcl
path "secret/data/wwf/championship/title" {
  capabilities = ["read"]
}
Next I loaded the policy into Vault with the following command:
vault policy write stonecold-policy stonecold-policy.hcl
I then created a role within Vault for Stone Cold and, using bound_claims, ensured that only he can access the World Title:
vault write auth/oidc/role/steve-austin-role \
  bound_audiences="0oat62ls6oNDoo9bQ697" \
  allowed_redirect_uris="http://localhost:8250/oidc/callback" \
  user_claim="email" \
  bound_claims='{"email":"steve.austin@wwf.com"}' \
  policies="stonecold-policy" \
  ttl="1h"
For those of you who are confused, the bound_audiences value is my Okta Client ID. Checking the Client ID against the audience lets Vault verify that the identity tokens issued by Okta were issued for this application.
After creating the role in the Vault for Stone Cold I went over to my Okta Developer Account and
WWF Championship 98’ (Steve Austin v. Shawn Michaels)
Once this was complete, I logged in as Stone Cold Steve Austin from my Vault terminal and was redirected to the Okta app to be authenticated into Vault!
Once the IdP (Identity Provider) recognizes that it is Stone Cold Steve Austin, he can use Vault to unlock the title before he wrestles Shawn Michaels at WrestleMania and ensure it doesn’t get stolen. If Shawn Michaels happens to log in as shawn.michaels@wwf.com and attempts to unlock the Vault, he will not have access, because there is no policy that grants him access to the KV secret in Vault.
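To make the two gates in this lab concrete, here is an added example (my own simplified model, not Vault’s or Okta’s code) that replays the role and policy from above against constructed Okta ID-token claims: first the OIDC role check (bound_audiences and bound_claims), then the policy check on the KV path. Steve gets through both gates for a read, Shawn is stopped at the first, and even Steve cannot update the title because the policy only grants read.

```python
# Simplified model of the two Vault checks from the lab (added example, not
# Vault's own code): the OIDC role gate (bound_audiences / bound_claims) and
# the policy gate (path capabilities). Role and policy values are the lab's.
STEVE_AUSTIN_ROLE = {
    "bound_audiences": ["0oat62ls6oNDoo9bQ697"],  # the Okta Client ID
    "user_claim": "email",
    "bound_claims": {"email": "steve.austin@wwf.com"},
    "policies": ["stonecold-policy"],
}
# stonecold-policy.hcl: read-only on the title path, nothing else.
POLICIES = {"stonecold-policy": {"secret/data/wwf/championship/title": ["read"]}}
TITLE = "secret/data/wwf/championship/title"


def oidc_login(role, id_token_claims):
    """Gate 1: accept the Okta ID token only if its audience is this app's
    Client ID and every bound claim matches; return the token's policies."""
    aud = id_token_claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if not set(aud) & set(role["bound_audiences"]):
        raise PermissionError("aud does not match bound_audiences")
    if role["user_claim"] not in id_token_claims:
        raise PermissionError("missing user_claim %r" % role["user_claim"])
    for claim, expected in role["bound_claims"].items():
        if id_token_claims.get(claim) != expected:
            raise PermissionError("bound claim %r does not match" % claim)
    return list(role["policies"])


def is_allowed(token_policies, path, capability):
    """Gate 2: grant a capability only if an attached policy lists it for a
    path rule matching the request (Vault globs are a trailing '*' only)."""
    for name in token_policies:
        for rule_path, caps in POLICIES.get(name, {}).items():
            matched = (path.startswith(rule_path[:-1]) if rule_path.endswith("*")
                       else path == rule_path)
            if matched and capability in caps:
                return True
    return False


def can_unlock_title(id_token_claims):
    """Whole flow: Okta login through the role, then a read of the title."""
    try:
        policies = oidc_login(STEVE_AUSTIN_ROLE, id_token_claims)
    except PermissionError:
        return False
    return is_allowed(policies, TITLE, "read")


# Constructed ID-token claim sets, as Okta would issue them after login.
STEVE = {"aud": "0oat62ls6oNDoo9bQ697", "email": "steve.austin@wwf.com"}
SHAWN = {"aud": "0oat62ls6oNDoo9bQ697", "email": "shawn.michaels@wwf.com"}
```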
This lab was not easy by any means. I kept receiving different errors. For example, I made a mistake and didn’t put the correct URI in the Okta app. Whenever I tried logging in as Steve Austin through Vault, I got the following message:
400 Bad Request: The 'redirect_uri' parameter must be a Login redirect URI in the client app settings.
But after troubleshooting I was able to figure out what went wrong.
Combining Okta and HashiCorp’s Vault is vital for a Zero Trust architecture. And that’s the bottom line, because STONE COLD SAID SO.
Written by Sky Davis, Digital Forensics Student 🕵🏾💻 OSINT Analyst