Building Automated Infrastructure Policy and Trust Systems
0 likes166 views
The document discusses building automated policy and trust systems in modern datacenters while addressing security challenges. It emphasizes the importance of establishing trust in infrastructure, operating systems, and applications using protocols like SPIFFE and tools like Spire, Istio, and OPA. The focus is on creating a trusted, secure compute fabric for running applications efficiently and securely in both traditional and cloud-native environments.
![building automated policy
and trust systems:
[ vega / dvorkin ]
the secure compute fabric](https://image.slidesharecdn.com/buildingautomatedinfrastructurepolicyandtrustsystems-180420235601/85/Building-Automated-Infrastructure-Policy-and-Trust-Systems-1-320.jpg)
![[ everything is broken ]
everything just work](https://image.slidesharecdn.com/buildingautomatedinfrastructurepolicyandtrustsystems-180420235601/85/Building-Automated-Infrastructure-Policy-and-Trust-Systems-7-320.jpg)
![secure boot
[ gPXE for OS/HV/VMs. ]
….
….
compute fabric
any server
smartNIC with trust/encryption + policy offload [ optional ]
trust: fabric → hw → apps
[ SPIFFE, etc. ]
+ gPXE
trusted
with modern security features (ie: TPM)
secure boot serverOS
infrastructure SW [ K8s, Docker, … ]
application SW [ container images ]
….
trust authority (SPIRE: SPIFFE workload API)
flat L3 network
OS
app app
Images are scanned, signed and validated as part of CI/CD pipeline](https://image.slidesharecdn.com/buildingautomatedinfrastructurepolicyandtrustsystems-180420235601/85/Building-Automated-Infrastructure-Policy-and-Trust-Systems-16-320.jpg)
![secure boot server
gPXE image
→ PXE boot gPXE preboot image
→ scan, validate, update firmware [ BIOS, … ]
validatorcollector
→ collect inventory [ built-in identifiers, serials, … ]SPIRE
agent
→ assign identity
→ establish trust with the fabric
→ determine the image to boot
IMG
loader
→ download the image (via HTTPS)
→ boot the image
trust authority (SPIRE-server: SPIFFE workload API)](https://image.slidesharecdn.com/buildingautomatedinfrastructurepolicyandtrustsystems-180420235601/85/Building-Automated-Infrastructure-Policy-and-Trust-Systems-17-320.jpg)
![secure boot server
OS
validator collector
→ collect inventory [ built-in identifiers, serials, … ]SPIRE
agent
→ assign identity
→ establish trust with the fabric
→ validate inventory and OS config
app orch.
trust authority (SPIRE-server: SPIFFE workload API)
→ ready for the apps](https://image.slidesharecdn.com/buildingautomatedinfrastructurepolicyandtrustsystems-180420235601/85/Building-Automated-Infrastructure-Policy-and-Trust-Systems-18-320.jpg)
![secure boot server
OS
authz collector
→ collect properties [ labels, metadata, linux-level, … ]SPIRE
agent
→ assign identity
→ establish trust with the fabric
→ authorize the app
app orch.
trust authority (SPIRE-server: SPIFFE workload API)
app](https://image.slidesharecdn.com/buildingautomatedinfrastructurepolicyandtrustsystems-180420235601/85/Building-Automated-Infrastructure-Policy-and-Trust-Systems-19-320.jpg)
Building Automated Infrastructure Policy and Trust Systems
- 1. building automated policy and trust systems: [ vega / dvorkin ] the secure compute fabric
- 2. the modern datacenter acrobat
- 5. whether you get the picture or not, threats are always lurking around.
- 6. more data does not make you more secure
- 7. [ everything is broken ] everything just work
- 8. in the cloud, there’s no perimeter
- 10. IP address is a poor persistent identifier
- 11. the persistence of static configurations
- 12. trust solves the problem better than filtering
- 13. but how can we ever establish trust?
- 14. …. …. ... ... ... ... is infra trusted? OSis OS trusted? OS OS OS app app app app app app app appis app trusted? by other apps by the OS by the infra
- 15. SPIFFE -- identity trust protocol. ref implementation: SPIRE ISTIO -- service mesh OPA -- open policy agent. framework for authorization gPXE -- secure boot
- 16. secure boot [ gPXE for OS/HV/VMs. ] …. …. compute fabric any server smartNIC with trust/encryption + policy offload [ optional ] trust: fabric → hw → apps [ SPIFFE, etc. ] + gPXE trusted with modern security features (ie: TPM) secure boot serverOS infrastructure SW [ K8s, Docker, … ] application SW [ container images ] …. trust authority (SPIRE: SPIFFE workload API) flat L3 network OS app app Images are scanned, signed and validated as part of CI/CD pipeline
- 17. secure boot server gPXE image → PXE boot gPXE preboot image → scan, validate, update firmware [ BIOS, … ] validatorcollector → collect inventory [ built-in identifiers, serials, … ]SPIRE agent → assign identity → establish trust with the fabric → determine the image to boot IMG loader → download the image (via HTTPS) → boot the image trust authority (SPIRE-server: SPIFFE workload API)
- 18. secure boot server OS validator collector → collect inventory [ built-in identifiers, serials, … ]SPIRE agent → assign identity → establish trust with the fabric → validate inventory and OS config app orch. trust authority (SPIRE-server: SPIFFE workload API) → ready for the apps
- 19. secure boot server OS authz collector → collect properties [ labels, metadata, linux-level, … ]SPIRE agent → assign identity → establish trust with the fabric → authorize the app app orch. trust authority (SPIRE-server: SPIFFE workload API) app
- 20. …. …. ... ... ... ... OS OS OS OS service mesh: ISTIO|envoy trust framework: SPIFFE|SPIRE authorization | admission control framework: OPA app app app app app app app app app app app app inter-application dependencies are trust based and authorized
- 21. trusted automated compute fabric to run both traditional and cloud native application in across private environments. focus on secure booting and connectivity. ● Get infra bootstrapped in minutes ● Get secure apps running in seconds ● Secure end-to-end
- 22. thank you