SlideShare a Scribd company logo

[HashiConf EU] Securing Cloud Native Communication, From End User to Service

Download as PPTX, PDF
Daniel Bryant, profile picture
Daniel Bryant

The document emphasizes that security is a collective responsibility, particularly in the context of modernizing applications which often leads to diverse infrastructures and networks. It highlights the importance of defense in depth strategies, outlining methods for securing both edge and service communications while ensuring good user and developer experiences. Finally, it addresses the need for internal network isolation through segmentation and the adoption of service meshes for enhanced security and traffic management.

Technology
1 of 49
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
Copyright © 2019 HashiCorp Securing Cloud Native Communication: From End User to Service Daniel Bryant Product Architect, Datawire
“Traditional IT" network security
tl;dr ▪ Security is everyone’s responsibility ▪ Application modernisation leads to heterogeneous infra/networks ▪ Defence in depth is vital: edge/service comms security is one part of this ▪ Mind the gap(s)! ▪ All security must have good UX / DevEx
Who are we? Nic Jackson Developer Advocate, HashiCorp @sheriffjackson Daniel Bryant Product Architect, Datawire @danielbryantuk
Security is everyone’s responsibility
So, we don’t want to scare you, but... 214 Records containing personal data are exploited every second
So, we don’t want to scare you, but... $3,860,000 Is the average cost of a data breach
So, we don’t want to scare you, but... $350,00,000 Is the cost of a breach containing over 50 million records
So, we don’t want to scare you, but... 72% Increase in attacks between 2017 and 2018 Gemalto Breach Level Index: https://breachlevelindex.com/ IBM Cost of a Data Breach Study: https://www.ibm.com/security/data-breach
Application modernisation: Gift and curse
Defence in depth
Defence in depth is vital ▪ Harden and scan infrastructure ▪ Scan code, dependencies, packages ▪ Encrypt data at rest ▪ Encrypt data in transit ▪ Principle of least privilege
▪ Harden and scan infrastructure ▪ Scan code, dependencies, packages ▪ Encrypt data at rest ▪ Encrypt data in transit ▪ Principle of least privilege Defence in depth is vital
Exploring end-to-end communication
Exploring end-to-end communication
Exploring end-to-end communication
API Gateway: Edge proxy, ingress, ADC... ▪ Exposes internal services to end-users (via multiple domains) ▪ Encapsulates backends: k8s, VMs, bare metal etc ▪ TLS termination: enforcing minimum TLS version ▪ End-user authentication/authorization (add token/JWT for propagation) ▪ Rate limiting: DDoS protection, etc
Ambassador config
API Gateway: Edge proxy, ingress, ADC... ▪ Exposes internal services to end-users (via multiple domains) ▪ Encapsulates backends: k8s, VMs, bare metal etc ▪ TLS termination: enforcing minimum TLS version ▪ End-user authentication/authorization (add token/JWT for propagation) ▪ Rate limiting: DDoS protection, etc
https://docs.cert-manager.io/en/latest/ https://www.getambassador.io/user-guide/cert-manager/
Quick Aside: CDNs https://cloudpiercer.org/paper/CloudPiercer.pdf https://bit.ly/2JA0UAh
Exploring end-to-end communication
Service Mesh: Proxy mesh, Fabric model... ▪ Exposes internal services to internal consumers ▪ Encapsulates service infra: across k8s, VMs, bare metal etc ▪ mTLS: service identity and traffic encryption ▪ ACLs and intentions: infra/service identity-based access ▪ Enforce metadata (but apps need to propagate headers/tokens)
Exploring end-to-end communication
Consul config
[HashiConf EU] Securing Cloud Native Communication, From End User to Service
Exploring end-to-end communication
Identity and network segmentation
© 2019 HashiCorp 29 Bypass the perimeter by attacking services
© 2019 HashiCorp 30 We need internal network isolation
© 2019 HashiCorp 31 Network segmentation
© 2019 HashiCorp 32 Service segmentation
© 2019 HashiCorp 33 Problem: Dynamic environments...
© 2019 HashiCorp 34 Network / Service segmentation with intention-based security
Exploring end-to-end communication
Consul config
Copyright © 2019 HashiCorp Demo
[HashiConf EU] Securing Cloud Native Communication, From End User to Service
Conclusion ▪ Security is everyone’s responsibility ▪ Application modernisation leads to heterogeneous infra/networks ▪ Defence in depth is vital: edge/service comms security is one part of this ▪ Mind the gap(s)! ▪ All security must have good UX / DevEx
References ▪ Context: – https://www.infoq.com/articles/api-gateway-service-mesh-app-modernisation/ ▪ Reference: – https://www.getambassador.io/user-guide/consul-connect-ambassador/ – https://www.getambassador.io/user-guide/consul/ – https://www.consul.io/docs/platform/k8s/ambassador.html – https://www.hashicorp.com/blog/hashicorp-consul-supports-microsoft-s-new-service-mesh-framework Experiment in an Instruqt sandbox: https://instruqt.com/hashicorp/tracks/sock-shop-tutorial Code examples: https://github.com/emojify-app
Copyright © 2019 HashiCorp Questions?
Copyright © 2019 HashiCorp Thanks! @sheriffjackson | @danielbryantuk
Copyright © 2019 HashiCorp Bonus
Service Mesh: Three Pillars ▪ Observability – “Golden signals”: latency, errors, traffic, saturation (USE, RED) – Both global and service-to-service ▪ Reliability – Abstracting health checks, retries, circuit breakers etc. – Providing sane default to protect system ▪ Security – Authn/z propagation, mTLS, network segmentation
Security must have good UX
Exploring end-to-end communication
https://blog.envoyproxy.io/service-mesh-data-plane-vs-control-plane-2774e720f7fc Control planes and data planes Data plane Control plane
Control planes: Differing use cases ▪ North-south – Unknown / untrusted clients – Limited exposure of services (Mapping) – Centralised ops ingress defaults + decentralised product team cfg ▪ East-west – Dynamic service information update required (multiple sources) – Identity required for all services (mTLS + ACLs) – “Sane” internal defaults + decentralised dev cfg
Ambassador + Consul

More Related Content

PPTX
BKNIX Peering Forum 2017 : DDoS Attack Trend and Defense Strategy
Nexusguard
 
PDF
Cyber security providers adopt strategic defences
Markit
 
PPTX
Blockchain in cyber security
Prateek Panda
 
DOCX
Cloud keybank privacy and owner authorization
Pvrtechnologies Nellore
 
PDF
Cyber security privacy-and-blockchain-perspective-14 nov2018-v01-public
Secunoid Systems Inc
 
PDF
Devil's Bargain: Sacrificing Strategic Investments to Fund Today's Problems
scoopnewsgroup
 
PDF
Andrew Yeomans, Infosecurity.nl, 3 november 2010, Jaarbeurs Utrecht
Infosecurity2010
 
PDF
[4YFN]Cyber Security Innovation, an urgent call to cyber heroes SM
Carlos Valderrama
 
BKNIX Peering Forum 2017 : DDoS Attack Trend and Defense Strategy
Nexusguard
 
Cyber security providers adopt strategic defences
Markit
 
Blockchain in cyber security
Prateek Panda
 
Cloud keybank privacy and owner authorization
Pvrtechnologies Nellore
 
Cyber security privacy-and-blockchain-perspective-14 nov2018-v01-public
Secunoid Systems Inc
 
Devil's Bargain: Sacrificing Strategic Investments to Fund Today's Problems
scoopnewsgroup
 
Andrew Yeomans, Infosecurity.nl, 3 november 2010, Jaarbeurs Utrecht
Infosecurity2010
 
[4YFN]Cyber Security Innovation, an urgent call to cyber heroes SM
Carlos Valderrama
 

What's hot (20)

PPTX
Aligning Risk with Growth - Cloud Security for startups
Moshe Ferber
 
PDF
Infographic - Why DDoS Mitigation Solutions are important
Haltdos
 
PDF
Industrial Control Cybersecurity USA Cyber Senate conference
James Nesbitt
 
PDF
Conférence ARBOR ACSS 2018
African Cyber Security Summit
 
PDF
2019 cou kolokotronis_nicholas - nicholas kolokotronis
Liza Charalambous
 
PDF
DDoS Protection For Top 4 Industries | MazeBolt Technologies
MazeBolt Technologies
 
RTF
Review of internet denial of service attack and defense mechanisms
Robert Dahl, CISSP
 
PDF
Security Issues Of Virtual Private Networks: A Survey
IJCSIS Research Publications
 
PPTX
How could Smart Contracts affect the Insurance Industry?
George Theofilis
 
PPTX
David Burg, Infosecurity.nl, 3 november, Jaarbeurs Utrecht
Infosecurity2010
 
PPTX
Cloud security training, certified cloud security professional
Bryan Len
 
PDF
What to look for in a hosted supplier
Softworld
 
ODP
ChaosVPN 5mof
openfly
 
DOCX
Bound maxima as a traffic feature under d do s flood attacks.
yito24
 
PDF
Final----News-Release----LEC-and-Distrix-Partner-to-Enhance-IIoT-Security----...
Thomas Mehlhorn
 
PPTX
Cubeitz 1 Million Bit Encryption
Ian Ray
 
PPTX
Cloud computing security
gangal
 
PPTX
FOSSCOM - Synaphea presentations
George Theofilis
 
PPTX
OTTO - Internet2 TechX 2017
Mike Schwartz
 
PPTX
What is a secure enterprise architecture roadmap?
Ulf Mattsson
 
Aligning Risk with Growth - Cloud Security for startups
Moshe Ferber
 
Infographic - Why DDoS Mitigation Solutions are important
Haltdos
 
Industrial Control Cybersecurity USA Cyber Senate conference
James Nesbitt
 
Conférence ARBOR ACSS 2018
African Cyber Security Summit
 
2019 cou kolokotronis_nicholas - nicholas kolokotronis
Liza Charalambous
 
DDoS Protection For Top 4 Industries | MazeBolt Technologies
MazeBolt Technologies
 
Review of internet denial of service attack and defense mechanisms
Robert Dahl, CISSP
 
Security Issues Of Virtual Private Networks: A Survey
IJCSIS Research Publications
 
How could Smart Contracts affect the Insurance Industry?
George Theofilis
 
David Burg, Infosecurity.nl, 3 november, Jaarbeurs Utrecht
Infosecurity2010
 
Cloud security training, certified cloud security professional
Bryan Len
 
What to look for in a hosted supplier
Softworld
 
ChaosVPN 5mof
openfly
 
Bound maxima as a traffic feature under d do s flood attacks.
yito24
 
Final----News-Release----LEC-and-Distrix-Partner-to-Enhance-IIoT-Security----...
Thomas Mehlhorn
 
Cubeitz 1 Million Bit Encryption
Ian Ray
 
Cloud computing security
gangal
 
FOSSCOM - Synaphea presentations
George Theofilis
 
OTTO - Internet2 TechX 2017
Mike Schwartz
 
What is a secure enterprise architecture roadmap?
Ulf Mattsson
 
Ad

Similar to [HashiConf EU] Securing Cloud Native Communication, From End User to Service (20)

PPTX
[London HashiCorp] Securing Cloud Native Communication: From end user to serv...
Daniel Bryant
 
PPTX
[CNCF Webinar] Securing Cloud Native Communication, From End User to Service
Daniel Bryant
 
PPTX
KubeCon EU 2019 "Securing Cloud Native Communication: From End User to Service"
Daniel Bryant
 
PPTX
HashiCorp 2019: "Secure Routing and Traffic Management with Ambassador and Co...
Daniel Bryant
 
PPTX
[HashiConf 2019] "Securing Cloud Native Communication with Ambassador and Con...
Daniel Bryant
 
PDF
Communications Technologies
Sarah Jimenez
 
PDF
Atelier Technique ARBOR NETWORKS ACSS 2018
African Cyber Security Summit
 
PDF
SECURE DATA TRANSFER BASED ON CLOUD COMPUTING
IRJET Journal
 
PDF
Blockchain Defined Perimeter (BDP) - Maximum cybersecurity for critical syste...
Floyd DCosta
 
PDF
Block Armour Zero Trust Cybersecurity Mesh for Telcom
BlockArmour1
 
PDF
Secure Your Sky_ Mastering Cloud Web Security.pdf
NK Carpenter
 
PPT
ICRTITCS-2012 Conference Publication
Tejaswi Agarwal
 
PPTX
Cyber security fundamentals (Cantonese)
Cloudflare
 
PDF
Cloud technology to ensure the protection of fundamental methods and use of i...
SubmissionResearchpa
 
PDF
Introduction to cloud security
IAEME Publication
 
PDF
Introduction of Cloudflare Solution for Mobile Payment
Jean Ryu
 
PDF
MIST Effective Masquerade Attack Detection in the Cloud
Kumar Goud
 
PDF
Trust based Mechanism for Secure Cloud Computing Environment: A Survey
inventionjournals
 
PPTX
Cloud security for financial services
Moshe Ferber
 
PDF
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
IJNSA Journal
 
[London HashiCorp] Securing Cloud Native Communication: From end user to serv...
Daniel Bryant
 
[CNCF Webinar] Securing Cloud Native Communication, From End User to Service
Daniel Bryant
 
KubeCon EU 2019 "Securing Cloud Native Communication: From End User to Service"
Daniel Bryant
 
HashiCorp 2019: "Secure Routing and Traffic Management with Ambassador and Co...
Daniel Bryant
 
[HashiConf 2019] "Securing Cloud Native Communication with Ambassador and Con...
Daniel Bryant
 
Communications Technologies
Sarah Jimenez
 
Atelier Technique ARBOR NETWORKS ACSS 2018
African Cyber Security Summit
 
SECURE DATA TRANSFER BASED ON CLOUD COMPUTING
IRJET Journal
 
Blockchain Defined Perimeter (BDP) - Maximum cybersecurity for critical syste...
Floyd DCosta
 
Block Armour Zero Trust Cybersecurity Mesh for Telcom
BlockArmour1
 
Secure Your Sky_ Mastering Cloud Web Security.pdf
NK Carpenter
 
ICRTITCS-2012 Conference Publication
Tejaswi Agarwal
 
Cyber security fundamentals (Cantonese)
Cloudflare
 
Cloud technology to ensure the protection of fundamental methods and use of i...
SubmissionResearchpa
 
Introduction to cloud security
IAEME Publication
 
Introduction of Cloudflare Solution for Mobile Payment
Jean Ryu
 
MIST Effective Masquerade Attack Detection in the Cloud
Kumar Goud
 
Trust based Mechanism for Secure Cloud Computing Environment: A Survey
inventionjournals
 
Cloud security for financial services
Moshe Ferber
 
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
IJNSA Journal
 
Ad

More from Daniel Bryant (20)

PDF
ITKonekt 2023: The Busy Platform Engineers Guide to API Gateways
Daniel Bryant
 
PDF
CraftConf 2023 "Microservice Testing Techniques: Mocks vs Service Virtualizat...
Daniel Bryant
 
PDF
PlatformCon 23: "The Busy Platform Engineers Guide to API Gateways"
Daniel Bryant
 
PDF
Java Meetup 23: 'Debugging Microservices "Remocally" in Kubernetes with Telep...
Daniel Bryant
 
PPTX
DevRelCon 2022: "Is Product Led Growth (PLG) the “DevOps” of the DevRel World"
Daniel Bryant
 
PDF
Fall 22: "From Kubernetes to PaaS to... err, what's next"
Daniel Bryant
 
PDF
Building Microservice Systems Without Cooking Your Laptop: Going “Remocal” wi...
Daniel Bryant
 
PDF
KubeCrash 22: Debugging Microservices "Remocally" in Kubernetes with Telepres...
Daniel Bryant
 
PDF
JAX London 22: Debugging Microservices "Remocally" in Kubernetes with Telepre...
Daniel Bryant
 
PDF
CloudBuilders 2022: "The Past, Present, and Future of Cloud Native API Gateways"
Daniel Bryant
 
PDF
KubeCon EU 2022: From Kubernetes to PaaS to Err What's Next
Daniel Bryant
 
PDF
Devoxx UK 22: Debugging Java Microservices "Remocally" in Kubernetes with Tel...
Daniel Bryant
 
PDF
DevXDay KubeCon NA 2021: "From Kubernetes to PaaS to Developer Control Planes"
Daniel Bryant
 
PDF
JAX London 2021: Jumpstart Your Cloud Native Development: An Overview of Prac...
Daniel Bryant
 
PDF
Container Days: Easy Debugging of Microservices Running on Kubernetes with Te...
Daniel Bryant
 
PDF
Canadian CNCF: "Emissary-ingress 101: An introduction to the CNCF incubation-...
Daniel Bryant
 
PDF
MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"
Daniel Bryant
 
PDF
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
Daniel Bryant
 
PDF
GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...
Daniel Bryant
 
PPTX
HashiCorp Webinar: "Getting started with Ambassador and Consul on Kubernetes ...
Daniel Bryant
 
ITKonekt 2023: The Busy Platform Engineers Guide to API Gateways
Daniel Bryant
 
CraftConf 2023 "Microservice Testing Techniques: Mocks vs Service Virtualizat...
Daniel Bryant
 
PlatformCon 23: "The Busy Platform Engineers Guide to API Gateways"
Daniel Bryant
 
Java Meetup 23: 'Debugging Microservices "Remocally" in Kubernetes with Telep...
Daniel Bryant
 
DevRelCon 2022: "Is Product Led Growth (PLG) the “DevOps” of the DevRel World"
Daniel Bryant
 
Fall 22: "From Kubernetes to PaaS to... err, what's next"
Daniel Bryant
 
Building Microservice Systems Without Cooking Your Laptop: Going “Remocal” wi...
Daniel Bryant
 
KubeCrash 22: Debugging Microservices "Remocally" in Kubernetes with Telepres...
Daniel Bryant
 
JAX London 22: Debugging Microservices "Remocally" in Kubernetes with Telepre...
Daniel Bryant
 
CloudBuilders 2022: "The Past, Present, and Future of Cloud Native API Gateways"
Daniel Bryant
 
KubeCon EU 2022: From Kubernetes to PaaS to Err What's Next
Daniel Bryant
 
Devoxx UK 22: Debugging Java Microservices "Remocally" in Kubernetes with Tel...
Daniel Bryant
 
DevXDay KubeCon NA 2021: "From Kubernetes to PaaS to Developer Control Planes"
Daniel Bryant
 
JAX London 2021: Jumpstart Your Cloud Native Development: An Overview of Prac...
Daniel Bryant
 
Container Days: Easy Debugging of Microservices Running on Kubernetes with Te...
Daniel Bryant
 
Canadian CNCF: "Emissary-ingress 101: An introduction to the CNCF incubation-...
Daniel Bryant
 
MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"
Daniel Bryant
 
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
Daniel Bryant
 
GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...
Daniel Bryant
 
HashiCorp Webinar: "Getting started with Ambassador and Consul on Kubernetes ...
Daniel Bryant
 

Recently uploaded (20)

PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Approach and Philosophy of On baking technology
30anthuong17
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 

[HashiConf EU] Securing Cloud Native Communication, From End User to Service