SlideShare a Scribd company logo

KubeCon EU 2019 "Securing Cloud Native Communication: From End User to Service"

Download as PPTX, PDF
Daniel Bryant, profile picture
Daniel Bryant

The document discusses the increasing importance of securing cloud-native communications amid application modernization and hybrid platforms, emphasizing the need for decoupling apps and infrastructure securely. It highlights critical security practices such as defense in depth, network segmentation, and service mesh usage to protect data in motion. Key statistics on data breaches underline the urgency of these security measures for organizations.

Technology
Related topics:
API Gateway
1 of 38
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Copyright © 2019 HashiCorp Securing Cloud Native Communication: From End User to Service Daniel Bryant Product Architect, Datawire Nic Jackson Developer Advocate, HashiCorp
tl;dr ▪ We’re seeing an increase in application modernisation/hybrid platforms ▪ Decoupling apps and infrastructure is key: incrementally and securely ▪ All security must have good UX / DevEx ▪ Defence in depth is vital -- network / service security is one part of this ▪ Mind the gap(s)!
Who are we? Nic Jackson Developer Advocate, HashiCorp @sheriffjackson Daniel Bryant Product Architect, Datawire @danielbryantuk
So, we don’t want to scare you, but...
So, we don’t want to scare you, but... 214 Records containing personal data are exploited every second
So, we don’t want to scare you, but... 2.2% Of compromised records are protected by encryption
So, we don’t want to scare you, but... 65% Of cases are linked to identity theft
So, we don’t want to scare you, but... $3,860,000 Is the average cost of a data breach
So, we don’t want to scare you, but... $350,00,000 Is the cost of a breach containing over 50 million records
So, we don’t want to scare you, but... 72% Increase in attacks between 2017 and 2018 Gemalto Breach Level Index: https://breachlevelindex.com/ IBM Cost of a Data Breach Study: https://www.ibm.com/security/data-breach
KubeCon EU 2019 "Securing Cloud Native Communication: From End User to Service"
We’re assuming that you have secured your data at rest… ...and hardened compute
But what about data in motion? Are your comms vulnerable?
And what about during application modernisation? Network heterogeneity typically increases: - Private DC, cloud, k8s...
https://www.rgoarchitects.com/Files/fallacies.pdf
Exploring end-to-end communication
KubeCon EU 2019 "Securing Cloud Native Communication: From End User to Service"
API Gateway: Edge proxy, ingress, ADC... ▪ Exposes internal services to end-users (via multiple domains) ▪ Encapsulates backends (k8s, VMs, bare metal etc) ▪ TLS termination (enforcing minimum TLS version) ▪ End-user authentication/authorization ▪ Rate limiting (DDoS protection, etc)
KubeCon EU 2019 "Securing Cloud Native Communication: From End User to Service"
Service Mesh: Proxy mesh, Fabric model... ▪ Exposes internal services to internal consumers ▪ Encapsulates service infra (across k8s, VMs, bare metal etc) ▪ mTLS: service identity and traffic encryption ▪ ACLs and intentions: who can do what, and to whom ▪ Implements cross-functional concerns (out-of-process)
Service Mesh: Three Pillars ▪ Observability – “Golden signals”: latency, errors, traffic, saturation (USE, RED) – Both global and service-to-service ▪ Reliability – Abstracting health checks, retries, circuit breakers etc. – Providing sane default to protect system ▪ Security – Authn/z propagation, mTLS, network segmentation
Exploring end-to-end communication
KubeCon EU 2019 "Securing Cloud Native Communication: From End User to Service"
© 2019 HashiCorp 24 Bypass the perimeter by attacking services
© 2019 HashiCorp 25 We need internal network isolation
© 2019 HashiCorp 26 Network segmentation
© 2019 HashiCorp 27 Service segmentation
© 2019 HashiCorp 28 Problem: Dynamic environments...
© 2019 HashiCorp 29 Network / Service segmentation with intention-based security
Exploring end-to-end communication
https://blog.envoyproxy.io/service-mesh-data-plane-vs-control-plane-2774e720f7fc Control planes and data planes Data plane Control plane
Control planes: Differing use cases ▪ North-south – Unknown / untrusted clients – Limited exposure of services (Mapping) – Centralised ops ingress defaults + decentralised product team cfg ▪ East-west – Dynamic service information update required (multiple sources) – Identity required for all services (mTLS + ACLs) – “Sane” internal defaults + decentralised dev cfg
Ambassador + Consul
Copyright © 2019 HashiCorp Demo
Conclusion ▪ We’re seeing an increase in application modernisation/hybrid platforms ▪ Decoupling apps and infrastructure is key: incrementally and securely ▪ All security must have good UX / DevEx ▪ Defence in depth is vital -- network / service security is one part of this ▪ Mind the gap(s)!
References ▪ Context: – https://www.infoq.com/articles/api-gateway-service-mesh-app-modernisation/ ▪ Reference: – https://www.getambassador.io/user-guide/consul-connect-ambassador/ – https://www.getambassador.io/user-guide/consul/ – https://www.consul.io/docs/platform/k8s/ambassador.html Experiment in an Instruqt sandbox: https://instruqt.com/hashicorp/tracks/sock-shop-tutorial Code examples: https://github.com/emojify-app
Copyright © 2019 HashiCorp Questions?
Copyright © 2019 HashiCorp Thanks! @sheriffjackson | @danielbryantuk

More Related Content

PDF
Securing Databases with Dynamic Credentials and HashiCorp Vault
Mitchell Pronschinske
 
PDF
Post quantum cryptography in vault (hashi talks 2020)
Mitchell Pronschinske
 
PDF
Infrastructure-as-code: bridging the gap between Devs and Ops
Mykyta Protsenko
 
PPTX
How ddd, cqrs and event sourcing constitute the architecture of the future
MSDEVMTL
 
PDF
CloudFlare DDoS attacks 101: what are they and how to protect your site?
Cloudflare
 
PPTX
Meetup Microservices Commandments
Bill Zajac
 
PDF
Introduction to Virtual Kubelet
Mitchell Pronschinske
 
PPTX
DEVNET-1140 InterCloud Mapreduce and Spark Workload Migration and Sharing: Fi...
Cisco DevNet
 
Securing Databases with Dynamic Credentials and HashiCorp Vault
Mitchell Pronschinske
 
Post quantum cryptography in vault (hashi talks 2020)
Mitchell Pronschinske
 
Infrastructure-as-code: bridging the gap between Devs and Ops
Mykyta Protsenko
 
How ddd, cqrs and event sourcing constitute the architecture of the future
MSDEVMTL
 
CloudFlare DDoS attacks 101: what are they and how to protect your site?
Cloudflare
 
Meetup Microservices Commandments
Bill Zajac
 
Introduction to Virtual Kubelet
Mitchell Pronschinske
 
DEVNET-1140 InterCloud Mapreduce and Spark Workload Migration and Sharing: Fi...
Cisco DevNet
 

What's hot (20)

PDF
Cloud-native applications with Java and Kubernetes - Yehor Volkov
Kuberton
 
PDF
初探 OpenTelemetry - 蒐集遙測數據的新標準
Marcus Tung
 
PPTX
MongoDB World 2018: MongoDB for High Volume Time Series Data Streams
MongoDB
 
PDF
MongoDB World 2018: Transactions and Durability: Putting the “D” in ACID
MongoDB
 
PDF
DDS tutorial with connector
Javier Povedano
 
PDF
Cloud for Kubernetes : Session3
WhaTap Labs
 
PDF
MongoDB World 2018: Building a New Transactional Model
MongoDB
 
PPTX
Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy
Jeffrey Holden
 
PDF
Flowchain: A case study on building a Blockchain for the IoT
LinuxCon ContainerCon CloudOpen China
 
PDF
Nats meetup sf 20150826
Apcera
 
PDF
Introduction and Overview of OpenStack for IaaS
Keith Basil
 
PDF
Openstack 101
Kamesh Pemmaraju
 
PDF
Google Cloud Platform Kubernetes Workshop IYTE
Gokhan Boranalp
 
PPTX
Open stack in sina
Hui Cheng
 
PDF
IT Minds Mindblown Networking Event 2016
Kasper Nissen
 
PDF
Ci/CD - Stop wasting time, Automate your deployments
Jerry Jalava
 
PDF
Deploying .NET services with Disnix
Sander van der Burg
 
PPTX
DevOps with Kubernetes and Helm - Jenkins World Edition
Jessica Deen
 
PPTX
Orchestration & provisioning
buildacloud
 
PDF
Let's not rewrite it all
Michelle Brush
 
Cloud-native applications with Java and Kubernetes - Yehor Volkov
Kuberton
 
初探 OpenTelemetry - 蒐集遙測數據的新標準
Marcus Tung
 
MongoDB World 2018: MongoDB for High Volume Time Series Data Streams
MongoDB
 
MongoDB World 2018: Transactions and Durability: Putting the “D” in ACID
MongoDB
 
DDS tutorial with connector
Javier Povedano
 
Cloud for Kubernetes : Session3
WhaTap Labs
 
MongoDB World 2018: Building a New Transactional Model
MongoDB
 
Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy
Jeffrey Holden
 
Flowchain: A case study on building a Blockchain for the IoT
LinuxCon ContainerCon CloudOpen China
 
Nats meetup sf 20150826
Apcera
 
Introduction and Overview of OpenStack for IaaS
Keith Basil
 
Openstack 101
Kamesh Pemmaraju
 
Google Cloud Platform Kubernetes Workshop IYTE
Gokhan Boranalp
 
Open stack in sina
Hui Cheng
 
IT Minds Mindblown Networking Event 2016
Kasper Nissen
 
Ci/CD - Stop wasting time, Automate your deployments
Jerry Jalava
 
Deploying .NET services with Disnix
Sander van der Burg
 
DevOps with Kubernetes and Helm - Jenkins World Edition
Jessica Deen
 
Orchestration & provisioning
buildacloud
 
Let's not rewrite it all
Michelle Brush
 
Ad

Similar to KubeCon EU 2019 "Securing Cloud Native Communication: From End User to Service" (20)

PPTX
[CNCF Webinar] Securing Cloud Native Communication, From End User to Service
Daniel Bryant
 
PPTX
[London HashiCorp] Securing Cloud Native Communication: From end user to serv...
Daniel Bryant
 
PPTX
[HashiConf EU] Securing Cloud Native Communication, From End User to Service
Daniel Bryant
 
PPTX
HashiCorp 2019: "Secure Routing and Traffic Management with Ambassador and Co...
Daniel Bryant
 
PPTX
Security and Compliance for Enterprise Cloud Infrastructure
CloudPassage
 
PDF
Challenges In Modern Application
Rahul Kumar Gupta
 
PPTX
Emerging Trends in Cybersecurity by Amar Prusty
Cysinfo Cyber Security Community
 
PDF
Red team-view-gaps-in-the-serverless-application-attack-surface
Priyanka Aash
 
PDF
Docker microservices and the service mesh
Docker, Inc.
 
PDF
OSGi for European and Japanese smart cities - experiences and lessons learnt ...
mfrancis
 
PPTX
Role of edge gateways in relation to service mesh adoption
Christian Posta
 
PDF
Making Security Approachable for Developers and Operators
ArmonDadgar
 
PDF
Presentation of my paper in the IEEE Symposium on Computer and Communications...
Dalton Valadares
 
PPTX
Service Mesh in the Real World [Raleigh NC Meetup]
Solo.io
 
PDF
IoT Security and Privacy Considerations
Kenny Huang Ph.D.
 
PDF
Move Auth, Policy, and Resilience to the Platform
Christian Posta
 
PDF
Cybersecurity Issues in Emerging Technologies 1st Edition Leandros Maglaras (...
fisberngodoo
 
PDF
Application security as crucial to the modern distributed trust model
LINE Corporation
 
PDF
Why Endpoint Security Matters: Safeguarding Your Virtual Frontiers
Crawsec
 
PPTX
Iot(security)
Shreya Pohekar
 
[CNCF Webinar] Securing Cloud Native Communication, From End User to Service
Daniel Bryant
 
[London HashiCorp] Securing Cloud Native Communication: From end user to serv...
Daniel Bryant
 
[HashiConf EU] Securing Cloud Native Communication, From End User to Service
Daniel Bryant
 
HashiCorp 2019: "Secure Routing and Traffic Management with Ambassador and Co...
Daniel Bryant
 
Security and Compliance for Enterprise Cloud Infrastructure
CloudPassage
 
Challenges In Modern Application
Rahul Kumar Gupta
 
Emerging Trends in Cybersecurity by Amar Prusty
Cysinfo Cyber Security Community
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Priyanka Aash
 
Docker microservices and the service mesh
Docker, Inc.
 
OSGi for European and Japanese smart cities - experiences and lessons learnt ...
mfrancis
 
Role of edge gateways in relation to service mesh adoption
Christian Posta
 
Making Security Approachable for Developers and Operators
ArmonDadgar
 
Presentation of my paper in the IEEE Symposium on Computer and Communications...
Dalton Valadares
 
Service Mesh in the Real World [Raleigh NC Meetup]
Solo.io
 
IoT Security and Privacy Considerations
Kenny Huang Ph.D.
 
Move Auth, Policy, and Resilience to the Platform
Christian Posta
 
Cybersecurity Issues in Emerging Technologies 1st Edition Leandros Maglaras (...
fisberngodoo
 
Application security as crucial to the modern distributed trust model
LINE Corporation
 
Why Endpoint Security Matters: Safeguarding Your Virtual Frontiers
Crawsec
 
Iot(security)
Shreya Pohekar
 
Ad

More from Daniel Bryant (20)

PDF
ITKonekt 2023: The Busy Platform Engineers Guide to API Gateways
Daniel Bryant
 
PDF
CraftConf 2023 "Microservice Testing Techniques: Mocks vs Service Virtualizat...
Daniel Bryant
 
PDF
PlatformCon 23: "The Busy Platform Engineers Guide to API Gateways"
Daniel Bryant
 
PDF
Java Meetup 23: 'Debugging Microservices "Remocally" in Kubernetes with Telep...
Daniel Bryant
 
PPTX
DevRelCon 2022: "Is Product Led Growth (PLG) the “DevOps” of the DevRel World"
Daniel Bryant
 
PDF
Fall 22: "From Kubernetes to PaaS to... err, what's next"
Daniel Bryant
 
PDF
Building Microservice Systems Without Cooking Your Laptop: Going “Remocal” wi...
Daniel Bryant
 
PDF
KubeCrash 22: Debugging Microservices "Remocally" in Kubernetes with Telepres...
Daniel Bryant
 
PDF
JAX London 22: Debugging Microservices "Remocally" in Kubernetes with Telepre...
Daniel Bryant
 
PDF
CloudBuilders 2022: "The Past, Present, and Future of Cloud Native API Gateways"
Daniel Bryant
 
PDF
KubeCon EU 2022: From Kubernetes to PaaS to Err What's Next
Daniel Bryant
 
PDF
Devoxx UK 22: Debugging Java Microservices "Remocally" in Kubernetes with Tel...
Daniel Bryant
 
PDF
DevXDay KubeCon NA 2021: "From Kubernetes to PaaS to Developer Control Planes"
Daniel Bryant
 
PDF
JAX London 2021: Jumpstart Your Cloud Native Development: An Overview of Prac...
Daniel Bryant
 
PDF
Container Days: Easy Debugging of Microservices Running on Kubernetes with Te...
Daniel Bryant
 
PDF
Canadian CNCF: "Emissary-ingress 101: An introduction to the CNCF incubation-...
Daniel Bryant
 
PDF
MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"
Daniel Bryant
 
PDF
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
Daniel Bryant
 
PDF
GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...
Daniel Bryant
 
PPTX
HashiCorp Webinar: "Getting started with Ambassador and Consul on Kubernetes ...
Daniel Bryant
 
ITKonekt 2023: The Busy Platform Engineers Guide to API Gateways
Daniel Bryant
 
CraftConf 2023 "Microservice Testing Techniques: Mocks vs Service Virtualizat...
Daniel Bryant
 
PlatformCon 23: "The Busy Platform Engineers Guide to API Gateways"
Daniel Bryant
 
Java Meetup 23: 'Debugging Microservices "Remocally" in Kubernetes with Telep...
Daniel Bryant
 
DevRelCon 2022: "Is Product Led Growth (PLG) the “DevOps” of the DevRel World"
Daniel Bryant
 
Fall 22: "From Kubernetes to PaaS to... err, what's next"
Daniel Bryant
 
Building Microservice Systems Without Cooking Your Laptop: Going “Remocal” wi...
Daniel Bryant
 
KubeCrash 22: Debugging Microservices "Remocally" in Kubernetes with Telepres...
Daniel Bryant
 
JAX London 22: Debugging Microservices "Remocally" in Kubernetes with Telepre...
Daniel Bryant
 
CloudBuilders 2022: "The Past, Present, and Future of Cloud Native API Gateways"
Daniel Bryant
 
KubeCon EU 2022: From Kubernetes to PaaS to Err What's Next
Daniel Bryant
 
Devoxx UK 22: Debugging Java Microservices "Remocally" in Kubernetes with Tel...
Daniel Bryant
 
DevXDay KubeCon NA 2021: "From Kubernetes to PaaS to Developer Control Planes"
Daniel Bryant
 
JAX London 2021: Jumpstart Your Cloud Native Development: An Overview of Prac...
Daniel Bryant
 
Container Days: Easy Debugging of Microservices Running on Kubernetes with Te...
Daniel Bryant
 
Canadian CNCF: "Emissary-ingress 101: An introduction to the CNCF incubation-...
Daniel Bryant
 
MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"
Daniel Bryant
 
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
Daniel Bryant
 
GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...
Daniel Bryant
 
HashiCorp Webinar: "Getting started with Ambassador and Consul on Kubernetes ...
Daniel Bryant
 

Recently uploaded (20)

PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Teaching material agriculture food technology
LiaRayya
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Cloud computing and distributed systems.
kkkkkhan
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Approach and Philosophy of On baking technology
30anthuong17
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
MYSQL Presentation for SQL database connectivity
Swati270511
 

KubeCon EU 2019 "Securing Cloud Native Communication: From End User to Service"

  • 1. Copyright © 2019 HashiCorp Securing Cloud Native Communication: From End User to Service Daniel Bryant Product Architect, Datawire Nic Jackson Developer Advocate, HashiCorp
  • 2. tl;dr ▪ We’re seeing an increase in application modernisation/hybrid platforms ▪ Decoupling apps and infrastructure is key: incrementally and securely ▪ All security must have good UX / DevEx ▪ Defence in depth is vital -- network / service security is one part of this ▪ Mind the gap(s)!
  • 3. Who are we? Nic Jackson Developer Advocate, HashiCorp @sheriffjackson Daniel Bryant Product Architect, Datawire @danielbryantuk
  • 4. So, we don’t want to scare you, but...
  • 5. So, we don’t want to scare you, but... 214 Records containing personal data are exploited every second
  • 6. So, we don’t want to scare you, but... 2.2% Of compromised records are protected by encryption
  • 7. So, we don’t want to scare you, but... 65% Of cases are linked to identity theft
  • 8. So, we don’t want to scare you, but... $3,860,000 Is the average cost of a data breach
  • 9. So, we don’t want to scare you, but... $350,00,000 Is the cost of a breach containing over 50 million records
  • 10. So, we don’t want to scare you, but... 72% Increase in attacks between 2017 and 2018 Gemalto Breach Level Index: https://breachlevelindex.com/ IBM Cost of a Data Breach Study: https://www.ibm.com/security/data-breach
  • 12. We’re assuming that you have secured your data at rest… ...and hardened compute
  • 13. But what about data in motion? Are your comms vulnerable?
  • 14. And what about during application modernisation? Network heterogeneity typically increases: - Private DC, cloud, k8s...
  • 18. API Gateway: Edge proxy, ingress, ADC... ▪ Exposes internal services to end-users (via multiple domains) ▪ Encapsulates backends (k8s, VMs, bare metal etc) ▪ TLS termination (enforcing minimum TLS version) ▪ End-user authentication/authorization ▪ Rate limiting (DDoS protection, etc)
  • 20. Service Mesh: Proxy mesh, Fabric model... ▪ Exposes internal services to internal consumers ▪ Encapsulates service infra (across k8s, VMs, bare metal etc) ▪ mTLS: service identity and traffic encryption ▪ ACLs and intentions: who can do what, and to whom ▪ Implements cross-functional concerns (out-of-process)
  • 21. Service Mesh: Three Pillars ▪ Observability – “Golden signals”: latency, errors, traffic, saturation (USE, RED) – Both global and service-to-service ▪ Reliability – Abstracting health checks, retries, circuit breakers etc. – Providing sane default to protect system ▪ Security – Authn/z propagation, mTLS, network segmentation
  • 24. © 2019 HashiCorp 24 Bypass the perimeter by attacking services
  • 25. © 2019 HashiCorp 25 We need internal network isolation
  • 26. © 2019 HashiCorp 26 Network segmentation
  • 27. © 2019 HashiCorp 27 Service segmentation
  • 28. © 2019 HashiCorp 28 Problem: Dynamic environments...
  • 29. © 2019 HashiCorp 29 Network / Service segmentation with intention-based security
  • 32. Control planes: Differing use cases ▪ North-south – Unknown / untrusted clients – Limited exposure of services (Mapping) – Centralised ops ingress defaults + decentralised product team cfg ▪ East-west – Dynamic service information update required (multiple sources) – Identity required for all services (mTLS + ACLs) – “Sane” internal defaults + decentralised dev cfg
  • 34. Copyright © 2019 HashiCorp Demo
  • 35. Conclusion ▪ We’re seeing an increase in application modernisation/hybrid platforms ▪ Decoupling apps and infrastructure is key: incrementally and securely ▪ All security must have good UX / DevEx ▪ Defence in depth is vital -- network / service security is one part of this ▪ Mind the gap(s)!
  • 36. References ▪ Context: – https://www.infoq.com/articles/api-gateway-service-mesh-app-modernisation/ ▪ Reference: – https://www.getambassador.io/user-guide/consul-connect-ambassador/ – https://www.getambassador.io/user-guide/consul/ – https://www.consul.io/docs/platform/k8s/ambassador.html Experiment in an Instruqt sandbox: https://instruqt.com/hashicorp/tracks/sock-shop-tutorial Code examples: https://github.com/emojify-app
  • 37. Copyright © 2019 HashiCorp Questions?
  • 38. Copyright © 2019 HashiCorp Thanks! @sheriffjackson | @danielbryantuk