O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

KubeCon EU 2019 "Securing Cloud Native Communication: From End User to Service"

295 visualizações

Publicada em

Everyone building or operating cloud native applications must understand the fundamentals of security issues and modern threat models. Although this topic is vast, in this talk Nic and Daniel will focus on the end-to-end communication and higher-level networking threats, and explore how the combination of an edge proxy and service mesh using TLS and mTLS can be used to mitigate many man-in-the-middle attacks.

Key takeaways include:

- An understanding of the "three pillars" of service mesh functionality: observability, reliability, and security. A service mesh is in a unique place to enforce security features like mTLS
- Learn how to ensure that there are no exploitable "gaps" within the end-to-end/user-to-service communication path.
- Explore the differences in ingress/mesh control planes, with brief demonstrations using Ambassador and Consul Connect

Publicada em: Tecnologia
  • Seja o primeiro a comentar

KubeCon EU 2019 "Securing Cloud Native Communication: From End User to Service"

  1. 1. Copyright © 2019 HashiCorp Securing Cloud Native Communication: From End User to Service Daniel Bryant Product Architect, Datawire Nic Jackson Developer Advocate, HashiCorp
  2. 2. tl;dr ▪ We’re seeing an increase in application modernisation/hybrid platforms ▪ Decoupling apps and infrastructure is key: incrementally and securely ▪ All security must have good UX / DevEx ▪ Defence in depth is vital -- network / service security is one part of this ▪ Mind the gap(s)!
  3. 3. Who are we? Nic Jackson Developer Advocate, HashiCorp @sheriffjackson Daniel Bryant Product Architect, Datawire @danielbryantuk
  4. 4. So, we don’t want to scare you, but...
  5. 5. So, we don’t want to scare you, but... 214 Records containing personal data are exploited every second
  6. 6. So, we don’t want to scare you, but... 2.2% Of compromised records are protected by encryption
  7. 7. So, we don’t want to scare you, but... 65% Of cases are linked to identity theft
  8. 8. So, we don’t want to scare you, but... $3,860,000 Is the average cost of a data breach
  9. 9. So, we don’t want to scare you, but... $350,00,000 Is the cost of a breach containing over 50 million records
  10. 10. So, we don’t want to scare you, but... 72% Increase in attacks between 2017 and 2018 Gemalto Breach Level Index: https://breachlevelindex.com/ IBM Cost of a Data Breach Study: https://www.ibm.com/security/data-breach
  11. 11. We’re assuming that you have secured your data at rest… ...and hardened compute
  12. 12. But what about data in motion? Are your comms vulnerable?
  13. 13. And what about during application modernisation? Network heterogeneity typically increases: - Private DC, cloud, k8s...
  14. 14. https://www.rgoarchitects.com/Files/fallacies.pdf
  15. 15. Exploring end-to-end communication
  16. 16. API Gateway: Edge proxy, ingress, ADC... ▪ Exposes internal services to end-users (via multiple domains) ▪ Encapsulates backends (k8s, VMs, bare metal etc) ▪ TLS termination (enforcing minimum TLS version) ▪ End-user authentication/authorization ▪ Rate limiting (DDoS protection, etc)
  17. 17. Service Mesh: Proxy mesh, Fabric model... ▪ Exposes internal services to internal consumers ▪ Encapsulates service infra (across k8s, VMs, bare metal etc) ▪ mTLS: service identity and traffic encryption ▪ ACLs and intentions: who can do what, and to whom ▪ Implements cross-functional concerns (out-of-process)
  18. 18. Service Mesh: Three Pillars ▪ Observability – “Golden signals”: latency, errors, traffic, saturation (USE, RED) – Both global and service-to-service ▪ Reliability – Abstracting health checks, retries, circuit breakers etc. – Providing sane default to protect system ▪ Security – Authn/z propagation, mTLS, network segmentation
  19. 19. Exploring end-to-end communication
  20. 20. © 2019 HashiCorp 24 Bypass the perimeter by attacking services
  21. 21. © 2019 HashiCorp 25 We need internal network isolation
  22. 22. © 2019 HashiCorp 26 Network segmentation
  23. 23. © 2019 HashiCorp 27 Service segmentation
  24. 24. © 2019 HashiCorp 28 Problem: Dynamic environments...
  25. 25. © 2019 HashiCorp 29 Network / Service segmentation with intention-based security
  26. 26. Exploring end-to-end communication
  27. 27. https://blog.envoyproxy.io/service-mesh-data-plane-vs-control-plane-2774e720f7fc Control planes and data planes Data plane Control plane
  28. 28. Control planes: Differing use cases ▪ North-south – Unknown / untrusted clients – Limited exposure of services (Mapping) – Centralised ops ingress defaults + decentralised product team cfg ▪ East-west – Dynamic service information update required (multiple sources) – Identity required for all services (mTLS + ACLs) – “Sane” internal defaults + decentralised dev cfg
  29. 29. Ambassador + Consul
  30. 30. Copyright © 2019 HashiCorp Demo
  31. 31. Conclusion ▪ We’re seeing an increase in application modernisation/hybrid platforms ▪ Decoupling apps and infrastructure is key: incrementally and securely ▪ All security must have good UX / DevEx ▪ Defence in depth is vital -- network / service security is one part of this ▪ Mind the gap(s)!
  32. 32. References ▪ Context: – https://www.infoq.com/articles/api-gateway-service-mesh-app-modernisation/ ▪ Reference: – https://www.getambassador.io/user-guide/consul-connect-ambassador/ – https://www.getambassador.io/user-guide/consul/ – https://www.consul.io/docs/platform/k8s/ambassador.html Experiment in an Instruqt sandbox: https://instruqt.com/hashicorp/tracks/sock-shop-tutorial Code examples: https://github.com/emojify-app
  33. 33. Copyright © 2019 HashiCorp Questions?
  34. 34. Copyright © 2019 HashiCorp Thanks! @sheriffjackson | @danielbryantuk

×