No matter whether you are migrating your Kafka cluster to Confluent Cloud, running a cloud-hybrid environment or are in a different situation where data protection and encryption of sensitive information is required, Confluent Service Mesh allows you to transparently encrypt your data without the need to make code changes to your existing applications.
Our Partner Technical Enablement offering
Scheduled sessions: Join us for these live sessions where our experts will guide you through sessions of different levels and will be available to answer your questions. Some examples of sessions are below:
• Confluent 101: for new starters
• Hybrid Cloud Workshop: learn by doing
• Path to Production series, Confluent Cloud workshops series
• Product Updates
On-demand: Learn the basics with a guided experience, at your own pace, with our learning paths on-demand. You will also find an always growing repository of more advanced presentations to dig deeper. Some examples are below:
• Aware/Novice/Competent learning paths
• Confluent Use Cases
• Positioning Confluent Value
• Confluent Cloud Networking
• … and many more
AskTheExpert: We’ll offer a channel dedicated to streaming questions
• Build CoE inside partners by getting people with similar interests together
• Connect with opportunities and discover trends at focus partners
• Build a Technical Community
• Q&A
• Tech Talk
10. The Confluent Q3 ‘23 Launch
Deliver Intelligent, Secure, and Cost-effective Data Pipelines
Cloud-Native | Complete | Everywhere
• Storage Price Reduction: Cost-effectively store data at any scale without growing compute at 20% lower prices
• CC for Apache Flink® (Open Preview): Easily build high-quality, reusable data streams with the industry’s only cloud-native, serverless Flink service
• Enterprise Clusters: Secure, cost-effective, and serverless Kafka powered by the Kora Engine
• Confluent Terraform Provider updates: Enhance security and compliance while continuing to reduce operational burden through automated infrastructure management (HashiCorp Sentinel Integration, Resource Importer, Data Catalog Support)
• Cloud Audit Logs for Kafka Produce & Consume: Experience full visibility and control of sensitive data access in Confluent Cloud with detailed audit events enabling swift response to unauthorized access.
• Cluster Linking updates: Cluster Linking with AWS Private Link: Easily stream data between regions, teams or environments within AWS private networks. Bi-directional Cluster Linking: Optimize disaster recovery and increase reliability with bi-directional cluster linking
• Data Portal in Stream Governance (coming soon): Safely unlock data and increase developer productivity with a self-service, data-centric portal for discovering, accessing, and enriching real-time data streams flowing across your organization
11. Data Portal in Stream Governance (Complete; Coming Soon)
Safely unlock data and increase developer productivity with a self-service, data-centric portal for discovering, accessing, and enriching real-time data streams flowing across your organization
• Search, discover, and explore existing topics, tags, and metadata across the organization with end-to-end visibility to choose the data most relevant for your projects
• Seamlessly and securely request access to data streams and trigger an approval workflow that connects the user with the data owner, all within the Confluent Cloud UI
• Easily build and manage data products to power streaming pipelines and applications by understanding, accessing, and enriching existing data streams
12. Introducing Data Portal in Stream Governance
Access your data streams through a developer-friendly, self-service UI
• Search, discover, and explore existing topics, tags, and metadata across the organization
• Seamlessly request access to data streams and trigger an approval workflow
• Understand, access, & enrich data streams to power real-time data streaming pipelines and applications
13. Bidirectional Cluster Linking (Everywhere)
Optimize disaster recovery and increase reliability with bi-directional cluster linking
• Facilitate seamless consumer migration with retained offsets for consistent data processing with bi-directional cluster links
• Increase efficiency and reduce data recovery time by eliminating the need for custom code
• Streamline security configuration with support for DR and active/active architecture with bi-directional links that provide outbound and inbound connections
**Note - bi-directional cluster linking is available for new cluster links only; existing cluster links need to be deleted and re-activated to obtain this functionality.
14. Enhanced Disaster Recovery Capabilities with Bidirectional Cluster Linking
Diagram: Cluster A (applications in region A) and Cluster B (applications in region B) joined by a bidirectional cluster link. Topics on Cluster A are mirrored as Mirror Topics on Cluster B, and Topics on Cluster B are mirrored as Mirror Topics on Cluster A; data & metadata flow in both directions. Connection and authentication per direction: an API key or OAuth for Cluster A, authorized by ACLs / RBAC for Cluster A, and an API key or OAuth for Cluster B, authorized by ACLs / RBAC for Cluster B.
15. Cluster Linking with AWS Private Link (Everywhere)
Easily stream data between regions, teams or environments within AWS private networks
• Simplified setup: Utilize Network Link Service and Endpoint for a reliable connection between clusters
• Enhanced network-level security: AWS PrivateLink isolates Confluent Cloud clusters, preventing external resources and Cluster Linking access
• Seamless cluster linking: Establish a secure networking path between separate Confluent Cloud networks for efficient data exchange
20. “A service mesh is a tool for adding observability, security, and reliability features to “cloud native” applications by transparently inserting this functionality at the platform layer rather than the application layer. The service mesh is rapidly becoming a standard part of the cloud native stack, especially for Kubernetes adopters.”
-linkerd.io
31. End-to-end Encryption Features
• Local key management and JKS support
• Gemalto, Hashicorp, many security appliances
• Cloud provider key management service support
• AES, RSA encryption, SHA256 hashing
• AVRO, JSON, Protobuf, XML, String, Byte arrays, Byte buffer level encryption and tokenization
• Field access control
• Format preserving encryption (NIST SP 800-38G)
• Support for metadata and data classification
• Support for master keys (encryption of a data key with a wrapping key)
• Support for key rotation
• Support for event digital signatures to validate producers
Diagram: Producer → Protected (message) → Consumer, with a KMS/Tokenizer and Schema Registry alongside.
35. Key Exchange Process
Producer side (Secured Serializer, Encryption):
1. Get Master Key from the Key Store/KMS (use master key for encryption)
2. Get Data Key (use data key for encryption)
3. Encrypt Event with the data key
4. Encrypt Data Key with the master key
5. Send encrypted event and encrypted data key to the Kafka Broker
Consumer side (Secured Deserializer, Decryption):
6. Fetch Events from the Kafka Broker
7. Get Master Key from the Key Store/KMS (use master key for decryption)
8. Decrypt Data Key with the master key
9. Decrypt Event (use decrypted data key for decryption)
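The envelope scheme on this slide, as an added Go example (not CSM's own code): the event is encrypted under a fresh data key, and the data key is encrypted under a master key that the serializer fetches from the key store. The KMS here is a constructed in-memory map, both layers use AES-256-GCM (the page names AES and RSA but does not specify the mode, so AES-GCM is an assumption), and the master key id is bound into both ciphertexts as associated data. Names such as `EncryptEvent`, `DecryptEvent` and `mk-1` are this example's, not CSM's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Envelope is what reaches the broker: the encrypted event plus the wrapped data key.
type Envelope struct {
	MasterKeyID string
	WrappedKey  []byte // data key encrypted with the master key
	Ciphertext  []byte // event encrypted with the data key
}

// masterKeys stands in for the Key Store/KMS (constructed, in-memory; a real KMS wraps inside its boundary).
var masterKeys = map[string][]byte{"mk-1": randomBytes(32)}

func getMasterKey(id string) ([]byte, error) {
	if mk, ok := masterKeys[id]; ok {
		return mk, nil
	}
	return nil, fmt.Errorf("unknown master key %q", id)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-256-GCM with a fresh nonce prefixed; aad binds the output to the master key id.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad) // tag check rejects any modified byte
}

// EncryptEvent is the secured serializer of the flow: get master key, get a
// data key, encrypt the event with it, encrypt the data key with the master key.
func EncryptEvent(masterKeyID string, event []byte) (*Envelope, error) {
	mk, err := getMasterKey(masterKeyID)
	if err != nil {
		return nil, err
	}
	dataKey := randomBytes(32)
	ct, err := seal(dataKey, event, []byte(masterKeyID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(mk, dataKey, []byte(masterKeyID))
	if err != nil {
		return nil, err
	}
	return &Envelope{MasterKeyID: masterKeyID, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptEvent is the secured deserializer: get master key, decrypt the data
// key, then decrypt the event with the recovered data key.
func DecryptEvent(env *Envelope) ([]byte, error) {
	mk, err := getMasterKey(env.MasterKeyID)
	if err != nil {
		return nil, err
	}
	dataKey, err := open(mk, env.WrappedKey, []byte(env.MasterKeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Ciphertext, []byte(env.MasterKeyID))
}

func main() {
	env, _ := EncryptEvent("mk-1", []byte(`{"ssn_id":"123-45-6789"}`))
	plain, err := DecryptEvent(env)
	fmt.Printf("round trip: %s (err=%v)\n", plain, err)
}
```

Because only the wrapped data key travels with the event, rotating the master key means re-wrapping data keys, not re-encrypting topics; the `MasterKeyID` field is what lets a consumer pick the right key version during rotation.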
36. Data Protection with Confluent Service Mesh and Encryption accelerator
• CSM producer sidecar is responsible for data protection independently of the client type.
• CSM consumer sidecar is responsible for safely exposing data in clear and can also handle field access control.
Diagram: Producer → CSM → Protected (message) → CSM → Consumer, with a KMS/Tokenizer serving both sidecars.
39. Data Protection with Access Control via CSM
Original message:
{
  "name": "Joe Example",
  "address": "123 Main St",
  "ssn_id": "123-45-6789",
  "account": "678900000234",
  "Order_time": 1560070133853,
  "current_balance": 67,
  "itemid": "Item_9"
}
Protected (name and address replaced by substitute values, ssn_id and account encrypted):
{
  "name": "Hyt Piqdfggr",
  "address": "852 Jdrf Wd",
  "ssn_id": "dKI4gflV6r339Q==",
  "account": "PrM1vyf/CxwoqQ==",
  "Order_time": 1560070133853,
  "current_balance": 67,
  "itemid": "Item_9"
}
Original message with Access Control (name and address exposed in clear, ssn_id and account still encrypted):
{
  "name": "Joe Example",
  "address": "123 Main St",
  "ssn_id": "dKI4gflV6r339Q==",
  "account": "PrM1vyf/CxwoqQ==",
  "Order_time": 1560070133853,
  "current_balance": 67,
  "itemid": "Item_9"
}
40. OPA - Open Policy Agent
https://www.openpolicyagent.org/
OPA testing and examples: The Rego Playground
41. Policy Based Field Level Access Control
Which fields should be hidden or redacted?
Diagram: Producer → Confluent Service Mesh (Pluggable Code) → Confluent Service Mesh (Pluggable Code) → Consumer; the Open Policy Agent answers that question for the pluggable code.
42. Policy Based Field Level Access Control
Original message:
{
  "name": "Joe Example",
  "address": "123 Main St",
  "ssn_id": "123-45-6789",
  "account": "678900000234",
  "Order_time": 1560070133853,
  "current_balance": 67,
  "itemid": "Item_9",
  "country": "usa"
}
Diagram: the message passes through Confluent Service Mesh (Pluggable Code), which consults the Open Policy Agent for each consumer.
Consumer classified "USA financial" receives:
{
  "account": "678900000234",
  "Order_time": 1560070133853,
  "itemid": "Item_9"
}
Consumer classified "USA financial pii" receives the full message:
{
  "name": "Joe Example",
  "address": "123 Main St",
  "ssn_id": "123-45-6789",
  "account": "678900000234",
  "Order_time": 1560070133853,
  "current_balance": 67,
  "itemid": "Item_9"
}
Consumer classified "Brazil financial pii": nothing sent
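The decisions shown on slides 39 and 42, as an added Go example that is neither CSM's nor OPA's code: in CSM the policy is a Rego module evaluated by OPA, and here a Go function stands in for that decision so the logic can be read and run offline. The field classifications (`pii`, `financial`) are assumptions chosen so the outcomes match the slide; the sample message is a constructed copy of the slide's original message, and `Decide`, `VisibleFields` and `Consumer` are this example's names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// sampleMessage is a constructed copy of the slide's original message.
const sampleMessage = `{
  "name": "Joe Example",
  "address": "123 Main St",
  "ssn_id": "123-45-6789",
  "account": "678900000234",
  "Order_time": 1560070133853,
  "current_balance": 67,
  "itemid": "Item_9",
  "country": "usa"
}`

// fieldClassifications are ASSUMED tags (not from the page), chosen so that
// "financial" alone sees account, Order_time and itemid, while "financial"
// plus "pii" sees everything. Fields missing from the map carry no tag.
var fieldClassifications = map[string][]string{
	"name":            {"pii"},
	"address":         {"pii"},
	"ssn_id":          {"pii"},
	"account":         {"financial"},
	"current_balance": {"financial", "pii"},
}

// Consumer is the entitlement the sidecar resolved for the authenticated
// consuming principal; it is never taken from the message itself.
type Consumer struct {
	Country         string
	Classifications []string
}

func hasAll(granted, required []string) bool {
	have := map[string]bool{}
	for _, g := range granted {
		have[g] = true
	}
	for _, r := range required {
		if !have[r] {
			return false
		}
	}
	return true
}

// Decide plays the role of the OPA policy. It returns sent=false when the whole
// message must be withheld ("nothing sent"), otherwise the redacted message.
func Decide(msgJSON []byte, c Consumer) ([]byte, bool, error) {
	var msg map[string]any
	if err := json.Unmarshal(msgJSON, &msg); err != nil {
		return nil, false, err
	}
	// Jurisdiction check first: a mismatch withholds the entire event.
	country, _ := msg["country"].(string)
	if country == "" || country != c.Country {
		return nil, false, nil
	}
	delete(msg, "country") // routing attribute consumed by the policy (assumed: not forwarded)
	kept := map[string]any{}
	for k, v := range msg {
		// Default-deny: a tagged field is forwarded only if every tag is granted.
		if hasAll(c.Classifications, fieldClassifications[k]) {
			kept[k] = v
		}
	}
	out, err := json.Marshal(kept)
	return out, true, err
}

// VisibleFields lists, sorted, the field names a consumer would receive.
func VisibleFields(msgJSON []byte, c Consumer) ([]string, bool, error) {
	out, sent, err := Decide(msgJSON, c)
	if err != nil || !sent {
		return nil, sent, err
	}
	var kept map[string]any
	if err := json.Unmarshal(out, &kept); err != nil {
		return nil, true, err
	}
	names := make([]string, 0, len(kept))
	for k := range kept {
		names = append(names, k)
	}
	sort.Strings(names)
	return names, true, nil
}

func main() {
	for _, c := range []Consumer{
		{"usa", []string{"financial"}},
		{"usa", []string{"financial", "pii"}},
		{"brazil", []string{"financial", "pii"}},
	} {
		fields, sent, err := VisibleFields([]byte(sampleMessage), c)
		if !sent {
			fmt.Printf("%s %v: nothing sent (err=%v)\n", c.Country, c.Classifications, err)
			continue
		}
		fmt.Printf("%s %v: %v\n", c.Country, c.Classifications, fields)
	}
}
```

The two things worth carrying over to a real Rego policy are the order of checks (the country test runs before any field is considered, so a wrong-jurisdiction consumer learns nothing, not even field names) and default-deny on tagged fields, so a newly added classification is hidden until someone grants it.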
44. OPA Configuration and Integration
• Link OPA Policies in Classifications
• Add OPA Policies (rego)
• Local OPA module (Session Authorizer): local path to rego file; rego path (decision, package)
46. Mutual TLS (mTLS) or Kerberos
Diagram: Producer and Consumer authenticating with MTLS / Kerberos, marked “ON PREM ONLY” and “FAIL”.
47. With CSM in the Mix
Diagram: Client —MTLS→ CSM (Pluggable Code) —SASL (key/secret)→ Confluent Cloud. The pluggable code looks up the client's auth from the MTLS principal during the SSL handshake (User1 => key/secret, User2 => key/secret).
48. Example CSM MTLS Flow
1. Client starts the SSL handshake with CSM
2. CSM extracts the principal from the client certificate
3. CSM looks up the key/secret from some database with the principal as key
4. The database returns the key/secret
5. CSM authenticates to Confluent Cloud via SASL with the key/secret
6. CSM finishes the handshake with the client
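Steps 2 to 4 of this flow as an added Go example (not CSM's code): the principal is read from the verified client certificate and used as the key into a credential store. The mapping "principal = certificate Subject CN" is an assumption (a deployment might use a SAN or a DN component instead), the credential store is a constructed in-memory map with placeholder key/secret values, and `newClientCert` is only a test fixture that mints self-signed certificates so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Credential is the SASL key/secret CSM presents to Confluent Cloud on the
// client's behalf (placeholder values, constructed for this example).
type Credential struct{ Key, Secret string }

// credentialStore stands in for "Some Database": principal -> key/secret.
var credentialStore = map[string]Credential{
	"User1": {Key: "KEY-USER1-PLACEHOLDER", Secret: "SECRET-USER1-PLACEHOLDER"},
	"User2": {Key: "KEY-USER2-PLACEHOLDER", Secret: "SECRET-USER2-PLACEHOLDER"},
}

// PrincipalFromCert runs after the TLS layer has verified the chain against the
// trusted CA; it only extracts identity. ASSUMED mapping: Subject CN is the principal.
func PrincipalFromCert(cert *x509.Certificate) (string, error) {
	if cert == nil || cert.Subject.CommonName == "" {
		return "", errors.New("client certificate has no CN to use as principal")
	}
	return cert.Subject.CommonName, nil
}

// LookupCredential is the "lookup key/secret from DB with principal as key" step.
// An unmapped principal is an authentication failure, not a fallback to a default.
func LookupCredential(principal string) (Credential, error) {
	c, ok := credentialStore[principal]
	if !ok {
		return Credential{}, fmt.Errorf("no SASL credential mapped for principal %q", principal)
	}
	return c, nil
}

// ResolveSASL ties the steps together: certificate -> principal -> key/secret.
func ResolveSASL(cert *x509.Certificate) (Credential, error) {
	principal, err := PrincipalFromCert(cert)
	if err != nil {
		return Credential{}, err
	}
	return LookupCredential(principal)
}

// newClientCert mints a self-signed client certificate for cn (test fixture only;
// a real deployment issues client certificates from the organisation's CA).
func newClientCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, cn := range []string{"User1", "Mallory"} {
		cert, _ := newClientCert(cn)
		cred, err := ResolveSASL(cert)
		fmt.Printf("%s -> key=%q err=%v\n", cn, cred.Key, err)
	}
}
```

In a real listener the certificate would come from `tls.ConnectionState.PeerCertificates[0]` on a server configured with `ClientAuth: tls.RequireAndVerifyClientCert`, so that chain validation happens before `ResolveSASL` ever sees the certificate; the lookup must never be the only check.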
51. Typical Hybrid CSM-Setup
- hybrid setup
- self-managed connect
- local CSM and clients
- ksqlDB and CP in Confluent Cloud
- ksqlDB on field-level-encrypted topics
- AWS KMS for keys (AWS, Azure, Vault, …)
52. CSM in a sidecar
- external service writing to plain-text topic
- kstreams app filtering data and writing to encrypted topic
- local client connecting to CCloud via CSM/directly
53. CSM as (Gateway) Service on VMs
- CSM deployed on containers/VMs
- HA achieved with multiple CSM-replicas and LB
- reminder: CSM is stateless (!)
- Scaling horizontally/vertically
- load-balancers for external CSM-access
58. CSM as a Gateway to Confluent Cloud
• Transparent end-to-end encryption
• Field-level authorization and access-control with policy-based field-level encryption
• Use existing authentication mechanisms in cloud migrations
61. CSM Ingress on k8s / SNI: Formatter for Listener Overrides
62. Use case: Kubernetes Ingress
Ingress Scenario:
● CSM maps each broker to one port that is exposed as a k8s service
● Ingress will not allow opening ports dynamically (or more than a few specific ports at all - 80, 8080, 443)
64. Solution: SNI Routing
SNI: Server Name Indication - Wikipedia (https://github.com/Schm1tz1/sni-routing-examples)
● Hosting of multiple (virtual) services with the same (physical) frontend and different backends
● Used in Ingress for (de)multiplexing TCP traffic
● Routing to backend services using information from the TLS handshake (hello)
● A similar pattern based on HTTP headers is very common for web servers
65. Formatter for Listener Overrides and SNI
Changes to "CSM standard setup":
● CSM configured to return virtual hostnames that can be mapped back to internal ports (example: host.name.formatter=b$p.$h:9092)
● Matching certificates (wildcard)
● Ingress with SNI rules / mapping for these hostnames
● External DNS entries (wildcard) pointing to ingress IPs
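The two halves of this setup, as an added Go example (not CSM's or any ingress controller's code): expanding the formatter `b$p.$h:9092` into the virtual hostname CSM advertises for each broker, and deriving from the same template the reverse match an SNI router needs to turn a server name from the TLS ClientHello back into the internal broker port. The placeholder meaning ($p = internal broker port, $h = external listener host, trailing :9092 = the one ingress port) is an assumption read off the slide's example; broker hosts, ports and `kafka.example.com` are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Broker is one broker port behind CSM (constructed sample values).
type Broker struct {
	Host string
	Port int
}

// AdvertisedHost expands the listener-override formatter (e.g. b$p.$h:9092).
// ASSUMED: $p is the broker's internal port, $h the external listener hostname.
func AdvertisedHost(template, listenerHost string, b Broker) string {
	return strings.NewReplacer("$p", strconv.Itoa(b.Port), "$h", listenerHost).Replace(template)
}

// reverseMatcher turns the same template into a regexp that recovers the port
// from an SNI server name: literals are escaped, $p becomes a capture group,
// $h the escaped listener host. The ":port" suffix never appears in SNI.
func reverseMatcher(template, listenerHost string) (*regexp.Regexp, error) {
	hostPart := template
	if i := strings.LastIndex(hostPart, ":"); i >= 0 {
		hostPart = hostPart[:i]
	}
	if !strings.Contains(hostPart, "$p") {
		return nil, errors.New("template lacks $p: SNI could not identify the broker")
	}
	q := regexp.QuoteMeta(hostPart) // QuoteMeta renders "$p" as `\$p`
	q = strings.ReplaceAll(q, `\$p`, `(\d+)`)
	q = strings.ReplaceAll(q, `\$h`, regexp.QuoteMeta(listenerHost))
	return regexp.Compile("^" + q + "$")
}

// RouteFromSNI is the ingress decision: map the ClientHello server name to a
// broker. Names outside the scheme, or naming a port no broker uses, are
// rejected instead of being passed through to some default backend.
func RouteFromSNI(template, listenerHost, serverName string, brokers []Broker) (Broker, error) {
	re, err := reverseMatcher(template, listenerHost)
	if err != nil {
		return Broker{}, err
	}
	m := re.FindStringSubmatch(serverName)
	if m == nil {
		return Broker{}, fmt.Errorf("SNI %q does not match scheme %q", serverName, template)
	}
	port, _ := strconv.Atoi(m[1])
	for _, b := range brokers {
		if b.Port == port {
			return b, nil
		}
	}
	return Broker{}, fmt.Errorf("SNI %q names port %d, which no broker uses", serverName, port)
}

func main() {
	brokers := []Broker{{"csm-0.internal", 9092}, {"csm-1.internal", 9093}, {"csm-2.internal", 9094}}
	const tmpl, host = "b$p.$h:9092", "kafka.example.com"
	for _, b := range brokers {
		adv := AdvertisedHost(tmpl, host, b)
		target, err := RouteFromSNI(tmpl, host, strings.Split(adv, ":")[0], brokers)
		fmt.Println(adv, "->", target.Host, err)
	}
}
```

Note the certificate consequence: a wildcard such as `*.kafka.example.com` matches exactly one label, so the scheme must keep `$p` within a single label in front of `$h` (as `b$p.$h` does); a template that put a dot between the prefix and the port would need a certificate per broker.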
67. Features Comparison
Feature                       | Client-side Encryption | CSM-based Encryption
Field-level encryption        | ✅ (Java, .NET only)    | ✅
Payload-level encryption      | ✅                      | ✅
Tokenization/Masking          | ✅ (Java, .NET only)    | ✅
Format-Preserving Encryption  | ✅ (Java, .NET only)    | ✅
Supports Kafka Streams        | ✅                      | ✅
Supports Kafka Connect        | JSON, AVRO only        | ✅
Supports ksqlDB               | ✅                      | ✅
Supports REST Proxy           | ❌                      | ✅
Popular KMS integrations      | ✅ (Java, .NET only)    | ✅
Supports access control       | ✅                      | ✅
Node.js, python, C++ support  | limited features       | ✅
Other (Go, Ruby) lang support | ❌                      | ✅
Component-based install       | ✅                      | Not required
68. E2EE Libraries
Features and integrations
✅ Feature included
❌ Feature prioritized but not complete
❌ Feature not included or prioritized
na Not Applicable