Daniel Bryant, profile picture
Uploaded byDaniel Bryant
PPTX, PDF1,655 views

KubeCon EU 2019 "Securing Cloud Native Communication: From End User to Service"

The document discusses the increasing importance of securing cloud-native communications amid application modernization and hybrid platforms, emphasizing the need for decoupling apps and infrastructure securely. It highlights critical security practices such as defense in depth, network segmentation, and service mesh usage to protect data in motion. Key statistics on data breaches underline the urgency of these security measures for organizations.

Technology
Related topics:
API Gateway

Embed presentation

Download to read offline
Copyright © 2019 HashiCorp Securing Cloud Native Communication: From End User to Service Daniel Bryant Product Architect, Datawire Nic Jackson Developer Advocate, HashiCorp
tl;dr ▪ We’re seeing an increase in application modernisation/hybrid platforms ▪ Decoupling apps and infrastructure is key: incrementally and securely ▪ All security must have good UX / DevEx ▪ Defence in depth is vital -- network / service security is one part of this ▪ Mind the gap(s)!
Who are we? Nic Jackson Developer Advocate, HashiCorp @sheriffjackson Daniel Bryant Product Architect, Datawire @danielbryantuk
So, we don’t want to scare you, but...
So, we don’t want to scare you, but... 214 Records containing personal data are exploited every second
So, we don’t want to scare you, but... 2.2% Of compromised records are protected by encryption
So, we don’t want to scare you, but... 65% Of cases are linked to identity theft
So, we don’t want to scare you, but... $3,860,000 Is the average cost of a data breach
So, we don’t want to scare you, but... $350,00,000 Is the cost of a breach containing over 50 million records
So, we don’t want to scare you, but... 72% Increase in attacks between 2017 and 2018 Gemalto Breach Level Index: https://breachlevelindex.com/ IBM Cost of a Data Breach Study: https://www.ibm.com/security/data-breach
We’re assuming that you have secured your data at rest… ...and hardened compute
But what about data in motion? Are your comms vulnerable?
And what about during application modernisation? Network heterogeneity typically increases: - Private DC, cloud, k8s...
https://www.rgoarchitects.com/Files/fallacies.pdf
Exploring end-to-end communication
API Gateway: Edge proxy, ingress, ADC... ▪ Exposes internal services to end-users (via multiple domains) ▪ Encapsulates backends (k8s, VMs, bare metal etc) ▪ TLS termination (enforcing minimum TLS version) ▪ End-user authentication/authorization ▪ Rate limiting (DDoS protection, etc)
Service Mesh: Proxy mesh, Fabric model... ▪ Exposes internal services to internal consumers ▪ Encapsulates service infra (across k8s, VMs, bare metal etc) ▪ mTLS: service identity and traffic encryption ▪ ACLs and intentions: who can do what, and to whom ▪ Implements cross-functional concerns (out-of-process)
Service Mesh: Three Pillars ▪ Observability – “Golden signals”: latency, errors, traffic, saturation (USE, RED) – Both global and service-to-service ▪ Reliability – Abstracting health checks, retries, circuit breakers etc. – Providing sane default to protect system ▪ Security – Authn/z propagation, mTLS, network segmentation
Exploring end-to-end communication
© 2019 HashiCorp 24 Bypass the perimeter by attacking services
© 2019 HashiCorp 25 We need internal network isolation
© 2019 HashiCorp 26 Network segmentation
© 2019 HashiCorp 27 Service segmentation
© 2019 HashiCorp 28 Problem: Dynamic environments...
© 2019 HashiCorp 29 Network / Service segmentation with intention-based security
Exploring end-to-end communication
https://blog.envoyproxy.io/service-mesh-data-plane-vs-control-plane-2774e720f7fc Control planes and data planes Data plane Control plane
Control planes: Differing use cases ▪ North-south – Unknown / untrusted clients – Limited exposure of services (Mapping) – Centralised ops ingress defaults + decentralised product team cfg ▪ East-west – Dynamic service information update required (multiple sources) – Identity required for all services (mTLS + ACLs) – “Sane” internal defaults + decentralised dev cfg
Ambassador + Consul
Copyright © 2019 HashiCorp Demo
Conclusion ▪ We’re seeing an increase in application modernisation/hybrid platforms ▪ Decoupling apps and infrastructure is key: incrementally and securely ▪ All security must have good UX / DevEx ▪ Defence in depth is vital -- network / service security is one part of this ▪ Mind the gap(s)!
References ▪ Context: – https://www.infoq.com/articles/api-gateway-service-mesh-app-modernisation/ ▪ Reference: – https://www.getambassador.io/user-guide/consul-connect-ambassador/ – https://www.getambassador.io/user-guide/consul/ – https://www.consul.io/docs/platform/k8s/ambassador.html Experiment in an Instruqt sandbox: https://instruqt.com/hashicorp/tracks/sock-shop-tutorial Code examples: https://github.com/emojify-app
Copyright © 2019 HashiCorp Questions?
Copyright © 2019 HashiCorp Thanks! @sheriffjackson | @danielbryantuk

More Related Content

PDF
Securing Databases with Dynamic Credentials and HashiCorp Vault
byMitchell Pronschinske
 
PDF
Post quantum cryptography in vault (hashi talks 2020)
byMitchell Pronschinske
 
PDF
Infrastructure-as-code: bridging the gap between Devs and Ops
byMykyta Protsenko
 
PPTX
How ddd, cqrs and event sourcing constitute the architecture of the future
byMSDEVMTL
 
PDF
CloudFlare DDoS attacks 101: what are they and how to protect your site?
byCloudflare
 
PPTX
Meetup Microservices Commandments
byBill Zajac
 
PDF
Introduction to Virtual Kubelet
byMitchell Pronschinske
 
PPTX
DEVNET-1140 InterCloud Mapreduce and Spark Workload Migration and Sharing: Fi...
byCisco DevNet
 
Securing Databases with Dynamic Credentials and HashiCorp Vault
byMitchell Pronschinske
 
Post quantum cryptography in vault (hashi talks 2020)
byMitchell Pronschinske
 
Infrastructure-as-code: bridging the gap between Devs and Ops
byMykyta Protsenko
 
How ddd, cqrs and event sourcing constitute the architecture of the future
byMSDEVMTL
 
CloudFlare DDoS attacks 101: what are they and how to protect your site?
byCloudflare
 
Meetup Microservices Commandments
byBill Zajac
 
Introduction to Virtual Kubelet
byMitchell Pronschinske
 
DEVNET-1140 InterCloud Mapreduce and Spark Workload Migration and Sharing: Fi...
byCisco DevNet
 

What's hot

PDF
Cloud-native applications with Java and Kubernetes - Yehor Volkov
byKuberton
 
PDF
初探 OpenTelemetry - 蒐集遙測數據的新標準
byMarcus Tung
 
PPTX
MongoDB World 2018: MongoDB for High Volume Time Series Data Streams
byMongoDB
 
PDF
MongoDB World 2018: Transactions and Durability: Putting the “D” in ACID
byMongoDB
 
PDF
DDS tutorial with connector
byJavier Povedano
 
PDF
Cloud for Kubernetes : Session3
byWhaTap Labs
 
PDF
MongoDB World 2018: Building a New Transactional Model
byMongoDB
 
PPTX
Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy
byJeffrey Holden
 
PDF
Flowchain: A case study on building a Blockchain for the IoT
byLinuxCon ContainerCon CloudOpen China
 
PDF
Nats meetup sf 20150826
byApcera
 
PDF
Introduction and Overview of OpenStack for IaaS
byKeith Basil
 
PDF
Openstack 101
byKamesh Pemmaraju
 
PDF
Google Cloud Platform Kubernetes Workshop IYTE
byGokhan Boranalp
 
PPTX
Open stack in sina
byHui Cheng
 
PDF
IT Minds Mindblown Networking Event 2016
byKasper Nissen
 
PDF
Ci/CD - Stop wasting time, Automate your deployments
byJerry Jalava
 
PDF
Deploying .NET services with Disnix
bySander van der Burg
 
PPTX
DevOps with Kubernetes and Helm - Jenkins World Edition
byJessica Deen
 
PPTX
Orchestration & provisioning
bybuildacloud
 
PDF
Let's not rewrite it all
byMichelle Brush
 
Cloud-native applications with Java and Kubernetes - Yehor Volkov
byKuberton
 
初探 OpenTelemetry - 蒐集遙測數據的新標準
byMarcus Tung
 
MongoDB World 2018: MongoDB for High Volume Time Series Data Streams
byMongoDB
 
MongoDB World 2018: Transactions and Durability: Putting the “D” in ACID
byMongoDB
 
DDS tutorial with connector
byJavier Povedano
 
Cloud for Kubernetes : Session3
byWhaTap Labs
 
MongoDB World 2018: Building a New Transactional Model
byMongoDB
 
Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy
byJeffrey Holden
 
Flowchain: A case study on building a Blockchain for the IoT
byLinuxCon ContainerCon CloudOpen China
 
Nats meetup sf 20150826
byApcera
 
Introduction and Overview of OpenStack for IaaS
byKeith Basil
 
Openstack 101
byKamesh Pemmaraju
 
Google Cloud Platform Kubernetes Workshop IYTE
byGokhan Boranalp
 
Open stack in sina
byHui Cheng
 
IT Minds Mindblown Networking Event 2016
byKasper Nissen
 
Ci/CD - Stop wasting time, Automate your deployments
byJerry Jalava
 
Deploying .NET services with Disnix
bySander van der Burg
 
DevOps with Kubernetes and Helm - Jenkins World Edition
byJessica Deen
 
Orchestration & provisioning
bybuildacloud
 
Let's not rewrite it all
byMichelle Brush
 

Similar to KubeCon EU 2019 "Securing Cloud Native Communication: From End User to Service"

PPTX
[CNCF Webinar] Securing Cloud Native Communication, From End User to Service
byDaniel Bryant
 
PPTX
[London HashiCorp] Securing Cloud Native Communication: From end user to serv...
byDaniel Bryant
 
PPTX
[HashiConf EU] Securing Cloud Native Communication, From End User to Service
byDaniel Bryant
 
PPTX
HashiCorp 2019: "Secure Routing and Traffic Management with Ambassador and Co...
byDaniel Bryant
 
PPTX
Security and Compliance for Enterprise Cloud Infrastructure
byCloudPassage
 
PDF
Challenges In Modern Application
byRahul Kumar Gupta
 
PPTX
Emerging Trends in Cybersecurity by Amar Prusty
byCysinfo Cyber Security Community
 
PDF
Red team-view-gaps-in-the-serverless-application-attack-surface
byPriyanka Aash
 
PDF
Docker microservices and the service mesh
byDocker, Inc.
 
PDF
OSGi for European and Japanese smart cities - experiences and lessons learnt ...
bymfrancis
 
PPTX
Role of edge gateways in relation to service mesh adoption
byChristian Posta
 
PDF
Making Security Approachable for Developers and Operators
byArmonDadgar
 
PDF
Presentation of my paper in the IEEE Symposium on Computer and Communications...
byDalton Valadares
 
PPTX
Service Mesh in the Real World [Raleigh NC Meetup]
bySolo.io
 
PDF
IoT Security and Privacy Considerations
byKenny Huang Ph.D.
 
PDF
Move Auth, Policy, and Resilience to the Platform
byChristian Posta
 
PDF
Cybersecurity Issues in Emerging Technologies 1st Edition Leandros Maglaras (...
byfisberngodoo
 
PDF
Application security as crucial to the modern distributed trust model
byLINE Corporation
 
PDF
Why Endpoint Security Matters: Safeguarding Your Virtual Frontiers
byCrawsec
 
PPTX
Iot(security)
byShreya Pohekar
 
[CNCF Webinar] Securing Cloud Native Communication, From End User to Service
byDaniel Bryant
 
[London HashiCorp] Securing Cloud Native Communication: From end user to serv...
byDaniel Bryant
 
[HashiConf EU] Securing Cloud Native Communication, From End User to Service
byDaniel Bryant
 
HashiCorp 2019: "Secure Routing and Traffic Management with Ambassador and Co...
byDaniel Bryant
 
Security and Compliance for Enterprise Cloud Infrastructure
byCloudPassage
 
Challenges In Modern Application
byRahul Kumar Gupta
 
Emerging Trends in Cybersecurity by Amar Prusty
byCysinfo Cyber Security Community
 
Red team-view-gaps-in-the-serverless-application-attack-surface
byPriyanka Aash
 
Docker microservices and the service mesh
byDocker, Inc.
 
OSGi for European and Japanese smart cities - experiences and lessons learnt ...
bymfrancis
 
Role of edge gateways in relation to service mesh adoption
byChristian Posta
 
Making Security Approachable for Developers and Operators
byArmonDadgar
 
Presentation of my paper in the IEEE Symposium on Computer and Communications...
byDalton Valadares
 
Service Mesh in the Real World [Raleigh NC Meetup]
bySolo.io
 
IoT Security and Privacy Considerations
byKenny Huang Ph.D.
 
Move Auth, Policy, and Resilience to the Platform
byChristian Posta
 
Cybersecurity Issues in Emerging Technologies 1st Edition Leandros Maglaras (...
byfisberngodoo
 
Application security as crucial to the modern distributed trust model
byLINE Corporation
 
Why Endpoint Security Matters: Safeguarding Your Virtual Frontiers
byCrawsec
 
Iot(security)
byShreya Pohekar
 

More from Daniel Bryant

PDF
ITKonekt 2023: The Busy Platform Engineers Guide to API Gateways
byDaniel Bryant
 
PDF
CraftConf 2023 "Microservice Testing Techniques: Mocks vs Service Virtualizat...
byDaniel Bryant
 
PDF
PlatformCon 23: "The Busy Platform Engineers Guide to API Gateways"
byDaniel Bryant
 
PDF
Java Meetup 23: 'Debugging Microservices "Remocally" in Kubernetes with Telep...
byDaniel Bryant
 
PPTX
DevRelCon 2022: "Is Product Led Growth (PLG) the “DevOps” of the DevRel World"
byDaniel Bryant
 
PDF
Fall 22: "From Kubernetes to PaaS to... err, what's next"
byDaniel Bryant
 
PDF
Building Microservice Systems Without Cooking Your Laptop: Going “Remocal” wi...
byDaniel Bryant
 
PDF
KubeCrash 22: Debugging Microservices "Remocally" in Kubernetes with Telepres...
byDaniel Bryant
 
PDF
JAX London 22: Debugging Microservices "Remocally" in Kubernetes with Telepre...
byDaniel Bryant
 
PDF
CloudBuilders 2022: "The Past, Present, and Future of Cloud Native API Gateways"
byDaniel Bryant
 
PDF
KubeCon EU 2022: From Kubernetes to PaaS to Err What's Next
byDaniel Bryant
 
PDF
Devoxx UK 22: Debugging Java Microservices "Remocally" in Kubernetes with Tel...
byDaniel Bryant
 
PDF
DevXDay KubeCon NA 2021: "From Kubernetes to PaaS to Developer Control Planes"
byDaniel Bryant
 
PDF
JAX London 2021: Jumpstart Your Cloud Native Development: An Overview of Prac...
byDaniel Bryant
 
PDF
Container Days: Easy Debugging of Microservices Running on Kubernetes with Te...
byDaniel Bryant
 
PDF
Canadian CNCF: "Emissary-ingress 101: An introduction to the CNCF incubation-...
byDaniel Bryant
 
PDF
MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"
byDaniel Bryant
 
PDF
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
byDaniel Bryant
 
PDF
GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...
byDaniel Bryant
 
PPTX
HashiCorp Webinar: "Getting started with Ambassador and Consul on Kubernetes ...
byDaniel Bryant
 
ITKonekt 2023: The Busy Platform Engineers Guide to API Gateways
byDaniel Bryant
 
CraftConf 2023 "Microservice Testing Techniques: Mocks vs Service Virtualizat...
byDaniel Bryant
 
PlatformCon 23: "The Busy Platform Engineers Guide to API Gateways"
byDaniel Bryant
 
Java Meetup 23: 'Debugging Microservices "Remocally" in Kubernetes with Telep...
byDaniel Bryant
 
DevRelCon 2022: "Is Product Led Growth (PLG) the “DevOps” of the DevRel World"
byDaniel Bryant
 
Fall 22: "From Kubernetes to PaaS to... err, what's next"
byDaniel Bryant
 
Building Microservice Systems Without Cooking Your Laptop: Going “Remocal” wi...
byDaniel Bryant
 
KubeCrash 22: Debugging Microservices "Remocally" in Kubernetes with Telepres...
byDaniel Bryant
 
JAX London 22: Debugging Microservices "Remocally" in Kubernetes with Telepre...
byDaniel Bryant
 
CloudBuilders 2022: "The Past, Present, and Future of Cloud Native API Gateways"
byDaniel Bryant
 
KubeCon EU 2022: From Kubernetes to PaaS to Err What's Next
byDaniel Bryant
 
Devoxx UK 22: Debugging Java Microservices "Remocally" in Kubernetes with Tel...
byDaniel Bryant
 
DevXDay KubeCon NA 2021: "From Kubernetes to PaaS to Developer Control Planes"
byDaniel Bryant
 
JAX London 2021: Jumpstart Your Cloud Native Development: An Overview of Prac...
byDaniel Bryant
 
Container Days: Easy Debugging of Microservices Running on Kubernetes with Te...
byDaniel Bryant
 
Canadian CNCF: "Emissary-ingress 101: An introduction to the CNCF incubation-...
byDaniel Bryant
 
MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"
byDaniel Bryant
 
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
byDaniel Bryant
 
GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...
byDaniel Bryant
 
HashiCorp Webinar: "Getting started with Ambassador and Consul on Kubernetes ...
byDaniel Bryant
 

Recently uploaded

PDF
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
PPTX
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
PDF
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PPTX
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PDF
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
PDF
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
PDF
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PDF
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
NTG - Data Center Management System Software
byMustafa Kuğu
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
Designing a Blog Using Wordpress
bymarkzubi50
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 

KubeCon EU 2019 "Securing Cloud Native Communication: From End User to Service"

  • 1.
    Copyright © 2019HashiCorp Securing Cloud Native Communication: From End User to Service Daniel Bryant Product Architect, Datawire Nic Jackson Developer Advocate, HashiCorp
  • 2.
    tl;dr ▪ We’re seeingan increase in application modernisation/hybrid platforms ▪ Decoupling apps and infrastructure is key: incrementally and securely ▪ All security must have good UX / DevEx ▪ Defence in depth is vital -- network / service security is one part of this ▪ Mind the gap(s)!
  • 3.
    Who are we? NicJackson Developer Advocate, HashiCorp @sheriffjackson Daniel Bryant Product Architect, Datawire @danielbryantuk
  • 4.
    So, we don’twant to scare you, but...
  • 5.
    So, we don’twant to scare you, but... 214 Records containing personal data are exploited every second
  • 6.
    So, we don’twant to scare you, but... 2.2% Of compromised records are protected by encryption
  • 7.
    So, we don’twant to scare you, but... 65% Of cases are linked to identity theft
  • 8.
    So, we don’twant to scare you, but... $3,860,000 Is the average cost of a data breach
  • 9.
    So, we don’twant to scare you, but... $350,00,000 Is the cost of a breach containing over 50 million records
  • 10.
    So, we don’twant to scare you, but... 72% Increase in attacks between 2017 and 2018 Gemalto Breach Level Index: https://breachlevelindex.com/ IBM Cost of a Data Breach Study: https://www.ibm.com/security/data-breach
  • 12.
    We’re assuming thatyou have secured your data at rest… ...and hardened compute
  • 13.
    But what aboutdata in motion? Are your comms vulnerable?
  • 14.
    And what aboutduring application modernisation? Network heterogeneity typically increases: - Private DC, cloud, k8s...
  • 15.
  • 16.
  • 18.
    API Gateway: Edgeproxy, ingress, ADC... ▪ Exposes internal services to end-users (via multiple domains) ▪ Encapsulates backends (k8s, VMs, bare metal etc) ▪ TLS termination (enforcing minimum TLS version) ▪ End-user authentication/authorization ▪ Rate limiting (DDoS protection, etc)
  • 20.
    Service Mesh: Proxymesh, Fabric model... ▪ Exposes internal services to internal consumers ▪ Encapsulates service infra (across k8s, VMs, bare metal etc) ▪ mTLS: service identity and traffic encryption ▪ ACLs and intentions: who can do what, and to whom ▪ Implements cross-functional concerns (out-of-process)
  • 21.
    Service Mesh: ThreePillars ▪ Observability – “Golden signals”: latency, errors, traffic, saturation (USE, RED) – Both global and service-to-service ▪ Reliability – Abstracting health checks, retries, circuit breakers etc. – Providing sane default to protect system ▪ Security – Authn/z propagation, mTLS, network segmentation
  • 22.
  • 24.
    © 2019 HashiCorp24 Bypass the perimeter by attacking services
  • 25.
    © 2019 HashiCorp25 We need internal network isolation
  • 26.
    © 2019 HashiCorp26 Network segmentation
  • 27.
    © 2019 HashiCorp27 Service segmentation
  • 28.
    © 2019 HashiCorp28 Problem: Dynamic environments...
  • 29.
    © 2019 HashiCorp29 Network / Service segmentation with intention-based security
  • 30.
  • 31.
  • 32.
    Control planes: Differinguse cases ▪ North-south – Unknown / untrusted clients – Limited exposure of services (Mapping) – Centralised ops ingress defaults + decentralised product team cfg ▪ East-west – Dynamic service information update required (multiple sources) – Identity required for all services (mTLS + ACLs) – “Sane” internal defaults + decentralised dev cfg
  • 33.
  • 34.
    Copyright © 2019HashiCorp Demo
  • 35.
    Conclusion ▪ We’re seeingan increase in application modernisation/hybrid platforms ▪ Decoupling apps and infrastructure is key: incrementally and securely ▪ All security must have good UX / DevEx ▪ Defence in depth is vital -- network / service security is one part of this ▪ Mind the gap(s)!
  • 36.
    References ▪ Context: – https://www.infoq.com/articles/api-gateway-service-mesh-app-modernisation/ ▪Reference: – https://www.getambassador.io/user-guide/consul-connect-ambassador/ – https://www.getambassador.io/user-guide/consul/ – https://www.consul.io/docs/platform/k8s/ambassador.html Experiment in an Instruqt sandbox: https://instruqt.com/hashicorp/tracks/sock-shop-tutorial Code examples: https://github.com/emojify-app
  • 37.
    Copyright © 2019HashiCorp Questions?
  • 38.
    Copyright © 2019HashiCorp Thanks! @sheriffjackson | @danielbryantuk