Implementing “Zero Trust” in
IBM Cloud Pak for Integration
Kim Clark
Integration Architect
IBM
James Hewitt
Cloud Pak for Integration Development Architect
IBM
© 2021 IBM Corporation
Recording: http://ibm.biz/cp4i-security-webinar
Slides: http://ibm.biz/cp4i-security-pdf
Agile integration (http://ibm.biz/agile-integration) …is largely about embracing cloud native principles in integration.
Diagram: API management (APIM) and integration runtimes distributed across the landscape rather than centralized.
Webinar: http://ibm.biz/agile-integration-webinar
Ingredients of cloud native (http://ibm.biz/cloudnativedefined)
Diagram: the ingredients are grouped into people, architecture and technology, and staged as initial concepts, adoption hurdles and success factors. Ingredients shown: microservice architecture, agile methods, lifecycle automation, DevOps and site reliability engineering, team autonomy, fine-grained components, appropriate decoupling, minimal state, immutable deployment, zero trust, elastic/agnostic/secure platform, lightweight runtimes, operational automation, observability and monitoring, container technology.
Further labels: agility through automation, sustainably empowered, secured by default, managed in aggregate.
What do we mean by Zero Trust* in the context of this presentation?
Approaches/strategies: threat modelling, think like a hacker, defense in depth
Buzz phrases
• Identity as a perimeter
• Micro segmentation
• Adaptive security
• …
Themes
• Assume any vulnerability will be exploited
• Don't trust anyone or anything
• Assume attackers are on the inside already
“Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources….”
NIST – Zero Trust Architecture (2020)
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
* The term “zero trust” in computing has actually been around since at least 1994, but the concept and details have evolved significantly over time.
An example of the move to defense in depth (diagram)
Before: admins, developers and users act directly on workload hosts, each running an operating system and code; source lives in SCM.
After: code reaches the container platform only through SCM and a CI/CD pipeline; a control plane places containers (each wrapping code) onto workload hosts; DevOps & SRE observe the platform through telemetry; users reach only the running containers.
IBM Cloud Pak for Integration: enterprise messaging, application integration, event streaming, high speed data transfer, API management, end-to-end security.
Diagram: the Cloud Pak deployed on IBM Cloud, AWS, Google Cloud, Microsoft Azure, private cloud/VMware, IBM Z, IBM LinuxONE and IBM Power Systems, and at endpoints.
Two perspectives on how zero trust affects Cloud Pak for Integration
1. How customers use the product
2. How we (IBM) architect the product
This presentation is focused on how we implemented the product. The better we architect for zero trust, the simpler it will be for customers to use it securely by default.
Characteristics of modern integration solutions?
Fine grained: independently deployed integrations, smaller queue managers.
Agnostic infrastructure: container platforms enabling operational consistency and portability.
Multi-style: involving application integration, API management, messaging, events.
Hybrid-cloud: integration is less centralized, and often located nearer to applications wherever they reside, in any cloud or on premises.
Diagram: integration spread across on premises, SaaS, IaaS and PaaS; polyglot workloads (e.g. a microservice application mixing language runtimes and specialist runtimes such as integration); exposure points are APIs and events.
Some* perspectives on Zero Trust (*this is far from an exhaustive list)
1. Identity as a perimeter
2. Privileges should be minimized
3. Data must always be safe
4. Secrets…are secret
Aspect 1: Identity as a perimeter*
End user identity
Application identity
Component identity
Administrator identity
(*this concept dates back to at least 2004, probably further, but it has significantly evolved)
Diagram (identity types): across end user, mobile app, API gateway, integration and messaging containers, SaaS application, operator, platform control plane and administrator, the identity carried at each hop is labelled: user + application identity, user + component identity, component identity, user identity (federated?), and admin identity.
Legend: i = integration code (integration container), q = queue manager definition (messaging container).
Aspect 2: Privilege should be minimized
Platform privileges
Host privileges
Resource privileges
Network privileges
Diagram: the same API gateway, integration (i) and messaging (q) containers, each on a host operating system alongside the platform control plane; privilege boundaries are drawn at the hosts, at resources (CPU, memory, disk) and at the network.
Aspect 3: Data must always be safe
Data at rest
Data in transit
Data access
Diagram: API gateway, integration (i) and messaging (q) containers on the container platform, with the links labelled HTTPS, mTLS and MQ channel (secured), and persistent storage labelled encrypted on disk.
Legend: i = integration code (integration container), q = queue manager definition (messaging container).
Aspect 4: Secrets…are secret
Separation from code
Opaque storage
Internal generation
Diagram: the same API gateway, integration (i) and messaging (q) containers, with the secrets in play called out: certificates for mTLS?, SaaS credentials (for the SaaS application), queue manager credentials, HSM, service bindings?, Vault?, etcd (encrypted?), SCM (encrypted?).
Legend: i = integration code (integration container), q = queue manager definition (messaging container).
Protecting against code attacks
1. Operating system
Access to the underlying operating system impacts all containers on the worker node.
Options: Security Context Constraints (SCCs)
2. Network
Over-the-network access to attack or infiltrate other containers.
Options: network policies, service mesh, routes/services, namespaces
3. Kubernetes API
Manipulate the cluster, causing the controllers to take actions.
Options: service accounts, role-based access control (RBAC)
4. Secrets
Code could access credentials and certificates.
Options: service accounts, RBAC, vault
Diagram: Kubernetes master nodes (control plane: API server, controllers) and worker nodes (CoreOS) running containers; the four attack paths from code in a container are numbered 1 operating system access, 2 network access, 3 Kubernetes API access, 4 accessing secrets (including a vault); the CI/CD pipeline feeds the platform.
How do you avoid bad code entering the system in the first place?
Diagram: code enters the container platform only via an automated build/test/deploy pipeline; DevOps & SREs work through SCM, not directly on the control plane.
• Access only via SCM, no direct deployment
• Automated pipeline, including vulnerability tests
• Certified container repository and release container repository
• Only the pipeline has access to the control plane
• Immutable deployment image
• Only the operator has permissions to deploy, and only to specific namespaces (namespace 1, namespace 2)
But zero trust principles mean you can’t assume that even this is sufficient!
How can code in a container attack via the Operating System?
An unrestricted container has full access to the host hardware and software. It could compromise the node and all containers running on it.
Examples
• Install packet sniffers, crypto miners
• Run as root, make system calls with root access
• Mount any directory from the host filesystem (and therefore read/write other pods’ data)
• Attack other components via the network
Diagram: containers on a Kubernetes worker node with unrestricted operating system access to CPU, memory, disk and the network.
Security Context Constraints
OpenShift governs the interaction of a container with the host via Security Context Constraints (SCCs). These control what actions a pod can perform (e.g. whether its containers can run as root) and what it has access to (host files, network, ports etc.). SCCs are assigned to the pod, which implicitly limits what the containers within it can do.
SCC policy types are defined at cluster scope; the two most relevant are:
• Restricted (the default for ordinary authenticated users and service accounts): permits a container only safe capabilities that cannot impact other containers on the node.
• Privileged (requires an administrator to grant it): code can “break out” of its container and impact other containers on the node.
And of interest:
• Anyuid (takes priority over restricted when a service account has been granted it): allows containers to run as any UID, including root or the UID embedded in the image, rather than a UID assigned from the namespace’s range.
When implementing “roll your own” containers it is often tempting to use the privileged SCC because it’s easier.
IBM’s development teams for the Cloud Pak for Integration are required to use the restricted SCC.
Diagram: containers on a Kubernetes worker node (CoreOS) whose access to CPU, memory and disk is SCC-controlled.
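The following Deployment manifest is an added example (not IBM’s own manifest and not part of the deck): a pod spec that the restricted SCC admits without any administrator action, and that explicitly renounces each operating-system attack path listed above (root, host mounts, host network, privilege escalation, a writable root filesystem). The image name, namespace, service account name and port are assumptions.

```yaml
# Added example, not from the IBM deck. Image, namespace, SA name and port are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: integration-flow
  namespace: app-a-prod
spec:
  replicas: 1
  selector:
    matchLabels:
      app: integration-flow
  template:
    metadata:
      labels:
        app: integration-flow
    spec:
      serviceAccountName: integration-flow   # its own SA, never the namespace "default"
      automountServiceAccountToken: false    # no Kubernetes API token inside the pod
      hostNetwork: false                     # no host network namespace (no sniffing)
      hostPID: false                         # no view of host processes
      hostIPC: false
      securityContext:
        runAsNonRoot: true                   # restricted SCC rejects UID 0; do NOT set
                                             # runAsUser, the SCC assigns one from the
                                             # namespace's UID range (MustRunAsRange)
      containers:
      - name: flow
        image: registry.example.com/app-a/integration-flow:1.0.0   # assumed image
        ports:
        - containerPort: 7800
        securityContext:
          privileged: false
          allowPrivilegeEscalation: false    # no setuid/file-capability gains
          readOnlyRootFilesystem: true       # nothing (miner, sniffer) can be dropped on disk
          capabilities:
            drop:
            - ALL                            # restricted SCC itself drops KILL, MKNOD, SETUID, SETGID
        volumeMounts:
        - name: tmp
          mountPath: /tmp                    # the only writable path
        resources:                           # bound CPU/memory so one pod cannot starve the node
          requests:
            cpu: 250m
            memory: 256Mi
          limits:
            cpu: "1"
            memory: 512Mi
      volumes:
      - name: tmp
        emptyDir: {}                         # scratch space; no hostPath volumes anywhere
```

After applying it, `oc get pod -n app-a-prod -o jsonpath='{.items[*].metadata.annotations.openshift\.io/scc}'` shows which SCC admitted each pod; the expected answer is `restricted` (or `restricted-v2` on OpenShift 4.11 and later, which additionally insists on `allowPrivilegeEscalation: false` and dropping ALL capabilities, both already set here). Because the UID is assigned at admission time, the image must work as an arbitrary non-root user: writable paths should be group-owned by GID 0 with group write permission.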
Network attacks
External (north-south): an attacker from beyond the cluster gains access to the cluster network.
Internal (east-west): compromised code inside the cluster has access to the internal cluster network.
Diagram: containers on two Kubernetes worker nodes; an external attack arrives from outside the cluster network, an internal attack originates from a container within it.
Container platform micro-segmentation – by environment, application, tier
Diagram: the workload hosts of the container platform are partitioned into one segment per combination of application (App A, App B), tier (web, application, data) and environment (DEV, TEST, PROD), so that, for example, App A – Web tier – PROD is isolated from App B – Data tier – DEV.
Network defense in depth in Kubernetes
Diagram: container platform with web, application and data tiers spread across workload hosts.
Protect pod boundary (a)
Restrict inter-pod communication (a, b)
Create multi-pod boundaries (a, c)
Control inter-tier communication (a)
Control external access to the cluster (a, e)
Govern exposure by subscription (e)
Options
a) Network policies: These can specify
• Ingress and egress rules for the traffic a pod may receive and send
• Which pods, namespaces and IP blocks can communicate with one another.
Network policies are only enforced if the cluster network plugin implements them (OVN-Kubernetes and OpenShift SDN in its default network-policy mode do); a policy on a plugin that ignores it is silently a no-op.
b) mTLS: Pods themselves may additionally implement (mutual) TLS and credential checking.
c) Multi-tenant mode: OpenShift SDN includes a mode in which namespaces are network isolated, but then more granular network policies won’t work.
d) Service mesh: A service mesh such as Istio simplifies the securing of routing between pods (e.g. mTLS). It also enables traffic management and many other useful routing patterns.
e) API Management: Provides a governed API gateway, restricting access to APIs based on application identity, also providing a portal for discovery and self administration of API subscriptions.
Appropriate isolation is enforced at every level.
In IBM Cloud Pak for Integration, we provide network policies for all our pods. This ensures they will work if a customer introduces a deny-all policy to a namespace (a best practice). Note that introducing a service mesh may itself impose a deny-all policy on member namespaces, so the same requirement applies.
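The policies below are an added example (not the deck’s content and not the network policies shipped with Cloud Pak for Integration) of option (a) combined with the micro-segmentation by application, tier and environment shown earlier. They assume App A’s application tier runs in namespace app-a-prod-app, its web tier (API gateway pods labelled app.kubernetes.io/component=gateway) in app-a-prod-web and its data tier (queue managers) in app-a-prod-data; that each namespace carries the labels app=app-a, env=prod and tier=web|application|data; that the integration listener is 7800/TCP and the MQ listener 1414/TCP; and that cluster DNS runs in the openshift-dns namespace. The first policy is the deny-all baseline; the rest punch exactly the holes the tier needs.

```yaml
# Added example, not from the IBM deck. Namespace names, labels and ports are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: app-a-prod-app
spec:
  podSelector: {}             # every pod in the namespace
  policyTypes:                # a listed type with no rules denies that direction entirely
  - Ingress
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress      # deny-all egress also blocks name resolution; allow it back explicitly
  namespace: app-a-prod-app
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-dns   # automatic label on recent OpenShift;
                                                       # older clusters: label the namespace by hand
    ports:
    - protocol: UDP
      port: 5353              # OpenShift DNS pods listen on 5353, not 53
    - protocol: TCP
      port: 5353
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-web-tier
  namespace: app-a-prod-app
spec:
  podSelector:
    matchLabels:
      tier: application
  policyTypes:
  - Ingress
  ingress:
  - from:
    # namespaceSelector and podSelector inside ONE list element are ANDed: only gateway
    # pods of App A's PROD web tier may connect; DEV/TEST and App B web tiers stay blocked.
    - namespaceSelector:
        matchLabels:
          app: app-a
          env: prod
          tier: web
      podSelector:
        matchLabels:
          app.kubernetes.io/component: gateway
    ports:
    - protocol: TCP
      port: 7800
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-data-tier
  namespace: app-a-prod-app
spec:
  podSelector:
    matchLabels:
      tier: application
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          app: app-a
          env: prod
          tier: data
    ports:
    - protocol: TCP
      port: 1414              # MQ listener; the channel itself still needs TLS (option b)
```

Network policies are additive, so the effective rule set for an application-tier pod becomes: inbound only from App A’s PROD gateways on 7800, outbound only to DNS and to App A’s PROD queue managers on 1414, everything else dropped. The namespace labels the selectors rely on must exist (`oc label namespace app-a-prod-web app=app-a env=prod tier=web`, and likewise for the other two); a missing label fails closed, which is the right direction but worth checking before blaming the policy.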
How can code in a container attack via the Kubernetes API?
By default, Kubernetes injects a service account token into every pod, making every pod “authenticated” (a pod can opt out with automountServiceAccountToken: false).
Examples
• Run other pods with different images, and other service accounts.
• Read secrets
• Mount storage
• Denial of service (break things)
• Change its own configuration
Diagram: a container on a worker node (CoreOS) reaching the API server on the master nodes’ control plane (attack path 3, Kubernetes API access).
Kubernetes API
Role based access control (RBAC)
The Kubernetes control plane looks after all the objects (resources) in the cluster: Pods, Namespaces, ConfigMaps etc.
To query and manipulate those objects, you need to make requests to the Kubernetes API. Command-line tools such as kubectl go through this API, but you can also call it directly via REST.
You cannot usefully interact with the API without an identity (requests with no credentials are treated as the system:anonymous user, which in a default cluster can do almost nothing), and that identity must be bound to a role that provides access to the objects you want to work with.
Rules are set for roles defining precisely what actions (verbs) can be performed on what objects (resources).
Roles are granted through bindings: a RoleBinding grants a Role (or a ClusterRole) within one namespace; a ClusterRoleBinding grants a ClusterRole across all namespaces.
Code in containers can also access the API, and it too needs an identity. That identity is not a user. It is a service account.
IBM Cloud Pak for Integration minimizes the permissions in the service accounts it uses. Any unusual permissions are qualified in the documentation.
Diagram: a container’s service account (or a user account) is bound, through a binding, to one role; a role holds many rules, each naming resources and verbs.
Kubernetes API
Service accounts & namespaces
Containers need an identity to interact with the Kubernetes API server. That identity is not a user. It is a service account.
Service accounts are namespace scoped.
• Each pod is assigned exactly one service account from its namespace (the namespace’s default service account if none is specified).
• There is no restriction on which service account in a namespace a pod can be assigned: anyone who can create pods in the namespace can run them as any service account in it.
• A namespace with a powerful service account is therefore a potential security risk.
IBM Cloud Pak for Integration separates operators and operands into different namespaces where appropriate, providing each with only the permissions it needs.
Diagram: namespace1 holds an operator pod running as Service Account D, which has permission to deploy code to namespace2; namespace2 holds the workload pods running as Service Accounts A, B and C, which have minimal permissions on the Kubernetes API; any service account in a namespace can be assigned to a pod in it.
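The manifests below are an added example (not IBM’s operator RBAC and not from the deck) of the operator/operand split just described, and of the earlier pipeline rule that only the operator may deploy, and only into specific namespaces. They assume an operator in namespace operators, a target namespace app-a-prod, and the service account and role names shown.

```yaml
# Added example, not from the IBM deck. Namespaces, SA and role names are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: integration-operator
  namespace: operators
automountServiceAccountToken: false   # pods must opt in (pod-level field) to get this token
---
# The operand's identity: a dedicated SA with NO bindings, so a compromised workload
# pod that somehow obtains a token still cannot do anything with the API.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: integration-flow
  namespace: app-a-prod
automountServiceAccountToken: false
---
# Namespaced Role: only the verbs the operator needs, on only the resources it manages.
# Deliberately absent: secrets (referencing a Secret from a Deployment needs no read
# access to it), pods/exec, pods/attach, roles, rolebindings.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: integration-deployer
  namespace: app-a-prod
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["services", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]      # observe rollout status; never exec into pods
---
# Bind the operator's SA (in the operators namespace) to the Role in the target namespace.
# A second RoleBinding in another namespace would extend it there; nothing cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: integration-deployer
  namespace: app-a-prod
subjects:
- kind: ServiceAccount
  name: integration-operator
  namespace: operators
roleRef:
  kind: Role
  name: integration-deployer
  apiGroup: rbac.authorization.k8s.io
```

Verify the boundary with impersonation before trusting it: `oc auth can-i create deployments -n app-a-prod --as=system:serviceaccount:operators:integration-operator` should answer yes, while `oc auth can-i get secrets -n app-a-prod --as=system:serviceaccount:operators:integration-operator` and `oc auth can-i create deployments -n app-b-prod --as=...` should answer no. The operator pod itself does need a token, so its pod spec sets `automountServiceAccountToken: true` (the pod-level field overrides the service account’s default); workload pods leave it off.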
How can code in a container attack via secrets?
Malicious code in a container has access to all the secrets mounted by that pod. Additionally, if the associated service account has privileges, it can read more secrets through the Kubernetes API.
Within Kubernetes environments Vault access is also often authenticated based on the service account, so the same token opens that door too.
Examples
• Get credentials for database access
• Get certificates to use in mTLS
Diagram: a container on a worker node (CoreOS) accessing Kubernetes Secrets via the API server on the control plane (attack path 4) and accessing a vault.
How should you manage access to secrets?
No secret information should ever be placed unencrypted in source control, whether in code or configuration files, so what are the options?
K8s Secrets
• Not encrypted by default: the value is only base64-encoded and stored in etcd, although encryption at rest can be enabled.
• Namespace scoped. RBAC rules can perform coarse grained access control.
• Administration of the secrets requires Kubernetes access, so it is very much a Kubernetes-only solution.
• K8s Secrets are typically surfaced as files on a dedicated volume mount (they can also be placed in environment variables, which is weaker: environment variables are inherited by child processes and tend to appear in diagnostic output).
• Where do you put the secrets before they get into Kubernetes? What if you need them in more than one namespace? What if the namespace you stored them in gets removed, but you still need the secrets?
• No support for dynamic generation of per-instance secrets
• No assistance with certificate rotation
External secrets management such as HashiCorp Vault
• Encrypted by default and stored in a choice of persistence options.
• Fine grained access control. Can be linked to Kubernetes service accounts.
• External to Kubernetes so can be used for broader secrets requirements.
• Secrets can be retrieved at runtime, although a common model is to have them injected onto the container file system.
• Provides a permanent secrets store with a lifecycle beyond namespaces, clusters etc.
• Enables dynamic generation of per-instance secrets with specific access controls (e.g. creation of credentials for “read-only” access to a database, with automatic time and/or activity based revocation).
• Can help with certificate rotation
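Three manifests as an added example (not from the deck, not Cloud Pak for Integration’s own configuration) contrasting the two options above: first, enabling encryption at rest on OpenShift 4 so Kubernetes Secrets are no longer plaintext in etcd; second, a pod consuming a Kubernetes Secret as a read-only file rather than an environment variable; third, the Vault alternative, where the HashiCorp Vault Agent injector (assumed installed) renders a dynamically generated, leased database credential into the pod after logging in to Vault with the pod’s own service account. The namespace, image, Secret name, Vault role and Vault paths are assumptions.

```yaml
# Added example, not from the IBM deck. Names, image, Vault role and paths are assumptions.
# (1) OpenShift 4: encrypt Secrets (and ConfigMaps, Routes, OAuth tokens) in etcd.
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  encryption:
    type: aescbc
---
# (2) Kubernetes Secret surfaced as a file, never as an environment variable.
apiVersion: v1
kind: Pod
metadata:
  name: flow-with-k8s-secret
  namespace: app-a-prod
spec:
  serviceAccountName: integration-flow
  automountServiceAccountToken: false        # the pod has no business talking to the API
  containers:
  - name: flow
    image: registry.example.com/app-a/integration-flow:1.0.0
    volumeMounts:
    - name: db-creds
      mountPath: /run/secrets/db              # files: not inherited by child processes,
      readOnly: true                          # not shown by `oc describe pod`
  volumes:
  - name: db-creds
    secret:
      secretName: app-a-db-credentials        # assumed Secret, created outside SCM
      defaultMode: 0440                       # owner root, group = fsGroup set by the SCC;
                                              # a non-root process needs the group read bit
---
# (3) Vault Agent injector: the pod never sees a long-lived credential. The agent init
# container logs in to Vault with the SA token (Kubernetes auth role "app-a-flow", bound
# to SA integration-flow in namespace app-a-prod) and writes /vault/secrets/db.
apiVersion: v1
kind: Pod
metadata:
  name: flow-with-vault
  namespace: app-a-prod
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "app-a-flow"
    # database/creds/<role> issues a fresh, leased username/password per pod; Vault
    # revokes it at TTL expiry, so a stolen copy has a short life.
    vault.hashicorp.com/agent-inject-secret-db: "database/creds/app-a-readonly"
    vault.hashicorp.com/agent-inject-template-db: |
      {{- with secret "database/creds/app-a-readonly" -}}
      DB_USER={{ .Data.username }}
      DB_PASS={{ .Data.password }}
      {{- end }}
spec:
  serviceAccountName: integration-flow
  automountServiceAccountToken: true          # needed here: the agent authenticates with it
  containers:
  - name: flow
    image: registry.example.com/app-a/integration-flow:1.0.0
    # the application reads /vault/secrets/db at startup; the sidecar keeps it renewed
```

The Vault side of (3) is configured once by an administrator, outside the cluster’s SCM, roughly as `vault write auth/kubernetes/role/app-a-flow bound_service_account_names=integration-flow bound_service_account_namespaces=app-a-prod policies=app-a-flow ttl=1h`, with policy app-a-flow granting read on database/creds/app-a-readonly. Note the trade-off the slide hints at: the Vault pod must mount its service account token, so a compromised container can log in to Vault as that pod and obtain the same credential the pod already holds, but nothing more, because the service account has no RBAC bindings and the Vault role is pinned to exactly this service account and namespace.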
Thoughts on the consequences of zero trust
There are always consequences to increased security: additional resources, more complex processes, reduced agility etc.
No-one achieves “zero” in zero trust.
Threat modelling goes hand in hand with risk assessment (‘What level of paranoia would you like to adopt…’).
Mitigations at a given cost provide you the best compromise towards zero trust.
• Components and people should have no privileges by default
• All privileges are explicitly bestowed based on identity
More information
Zero Trust
What is zero trust
https://www.ibm.com/topics/zero-trust
NIST – Zero Trust Architecture (2020)
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
Agile Integration and Cloud Native
Agile Integration
http://ibm.biz/agile-integration
What does cloud native really mean?
http://ibm.biz/cloudnativedefined
Cloud native agile integration
https://ibm.biz/agile-integration-cloud-native
IBM Integration
https://developer.ibm.com/integration
Cloud Pak for Integration
https://www.ibm.com/cloud/cloud-pak-for-integration
Staying up to date:
https://community.ibm.com/community/user/imwuc/globalgroups/cloudintegration
Detailed documentation
Cluster scoped permissions
https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.1?topic=reference-cluster-scoped-permissions
Security context constraints
https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.1?topic=reference-security-context-constraints
Certificate management
https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.1?topic=administration-replacing-default-keys-certificates
Role Management
https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.1?topic=administration-roles

Interface characteristics - Kim Clark and Brian Petrini
Interface characteristics - Kim Clark and Brian PetriniInterface characteristics - Kim Clark and Brian Petrini
Interface characteristics - Kim Clark and Brian PetriniKim Clark
 
Automating agile integration
Automating agile integrationAutomating agile integration
Automating agile integrationKim Clark
 
The resurgence of event driven architecture
The resurgence of event driven architectureThe resurgence of event driven architecture
The resurgence of event driven architectureKim Clark
 
Convergence of Integration and Application Development
Convergence of Integration and Application DevelopmentConvergence of Integration and Application Development
Convergence of Integration and Application DevelopmentKim Clark
 
Scaling Integration
Scaling IntegrationScaling Integration
Scaling IntegrationKim Clark
 
The evolving story for Agile Integration Architecture in 2019
The evolving story for Agile Integration Architecture in 2019The evolving story for Agile Integration Architecture in 2019
The evolving story for Agile Integration Architecture in 2019Kim Clark
 
Agile integration architecture in relation to APIs and messaging
Agile integration architecture in relation to APIs and messagingAgile integration architecture in relation to APIs and messaging
Agile integration architecture in relation to APIs and messagingKim Clark
 
Multi-cloud integration architecture
Multi-cloud integration architectureMulti-cloud integration architecture
Multi-cloud integration architectureKim Clark
 
Where can you use serverless?  How does it relate to APIs, integration and mi...
Where can you use serverless?  How does it relate to APIs, integration and mi...Where can you use serverless?  How does it relate to APIs, integration and mi...
Where can you use serverless?  How does it relate to APIs, integration and mi...Kim Clark
 
Building enterprise depth APIs with the IBM hybrid integration portfolio
Building enterprise depth APIs with the IBM hybrid integration portfolioBuilding enterprise depth APIs with the IBM hybrid integration portfolio
Building enterprise depth APIs with the IBM hybrid integration portfolioKim Clark
 
3298 microservices and how they relate to esb api and messaging - inter con...
3298   microservices and how they relate to esb api and messaging - inter con...3298   microservices and how they relate to esb api and messaging - inter con...
3298 microservices and how they relate to esb api and messaging - inter con...Kim Clark
 
Hybrid integration reference architecture
Hybrid integration reference architectureHybrid integration reference architecture
Hybrid integration reference architectureKim Clark
 
MuCon 2015 - Microservices in Integration Architecture
MuCon 2015 - Microservices in Integration ArchitectureMuCon 2015 - Microservices in Integration Architecture
MuCon 2015 - Microservices in Integration ArchitectureKim Clark
 
Microservices: Where do they fit within a rapidly evolving integration archit...
Microservices: Where do they fit within a rapidly evolving integration archit...Microservices: Where do they fit within a rapidly evolving integration archit...
Microservices: Where do they fit within a rapidly evolving integration archit...Kim Clark
 
Placement of BPM runtime components in an SOA environment
Placement of BPM runtime components in an SOA environmentPlacement of BPM runtime components in an SOA environment
Placement of BPM runtime components in an SOA environmentKim Clark
 
What’s behind a high quality web API? Ensure your APIs are more than just a ...
What’s behind a high quality web API? Ensure your APIs are more than just a ...What’s behind a high quality web API? Ensure your APIs are more than just a ...
What’s behind a high quality web API? Ensure your APIs are more than just a ...Kim Clark
 
Differentiating between web APIs, SOA, & integration …and why it matters
Differentiating between web APIs, SOA, & integration…and why it mattersDifferentiating between web APIs, SOA, & integration…and why it matters
Differentiating between web APIs, SOA, & integration …and why it mattersKim Clark
 

More from Kim Clark (19)

Cloud native defined
Cloud native definedCloud native defined
Cloud native defined
 
2008-2014 Integration Design - Course Summary for slideshare.pdf
2008-2014 Integration Design - Course Summary for slideshare.pdf2008-2014 Integration Design - Course Summary for slideshare.pdf
2008-2014 Integration Design - Course Summary for slideshare.pdf
 
Interface characteristics - Kim Clark and Brian Petrini
Interface characteristics - Kim Clark and Brian PetriniInterface characteristics - Kim Clark and Brian Petrini
Interface characteristics - Kim Clark and Brian Petrini
 
Automating agile integration
Automating agile integrationAutomating agile integration
Automating agile integration
 
The resurgence of event driven architecture
The resurgence of event driven architectureThe resurgence of event driven architecture
The resurgence of event driven architecture
 
Convergence of Integration and Application Development
Convergence of Integration and Application DevelopmentConvergence of Integration and Application Development
Convergence of Integration and Application Development
 
Scaling Integration
Scaling IntegrationScaling Integration
Scaling Integration
 
The evolving story for Agile Integration Architecture in 2019
The evolving story for Agile Integration Architecture in 2019The evolving story for Agile Integration Architecture in 2019
The evolving story for Agile Integration Architecture in 2019
 
Agile integration architecture in relation to APIs and messaging
Agile integration architecture in relation to APIs and messagingAgile integration architecture in relation to APIs and messaging
Agile integration architecture in relation to APIs and messaging
 
Multi-cloud integration architecture
Multi-cloud integration architectureMulti-cloud integration architecture
Multi-cloud integration architecture
 
Where can you use serverless?  How does it relate to APIs, integration and mi...
Where can you use serverless?  How does it relate to APIs, integration and mi...Where can you use serverless?  How does it relate to APIs, integration and mi...
Where can you use serverless?  How does it relate to APIs, integration and mi...
 
Building enterprise depth APIs with the IBM hybrid integration portfolio
Building enterprise depth APIs with the IBM hybrid integration portfolioBuilding enterprise depth APIs with the IBM hybrid integration portfolio
Building enterprise depth APIs with the IBM hybrid integration portfolio
 
3298 microservices and how they relate to esb api and messaging - inter con...
3298   microservices and how they relate to esb api and messaging - inter con...3298   microservices and how they relate to esb api and messaging - inter con...
3298 microservices and how they relate to esb api and messaging - inter con...
 
Hybrid integration reference architecture
Hybrid integration reference architectureHybrid integration reference architecture
Hybrid integration reference architecture
 
MuCon 2015 - Microservices in Integration Architecture
MuCon 2015 - Microservices in Integration ArchitectureMuCon 2015 - Microservices in Integration Architecture
MuCon 2015 - Microservices in Integration Architecture
 
Microservices: Where do they fit within a rapidly evolving integration archit...
Microservices: Where do they fit within a rapidly evolving integration archit...Microservices: Where do they fit within a rapidly evolving integration archit...
Microservices: Where do they fit within a rapidly evolving integration archit...
 
Placement of BPM runtime components in an SOA environment
Placement of BPM runtime components in an SOA environmentPlacement of BPM runtime components in an SOA environment
Placement of BPM runtime components in an SOA environment
 
What’s behind a high quality web API? Ensure your APIs are more than just a ...
What’s behind a high quality web API? Ensure your APIs are more than just a ...What’s behind a high quality web API? Ensure your APIs are more than just a ...
What’s behind a high quality web API? Ensure your APIs are more than just a ...
 
Differentiating between web APIs, SOA, & integration …and why it matters
Differentiating between web APIs, SOA, & integration…and why it mattersDifferentiating between web APIs, SOA, & integration…and why it matters
Differentiating between web APIs, SOA, & integration …and why it matters
 

Recently uploaded

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Recently uploaded (20)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

Implementing Zero Trust Security in IBM Cloud Pak for Integration

  • 5. An example of the move to defense in depth
    (Diagram: on the left, admins, devs and users work directly against code running on the operating system of each workload host; on the right, code reaches the system only through SCM and a CI/CD pipeline that builds it into containers on a container platform, and DevOps & SRE operate it through the control plane and telemetry rather than through the hosts.)
  • 6. IBM Cloud Pak for Integration
    (Diagram: the Cloud Pak for Integration capabilities are application integration, API management, enterprise messaging, event streaming, high speed data transfer and end-to-end security. Deployment targets shown: IBM Z, IBM LinuxONE, IBM Power Systems, private cloud, IBM Cloud, AWS, Google Cloud, Microsoft Azure and VMware, connecting to end points wherever they reside.)
  • 7. Two perspectives on how zero trust affects Cloud Pak for Integration
    1. How customers use the product
    2. How we (IBM) architect the product
    This presentation is focused on how we implemented the product. The better we architect for zero trust, the simpler it will be for customers to use it securely by default.
  • 8. Characteristics of modern integration solutions?
    Fine grained: independently deployed integrations, smaller queue managers.
    Agnostic infrastructure: container platforms enabling operational consistency and portability.
    Multi-style: involving application integration, API management, messaging, events.
    Hybrid-cloud: integration is less centralized, and often located nearer to applications wherever they reside, in any cloud or on premises.
    (Diagram: workloads spread across on premises, IaaS, PaaS and SaaS; polyglot applications, e.g. microservice applications, combine language runtimes with specialist runtimes such as integration; the exposure points are APIs and events.)
  • 9. Some* perspectives on Zero Trust (*this is far from an exhaustive list)
    1. Identity as a perimeter
    2. Privileges should be minimized
    3. Data must always be safe
    4. Secrets… are secret
  • 10. Aspect 1: Identity as a perimeter*
    Identity types: end user identity, application identity, component identity, administrator identity.
    (*this concept dates back to at least 2004, probably further, but it has significantly evolved)
    (Diagram: a request path through a mobile app, the API gateway, the integration and messaging containers on the container platform, the operator, the platform control plane and a SaaS application, annotated with the identity carried at each hop: user + app identity, user + component identity, component identity, admin identity, and a possibly federated user identity at the SaaS application. Legend: i = integration code, q = queue manager definition.)
  • 11. Aspect 2: Privilege should be minimized
    Platform privileges, host privileges, resource privileges, network privileges.
    (Diagram: the container platform and its control plane, the hosts' operating systems, the resources they expose (CPU, memory, disk) and the network are each a distinct scope in which the API gateway, integration and messaging containers should hold only the privileges they need. Legend: i = integration code, q = queue manager definition.)
  • 12. Aspect 3: Data must always be safe
    Data at rest: encrypted on disk.
    Data in transit: HTTPS and mTLS between the API gateway and the integration containers; secured MQ channels to the messaging containers.
    Data access.
    (Diagram legend: i = integration code, q = queue manager definition.)
  • 13. Aspect 4: Secrets… are secret
    Separation from code, opaque storage, internal generation.
    (Diagram: the secrets in play are certificates for mTLS, queue manager credentials and SaaS credentials; the questions marked on it are where they should live (service bindings? vault? an HSM?), whether the copies held in etcd and in SCM are encrypted, and keeping them out of the integration code and queue manager definitions. Legend: i = integration code, q = queue manager definition.)
  • 14. Protecting against code attacks
    1. Operating system: access to the underlying operating system impacts all containers on the worker node. Options: Security Context Constraints (SCCs).
    2. Network: over-network access to attack/infiltrate other containers. Options: network policies, service mesh, routes/services, namespaces.
    3. Kubernetes API: manipulate the cluster, causing the controllers to take actions. Options: service accounts, role-based access control (RBAC).
    4. Secrets: code could access credentials and certificates. Options: service accounts, RBAC, vault.
    (Diagram: the control plane (API server and controllers) on the Kubernetes master nodes, and containers on CoreOS worker nodes, with the four attack paths numbered: operating system access (1), network access (2), Kubernetes API access (3) and accessing secrets in a vault (4).)
  • 15. How do you avoid bad code entering the system in the first place?
    Access only via SCM, no direct deployment.
    Automated CI/CD pipeline: build, test, deploy. Include vulnerability tests.
    Certified container repository; release container repository.
    Immutable deployment image.
    Only the pipeline has access to the control plane.
    Only the operator has permissions to deploy, and only to specific namespaces (namespace 1, namespace 2).
    But zero trust principles mean you can't assume that even this is sufficient!
  • 16. How can code in a container attack via the operating system?
    An unrestricted container has full access to the host hardware and software. It could compromise the node and all containers running on it.
    Examples
    • Install packet sniffers, bitcoin miners
    • Run as root, make system calls with root access
    • Mount any directory from the host filesystem (and therefore read/write other pods' data)
    • Attack other components via the network
    (Diagram: a Kubernetes worker node with its operating system, CPU, memory and disk, and containers reaching both the operating system and the network.)
  • 17. Security Context Constraints
    OpenShift governs the interaction of a container with the host via Security Context Constraints (SCCs). These control what actions a pod can perform (e.g. whether its containers can run as root) and what it has access to (host files, network, ports etc.). SCCs are in fact assigned to the pod, which implicitly limits what the containers within it can do.
    SCC policy types are defined at cluster scope, the two most relevant of which are:
    • restricted (default if none specified): permits a container only safe capabilities that cannot impact other containers on the node.
    • privileged (requires administrator action): code can "break out" of its container and impact other containers on the node.
    And of interest:
    • anyuid (higher priority than restricted, so chosen when available): allows containers to run as the user ID embedded in the image.
    When implementing "roll your own" containers it is often tempting to use the privileged SCC because it's easier. IBM's development teams for the Cloud Pak for Integration are required to use the restricted SCC.
    (Diagram: a CoreOS worker node whose CPU, memory and disk are reached by containers only through SCC-controlled access.)
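The contrast drawn on slides 16 and 17 as two pod manifests. This is an added example, not part of the original deck and not code from the Cloud Pak for Integration project. The first pod is only admitted under the privileged SCC (or a custom SCC that grants each of those settings); the second is shaped so that the restricted SCC admits it. Pod names, the namespace and the image references are placeholders.

```yaml
# Added example: a pod that needs the privileged SCC, beside one that passes
# restricted. Names, namespace and images are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: node-debug                 # placeholder name
  namespace: demo                  # placeholder namespace
spec:
  hostNetwork: true                # the node's network stack: sniff other pods' traffic
  hostPID: true                    # see (and signal) every process on the node
  containers:
  - name: shell
    image: registry.example.com/tools:latest   # placeholder image
    securityContext:
      privileged: true             # every capability, raw device access
      runAsUser: 0                 # root in a privileged container is root on the node
    volumeMounts:
    - name: host-root
      mountPath: /host
  volumes:
  - name: host-root
    hostPath:
      path: /                      # whole node filesystem, other pods' volumes included
---
# The same workload shape written to pass the restricted SCC: no host
# namespaces, no hostPath, no root, no privilege escalation, no capabilities.
apiVersion: v1
kind: Pod
metadata:
  name: integration-runtime        # placeholder name
  namespace: demo
spec:
  securityContext:
    runAsNonRoot: true             # admission rejects an image whose USER resolves to 0
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: runtime
    image: registry.example.com/integration-runtime:1.0   # placeholder image
    ports:
    - containerPort: 7800          # unprivileged port; below 1024 would need NET_BIND_SERVICE
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: scratch
      mountPath: /tmp              # the only writable path
  volumes:
  - name: scratch
    emptyDir: {}
```

Under restricted, OpenShift assigns the UID from the namespace's allocated range, which is why the second manifest leaves runAsUser unset; the image has to work as an arbitrary non-root UID (typically by making its files group-owned by GID 0). To see which SCC actually admitted a running pod, read the annotation OpenShift stamps on it: `oc get pod integration-runtime -n demo -o jsonpath='{.metadata.annotations.openshift\.io/scc}'` should print `restricted`, and a pod that needed more than that is the thing to investigate.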
  • 18. Network attacks
    External (north-south): an attacker from beyond the cluster gains access to the cluster network.
    Internal (east-west): compromised code inside the cluster has access to the internal cluster network.
    (Diagram: an external attack arriving at the cluster network from outside, and an internal attack from a container on one worker node against containers on another.)
  • 19. Container platform micro-segmentation – by environment, application, tier
    (Diagram: workload hosts partitioned so that App A and App B each have separate web, application and data tiers, and each tier is separated again by environment: DEV, TEST and PROD.)
  • 20. Network defense in depth in Kubernetes
    Goals (options in brackets): protect the pod boundary (a); restrict inter-pod communication (a, b); create multi-pod boundaries (a, c); control communication between the web, application and data tiers (a); control external access to the cluster (a, e); govern exposure by subscription (e).
    Options
    a) Network policies: these can specify ingress and egress rules for traffic arriving at and leaving pods (including traffic from outside the cluster), and which pods, namespaces and IP blocks can communicate with one another.
    b) mTLS: pods themselves may additionally implement (mutual) TLS and credential checking.
    c) Multi-tenant mode: OpenShift includes a mode in which namespaces are network isolated, but then more granular network policies won't work.
    d) Service mesh: a service mesh such as Istio simplifies the securing of routing between pods (e.g. mTLS). It also enables traffic management and many other useful routing patterns.
    e) API management: provides a governed API gateway, restricting access to APIs based on application identity, and a portal for discovery and self administration of API subscriptions.
    Appropriate isolation is enforced at every level. In IBM Cloud Pak for Integration, we provide network policies for all our pods. This ensures they will work if a customer introduces a deny-all policy to a namespace (a best practice). Note that if a service mesh is introduced, this implicitly introduces a deny-all policy.
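The deny-all-then-allow pattern of option (a), as an added example; it is not part of the original presentation and not the network policies that ship with Cloud Pak for Integration. It assumes the tiering of slide 19 expressed as pod labels, a separate namespace for the data tier, an MQ listener on its default port 1414, and a cluster that labels every namespace with kubernetes.io/metadata.name (Kubernetes 1.22 and later, so OpenShift 4.9 and later). Namespace names and application ports are placeholders.

```yaml
# Added example: default-deny for a namespace, then the narrowest allow rules
# the workload needs. Namespaces, labels and ports are placeholders.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: app-a-prod            # placeholder namespace
spec:
  podSelector: {}                  # selects every pod in the namespace
  policyTypes: ["Ingress", "Egress"]
  # no ingress or egress rules: nothing in, nothing out (DNS included)
---
# Allow the web tier (same namespace) to reach the application tier on its
# listening port only; nothing else may connect to tier=application pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-application
  namespace: app-a-prod
spec:
  podSelector:
    matchLabels:
      tier: application
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          tier: web
    ports:
    - protocol: TCP
      port: 8080                   # placeholder application port
---
# Egress from the application tier: the data tier in its own namespace, plus
# cluster DNS (without DNS nothing resolves and the deny-all looks like an outage).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-application-egress
  namespace: app-a-prod
spec:
  podSelector:
    matchLabels:
      tier: application
  policyTypes: ["Egress"]
  egress:
  - to:
    - namespaceSelector:           # namespaceSelector AND podSelector in one entry
        matchLabels:
          kubernetes.io/metadata.name: app-a-data-prod   # placeholder data-tier namespace
      podSelector:
        matchLabels:
          tier: data
    ports:
    - protocol: TCP
      port: 1414                   # MQ listener
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-dns     # OpenShift's DNS pods
    # no ports listed on purpose: a policy matches the pod port, not the
    # service port 53 that clients use, and the DNS pods listen elsewhere
```

Policies are additive and one-sided: the data tier's namespace needs its own ingress rule admitting tier=application pods from app-a-prod, otherwise the egress above is allowed on one side and dropped on the other. A pod selected by no policy at all is unrestricted, which is why the deny-all selecting every pod comes first; `oc describe networkpolicy -n app-a-prod` lists what each policy admits once applied.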
• 21. How can code in a container attack via the Kubernetes API?
By default, Kubernetes injects a service account token into every pod, so every pod is “authenticated” to the API server whether or not it needs to be. Whatever that service account is permitted to do, code running in the container can do.
Examples
• Run other pods with different images and other service accounts
• Read secrets
• Mount storage
• Denial of service (break things)
• Change its own configuration
Diagram: code in containers on a worker node reaching the API server on the control plane, and through it the controllers.
• 22. Kubernetes API role-based access control (RBAC)
The Kubernetes control plane looks after all the objects (resources) in the cluster: Pods, Namespaces, ConfigMaps and so on. To query and manipulate those objects you make requests to the Kubernetes API. Command-line tools such as kubectl go through this API, but you can also call it directly via REST.
You cannot interact with the API without an identity, and that identity must be bound to a role that grants access to the objects you want to work with. Rules in a role define precisely which actions (verbs) can be performed on which objects (resources). Roles are bound within a namespace (through role bindings) or across all namespaces (through cluster role bindings).
Code in containers can also access the API, and it too needs an identity. That identity is not a user; it is a service account.
IBM Cloud Pak for Integration minimizes the permissions in the service accounts it uses. Any unusual permissions are qualified in the documentation.
Diagram: a binding links many subjects (service accounts or user accounts) to one role; a role contains many rules; each rule lists many resources and many verbs.
• 23. Kubernetes API service accounts and namespaces
Containers need an identity to interact with the Kubernetes API server. That identity is not a user; it is a service account. Service accounts are namespace scoped.
• Each pod is assigned exactly one of the service accounts in its namespace.
• There is no restriction on which service account in the namespace a pod can be assigned, so anyone who can create pods there can run code under any of them.
• A namespace containing a powerful service account is therefore a potential security risk.
IBM Cloud Pak for Integration separates operators and operands into different namespaces where appropriate, giving each only the permissions it needs.
Diagram: in namespace1 an operator runs with Service Account D, which has permission to deploy code into namespace2; in namespace2 a controller and application code run with Service Accounts A, B and C, which have minimal permissions on the Kubernetes API. Any service account in a namespace can be assigned to any pod in that namespace.
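The three slides above (default token injection, RBAC rules and bindings, one service account per pod) come together in the following added example. It is not from the IBM deck or from Cloud Pak for Integration; the namespace, account, role and image names are assumptions. It shows the two decisions a practitioner actually makes per workload: does this pod need the API at all, and if so, what is the narrowest rule that serves it.

```yaml
# Added example, not from the deck. Names, namespace and images are assumed.
# A dedicated account whose token is NOT mounted unless a pod asks for it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: config-reader
  namespace: app-a-prod
automountServiceAccountToken: false
---
# Role = list of rules; each rule names resources and the verbs allowed on them.
# resourceNames narrows "get" to a single ConfigMap instead of every ConfigMap.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-app-config
  namespace: app-a-prod
rules:
  - apiGroups: [""]                      # "" is the core API group
    resources: ["configmaps"]
    resourceNames: ["app-a-settings"]    # assumed ConfigMap name
    verbs: ["get"]
---
# RoleBinding = many subjects -> one role, valid in this namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: config-reader-binding
  namespace: app-a-prod
subjects:
  - kind: ServiceAccount
    name: config-reader
    namespace: app-a-prod
roleRef:
  kind: Role
  name: read-app-config
  apiGroup: rbac.authorization.k8s.io
---
# Pod that genuinely needs the API: uses the narrow account and opts in to the
# token, which appears at /var/run/secrets/kubernetes.io/serviceaccount/token.
apiVersion: v1
kind: Pod
metadata:
  name: app-a-config-watcher
  namespace: app-a-prod
spec:
  serviceAccountName: config-reader
  automountServiceAccountToken: true
  containers:
    - name: watcher
      image: registry.example.com/app-a/config-watcher:1.0   # assumed image
---
# Pod that does not need the API: keep the namespace default account but never
# mount its token, so code in the container has nothing to present to the API server.
apiVersion: v1
kind: Pod
metadata:
  name: app-a-web
  namespace: app-a-prod
spec:
  automountServiceAccountToken: false
  containers:
    - name: web
      image: registry.example.com/app-a/web:1.0              # assumed image
```

The check worth running after applying this is an impersonated authorization query rather than a code review: `kubectl auth can-i get secrets -n app-a-prod --as=system:serviceaccount:app-a-prod:config-reader` should answer `no`, while the same query for `get configmaps` answers `yes`. If a pod in this namespace can be created with `serviceAccountName: config-reader`, it inherits exactly those rights, which is the risk the slide above describes: the namespace, not the pod, is the unit of trust.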
• 24. How can code in a container attack via secrets?
Malicious code in a container has access to all the secrets mounted into that pod. Additionally, if the pod's service account has the privileges, it can read further secrets through the Kubernetes API. Within Kubernetes environments, access to an external vault is also often authenticated on the basis of the same service account, so the pod's identity opens that door too.
Examples
• Get credentials for database access
• Get certificates to use in mTLS
Diagram: code in containers on a worker node reading Kubernetes secrets via the API server, and reading secrets from an external vault.
• 25. How should you manage access to secrets?
No secret should ever be placed unencrypted in source control, whether in code or in configuration files, so what are the options?
K8s Secrets
• Not encrypted by default: values are only base64 encoded in etcd, although encryption at rest can be configured on the API server.
• Namespace scoped by default. RBAC rules give coarse-grained access control.
• Administering the secrets requires K8s access, so it is very much a K8s-only solution.
• Typically surfaced as files on a dedicated volume mount (although they can be placed in environment variables).
• Where do you put the secrets before they get into K8s? What if you need them in more than one namespace? What if the namespace you stored them in is removed, but you still need the secrets?
• No support for dynamic generation of per-instance secrets.
• No assistance with certificate rotation.
External secrets management such as HashiCorp Vault
• Encrypted by default and stored in a choice of persistence options.
• Fine-grained access control, which can be linked to K8s service accounts.
• External to K8s, so it can serve broader secrets requirements.
• Secrets can be retrieved at runtime, although a common model is to have them injected onto the container file system.
• Provides a permanent secrets store with a lifecycle beyond namespaces, clusters, etc.
• Enables dynamic generation of per-instance secrets with specific access controls (e.g. creating credentials for read-only access to a database, with automatic time- and/or activity-based revocation).
• Can help with certificate rotation.
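To make the two columns above concrete, and the attack path on the previous slide, here is an added example (not from the IBM deck or from Cloud Pak for Integration) of the same database credential delivered both ways: as a Kubernetes Secret mounted as a read-only file, and as a dynamic credential rendered by the HashiCorp Vault Agent injector using the pod's service account as its identity. The namespace, names, image, Vault role and Vault path are assumptions; the Vault annotations and the `database/creds/<role>` path are the real injector and database-secrets-engine conventions.

```yaml
# Added example, not from the deck. Names, namespace, image and Vault role are assumed.
# Option 1: Kubernetes Secret, mounted as a file rather than an environment variable
# (environment variables leak through process listings, crash dumps and child
# processes; a 0400 file does not).
apiVersion: v1
kind: Secret
metadata:
  name: app-a-db
  namespace: app-a-prod
type: Opaque
stringData:                          # plain values: never commit this file
  username: app_a_ro
  password: replace-me
---
apiVersion: v1
kind: Pod
metadata:
  name: app-a-service
  namespace: app-a-prod
spec:
  automountServiceAccountToken: false  # this pod does not need the API
  containers:
    - name: app
      image: registry.example.com/app-a/service:1.0   # assumed image
      volumeMounts:
        - name: db-creds
          mountPath: /var/run/secrets/app-a-db
          readOnly: true
  volumes:
    - name: db-creds
      secret:
        secretName: app-a-db
        defaultMode: 0400            # owner read-only inside the container
---
# Option 2: Vault Agent injector. The pod's service account token is exchanged
# (Vault Kubernetes auth) for a Vault token limited to one Vault role, and the
# database secrets engine mints a short-lived, per-instance database user that
# Vault revokes when the lease expires.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-a-vault
  namespace: app-a-prod
---
apiVersion: v1
kind: Pod
metadata:
  name: app-a-service-vault
  namespace: app-a-prod
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "app-a-readonly"        # assumed Vault role bound to the SA
    vault.hashicorp.com/agent-inject-secret-db: "database/creds/app-a-readonly"
    vault.hashicorp.com/agent-inject-template-db: |
      {{- with secret "database/creds/app-a-readonly" -}}
      username={{ .Data.username }}
      password={{ .Data.password }}
      {{- end }}
spec:
  serviceAccountName: app-a-vault    # the token IS needed here: Vault auth presents it
  containers:
    - name: app
      image: registry.example.com/app-a/service:1.0
      # rendered credential appears at /vault/secrets/db in the shared volume
```

Option 1 still depends on who can `get secrets` in `app-a-prod` (the RBAC slide) and on etcd encryption at rest being configured, and it gives every replica the same long-lived password. Option 2 requires the Vault role `app-a-readonly` to be bound on the Vault side to the service account name and namespace (the Kubernetes auth method's `bound_service_account_names` and `bound_service_account_namespaces` parameters), which is exactly the "linked to K8s service accounts" point in the slide: the pod's identity is the credential, and it is also what an attacker in the container inherits, so the Vault role should grant nothing beyond that one database path.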
• 26. Thoughts on the consequences of zero trust
There are always consequences to increased security: additional resources, more complex processes, reduced agility and so on. No one achieves “zero” in zero trust.
Threat modelling goes hand in hand with risk assessment (“What level of paranoia would you like to adopt?”). Mitigations at a given cost give you the best compromise towards zero trust.
• 27.
• Components and people should have no privileges by default
• All privileges are explicitly bestowed based on identity
• 28. More information
Zero Trust
• What is zero trust: https://www.ibm.com/topics/zero-trust
• NIST, Zero Trust Architecture (2020): https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
Agile Integration and Cloud Native
• Agile Integration: http://ibm.biz/agile-integration
• What does cloud native really mean? http://ibm.biz/cloudnativedefined
• Cloud native agile integration: https://ibm.biz/agile-integration-cloud-native
• IBM Integration: https://developer.ibm.com/integration
• Cloud Pak for Integration: https://www.ibm.com/cloud/cloud-pak-for-integration
• Staying up to date: https://community.ibm.com/community/user/imwuc/globalgroups/cloudintegration
Detailed documentation
• Cluster scoped permissions: https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.1?topic=reference-cluster-scoped-permissions
• Security context constraints: https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.1?topic=reference-security-context-constraints
• Certificate management: https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.1?topic=administration-replacing-default-keys-certificates
• Role management: https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.1?topic=administration-roles