[HashiConf EU] Securing Cloud Native Communication, From End User to Service
•Download as PPTX, PDF•
1 like•439 views
Everyone building or operating cloud native applications must understand the fundamentals of security issues and modern threat models. Although this topic is vast, in this talk Nic and Daniel will focus on the end-to-end communication and higher-level networking threats, and explore how the combination of an edge proxy and service mesh using TLS and mTLS can be used to mitigate many man-in-the-middle attacks. Key takeaways include: understand the "three pillars" of service mesh functionality - observability, reliability, and security; a service mesh is in a unique place to enforce security features like mTLS; learn how to ensure that there are no exploitable "gaps" within the end-to-end/user-to-service communication path, explore the differences in ingress/mesh control planes, with brief demonstrations using Ambassador and Consul Connect.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to [HashiConf EU] Securing Cloud Native Communication, From End User to Service
Similar to [HashiConf EU] Securing Cloud Native Communication, From End User to Service (20)
More from Daniel Bryant
More from Daniel Bryant (20)
Recently uploaded
Recently uploaded (20)
[HashiConf EU] Securing Cloud Native Communication, From End User to Service
- 1. Copyright © 2019 HashiCorp Securing Cloud Native Communication: From End User to Service Daniel Bryant Product Architect, Datawire
- 3. tl;dr ▪ Security is everyone’s responsibility ▪ Application modernisation leads to heterogeneous infra/networks ▪ Defence in depth is vital: edge/service comms security is one part of this ▪ Mind the gap(s)! ▪ All security must have good UX / DevEx
- 4. Who are we? Nic Jackson Developer Advocate, HashiCorp @sheriffjackson Daniel Bryant Product Architect, Datawire @danielbryantuk
- 5. Security is everyone’s responsibility
- 6. So, we don’t want to scare you, but... 214 Records containing personal data are exploited every second
- 7. So, we don’t want to scare you, but... $3,860,000 Is the average cost of a data breach
- 8. So, we don’t want to scare you, but... $350,00,000 Is the cost of a breach containing over 50 million records
- 9. So, we don’t want to scare you, but... 72% Increase in attacks between 2017 and 2018 Gemalto Breach Level Index: https://breachlevelindex.com/ IBM Cost of a Data Breach Study: https://www.ibm.com/security/data-breach
- 10. Application modernisation: Gift and curse
- 11. Defence in depth
- 12. Defence in depth is vital ▪ Harden and scan infrastructure ▪ Scan code, dependencies, packages ▪ Encrypt data at rest ▪ Encrypt data in transit ▪ Principle of least privilege
- 13. ▪ Harden and scan infrastructure ▪ Scan code, dependencies, packages ▪ Encrypt data at rest ▪ Encrypt data in transit ▪ Principle of least privilege Defence in depth is vital
- 17. API Gateway: Edge proxy, ingress, ADC... ▪ Exposes internal services to end-users (via multiple domains) ▪ Encapsulates backends: k8s, VMs, bare metal etc ▪ TLS termination: enforcing minimum TLS version ▪ End-user authentication/authorization (add token/JWT for propagation) ▪ Rate limiting: DDoS protection, etc
- 19. API Gateway: Edge proxy, ingress, ADC... ▪ Exposes internal services to end-users (via multiple domains) ▪ Encapsulates backends: k8s, VMs, bare metal etc ▪ TLS termination: enforcing minimum TLS version ▪ End-user authentication/authorization (add token/JWT for propagation) ▪ Rate limiting: DDoS protection, etc
- 23. Service Mesh: Proxy mesh, Fabric model... ▪ Exposes internal services to internal consumers ▪ Encapsulates service infra: across k8s, VMs, bare metal etc ▪ mTLS: service identity and traffic encryption ▪ ACLs and intentions: infra/service identity-based access ▪ Enforce metadata (but apps need to propagate headers/tokens)
- 25. Consul config
- 28. Identity and network segmentation
- 29. © 2019 HashiCorp 29 Bypass the perimeter by attacking services
- 30. © 2019 HashiCorp 30 We need internal network isolation
- 31. © 2019 HashiCorp 31 Network segmentation
- 32. © 2019 HashiCorp 32 Service segmentation
- 33. © 2019 HashiCorp 33 Problem: Dynamic environments...
- 34. © 2019 HashiCorp 34 Network / Service segmentation with intention-based security
- 36. Consul config
- 37. Copyright © 2019 HashiCorp Demo
- 39. Conclusion ▪ Security is everyone’s responsibility ▪ Application modernisation leads to heterogeneous infra/networks ▪ Defence in depth is vital: edge/service comms security is one part of this ▪ Mind the gap(s)! ▪ All security must have good UX / DevEx
- 40. References ▪ Context: – https://www.infoq.com/articles/api-gateway-service-mesh-app-modernisation/ ▪ Reference: – https://www.getambassador.io/user-guide/consul-connect-ambassador/ – https://www.getambassador.io/user-guide/consul/ – https://www.consul.io/docs/platform/k8s/ambassador.html – https://www.hashicorp.com/blog/hashicorp-consul-supports-microsoft-s-new-service-mesh-framework Experiment in an Instruqt sandbox: https://instruqt.com/hashicorp/tracks/sock-shop-tutorial Code examples: https://github.com/emojify-app
- 41. Copyright © 2019 HashiCorp Questions?
- 42. Copyright © 2019 HashiCorp Thanks! @sheriffjackson | @danielbryantuk
- 43. Copyright © 2019 HashiCorp Bonus
- 44. Service Mesh: Three Pillars ▪ Observability – “Golden signals”: latency, errors, traffic, saturation (USE, RED) – Both global and service-to-service ▪ Reliability – Abstracting health checks, retries, circuit breakers etc. – Providing sane default to protect system ▪ Security – Authn/z propagation, mTLS, network segmentation
- 45. Security must have good UX
- 47. https://blog.envoyproxy.io/service-mesh-data-plane-vs-control-plane-2774e720f7fc Control planes and data planes Data plane Control plane
- 48. Control planes: Differing use cases ▪ North-south – Unknown / untrusted clients – Limited exposure of services (Mapping) – Centralised ops ingress defaults + decentralised product team cfg ▪ East-west – Dynamic service information update required (multiple sources) – Identity required for all services (mTLS + ACLs) – “Sane” internal defaults + decentralised dev cfg