| ©2018 F5 NETWORKS1
Secured APIM-as-a-Service
Frank Zhu
Objective
Bring DevOps best practices into Operations
Provision & Security
Turn Gate into Guardrail
Challenges
Digital Transformation Challenges
Themes: Speed, Complexity, Attack Surface, Collaboration
✓ Inconsistent security solutions across cloud environments
✓ Lack of DevOps-friendly security tools (CI/CD pipeline)
✓ Implement security early in the development process
✓ Deploy in modern architectures
✓ Microservices create additional attack vectors and new attack types
✓ SecOps view of DevOps: “They don’t take security seriously”
✓ DevOps view of SecOps: “They constantly are interrupting our pipeline, slowing us down, all for the sake of security”

The Solution
Declarative
Support base templates: predefined or external reference
Adaptation layer: Base Template Adaptation
Option to customize the initial policy
{
  "policy": {
    "name": "AppPolicy01",
    "description": "AppV1.1 - DEMO FOR DECLARATIVE AND WEBHOOKS CAPABILITIES",
    "template": { "name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT" },
    "enforcementMode": "blocking",
    "server-technologies": [
      { "serverTechnologyName": "MySQL" }
    ],
    "signature-settings": {
      "signatureStaging": false
    },
    "modifications": [
      {
        "entityChanges": { "type": "explicit" },
        "entity": { "name": "log" },
        "entityKind": "tm:asm:policies:filetypes:filetypestate",
        "action": "delete",
        "description": "Delete Disallowed File Type"
      }
    ]
  }
}
Modification layer: Policy Builder suggestions
Part of the modification layer; can be shared between policies

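As an added example (not code from the deck or from F5's own tooling), the script below composes a declarative policy from the three layers the slide names (base template, per-app adaptation, shared modification layer) and lints the result before a pipeline commits it. All inputs are constructed; the set of valid enforcement modes and the signature-staging caveat are assumptions based on the declarative policy format the slide shows.

```python
import copy

# Constructed inputs. Base template: the deck's rapid-deployment template, transparent
# until an adaptation says otherwise.
BASE_TEMPLATE = {"policy": {"template": {"name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT"},
                            "enforcementMode": "transparent"}}
# Adaptation layer: per-app customisation, modelled on the slide's AppPolicy01.
ADAPTATION = {"name": "AppPolicy01", "enforcementMode": "blocking",
              "server-technologies": [{"serverTechnologyName": "MySQL"}],
              "signature-settings": {"signatureStaging": False}}
# Modification layer: policy-builder suggestions shared between policies.
SHARED_MODIFICATIONS = [
    {"entityChanges": {"type": "explicit"}, "entity": {"name": "log"},
     "entityKind": "tm:asm:policies:filetypes:filetypestate",
     "action": "delete", "description": "Delete Disallowed File Type"}]
VALID_MODES = {"blocking", "transparent"}  # assumption: the two declarative modes


def compose_policy(base, adaptation, modifications):
    """Overlay adaptation on a copy of base, then append each modification once."""
    doc = copy.deepcopy(base)
    doc["policy"].update(copy.deepcopy(adaptation))
    present = doc["policy"].setdefault("modifications", [])
    for mod in modifications:
        if mod not in present:  # a shared layer applied twice must not duplicate
            present.append(copy.deepcopy(mod))
    return doc


def lint_policy(doc):
    """Return (errors, warnings): errors fail the pipeline gate, warnings need review."""
    p = doc.get("policy", {})
    errors, warnings = [], []
    if not p.get("name"):
        errors.append("policy.name is missing")
    if p.get("enforcementMode") not in VALID_MODES:
        errors.append("enforcementMode must be one of %s" % sorted(VALID_MODES))
    for i, mod in enumerate(p.get("modifications", [])):
        missing = [k for k in ("entityKind", "entity", "action") if k not in mod]
        if missing:
            errors.append("modifications[%d] lacks %s" % (i, ", ".join(missing)))
    # With staging off, new signatures enforce immediately in blocking mode;
    # surface that so a reviewer sees the lack of a grace period.
    if (p.get("enforcementMode") == "blocking"
            and p.get("signature-settings", {}).get("signatureStaging") is False):
        warnings.append("blocking mode with signatureStaging=false: no staging grace period")
    return errors, warnings
```

Running the lint as a pipeline step turns the "gate" into a guardrail: a policy with an unknown enforcement mode or an incomplete modification entry fails before it reaches a listener, while the staging trade-off is only flagged for review.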
[Diagram: Shift-Left API lifecycle: API Definition, API Implementation, API Testing, API Onboarding, API Deployment, API Runtime; lanes: Development, Operations, Self Service]

Secured APIM-as-a-Service
Secured APIM-as-a-Microservice
Deployment Options
Deployment at the Edge (Tier 2)
[Diagram: Edge load balancer in front of the Ingress Controller, per-service proxy, per-pod proxies and application pods]
NetOps/SecOps-Centric Approach
This is a prime use case for an Edge load balancer, i.e. outside K8s.
NetOps/SecOps empower their App/DevOps brethren to consume F5 application services in an automated manner.

Deployment on the Ingress Controller (Tier 3)
[Diagram: same topology, protection applied at the Ingress Controller]
K8s SecOps/DevSecOps-Centric Approach
Appropriate solution when security policies are under the direction of NetOps or DevOps teams.
Policies are defined and associated with services using the Kubernetes API.
NGINX Ingress Controller RBAC allows:
• Admin users to enforce policies per listener
• DevOps users to select a policy per Ingress Resource
Leverage Container Ingress Services to scale the NGINX Ingress Controller and add other application services (LB, DNS, DDoS, IAM).

Deployment for a Specific Service (Tier 3)
[Diagram: same topology, protection applied by a per-service proxy in front of the protected service]
DevSecOps-Centric Approach
Appropriate solution when security policies are under the direction of the DevSecOps team and specific to a small number of services.
Protection is implemented using a front-end proxy service for the protected service(s).
• Easy to deploy securely
• Security updates require re-deployment of the per-service proxy tier
Allows for greater resource control and reduces the complexity of the Ingress Controller (IC) configuration.

Deployment for a Specific Pod (Tier 3)
[Diagram: same topology, protection applied by a per-pod proxy embedded in each application pod]
AppOwner-Centric Approach
Appropriate solution when the App Owner has full control of security for their application.
Protection is implemented using an embedded proxy for each application pod.
• Implemented, tested and deployed using the CI/CD pipeline
• Security updates require re-deployment of application pods
Suitable for services that require very close control and testing of API configuration.

Meet the Team
DevOps squad (6-8 people), a Two-Pizza Team:
1. Tech lead
2. Scrum Master
3. Test Developer
4. Deployment Developer
5. 2-4 Full-Stack Developers

Discovery Questions
APIM Focus
1. How many APIs now and over the next year? How many teams?
2. Internal or external consumers? Determines what they need from a DevPortal and the auth requirements.
3. API styles in use: REST, XML, gRPC, GraphQL. Now vs. future.
4. Contract-first approach (do they design before they build APIs)? Existing specs?
5. Deployment flow (how many teams have to touch it)
6. Automation requirements: DevOps practices, CI/CD maturity
7. How are the APIs delivered today? Reverse proxy, load balancer, simple API gateway, API management solution
8. What’s wrong with it? What changed? Need them to share what they really need.
9. Are they modernizing? For real, or a brownfield mix/mess?
10. Looking to augment or rip/replace? Performance and latency

WAF Focus
1. Existing WAF solutions
2. The deployment options and their requirements
3. Describe the existing communication/interaction between Development and Operations teams
4. How is the API implementation tested? What tools are used?
5. Is there value in unifying the security tests for APIs?
