SlideShare a Scribd company logo
1 | Copyright © 2022
Understanding Wireguard, TLS and Workload Identity:
The Backbone of Modern Service Networking
2 | Copyright © 2022
CHRISTIAN POSTA
VP, Global Field CTO, Solo.io
@christianposta
christian@solo.io
3 | Copyright © 2022
01
02
03
04
05
Why do we need modern
security?
Case Study: Google ALTS
Modern Networking Security
Workload Identity
Demos!
Agenda
4 | Copyright © 2022
c
Application Networking
Well Funded ($175M), $1B valuation
Satisfied Customers (130% Renewals)
Cloud-native Technology Leadership
Cloud-native Education Leadership
TODAY’S
BUSINESS
DIGITAL
BUSINESS
The Service Mesh and API Platform
for Kubernetes | Zero-Trust | Microservices
5 | Copyright © 2022
Service A can talk to Service B
6 | Copyright © 2022
Long Live IP!
7 | Copyright © 2022
Containerized Workloads
8 | Copyright © 2022
Beware!
9 | Copyright © 2022
Beware!
https://www.theverge.com/2014/12/8/7352581/sony-pictures-hacked-storystream
10 | Copyright © 2022
Tenets of a Modern, Secure Network
• Assume a Hostile Environment - There are malicious persona both inside and outside the
environment
• Presume Breach - Operate and Defend resources with the assumption that an adversary
has presence in your environment
• Never Trust, Always Verify - Deny by default. Every resource is explicitly authorized using
least privilege multiple attributes, and dynamic cybersecurity principles
• Scrutinize Explicitly - Access to resources is conditional and access can dynamically
change based on action and confidence levels resulting from those actions
• Apply Unified Analytics - for data, applications, assets, services to include behavioristics
and log each transaction
11 | Copyright © 2022
Writing Networking Policy
● Who is calling whom
● Constraining who can call whom
● Avoid MiTM, eavesdropping
● Quota / QoS / Limits
● Logging, auditing
● Policy enforcement via fine-grained authz
12 | Copyright © 2022
Example from Google
ALTS
13 | Copyright © 2022
Application Layer Transport Security
• Built in 2007 (TLS 1.1 was the latest version at this point)
• TLS 1.1 did not meet Google’s minimum security standards
• A simpler, more tailored impl of TLS
• More flexible workload identity model
• Certs use ECDH keys, Uses DH key exchange, can provide PFS and AE
• Uses Protocol Buffers to serialize certificates and protocol messages
https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
14 | Copyright © 2022
ALTS Design
• Transparent to applications / RPC invocations
• Simplified cryptography (limited key exchange/cipher algorithms)
• Authentication based on Identity NOT host machines
• Identity tied to chain of trust / key distribution (transparent to application)
• Authorization policies built around Identity model
https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
15 | Copyright © 2022
Transparent ALTS
16 | Copyright © 2022
Handshake / Record Protocol
17 | Copyright © 2022
ALTS is Proven at Scale
Should we build ALTS?
18 | Copyright © 2022
No. Modern Building Blocks Exist
Let’s take a look
19 | Copyright © 2022
Modern, Secure Service Networking
• Transparent to applications / RPC invocations
• Transparent encryption
• Simplified cryptography (limited key exchange/cipher algorithms)
• Authentication based on Identity NOT host machines
• Identity tied to chain of trust / key distribution (transparent to application)
• Authorization policies built around Identity model
20 | Copyright © 2022
Wireguard
Transparent encryption made easy
21 | Copyright © 2022
Wireguard
22 | Copyright © 2022
Wireguard
• A Kernel/OS module aimed at transparently encrypting IP between two nodes
for VPN use cases
• Simple code base (around 7k LOC vs e.g., 100K+ IPSec)
• No cipher/protocol negotiation; fixed cryptography
• For L3, encapsulate encrypted packets in UDP
• Intended to use ciphers that afford more performance
• Simplified configuration, out of band public-key exchange
https://www.wireguard.com/papers/wireguard.pdf
23 | Copyright © 2022
Configure public keys and it just works
24 | Copyright © 2022
Opinionated Crypto (Based on the Noise Framework)
• Elliptic Curve Diffie Hellman with Curve22519
• ChaCha20+Poly1305 for Authenticated Encryption
• BLAKE2s for hashing
• Optional Pre-Shared Key (PSK)
• If a vulnerability is found, upgrade everything
https://www.wireguard.com/papers/wireguard.pdf
25 | Copyright © 2022
Downsides of Wireguard
• Could be very difficult to upgrade “everything” all at once for a discovered
vulnerability
• Not FIPS compliant
• Will not be FIPS compliant
− https://twitter.com/matthew_d_green/status/1443558648878350339
• Doesn’t solve for workload Mutual Authentication, Identity, or Authorization
26 | Copyright © 2022
Options to Layer Authentication for svc-to-svc?
• Wireguard “authenticates” its peers but has no knowledge of svc identities
• JWT access tokens (ie, OAuth 2.0 + Secure Token Service)
• Custom mutual authentication mechanism (see Cilium)
• Layer client certificates and TLS on top
27 | Copyright © 2022
Cilium’s approach to mutual authentication
28 | Copyright © 2022
Cilium’s approach to mutual authentication
29 | Copyright © 2022
Cilium’s approach to mutual authentication
30 | Copyright © 2022
Transport Layer Security
TLS 1.3
31 | Copyright © 2022
Transport Layer Security
32 | Copyright © 2022
Transport Layer Security (TLS 1.2)
33 | Copyright © 2022
Transport Layer Security (TLS 1.3)
34 | Copyright © 2022
Client Authentication (mTLS)
35 | Copyright © 2022
Why use TLS 1.3?
• Faster
− Handshake takes fewer round trips
• Safer (drop support for unsafe cryptographic algorithms)
− Remove RSA key exchange (doesn’t provide Forward Secrecy)
− Remove CBC/RC4 ciphers
− Restrict DH parameters to known secure params
− Handshake is signed by the server, cannot be tricked into downgrade
− Chose AEAD ciphers
36 | Copyright © 2022
TLS Can do Authentication, Encryption, Integrity Checks
• FIPS compliant implementations
• Private keys do not get sent over the wire (like JWT tokens)
• Can be terminated at the applications for end-to-end session
• TLS 1.3 brings simplification for ciphers/protocol negotiation
• Looks a lot more like Google ALTS!
37 | Copyright © 2022
Downsides to TLS
• No standard way to specify identity
• Key issuance, revocation, rotation can be complex
• How do the applications handle key material safely?
• What if applications mis-configure?
• Every language/framework/library is different
38 | Copyright © 2022
Standard Workload Identity Framework
with SPIFFE
39 | Copyright © 2022
Secure Production Identity Framework (for Everyone)
• Open Source Identity Specification for workloads
• Intended to solve the “universal workload identity problem”
• Independent of application type, network, or platform/cloud
• Specified with URI strings
• Verified via signed credentials (x509, JWT, etc)
• API and workflow for attestation built into SPIFFE implementations
• Intended to eliminate passwords, other secrets, etc
40 | Copyright © 2022
SPIFFE
41 | Copyright © 2022
Who is Service A?
42 | Copyright © 2022
Identity described in SVID
43 | Copyright © 2022
Identity for Workloads
44 | Copyright © 2022
SPIRE is a Production Implementation of SPIFFE
45 | Copyright © 2022
Bringing it Together Transparently
TLS 1.3 + SPIFFE
46 | Copyright © 2022
Now we know who Service A is…
47 | Copyright © 2022
An example implementation: Istio Ambient Mesh
https://istio.io/latest/blog/2022/introducing-ambient-mesh/
48 | Copyright © 2022
Istio Ambient Mesh (w/ TLS 1.3 + SPIFFE)
• Transparent to applications / RPC invocations
• Transparent encryption
• Simplified cryptography (limited key exchange/cipher algorithms)
• Authentication based on Identity NOT host machines
• Identity tied to chain of trust / key distribution (transparent to application)
• Authorization policies built around Identity model
49 | Copyright © 2022
Demo
50 | Copyright © 2022
Additional Resources
● https://lp.solo.io/white-paper-zero-trust
● https://cloud.google.com/docs/security/encryption-in-transit/applica
tion-layer-transport-security
● https://istio.io/latest/blog/2022/introducing-ambient-mesh/
● https://www.wireguard.com/papers/wireguard.pdf
● https://www.solo.io/zero-trust/
● https://academy.solo.io
● https://istio.io
● https://cilium.io
https://lp.solo.io/istio-ambient-mesh-explained
Thank You!

More Related Content

What's hot

Dataplane programming with eBPF: architecture and tools
Dataplane programming with eBPF: architecture and toolsDataplane programming with eBPF: architecture and tools
Dataplane programming with eBPF: architecture and tools
Stefano Salsano
 
CloudStack Networking
CloudStack NetworkingCloudStack Networking
OpenShift 4 installation
OpenShift 4 installationOpenShift 4 installation
OpenShift 4 installation
Robert Bohne
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
Christian Posta
 
Traffic Control with Envoy Proxy
Traffic Control with Envoy ProxyTraffic Control with Envoy Proxy
Traffic Control with Envoy Proxy
Mark McBride
 
VMware HCI solutions - 2020-01-16
VMware HCI solutions - 2020-01-16VMware HCI solutions - 2020-01-16
VMware HCI solutions - 2020-01-16
David Pasek
 
Extending HashiCorp Nomad with Plugins
Extending HashiCorp Nomad with PluginsExtending HashiCorp Nomad with Plugins
Extending HashiCorp Nomad with Plugins
Mitchell Pronschinske
 
CD using ArgoCD(KnolX).pdf
CD using ArgoCD(KnolX).pdfCD using ArgoCD(KnolX).pdf
CD using ArgoCD(KnolX).pdf
Knoldus Inc.
 
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin	Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Vietnam Open Infrastructure User Group
 
Gitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCDGitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCD
Haggai Philip Zagury
 
A day in the life of a VSAN I/O - STO7875
A day in the life of a VSAN I/O - STO7875A day in the life of a VSAN I/O - STO7875
A day in the life of a VSAN I/O - STO7875
Duncan Epping
 
Google Cloud Anthos on HPE Simplivity
Google Cloud Anthos on HPE SimplivityGoogle Cloud Anthos on HPE Simplivity
Google Cloud Anthos on HPE Simplivity
Tanawit Chansuchai
 
How to build a Kubernetes networking solution from scratch
How to build a Kubernetes networking solution from scratchHow to build a Kubernetes networking solution from scratch
How to build a Kubernetes networking solution from scratch
All Things Open
 
virtualization-vs-containerization-paas
virtualization-vs-containerization-paasvirtualization-vs-containerization-paas
virtualization-vs-containerization-paas
rajdeep
 
Introduction to CloudStack: How to Deploy and Manage Infrastructure-as-a-Serv...
Introduction to CloudStack: How to Deploy and Manage Infrastructure-as-a-Serv...Introduction to CloudStack: How to Deploy and Manage Infrastructure-as-a-Serv...
Introduction to CloudStack: How to Deploy and Manage Infrastructure-as-a-Serv...
CloudStack - Open Source Cloud Computing Project
 
Hyperconverged Infrastructure, It's the Future
Hyperconverged Infrastructure, It's the FutureHyperconverged Infrastructure, It's the Future
Hyperconverged Infrastructure, It's the Future
Howard Marks
 
Kubernetes CI/CD with Helm
Kubernetes CI/CD with HelmKubernetes CI/CD with Helm
Kubernetes CI/CD with Helm
Adnan Abdulhussein
 
Azure DevOps - Um case de sucesso
Azure DevOps - Um case de sucessoAzure DevOps - Um case de sucesso
Azure DevOps - Um case de sucesso
Armando Junior
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016
Docker, Inc.
 
Introduction to OpenFlow, SDN and NFV
Introduction to OpenFlow, SDN and NFVIntroduction to OpenFlow, SDN and NFV
Introduction to OpenFlow, SDN and NFV
Kingston Smiler
 

What's hot (20)

Dataplane programming with eBPF: architecture and tools
Dataplane programming with eBPF: architecture and toolsDataplane programming with eBPF: architecture and tools
Dataplane programming with eBPF: architecture and tools
 
CloudStack Networking
CloudStack NetworkingCloudStack Networking
CloudStack Networking
 
OpenShift 4 installation
OpenShift 4 installationOpenShift 4 installation
OpenShift 4 installation
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Traffic Control with Envoy Proxy
Traffic Control with Envoy ProxyTraffic Control with Envoy Proxy
Traffic Control with Envoy Proxy
 
VMware HCI solutions - 2020-01-16
VMware HCI solutions - 2020-01-16VMware HCI solutions - 2020-01-16
VMware HCI solutions - 2020-01-16
 
Extending HashiCorp Nomad with Plugins
Extending HashiCorp Nomad with PluginsExtending HashiCorp Nomad with Plugins
Extending HashiCorp Nomad with Plugins
 
CD using ArgoCD(KnolX).pdf
CD using ArgoCD(KnolX).pdfCD using ArgoCD(KnolX).pdf
CD using ArgoCD(KnolX).pdf
 
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin	Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
 
Gitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCDGitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCD
 
A day in the life of a VSAN I/O - STO7875
A day in the life of a VSAN I/O - STO7875A day in the life of a VSAN I/O - STO7875
A day in the life of a VSAN I/O - STO7875
 
Google Cloud Anthos on HPE Simplivity
Google Cloud Anthos on HPE SimplivityGoogle Cloud Anthos on HPE Simplivity
Google Cloud Anthos on HPE Simplivity
 
How to build a Kubernetes networking solution from scratch
How to build a Kubernetes networking solution from scratchHow to build a Kubernetes networking solution from scratch
How to build a Kubernetes networking solution from scratch
 
virtualization-vs-containerization-paas
virtualization-vs-containerization-paasvirtualization-vs-containerization-paas
virtualization-vs-containerization-paas
 
Introduction to CloudStack: How to Deploy and Manage Infrastructure-as-a-Serv...
Introduction to CloudStack: How to Deploy and Manage Infrastructure-as-a-Serv...Introduction to CloudStack: How to Deploy and Manage Infrastructure-as-a-Serv...
Introduction to CloudStack: How to Deploy and Manage Infrastructure-as-a-Serv...
 
Hyperconverged Infrastructure, It's the Future
Hyperconverged Infrastructure, It's the FutureHyperconverged Infrastructure, It's the Future
Hyperconverged Infrastructure, It's the Future
 
Kubernetes CI/CD with Helm
Kubernetes CI/CD with HelmKubernetes CI/CD with Helm
Kubernetes CI/CD with Helm
 
Azure DevOps - Um case de sucesso
Azure DevOps - Um case de sucessoAzure DevOps - Um case de sucesso
Azure DevOps - Um case de sucesso
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016
 
Introduction to OpenFlow, SDN and NFV
Introduction to OpenFlow, SDN and NFVIntroduction to OpenFlow, SDN and NFV
Introduction to OpenFlow, SDN and NFV
 

Similar to Understanding Wireguard, TLS and Workload Identity

Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
Toni de la Fuente
 
The Current And Future State Of Service Mesh
The Current And Future State Of Service MeshThe Current And Future State Of Service Mesh
The Current And Future State Of Service Mesh
Ram Vennam
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
lior mazor
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
Brian A. McHenry
 
Wwc developing hyperledger applications v4
Wwc  developing hyperledger applications v4Wwc  developing hyperledger applications v4
Wwc developing hyperledger applications v4
LennartF
 
How to Prevent Your Kubernetes Cluster From Being Hacked
How to Prevent Your Kubernetes Cluster From Being HackedHow to Prevent Your Kubernetes Cluster From Being Hacked
How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
OnBoard Security, Inc. - a Qualcomm Company
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptx
HansFarroCastillo1
 
Kaleido Platform Overview and Full-stack Blockchain Services
Kaleido Platform Overview and Full-stack Blockchain ServicesKaleido Platform Overview and Full-stack Blockchain Services
Kaleido Platform Overview and Full-stack Blockchain Services
Peter Broadhurst
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
DATA SECURITY SOLUTIONS
 
Service Mesh and Serverless Chatbots with Linkerd, K8s and OpenFaaS
Service Mesh and Serverless Chatbots with Linkerd, K8s and OpenFaaSService Mesh and Serverless Chatbots with Linkerd, K8s and OpenFaaS
Service Mesh and Serverless Chatbots with Linkerd, K8s and OpenFaaS
Software Guru
 
Was ist ein Service Mesh und wie funktioniert es?
Was ist ein Service Mesh und wie funktioniert es?Was ist ein Service Mesh und wie funktioniert es?
Was ist ein Service Mesh und wie funktioniert es?
Cloud Native Rosenheim Meetup
 
Cloud Expo New York: OpenFlow Is SDN Yet SDN Is Not Only OpenFlow
Cloud Expo New York: OpenFlow Is SDN Yet SDN Is Not Only OpenFlowCloud Expo New York: OpenFlow Is SDN Yet SDN Is Not Only OpenFlow
Cloud Expo New York: OpenFlow Is SDN Yet SDN Is Not Only OpenFlow
Cohesive Networks
 
Dejan Podgorsek - Is Hyperledger Fabric secure enough for your Business?
Dejan Podgorsek - Is Hyperledger Fabric secure enough for your Business?Dejan Podgorsek - Is Hyperledger Fabric secure enough for your Business?
Dejan Podgorsek - Is Hyperledger Fabric secure enough for your Business?
Hacken_Ecosystem
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptx
Vasiliy Fomichev
 
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-ManagerCentralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
SaiLinnThu2
 
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being HackedKCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
chaitraresume
chaitraresumechaitraresume
chaitraresume
Chaitra Shankar
 
Introducing ConnectGuard™ Cloud
Introducing ConnectGuard™ Cloud Introducing ConnectGuard™ Cloud
Introducing ConnectGuard™ Cloud
ADVA
 
Implementing zero trust in IBM Cloud Pak for Integration
Implementing zero trust in IBM Cloud Pak for IntegrationImplementing zero trust in IBM Cloud Pak for Integration
Implementing zero trust in IBM Cloud Pak for Integration
Kim Clark
 

Similar to Understanding Wireguard, TLS and Workload Identity (20)

Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
 
The Current And Future State Of Service Mesh
The Current And Future State Of Service MeshThe Current And Future State Of Service Mesh
The Current And Future State Of Service Mesh
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
Wwc developing hyperledger applications v4
Wwc  developing hyperledger applications v4Wwc  developing hyperledger applications v4
Wwc developing hyperledger applications v4
 
How to Prevent Your Kubernetes Cluster From Being Hacked
How to Prevent Your Kubernetes Cluster From Being HackedHow to Prevent Your Kubernetes Cluster From Being Hacked
How to Prevent Your Kubernetes Cluster From Being Hacked
 
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptx
 
Kaleido Platform Overview and Full-stack Blockchain Services
Kaleido Platform Overview and Full-stack Blockchain ServicesKaleido Platform Overview and Full-stack Blockchain Services
Kaleido Platform Overview and Full-stack Blockchain Services
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
 
Service Mesh and Serverless Chatbots with Linkerd, K8s and OpenFaaS
Service Mesh and Serverless Chatbots with Linkerd, K8s and OpenFaaSService Mesh and Serverless Chatbots with Linkerd, K8s and OpenFaaS
Service Mesh and Serverless Chatbots with Linkerd, K8s and OpenFaaS
 
Was ist ein Service Mesh und wie funktioniert es?
Was ist ein Service Mesh und wie funktioniert es?Was ist ein Service Mesh und wie funktioniert es?
Was ist ein Service Mesh und wie funktioniert es?
 
Cloud Expo New York: OpenFlow Is SDN Yet SDN Is Not Only OpenFlow
Cloud Expo New York: OpenFlow Is SDN Yet SDN Is Not Only OpenFlowCloud Expo New York: OpenFlow Is SDN Yet SDN Is Not Only OpenFlow
Cloud Expo New York: OpenFlow Is SDN Yet SDN Is Not Only OpenFlow
 
Dejan Podgorsek - Is Hyperledger Fabric secure enough for your Business?
Dejan Podgorsek - Is Hyperledger Fabric secure enough for your Business?Dejan Podgorsek - Is Hyperledger Fabric secure enough for your Business?
Dejan Podgorsek - Is Hyperledger Fabric secure enough for your Business?
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptx
 
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-ManagerCentralized TLS Certificates Management Using Vault PKI + Cert-Manager
Centralized TLS Certificates Management Using Vault PKI + Cert-Manager
 
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being HackedKCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
 
chaitraresume
chaitraresumechaitraresume
chaitraresume
 
Introducing ConnectGuard™ Cloud
Introducing ConnectGuard™ Cloud Introducing ConnectGuard™ Cloud
Introducing ConnectGuard™ Cloud
 
Implementing zero trust in IBM Cloud Pak for Integration
Implementing zero trust in IBM Cloud Pak for IntegrationImplementing zero trust in IBM Cloud Pak for Integration
Implementing zero trust in IBM Cloud Pak for Integration
 

More from Christian Posta

Move Auth, Policy, and Resilience to the Platform
Move Auth, Policy, and Resilience to the PlatformMove Auth, Policy, and Resilience to the Platform
Move Auth, Policy, and Resilience to the Platform
Christian Posta
 
Compliance and Zero Trust Ambient Mesh
Compliance and Zero Trust Ambient MeshCompliance and Zero Trust Ambient Mesh
Compliance and Zero Trust Ambient Mesh
Christian Posta
 
Cilium + Istio with Gloo Mesh
Cilium + Istio with Gloo MeshCilium + Istio with Gloo Mesh
Cilium + Istio with Gloo Mesh
Christian Posta
 
Multi-cluster service mesh with GlooMesh
Multi-cluster service mesh with GlooMeshMulti-cluster service mesh with GlooMesh
Multi-cluster service mesh with GlooMesh
Christian Posta
 
Multicluster Kubernetes and Service Mesh Patterns
Multicluster Kubernetes and Service Mesh PatternsMulticluster Kubernetes and Service Mesh Patterns
Multicluster Kubernetes and Service Mesh Patterns
Christian Posta
 
Cloud-Native Application Debugging with Envoy and Service Mesh
Cloud-Native Application Debugging with Envoy and Service MeshCloud-Native Application Debugging with Envoy and Service Mesh
Cloud-Native Application Debugging with Envoy and Service Mesh
Christian Posta
 
Kubernetes Ingress to Service Mesh (and beyond!)
Kubernetes Ingress to Service Mesh (and beyond!)Kubernetes Ingress to Service Mesh (and beyond!)
Kubernetes Ingress to Service Mesh (and beyond!)
Christian Posta
 
The Truth About the Service Mesh Data Plane
The Truth About the Service Mesh Data PlaneThe Truth About the Service Mesh Data Plane
The Truth About the Service Mesh Data Plane
Christian Posta
 
Deep Dive: Building external auth plugins for Gloo Enterprise
Deep Dive: Building external auth plugins for Gloo EnterpriseDeep Dive: Building external auth plugins for Gloo Enterprise
Deep Dive: Building external auth plugins for Gloo Enterprise
Christian Posta
 
Role of edge gateways in relation to service mesh adoption
Role of edge gateways in relation to service mesh adoptionRole of edge gateways in relation to service mesh adoption
Role of edge gateways in relation to service mesh adoption
Christian Posta
 
Navigating the service mesh landscape with Istio, Consul Connect, and Linkerd
Navigating the service mesh landscape with Istio, Consul Connect, and LinkerdNavigating the service mesh landscape with Istio, Consul Connect, and Linkerd
Navigating the service mesh landscape with Istio, Consul Connect, and Linkerd
Christian Posta
 
Chaos Debugging for Microservices
Chaos Debugging for MicroservicesChaos Debugging for Microservices
Chaos Debugging for Microservices
Christian Posta
 
Leveraging Envoy Proxy and GraphQL to Lower the Risk of Monolith to Microserv...
Leveraging Envoy Proxy and GraphQL to Lower the Risk of Monolith to Microserv...Leveraging Envoy Proxy and GraphQL to Lower the Risk of Monolith to Microserv...
Leveraging Envoy Proxy and GraphQL to Lower the Risk of Monolith to Microserv...
Christian Posta
 
Service-mesh options with Linkerd, Consul, Istio and AWS AppMesh
Service-mesh options with Linkerd, Consul, Istio and AWS AppMeshService-mesh options with Linkerd, Consul, Istio and AWS AppMesh
Service-mesh options with Linkerd, Consul, Istio and AWS AppMesh
Christian Posta
 
Intro Istio and what's new Istio 1.1
Intro Istio and what's new Istio 1.1Intro Istio and what's new Istio 1.1
Intro Istio and what's new Istio 1.1
Christian Posta
 
API Gateways are going through an identity crisis
API Gateways are going through an identity crisisAPI Gateways are going through an identity crisis
API Gateways are going through an identity crisis
Christian Posta
 
KubeCon NA 2018: Evolution of Integration and Microservices with Service Mesh...
KubeCon NA 2018: Evolution of Integration and Microservices with Service Mesh...KubeCon NA 2018: Evolution of Integration and Microservices with Service Mesh...
KubeCon NA 2018: Evolution of Integration and Microservices with Service Mesh...
Christian Posta
 
PHX DevOps Days: Service Mesh Landscape
PHX DevOps Days: Service Mesh LandscapePHX DevOps Days: Service Mesh Landscape
PHX DevOps Days: Service Mesh Landscape
Christian Posta
 
Intro to Knative
Intro to KnativeIntro to Knative
Intro to Knative
Christian Posta
 
API World: The service-mesh landscape
API World: The service-mesh landscapeAPI World: The service-mesh landscape
API World: The service-mesh landscape
Christian Posta
 

More from Christian Posta (20)

Move Auth, Policy, and Resilience to the Platform
Move Auth, Policy, and Resilience to the PlatformMove Auth, Policy, and Resilience to the Platform
Move Auth, Policy, and Resilience to the Platform
 
Compliance and Zero Trust Ambient Mesh
Compliance and Zero Trust Ambient MeshCompliance and Zero Trust Ambient Mesh
Compliance and Zero Trust Ambient Mesh
 
Cilium + Istio with Gloo Mesh
Cilium + Istio with Gloo MeshCilium + Istio with Gloo Mesh
Cilium + Istio with Gloo Mesh
 
Multi-cluster service mesh with GlooMesh
Multi-cluster service mesh with GlooMeshMulti-cluster service mesh with GlooMesh
Multi-cluster service mesh with GlooMesh
 
Multicluster Kubernetes and Service Mesh Patterns
Multicluster Kubernetes and Service Mesh PatternsMulticluster Kubernetes and Service Mesh Patterns
Multicluster Kubernetes and Service Mesh Patterns
 
Cloud-Native Application Debugging with Envoy and Service Mesh
Cloud-Native Application Debugging with Envoy and Service MeshCloud-Native Application Debugging with Envoy and Service Mesh
Cloud-Native Application Debugging with Envoy and Service Mesh
 
Kubernetes Ingress to Service Mesh (and beyond!)
Kubernetes Ingress to Service Mesh (and beyond!)Kubernetes Ingress to Service Mesh (and beyond!)
Kubernetes Ingress to Service Mesh (and beyond!)
 
The Truth About the Service Mesh Data Plane
The Truth About the Service Mesh Data PlaneThe Truth About the Service Mesh Data Plane
The Truth About the Service Mesh Data Plane
 
Deep Dive: Building external auth plugins for Gloo Enterprise
Deep Dive: Building external auth plugins for Gloo EnterpriseDeep Dive: Building external auth plugins for Gloo Enterprise
Deep Dive: Building external auth plugins for Gloo Enterprise
 
Role of edge gateways in relation to service mesh adoption
Role of edge gateways in relation to service mesh adoptionRole of edge gateways in relation to service mesh adoption
Role of edge gateways in relation to service mesh adoption
 
Navigating the service mesh landscape with Istio, Consul Connect, and Linkerd
Navigating the service mesh landscape with Istio, Consul Connect, and LinkerdNavigating the service mesh landscape with Istio, Consul Connect, and Linkerd
Navigating the service mesh landscape with Istio, Consul Connect, and Linkerd
 
Chaos Debugging for Microservices
Chaos Debugging for MicroservicesChaos Debugging for Microservices
Chaos Debugging for Microservices
 
Leveraging Envoy Proxy and GraphQL to Lower the Risk of Monolith to Microserv...
Leveraging Envoy Proxy and GraphQL to Lower the Risk of Monolith to Microserv...Leveraging Envoy Proxy and GraphQL to Lower the Risk of Monolith to Microserv...
Leveraging Envoy Proxy and GraphQL to Lower the Risk of Monolith to Microserv...
 
Service-mesh options with Linkerd, Consul, Istio and AWS AppMesh
Service-mesh options with Linkerd, Consul, Istio and AWS AppMeshService-mesh options with Linkerd, Consul, Istio and AWS AppMesh
Service-mesh options with Linkerd, Consul, Istio and AWS AppMesh
 
Intro Istio and what's new Istio 1.1
Intro Istio and what's new Istio 1.1Intro Istio and what's new Istio 1.1
Intro Istio and what's new Istio 1.1
 
API Gateways are going through an identity crisis
API Gateways are going through an identity crisisAPI Gateways are going through an identity crisis
API Gateways are going through an identity crisis
 
KubeCon NA 2018: Evolution of Integration and Microservices with Service Mesh...
KubeCon NA 2018: Evolution of Integration and Microservices with Service Mesh...KubeCon NA 2018: Evolution of Integration and Microservices with Service Mesh...
KubeCon NA 2018: Evolution of Integration and Microservices with Service Mesh...
 
PHX DevOps Days: Service Mesh Landscape
PHX DevOps Days: Service Mesh LandscapePHX DevOps Days: Service Mesh Landscape
PHX DevOps Days: Service Mesh Landscape
 
Intro to Knative
Intro to KnativeIntro to Knative
Intro to Knative
 
API World: The service-mesh landscape
API World: The service-mesh landscapeAPI World: The service-mesh landscape
API World: The service-mesh landscape
 

Recently uploaded

Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Nicolás Lopéz
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
Edge AI and Vision Alliance
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
Tatiana Al-Chueyr
 
The importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT StandardizationThe importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT Standardization
Axel Rennoch
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
rajancomputerfbd
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Zilliz
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
aakash malhotra
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
bhumivarma35300
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
HackersList
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
Kief Morris
 
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
Neo4j
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
digitalxplive
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
huseindihon
 
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSECHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
kumarjarun2010
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
Priyanka Aash
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
Anant Gupta
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Torry Harris
 
July Patch Tuesday
July Patch TuesdayJuly Patch Tuesday
July Patch Tuesday
Ivanti
 

Recently uploaded (20)

Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
 
The importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT StandardizationThe importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT Standardization
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
 
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
 
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSECHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
 
July Patch Tuesday
July Patch TuesdayJuly Patch Tuesday
July Patch Tuesday
 

Understanding Wireguard, TLS and Workload Identity

  • 1. 1 | Copyright © 2022 Understanding Wireguard, TLS and Workload Identity: The Backbone of Modern Service Networking
  • 2. 2 | Copyright © 2022 CHRISTIAN POSTA VP, Global Field CTO, Solo.io @christianposta christian@solo.io
  • 3. 3 | Copyright © 2022 01 02 03 04 05 Why do we need modern security? Case Study: Google ALTS Modern Networking Security Workload Identity Demos! Agenda
  • 4. 4 | Copyright © 2022 c Application Networking Well Funded ($175M), $1B valuation Satisfied Customers (130% Renewals) Cloud-native Technology Leadership Cloud-native Education Leadership TODAY’S BUSINESS DIGITAL BUSINESS The Service Mesh and API Platform for Kubernetes | Zero-Trust | Microservices
  • 5. 5 | Copyright © 2022 Service A can talk to Service B
  • 6. 6 | Copyright © 2022 Long Live IP!
  • 7. 7 | Copyright © 2022 Containerized Workloads
  • 8. 8 | Copyright © 2022 Beware!
  • 9. 9 | Copyright © 2022 Beware! https://www.theverge.com/2014/12/8/7352581/sony-pictures-hacked-storystream
  • 10. 10 | Copyright © 2022 Tenets of a Modern, Secure Network • Assume a Hostile Environment - There are malicious persona both inside and outside the environment • Presume Breach - Operate and Defend resources with the assumption that an adversary has presence in your environment • Never Trust, Always Verify - Deny by default. Every resource is explicitly authorized using least privilege multiple attributes, and dynamic cybersecurity principles • Scrutinize Explicitly - Access to resources is conditional and access can dynamically change based on action and confidence levels resulting from those actions • Apply Unified Analytics - for data, applications, assets, services to include behavioristics and log each transaction
  • 11. 11 | Copyright © 2022 Writing Networking Policy ● Who is calling whom ● Constraining who can call whom ● Avoid MiTM, eavesdropping ● Quota / QoS / Limits ● Logging, auditing ● Policy enforcement via fine-grained authz
  • 12. 12 | Copyright © 2022 Example from Google ALTS
  • 13. 13 | Copyright © 2022 Application Layer Transport Security • Built in 2007 (TLS 1.1 was the latest version at this point) • TLS 1.1 did not meet Google’s minimum security standards • A simpler, more tailored impl of TLS • More flexible workload identity model • Certs use ECDH keys, Uses DH key exchange, can provide PFS and AE • Uses Protocol Buffers to serialize certificates and protocol messages https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
  • 14. 14 | Copyright © 2022 ALTS Design • Transparent to applications / RPC invocations • Simplified cryptography (limited key exchange/cipher algorithms) • Authentication based on Identity NOT host machines • Identity tied to chain of trust / key distribution (transparent to application) • Authorization policies built around Identity model https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
  • 15. 15 | Copyright © 2022 Transparent ALTS
  • 16. 16 | Copyright © 2022 Handshake / Record Protocol
  • 17. 17 | Copyright © 2022 ALTS is Proven at Scale Should we build ALTS?
  • 18. 18 | Copyright © 2022 No. Modern Building Blocks Exist Let’s take a look
  • 19. 19 | Copyright © 2022 Modern, Secure Service Networking • Transparent to applications / RPC invocations • Transparent encryption • Simplified cryptography (limited key exchange/cipher algorithms) • Authentication based on Identity NOT host machines • Identity tied to chain of trust / key distribution (transparent to application) • Authorization policies built around Identity model
  • 20. 20 | Copyright © 2022 Wireguard Transparent encryption made easy
  • 21. 21 | Copyright © 2022 Wireguard
  • 22. 22 | Copyright © 2022 Wireguard • A Kernel/OS module aimed at transparently encrypting IP between two nodes for VPN use cases • Simple code base (around 7k LOC vs e.g., 100K+ IPSec) • No cipher/protocol negotiation; fixed cryptography • For L3, encapsulate encrypted packets in UDP • Intended to use ciphers that afford more performance • Simplified configuration, out of band public-key exchange https://www.wireguard.com/papers/wireguard.pdf
  • 23. 23 | Copyright © 2022 Configure public keys and it just works
  • 24. 24 | Copyright © 2022 Opinionated Crypto (Based on the Noise Framework) • Elliptic Curve Diffie Hellman with Curve22519 • ChaCha20+Poly1305 for Authenticated Encryption • BLAKE2s for hashing • Optional Pre-Shared Key (PSK) • If a vulnerability is found, upgrade everything https://www.wireguard.com/papers/wireguard.pdf
  • 25. 25 | Copyright © 2022 Downsides of Wireguard • Could be very difficult to upgrade “everything” all at once for a discovered vulnerability • Not FIPS compliant • Will not be FIPS compliant − https://twitter.com/matthew_d_green/status/1443558648878350339 • Doesn’t solve for workload Mutual Authentication, Identity, or Authorization
  • 26. 26 | Copyright © 2022 Options to Layer Authentication for svc-to-svc? • Wireguard “authenticates” its peers but has no knowledge of svc identities • JWT access tokens (ie, OAuth 2.0 + Secure Token Service) • Custom mutual authentication mechanism (see Cilium) • Layer client certificates and TLS on top
  • 27. 27 | Copyright © 2022 Cilium’s approach to mutual authentication
  • 28. 28 | Copyright © 2022 Cilium’s approach to mutual authentication
  • 29. 29 | Copyright © 2022 Cilium’s approach to mutual authentication
  • 30. 30 | Copyright © 2022 Transport Layer Security TLS 1.3
  • 31. 31 | Copyright © 2022 Transport Layer Security
  • 32. 32 | Copyright © 2022 Transport Layer Security (TLS 1.2)
  • 33. 33 | Copyright © 2022 Transport Layer Security (TLS 1.3)
  • 34. 34 | Copyright © 2022 Client Authentication (mTLS)
  • 35. 35 | Copyright © 2022 Why use TLS 1.3? • Faster − Handshake takes fewer round trips • Safer (drop support for unsafe cryptographic algorithms) − Remove RSA key exchange (doesn’t provide Forward Secrecy) − Remove CBC/RC4 ciphers − Restrict DH parameters to known secure params − Handshake is signed by the server, cannot be tricked into downgrade − Chose AEAD ciphers
  • 36. 36 | Copyright © 2022 TLS Can do Authentication, Encryption, Integrity Checks • FIPS compliant implementations • Private keys do not get sent over the wire (like JWT tokens) • Can be terminated at the applications for end-to-end session • TLS 1.3 brings simplification for ciphers/protocol negotiation • Looks a lot more like Google ALTS!
  • 37. 37 | Copyright © 2022 Downsides to TLS • No standard way to specify identity • Key issuance, revocation, rotation can be complex • How do the applications handle key material safely? • What if applications mis-configure? • Every language/framework/library is different
  • 38. 38 | Copyright © 2022 Standard Workload Identity Framework with SPIFFE
  • 39. 39 | Copyright © 2022 Secure Production Identity Framework (for Everyone) • Open Source Identity Specification for workloads • Intended to solve the “universal workload identity problem” • Independent of application type, network, or platform/cloud • Specified with URI strings • Verified via signed credentials (x509, JWT, etc) • API and workflow for attestation built into SPIFFE implementations • Intended to eliminate passwords, other secrets, etc
  • 40. 40 | Copyright © 2022 SPIFFE
  • 41. 41 | Copyright © 2022 Who is Service A?
  • 42. 42 | Copyright © 2022 Identity described in SVID
  • 43. 43 | Copyright © 2022 Identity for Workloads
  • 44. 44 | Copyright © 2022 SPIRE is a Production Implementation of SPIFFE
  • 45. 45 | Copyright © 2022 Bringing it Together Transparently TLS 1.3 + SPIFFE
  • 46. 46 | Copyright © 2022 Now we know who Service A is…
  • 47. 47 | Copyright © 2022 An example implementation: Istio Ambient Mesh https://istio.io/latest/blog/2022/introducing-ambient-mesh/
  • 48. 48 | Copyright © 2022 Istio Ambient Mesh (w/ TLS 1.3 + SPIFFE) • Transparent to applications / RPC invocations • Transparent encryption • Simplified cryptography (limited key exchange/cipher algorithms) • Authentication based on Identity NOT host machines • Identity tied to chain of trust / key distribution (transparent to application) • Authorization policies built around Identity model
  • 49. 49 | Copyright © 2022 Demo
  • 50. 50 | Copyright © 2022 Additional Resources ● https://lp.solo.io/white-paper-zero-trust ● https://cloud.google.com/docs/security/encryption-in-transit/applica tion-layer-transport-security ● https://istio.io/latest/blog/2022/introducing-ambient-mesh/ ● https://www.wireguard.com/papers/wireguard.pdf ● https://www.solo.io/zero-trust/ ● https://academy.solo.io ● https://istio.io ● https://cilium.io https://lp.solo.io/istio-ambient-mesh-explained