The document discusses the concept of zero trust security, emphasizing its importance in modern technology environments, particularly with the rise of microservices and cloud computing. It outlines key tenets of zero trust architecture such as dynamic access policies, the necessity of continuous monitoring, and principles for securing Kubernetes environments. Additionally, it suggests next steps for organizations to assess their security postures and implement zero trust practices effectively.

1. ©2022 F5
1

2. | ©2020 F5
2
PRINCIPAL SOFTWARE ENGINEER
NGINX KUBERNETES SOLUTIONS
Matthew Yacobucci
What Zero Trust security is and why it matters
About real-world challenges and how
to address them
Why an Ingress controller and service
mesh are essential components
How you can help fulfill Zero Trust
requirements for your organization

3. ©2022 F5
4
What percentage of your apps run on Kubernetes?
• Fewer than 20%
• 21-40%
• 41-60%
• 61-80%
• More than 80%
Zoom Poll – Question #1

4. ©2022 F5
5
What industry do you work in?
• Banking and Financial Services
• Public Sector
• Healthcare
• Technology
• eCommerce
• Service Provider
• Other (share in Zoom chat)
Zoom Poll – Question #2

5. ©2022 F5
6
Where is your organization with Zero Trust?
• We are curious about Zero Trust
• We are exploring how to implement Zero Trust
• We are strategizing how to implement Zero Trust
• We have a defined roadmap for implementing Zero Trust
• We have implemented Zero Trust
• Other (explain in chat)
Zoom Poll – Question #3

6. ©2022 F5
7
Why are you interested in Zero Trust?
• I’m a CISO
• I’m an architect or developer interested in security best practices
• I’m trying to make my app more secure
• I’m not interested… but I’m doing it because I have to do it
• I’m just here to learn
• Other (explain in chat)
Zoom Poll – Question #4

7. ©2022 F5
8
• Our security approaches evolve with how we use technology.
• The old model – the moat and castle.
• A single checkpoint was considered enough to enter the castle. Tied into something you know.
• The barbarians at the gates.
• Dwell time & lateral movement.
• Microservices and containerization.
• BYOD.
• Cloud-agnosticism.
Zero Trust – Why?

8. ©2022 F5
9
• An approach – NOT a product.
• Is it hype?
• Trust itself is a vulnerability (Kindervag).
• Try to shrink the perimeter down to zero – on every dimension (identity, device, network, time).
• The attacker is already in the castle.
• Not only that – you need to travel through hostile territory when you leave your own gates.
Zero Trust – Philosophy?

9. ©2022 F5
10
Zero Trust – What?
Tenets (NIST Special Publication 800-207 ”Zero Trust Architecture”)
1. All data sources and computing services are considered resources.
2. All communication is secured regardless of network location.
3. Access to individual enterprise resources is granted on a per-session basis.
4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service,
and the requesting asset—and may include other behavioral and environmental attributes.
5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and
communications and uses it to improve its security posture.

10. ©2022 F5
11
Zero Trust – How?
• Security is a Design process
• Focus on business outcomes
• Design from the inside-out
• Least Privileges
• Inspect and log all traffic
• Nothing and no one is trusted – users, applications, networks, servers, services, nor APIs.
• Every single element at every single layer must be authenticated and tested for authorization.
• Temporal limits on authentication / authorization.
• When technology assets, apps, or services connect and exchange data, all communication is encrypted.
• ZT organizations (and by extension systems) operate at every level on a least-privilege basis, denying access to all parties save those explicitly authorized for a
particular resource. Ephemeral privileges.
• Perimeters may not completely disappear (legacy apps / hardware). Micro-segmentation of the network.
• Observability is an important aspect – if we assume the attacker is already inside the network, we need the ability to detect them through
monitoring their behavior.
• Automation and repeatability are paramount; especially as architectures become more complex and distributed.

11. ©2022 F5
12
Improve your security posture by:
• Automatically preventing unauthorized activity
• Reducing the accessible attack surface through access controls
• Quickly detecting behavioral anomalies and indicators of compromise
• Limiting access time through real-time least-privilege policies
• Making security contextual of all other variables, including environment and geography
• Blocking ongoing attacks through constant authentication and identity validation
Benefits of Adopting a Zero Trust Philosophy

12. ©2022 F5
13
https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
• Controlling access to the Kubernetes API
• Controlling the capabilities of a workload or user at runtime
• Protecting cluster components from compromise
• Kubescape is your friend
Kubernetes Cluster General Security Principles

13. ©2022 F5
14

14. ©2022 F5
15

15. ©2022 F5
16

16. ©2022 F5
17

17. ©2022 F5
18

18. ©2022 F5
19

19. ©2022 F5
20

20. ©2022 F5
21

21. ©2022 F5
22
Next Steps
• Have a conversation with your team
• Evaluate your current environment
• Evaluate technologies, current security stance, TMAs
• Determine what you have in place right now and will it work for K8s (Kubescape)
• Secure development lifecycle: what are your processes? (Supply-chain!)
• Identify the tools do you need to get started (hint: Ingress controller!, Kubescape, Container scanning)
Moving past your first steps...

22. | ©2021 F5
23
Q&A

23. ©2022 F5
24
Learn More
Read the Blog Get the eBook