SlideShare ist ein Scribd-Unternehmen logo

apidays LIVE Hong Kong 2021 - Zero Trust security with Service Mesh by Laurent Petroque, F5 Networks

Als PPTX, PDF herunterladen
apidays
apidays

This document discusses using a service mesh to implement zero trust security in Kubernetes environments. It begins by explaining what problems a service mesh addresses in Kubernetes networking and then discusses how a service mesh can provide network policies, mutual TLS encryption between services, role-based access control, and other features to enforce zero trust principles. The document emphasizes that a service mesh allows fine-grained control of inter-service traffic and centralized management of microservices connections in a way that supports strong authentication of identities and authorization of access.

Technologie
1 von 27
Ace Zero Trust with a Service Mesh APIDAYS LIVE HONG KONG 2021
| ©2021 F5 2 DIRECTOR, SOLUTIONS ENGINEERING @ NGINX (PART OF F5) Laurent Petroque Whether you're ready for a service mesh How to choose a mesh that’s right for your apps The importance of a high-performance Kubernetes application data plane Zero Trust Security with a Service Mesh
| ©2021 F5 3 PRETTY WELL SUMS IT UP… Kubernetes Networking Is Hard
| ©2021 F5 4 WHAT’S MISSING IN K8S AND WHAT DO YOU REALLY WANT AND NEED FROM A MESH? Networking: K8, L3, L4, L5, L7 • K8s, and CNI, provides L4 servicing – IP endpoints • Many, complex options • https://kubernetes.io/docs/concepts/cluster-administration/networking/ • L7 Traffic Management is missing • Policy-based routing • Service-level access control • SSL/mTLS enforcement • Enter: Service Mesh
| ©2021 F5 5 WHAT’S MISSING IN K8S AND WHAT DO YOU REALLY WANT AND NEED FROM A MESH? What Is A Service Mesh? • A service mesh adds L7 traffic management & security: • sidecar deployment • policy management • application availability/health, • Service mesh isn’t just one “thing”, it’s a lot of managed and dependent components • Takes over where K8s networking stops (service/pod IP endpoints) • “Traffic management for containers”
| ©2021 F5 6 L7 Logic (Ingress) L3-L4 Networking L3 – L7 Network Management == Service Mesh An Overly Simplified Picture
| ©2021 F5 7 Risks of adopting a mesh too early… ✅ Complexity ✅ Complexity ✅ Complexity Preparing for a Mesh Useful References: • https://www.nginx.com/resources/datasheets/ngin x-service-mesh/ • https://www.nginx.com/blog/how-to-choose-a- service-mesh/
| ©2021 F5 8
| ©2021 F5 9
| ©2021 F5 10
| ©2021 F5 11
| ©2021 F5 12
| ©2021 F5 13
| ©2021 F5 14 IT DEPENDS… Selecting a Service Mesh Why are you looking for a service mesh? (what are your use cases?)
| ©2021 F5 15 Service Mesh Use Cases Secure Traffic End-to-end encryption (Mutual TLS / mTLS), ACLs Manage All Service Traffic Load Balance, Circuit breaker, B|G, Rate Limiting… Orchestration Injection and sidecar management, K8s API integration Visualize Traffic Generate transaction traces and real-time monitoring
| ©2021 F5 16 IT DEPENDS… Selecting a Service Mesh Why are you looking for a service mesh? (what are your use cases?) How will you use the service mesh?
| ©2021 F5 17 Developers Do you plan to add security to a legacy app that is moving into Kubernetes? Are you going to incorporate security as you refactor an app into a native Kubernetes app? Platform/Infrastructure Team Are you going to add the service mesh into your CI/CD pipeline so that it’s automatically deployed and configured with every new cluster and available when a developer spins up a new instance? How will you use the service mesh? IT DEPENDS WHO YOU ARE
| ©2021 F5 18 IT DEPENDS… Selecting a Service Mesh Why are you looking for a service mesh? (what are your use cases?) How will you use the service mesh? Is zero trust a factor in your selection?
| ©2021 F5 19 Zero Trust in a Service Mesh
| ©2021 F5 20 • Average cost of data breach is $3.92 million (source: IBM-sponsored study) • Average time to identify and contain a breach is 279 days • Average lifecycle of a malicious attack from breach to containment is 314 days CONFIDENTIAL Why think about Zero Trust Security?
| ©2021 F5 21 Networks should always be considered hostile. • Just because you’re inside the “castle” does not make you safe. Network locality is not sufficient for deciding trust in a network. • Just because you know someone next to you in the “castle”, doesn’t mean you should trust them. Every device, user, and request is authenticated and authorized. • Ensure that every person entering the “castle” has been properly identified and is allowed to enter. Network policies must be dynamic and calculated from as many sources of data as possible. • Ask as many people as possible when validating if someone is allowed to enter the “castle”. SOURCE: MICROSERVICE SECURITY & COMPLIANCE: ZERO TRUST SECURITY (ASPENMESH.IO) CONFIDENTIAL Zero Trust Networking Principles
| ©2021 F5 22 Service Identities – Protect from Service Impersonation • every device, user, and request is authenticated and authorized Mutual Transport Layer Securities (mTLS) – Protect from Packet Sniffing • encrypting service-to-service communication and achieving non-repudiation for requests Role Based Access Control (RBAC) – Prevent unauthorized access • easily define what services are allowed to communicate and what endpoints services and users are allowed to communicate with Network Policy - Prevent Data exfiltration • enforce networking rules at runtime CONFIDENTIAL The Power of Two: Zero Trust and Service Mesh Source: Microservice Security & Compliance: Zero Trust Security (aspenmesh.io)
| ©2021 F5 23 • Govern service-to-service traffic • Centralize management of microservices, controlling both ends of the connection • mTLS to encrypt and authenticate data CONFIDENTIAL Service Mesh and mTLS
| ©2021 F5 24 CONFIDENTIAL
| ©2021 F5 25 CONFIDENTIAL Scan the QR Code and enjoy a free NGINX Scan Service
| ©2021 F5 26 Laurent Petroque Linkedin: laurentpetroque Email: contactme_nginxapac@f5.com Download this complimentary O’Reilly eBook! https://www.nginx.com/resources/library/
apidays LIVE Hong Kong 2021 - Zero Trust security with Service Mesh by Laurent Petroque, F5 Networks

Empfohlen

apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
apidays
 
apidays LIVE New York 2021 - Solving API security through holistic obervabili...
apidays LIVE New York 2021 - Solving API security through holistic obervabili...apidays LIVE New York 2021 - Solving API security through holistic obervabili...
apidays LIVE New York 2021 - Solving API security through holistic obervabili...
apidays
 
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...
apidays
 
apidays LIVE Paris - Avoid Building a Microservices Death Star by Przemek Kulik
apidays LIVE Paris - Avoid Building a Microservices Death Star by Przemek Kulikapidays LIVE Paris - Avoid Building a Microservices Death Star by Przemek Kulik
apidays LIVE Paris - Avoid Building a Microservices Death Star by Przemek Kulik
apidays
 
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...
apidays
 
CSA Presentation - Software Defined Perimeter
CSA Presentation - Software Defined PerimeterCSA Presentation - Software Defined Perimeter
CSA Presentation - Software Defined Perimeter
Vishwas Manral
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays
 
apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...
apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...
apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...
apidays
 

Empfohlen

apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
apidays
 
apidays LIVE New York 2021 - Solving API security through holistic obervabili...
apidays LIVE New York 2021 - Solving API security through holistic obervabili...apidays LIVE New York 2021 - Solving API security through holistic obervabili...
apidays LIVE New York 2021 - Solving API security through holistic obervabili...
apidays
 
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...
apidays
 
apidays LIVE Paris - Avoid Building a Microservices Death Star by Przemek Kulik
apidays LIVE Paris - Avoid Building a Microservices Death Star by Przemek Kulikapidays LIVE Paris - Avoid Building a Microservices Death Star by Przemek Kulik
apidays LIVE Paris - Avoid Building a Microservices Death Star by Przemek Kulik
apidays
 
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...
apidays
 
CSA Presentation - Software Defined Perimeter
CSA Presentation - Software Defined PerimeterCSA Presentation - Software Defined Perimeter
CSA Presentation - Software Defined Perimeter
Vishwas Manral
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays
 
apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...
apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...
apidays LIVE Singapore 2021 - Protecting the API ecosystem by Omaru Maruatona...
apidays
 
The Software-Defined Perimeter: Securing Network Access for the Modern Workforce
The Software-Defined Perimeter: Securing Network Access for the Modern WorkforceThe Software-Defined Perimeter: Securing Network Access for the Modern Workforce
The Software-Defined Perimeter: Securing Network Access for the Modern Workforce
Perimeter 81
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays
 
Hardware Lab. Andrew Kokhanovskyi. Kaa introduction
Hardware Lab. Andrew Kokhanovskyi. Kaa introductionHardware Lab. Andrew Kokhanovskyi. Kaa introduction
Hardware Lab. Andrew Kokhanovskyi. Kaa introduction
GeeksLab Odessa
 
AppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the CloudAppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the Cloud
Cryptzone
 
Advanced Event Brokers
Advanced Event BrokersAdvanced Event Brokers
Advanced Event Brokers
Solace
 
Advanced Event Brokers
Advanced Event BrokersAdvanced Event Brokers
Advanced Event Brokers
Nick Donaldson
 
APIdays Paris 2019 - API Platform Architecture: What to know before going ope...
APIdays Paris 2019 - API Platform Architecture: What to know before going ope...APIdays Paris 2019 - API Platform Architecture: What to know before going ope...
APIdays Paris 2019 - API Platform Architecture: What to know before going ope...
apidays
 
Keepler | Full-Stack Serverless Applications on GCP
Keepler | Full-Stack Serverless Applications on GCPKeepler | Full-Stack Serverless Applications on GCP
Keepler | Full-Stack Serverless Applications on GCP
Keepler Data Tech
 
apidays LIVE Jakarta - Building an Event-Driven Architecture by Harin Honesty...
apidays LIVE Jakarta - Building an Event-Driven Architecture by Harin Honesty...apidays LIVE Jakarta - Building an Event-Driven Architecture by Harin Honesty...
apidays LIVE Jakarta - Building an Event-Driven Architecture by Harin Honesty...
apidays
 
Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?
Cryptzone
 
Solace Strategic Update: October 2018
Solace Strategic Update: October 2018Solace Strategic Update: October 2018
Solace Strategic Update: October 2018
Solace
 
(SACON) Anant Shrivastava - cloud pentesting
(SACON) Anant Shrivastava - cloud pentesting(SACON) Anant Shrivastava - cloud pentesting
(SACON) Anant Shrivastava - cloud pentesting
Priyanka Aash
 
APIdays Paris 2019 - Adopting Service Mesh by Marco Palladino , Kong
APIdays Paris 2019 - Adopting Service Mesh by Marco Palladino , KongAPIdays Paris 2019 - Adopting Service Mesh by Marco Palladino , Kong
APIdays Paris 2019 - Adopting Service Mesh by Marco Palladino , Kong
apidays
 
Webinar IoT Cloud Platforms and Middleware for Rapid Application Development
Webinar IoT Cloud Platforms and Middleware for Rapid Application DevelopmentWebinar IoT Cloud Platforms and Middleware for Rapid Application Development
Webinar IoT Cloud Platforms and Middleware for Rapid Application Development
Harbinger Systems - HRTech Builder of Choice
 
Built on Pulsar: A Commercial Consent Management System for 80 Million Citizens
Built on Pulsar: A Commercial Consent Management System for 80 Million CitizensBuilt on Pulsar: A Commercial Consent Management System for 80 Million Citizens
Built on Pulsar: A Commercial Consent Management System for 80 Million Citizens
StreamNative
 
Balancing Mobile UX & Security: An API Management Perspective Presentation fr...
Balancing Mobile UX & Security: An API Management Perspective Presentation fr...Balancing Mobile UX & Security: An API Management Perspective Presentation fr...
Balancing Mobile UX & Security: An API Management Perspective Presentation fr...
CA API Management
 
Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)
Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)
Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)
Codit
 
High performance data center computing using manageable distributed computing
High performance data center computing using manageable distributed computingHigh performance data center computing using manageable distributed computing
High performance data center computing using manageable distributed computing
Juniper Networks
 
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
WSO2
 
Dell NVIDIA AI Powered Transformation in Financial Services Webinar
Dell NVIDIA AI Powered Transformation in Financial Services WebinarDell NVIDIA AI Powered Transformation in Financial Services Webinar
Dell NVIDIA AI Powered Transformation in Financial Services Webinar
Bill Wong
 
Data Plane Matters! A Deep Dive and Demo on NGINX Service Mesh
Data Plane Matters! A Deep Dive and Demo on NGINX Service MeshData Plane Matters! A Deep Dive and Demo on NGINX Service Mesh
Data Plane Matters! A Deep Dive and Demo on NGINX Service Mesh
NGINX, Inc.
 
Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?
DevOps.com
 

Weitere ähnliche Inhalte

Was ist angesagt?

Webinar IoT Cloud Platforms and Middleware for Rapid Application Development
Webinar IoT Cloud Platforms and Middleware for Rapid Application DevelopmentWebinar IoT Cloud Platforms and Middleware for Rapid Application Development
Webinar IoT Cloud Platforms and Middleware for Rapid Application Development
Harbinger Systems - HRTech Builder of Choice
 
Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)
Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)
Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)
Codit
 
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
WSO2
 

Was ist angesagt? (20)

The Software-Defined Perimeter: Securing Network Access for the Modern Workforce
The Software-Defined Perimeter: Securing Network Access for the Modern WorkforceThe Software-Defined Perimeter: Securing Network Access for the Modern Workforce
The Software-Defined Perimeter: Securing Network Access for the Modern Workforce
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
 
Hardware Lab. Andrew Kokhanovskyi. Kaa introduction
Hardware Lab. Andrew Kokhanovskyi. Kaa introductionHardware Lab. Andrew Kokhanovskyi. Kaa introduction
Hardware Lab. Andrew Kokhanovskyi. Kaa introduction
 
AppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the CloudAppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the Cloud
 
Advanced Event Brokers
Advanced Event BrokersAdvanced Event Brokers
Advanced Event Brokers
 
Advanced Event Brokers
Advanced Event BrokersAdvanced Event Brokers
Advanced Event Brokers
 
APIdays Paris 2019 - API Platform Architecture: What to know before going ope...
APIdays Paris 2019 - API Platform Architecture: What to know before going ope...APIdays Paris 2019 - API Platform Architecture: What to know before going ope...
APIdays Paris 2019 - API Platform Architecture: What to know before going ope...
 
Keepler | Full-Stack Serverless Applications on GCP
Keepler | Full-Stack Serverless Applications on GCPKeepler | Full-Stack Serverless Applications on GCP
Keepler | Full-Stack Serverless Applications on GCP
 
apidays LIVE Jakarta - Building an Event-Driven Architecture by Harin Honesty...
apidays LIVE Jakarta - Building an Event-Driven Architecture by Harin Honesty...apidays LIVE Jakarta - Building an Event-Driven Architecture by Harin Honesty...
apidays LIVE Jakarta - Building an Event-Driven Architecture by Harin Honesty...
 
Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?
 
Solace Strategic Update: October 2018
Solace Strategic Update: October 2018Solace Strategic Update: October 2018
Solace Strategic Update: October 2018
 
(SACON) Anant Shrivastava - cloud pentesting
(SACON) Anant Shrivastava - cloud pentesting(SACON) Anant Shrivastava - cloud pentesting
(SACON) Anant Shrivastava - cloud pentesting
 
APIdays Paris 2019 - Adopting Service Mesh by Marco Palladino , Kong
APIdays Paris 2019 - Adopting Service Mesh by Marco Palladino , KongAPIdays Paris 2019 - Adopting Service Mesh by Marco Palladino , Kong
APIdays Paris 2019 - Adopting Service Mesh by Marco Palladino , Kong
 
Webinar IoT Cloud Platforms and Middleware for Rapid Application Development
Webinar IoT Cloud Platforms and Middleware for Rapid Application DevelopmentWebinar IoT Cloud Platforms and Middleware for Rapid Application Development
Webinar IoT Cloud Platforms and Middleware for Rapid Application Development
 
Built on Pulsar: A Commercial Consent Management System for 80 Million Citizens
Built on Pulsar: A Commercial Consent Management System for 80 Million CitizensBuilt on Pulsar: A Commercial Consent Management System for 80 Million Citizens
Built on Pulsar: A Commercial Consent Management System for 80 Million Citizens
 
Balancing Mobile UX & Security: An API Management Perspective Presentation fr...
Balancing Mobile UX & Security: An API Management Perspective Presentation fr...Balancing Mobile UX & Security: An API Management Perspective Presentation fr...
Balancing Mobile UX & Security: An API Management Perspective Presentation fr...
 
Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)
Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)
Volwassen IoT-oplossingen met Microsoft Azure (Sam Vanhoutte at CONNECT17)
 
High performance data center computing using manageable distributed computing
High performance data center computing using manageable distributed computingHigh performance data center computing using manageable distributed computing
High performance data center computing using manageable distributed computing
 
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
 
Dell NVIDIA AI Powered Transformation in Financial Services Webinar
Dell NVIDIA AI Powered Transformation in Financial Services WebinarDell NVIDIA AI Powered Transformation in Financial Services Webinar
Dell NVIDIA AI Powered Transformation in Financial Services Webinar
 

Ähnlich wie apidays LIVE Hong Kong 2021 - Zero Trust security with Service Mesh by Laurent Petroque, F5 Networks

Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?
DevOps.com
 
Control Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXControl Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINX
NGINX, Inc.
 
Control Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXControl Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINX
NGINX, Inc.
 
INTERFACE, by apidays - Challenges of exposing and connecting microservices
INTERFACE, by apidays - Challenges of exposing and connecting microservicesINTERFACE, by apidays - Challenges of exposing and connecting microservices
INTERFACE, by apidays - Challenges of exposing and connecting microservices
apidays
 
Implementing Docker Load Balancing in Microservices Infrastructure
Implementing Docker Load Balancing in Microservices InfrastructureImplementing Docker Load Balancing in Microservices Infrastructure
Implementing Docker Load Balancing in Microservices Infrastructure
DevSecOpsSg
 

Ähnlich wie apidays LIVE Hong Kong 2021 - Zero Trust security with Service Mesh by Laurent Petroque, F5 Networks (20)

Data Plane Matters! A Deep Dive and Demo on NGINX Service Mesh
Data Plane Matters! A Deep Dive and Demo on NGINX Service MeshData Plane Matters! A Deep Dive and Demo on NGINX Service Mesh
Data Plane Matters! A Deep Dive and Demo on NGINX Service Mesh
 
Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?
 
Modernizing Application Deployments with HashiCorp Consul on Microsoft Azure
Modernizing Application Deployments with HashiCorp Consul on Microsoft AzureModernizing Application Deployments with HashiCorp Consul on Microsoft Azure
Modernizing Application Deployments with HashiCorp Consul on Microsoft Azure
 
Control Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXControl Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINX
 
Service mesh
Service meshService mesh
Service mesh
 
Api observability
Api observability Api observability
Api observability
 
ISTIO Deep Dive
ISTIO Deep DiveISTIO Deep Dive
ISTIO Deep Dive
 
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...
[APIdays Paris 2019] API Management in Service Mesh Using Istio and WSO2 API ...
 
Next Generation DDoS Services – can we do this with NFV? - CF Chui
Next Generation DDoS Services – can we do this with NFV? - CF ChuiNext Generation DDoS Services – can we do this with NFV? - CF Chui
Next Generation DDoS Services – can we do this with NFV? - CF Chui
 
APIdays Paris 2019 - Cloud native API Management for Microservices on a Servi...
APIdays Paris 2019 - Cloud native API Management for Microservices on a Servi...APIdays Paris 2019 - Cloud native API Management for Microservices on a Servi...
APIdays Paris 2019 - Cloud native API Management for Microservices on a Servi...
 
Istio Triangle Kubernetes Meetup Aug 2019
Istio Triangle Kubernetes Meetup Aug 2019Istio Triangle Kubernetes Meetup Aug 2019
Istio Triangle Kubernetes Meetup Aug 2019
 
Control Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXControl Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINX
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
 
apidays LIVE Paris 2021 - Advanced Authentication patterns at the Edge by Den...
apidays LIVE Paris 2021 - Advanced Authentication patterns at the Edge by Den...apidays LIVE Paris 2021 - Advanced Authentication patterns at the Edge by Den...
apidays LIVE Paris 2021 - Advanced Authentication patterns at the Edge by Den...
 
Fundamentals of microservices
Fundamentals of microservicesFundamentals of microservices
Fundamentals of microservices
 
Colt's evolution from MPLS to Cloud Networking
Colt's evolution from MPLS to Cloud Networking Colt's evolution from MPLS to Cloud Networking
Colt's evolution from MPLS to Cloud Networking
 
INTERFACE, by apidays - Challenges of exposing and connecting microservices
INTERFACE, by apidays - Challenges of exposing and connecting microservicesINTERFACE, by apidays - Challenges of exposing and connecting microservices
INTERFACE, by apidays - Challenges of exposing and connecting microservices
 
Cisco Connect Toronto 2017 - NFV/SDN Platform for Orchestrating Cloud and vBr...
Cisco Connect Toronto 2017 - NFV/SDN Platform for Orchestrating Cloud and vBr...Cisco Connect Toronto 2017 - NFV/SDN Platform for Orchestrating Cloud and vBr...
Cisco Connect Toronto 2017 - NFV/SDN Platform for Orchestrating Cloud and vBr...
 
Service mesh in action with onap
Service mesh in action with onapService mesh in action with onap
Service mesh in action with onap
 
Implementing Docker Load Balancing in Microservices Infrastructure
Implementing Docker Load Balancing in Microservices InfrastructureImplementing Docker Load Balancing in Microservices Infrastructure
Implementing Docker Load Balancing in Microservices Infrastructure
 

Mehr von apidays

Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...
Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...
Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...
apidays
 

Mehr von apidays (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - The secrets to Graph success, by Leah Hurwich Adler, ...
Apidays New York 2024 - The secrets to Graph success, by Leah Hurwich Adler, ...Apidays New York 2024 - The secrets to Graph success, by Leah Hurwich Adler, ...
Apidays New York 2024 - The secrets to Graph success, by Leah Hurwich Adler, ...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, G...
Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, G...Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, G...
Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, G...
 
Apidays Singapore 2024 - Building with the Planet in Mind by Sandeep Joshi, M...
Apidays Singapore 2024 - Building with the Planet in Mind by Sandeep Joshi, M...Apidays Singapore 2024 - Building with the Planet in Mind by Sandeep Joshi, M...
Apidays Singapore 2024 - Building with the Planet in Mind by Sandeep Joshi, M...
 
Apidays Singapore 2024 - Connecting Cross Border Commerce with Payments by Gu...
Apidays Singapore 2024 - Connecting Cross Border Commerce with Payments by Gu...Apidays Singapore 2024 - Connecting Cross Border Commerce with Payments by Gu...
Apidays Singapore 2024 - Connecting Cross Border Commerce with Payments by Gu...
 
Apidays Singapore 2024 - Privacy Enhancing Technologies for AI by Mark Choo, ...
Apidays Singapore 2024 - Privacy Enhancing Technologies for AI by Mark Choo, ...Apidays Singapore 2024 - Privacy Enhancing Technologies for AI by Mark Choo, ...
Apidays Singapore 2024 - Privacy Enhancing Technologies for AI by Mark Choo, ...
 
Apidays Singapore 2024 - Blending AI and IoT for Smarter Health by Matthew Ch...
Apidays Singapore 2024 - Blending AI and IoT for Smarter Health by Matthew Ch...Apidays Singapore 2024 - Blending AI and IoT for Smarter Health by Matthew Ch...
Apidays Singapore 2024 - Blending AI and IoT for Smarter Health by Matthew Ch...
 
Apidays Singapore 2024 - OpenTelemetry for API Monitoring by Danielle Kayumbi...
Apidays Singapore 2024 - OpenTelemetry for API Monitoring by Danielle Kayumbi...Apidays Singapore 2024 - OpenTelemetry for API Monitoring by Danielle Kayumbi...
Apidays Singapore 2024 - OpenTelemetry for API Monitoring by Danielle Kayumbi...
 
Apidays Singapore 2024 - Connecting Product and Engineering Teams with Testin...
Apidays Singapore 2024 - Connecting Product and Engineering Teams with Testin...Apidays Singapore 2024 - Connecting Product and Engineering Teams with Testin...
Apidays Singapore 2024 - Connecting Product and Engineering Teams with Testin...
 
Apidays Singapore 2024 - The Growing Carbon Footprint of Digitalization and H...
Apidays Singapore 2024 - The Growing Carbon Footprint of Digitalization and H...Apidays Singapore 2024 - The Growing Carbon Footprint of Digitalization and H...
Apidays Singapore 2024 - The Growing Carbon Footprint of Digitalization and H...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...
Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...
Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...
 
Apidays Singapore 2024 - A nuanced approach on AI costs and benefits for the ...
Apidays Singapore 2024 - A nuanced approach on AI costs and benefits for the ...Apidays Singapore 2024 - A nuanced approach on AI costs and benefits for the ...
Apidays Singapore 2024 - A nuanced approach on AI costs and benefits for the ...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Apidays Singapore 2024 - How APIs drive business at BNP Paribas by Quy-Doan D...
Apidays Singapore 2024 - How APIs drive business at BNP Paribas by Quy-Doan D...Apidays Singapore 2024 - How APIs drive business at BNP Paribas by Quy-Doan D...
Apidays Singapore 2024 - How APIs drive business at BNP Paribas by Quy-Doan D...
 

Kürzlich hochgeladen

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Kürzlich hochgeladen (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 

apidays LIVE Hong Kong 2021 - Zero Trust security with Service Mesh by Laurent Petroque, F5 Networks

  • 1. Ace Zero Trust with a Service Mesh APIDAYS LIVE HONG KONG 2021
  • 2. | ©2021 F5 2 DIRECTOR, SOLUTIONS ENGINEERING @ NGINX (PART OF F5) Laurent Petroque Whether you're ready for a service mesh How to choose a mesh that’s right for your apps The importance of a high-performance Kubernetes application data plane Zero Trust Security with a Service Mesh
  • 3. | ©2021 F5 3 PRETTY WELL SUMS IT UP… Kubernetes Networking Is Hard
  • 4. | ©2021 F5 4 WHAT’S MISSING IN K8S AND WHAT DO YOU REALLY WANT AND NEED FROM A MESH? Networking: K8, L3, L4, L5, L7 • K8s, and CNI, provides L4 servicing – IP endpoints • Many, complex options • https://kubernetes.io/docs/concepts/cluster-administration/networking/ • L7 Traffic Management is missing • Policy-based routing • Service-level access control • SSL/mTLS enforcement • Enter: Service Mesh
  • 5. | ©2021 F5 5 WHAT’S MISSING IN K8S AND WHAT DO YOU REALLY WANT AND NEED FROM A MESH? What Is A Service Mesh? • A service mesh adds L7 traffic management & security: • sidecar deployment • policy management • application availability/health, • Service mesh isn’t just one “thing”, it’s a lot of managed and dependent components • Takes over where K8s networking stops (service/pod IP endpoints) • “Traffic management for containers”
  • 6. | ©2021 F5 6 L7 Logic (Ingress) L3-L4 Networking L3 – L7 Network Management == Service Mesh An Overly Simplified Picture
  • 7. | ©2021 F5 7 Risks of adopting a mesh too early… ✅ Complexity ✅ Complexity ✅ Complexity Preparing for a Mesh Useful References: • https://www.nginx.com/resources/datasheets/ngin x-service-mesh/ • https://www.nginx.com/blog/how-to-choose-a- service-mesh/
  • 14. | ©2021 F5 14 IT DEPENDS… Selecting a Service Mesh Why are you looking for a service mesh? (what are your use cases?)
  • 15. | ©2021 F5 15 Service Mesh Use Cases Secure Traffic End-to-end encryption (Mutual TLS / mTLS), ACLs Manage All Service Traffic Load Balance, Circuit breaker, B|G, Rate Limiting… Orchestration Injection and sidecar management, K8s API integration Visualize Traffic Generate transaction traces and real-time monitoring
  • 16. | ©2021 F5 16 IT DEPENDS… Selecting a Service Mesh Why are you looking for a service mesh? (what are your use cases?) How will you use the service mesh?
  • 17. | ©2021 F5 17 Developers Do you plan to add security to a legacy app that is moving into Kubernetes? Are you going to incorporate security as you refactor an app into a native Kubernetes app? Platform/Infrastructure Team Are you going to add the service mesh into your CI/CD pipeline so that it’s automatically deployed and configured with every new cluster and available when a developer spins up a new instance? How will you use the service mesh? IT DEPENDS WHO YOU ARE
  • 18. | ©2021 F5 18 IT DEPENDS… Selecting a Service Mesh Why are you looking for a service mesh? (what are your use cases?) How will you use the service mesh? Is zero trust a factor in your selection?
  • 19. | ©2021 F5 19 Zero Trust in a Service Mesh
  • 20. | ©2021 F5 20 • Average cost of data breach is $3.92 million (source: IBM-sponsored study) • Average time to identify and contain a breach is 279 days • Average lifecycle of a malicious attack from breach to containment is 314 days CONFIDENTIAL Why think about Zero Trust Security?
  • 21. | ©2021 F5 21 Networks should always be considered hostile. • Just because you’re inside the “castle” does not make you safe. Network locality is not sufficient for deciding trust in a network. • Just because you know someone next to you in the “castle”, doesn’t mean you should trust them. Every device, user, and request is authenticated and authorized. • Ensure that every person entering the “castle” has been properly identified and is allowed to enter. Network policies must be dynamic and calculated from as many sources of data as possible. • Ask as many people as possible when validating if someone is allowed to enter the “castle”. SOURCE: MICROSERVICE SECURITY & COMPLIANCE: ZERO TRUST SECURITY (ASPENMESH.IO) CONFIDENTIAL Zero Trust Networking Principles
  • 22. | ©2021 F5 22 Service Identities – Protect from Service Impersonation • every device, user, and request is authenticated and authorized Mutual Transport Layer Securities (mTLS) – Protect from Packet Sniffing • encrypting service-to-service communication and achieving non-repudiation for requests Role Based Access Control (RBAC) – Prevent unauthorized access • easily define what services are allowed to communicate and what endpoints services and users are allowed to communicate with Network Policy - Prevent Data exfiltration • enforce networking rules at runtime CONFIDENTIAL The Power of Two: Zero Trust and Service Mesh Source: Microservice Security & Compliance: Zero Trust Security (aspenmesh.io)
  • 23. | ©2021 F5 23 • Govern service-to-service traffic • Centralize management of microservices, controlling both ends of the connection • mTLS to encrypt and authenticate data CONFIDENTIAL Service Mesh and mTLS
  • 24. | ©2021 F5 24 CONFIDENTIAL
  • 25. | ©2021 F5 25 CONFIDENTIAL Scan the QR Code and enjoy a free NGINX Scan Service
  • 26. | ©2021 F5 26 Laurent Petroque Linkedin: laurentpetroque Email: contactme_nginxapac@f5.com Download this complimentary O’Reilly eBook! https://www.nginx.com/resources/library/

Hinweis der Redaktion

  1. Reg numbers as of 6/2 AMER: 145 APCJ: 158 EMEA: 138
  2. Introduce yourself (no need to read the session takeaways)
  3. Talk about the challenges around K8s networking
  4. Identify where a mesh fits into your traffic management strategy (L7)
  5. Provide overview of service mesh
  6. Click 1: displays L7 Logic (Ingress) with arrow pointing to Ingress box When traffic enters the cluster via the Ingress controller, it’s managed at the L7 Click 2: displays L3-L3 Networking with arrows pointing to N/S arrows between Ingress-service and service-pod When traffic passes from the Ingress controller to service and from the service to the pods, it’s only L3-L4. This can be ok if your app is simple and you don’t have a requirement for end-to-end encryption Click 3: displays L3-L7 Network Management == Service Mesh with blue circle Addition of a service mesh gives you the ability to manage traffic within Kubernetes at the L7 level
  7. We’re not here to scare you away from trying a service mesh! We want to make sure you have a good experience and can get the most out of the technology We developed this readiness checklist because we were seeing people trying to adopt service mesh before they were ready, and it was causing complexity and headaches. The more “yeses”, the more likely you’re going to get value from a service mesh Links to paste into the chat for references: https://www.nginx.com/resources/datasheets/nginx-service-mesh/ https://www.nginx.com/blog/how-to-choose-a-service-mesh/
  8. #1: You are fully invested in Kubernetes for your production environment. Whether you’ve already moved production apps into Kubernetes or you’re just starting to test app migration to container workloads, your long‑term application management roadmap includes Kubernetes.
  9. #2: You require a zero‑trust production environment and need mutual TLS (mTLS) between services. You either already rely on a zero‑trust model for your production apps and need to maintain that level of security in your containerized environment, or you’re using the migration as a forcing function to increase your service‑level security.
  10. #3: Your app is complex in both number and depth of services. You have a large, distributed app. It has multiple API dependencies and most likely requires external dependencies.
  11. #4: You have a mature, production CI/CD pipeline. “Mature” depends on your organization. We apply the term to procedures that programmatically deploy Kubernetes infrastructure and apps, likely using tools including Git, Jenkins, Artifactory, or Selenium.
  12. #5: You are deploying frequently to production – at least once per day. This is where we find most people answer “no” – although they’ve moved apps into production Kubernetes, they aren’t yet using Kubernetes for the dream goal of constant revisions. It is important to ask: How often do you rollout changes?
  13. #6: Your DevOps team is ready to rock and start using the right tools for ultra‑modern app deployment! Even if the service mesh is going to be owned by your NetOps team, administration is often handled within the cluster by DevOps teams and they need to be ready to handle the addition of a mesh to their stack.
  14. Now that you’ve determine you’re ready for a mesh, Step 1: Why are you looking for a service mesh? In other words, what problems do you need the service mesh to solve?
  15. For example, your organization might mandate mTLS between services or you need end-to-end encryption, including both from the edge in (for ingress traffic) and from within the mesh (for egress traffic). Or perhaps you need enterprise‑grade traffic management tools for your new Kubernetes services. These are some common use cases for a service mesh Secure Traffic Performance: NGINX Plus data plane handling mTLS (envoy tips over after 600, where we go to 2000+) data plane matters story Orchestration Light weight control plane = small footprint, dev-friendly control plane “set it and forget it”, Service Traffic Advance LB – enterprise ADC (vs packet-pushing proxies) Visualize Traffic Prometheus/Grafana, uses SMI spec for portability/easier to replace exiting mesh with NSM, completely open – you can use any visualization tool you want, (open ecosystem)
  16. Step 2: How will you use the service mesh? This depends on who you are.
  17. If you’re a developer: Do you plan to add security to a legacy app that is moving into Kubernetes? Are you going to incorporate security as you refactor an app into a native Kubernetes app? If you’re responsible for platforms and infrastructure: Are you going to add the service mesh into your CI/CD pipeline so that it’s automatically deployed and configured with every new cluster and available when a developer spins up a new instance?
  18. Step 3: What factors influence your selection? Does your service mesh need to be infrastructure agnostic? Compatible with your visibility tools? Kubernetes‑native? Easy to use? Do you see a future when you’ll want to manage ingress and egress (north‑south) traffic at the edge with the same tool as service-to-service (east‑west) traffic within the mesh? Once you’ve worked through these questions, you’ll have a solid list of requirements to use as you evaluate options.
  19. The transition to faster, more flexible patterns like DevSecOps and microservices can be challenging for cybersecurity teams. Zero Trust offers a powerful method to manage the security of the constantly moving river of changes and access control handoffs.
  20. - Transitioning to Zero Trust Networking can dramatically increase your security posture, but until recent years, it has been a time consuming and difficult task that required extensive security knowledge within engineering teams, sophisticated internal tooling that could manage workload certificates, and service level authentication and authorization. - Service mesh technologies allow us to easily implement Zero Trust Networking across our microservices and clusters with little effort, minimal service disruption, and does not require your team to be security experts. 
  21. What Is mTLS? | F5 Labs
  22. Nginx is super easy to deploy and available with its open source edition, it is used by many, many organizations, as web server, reverse proxy, load balancer, api gateway, etc. This can however lead to unknow nginx instances spread across your organization, sometimes with NGINX Open Source and NGINX Plus managed by different groups. How do you ensure your nginx instances have up-to-date confirguratiuons and security settings?
  23. I am happy to introduce NGINX Instance Manager and we are now offering free health check service to HK organizations. Please scan the qr code to sign up and we will be contacting you soon.
  24. Introduce yourself (no need to read the session takeaways)