Everyone building or operating cloud native applications must understand the fundamentals of security issues and modern threat models. Although this topic is vast, in this talk Nic and Daniel will focus on the end-to-end communication and higher-level networking threats, and explore how the combination of an edge proxy and service mesh using TLS and mTLS can be used to mitigate many man-in-the-middle attacks.
Key takeaways include:
- An understanding of the "three pillars" of service mesh functionality: observability, reliability, and security. A service mesh is in a unique place to enforce security features like mTLS
- Learn how to ensure that there are no exploitable "gaps" within the end-to-end/user-to-service communication path.
- Explore the differences in ingress/mesh control planes, with brief demonstrations using Ambassador and Consul Connect
2. tl;dr
▪ We’re seeing an increase in application modernisation/hybrid platforms
▪ Decoupling apps and infrastructure is key: incrementally and securely
▪ All security must have good UX / DevEx
▪ Defence in depth is vital -- network / service security is one part of this
▪ Mind the gap(s)!
3. Who are we?
Nic Jackson
Developer Advocate, HashiCorp
@sheriffjackson
Daniel Bryant
Product Architect, Datawire
@danielbryantuk
5. So, we don’t want to scare you, but...
214
Records containing personal data are exploited every second
6. So, we don’t want to scare you, but...
2.2%
Of compromised records are protected by encryption
7. So, we don’t want to scare you, but...
65%
Of cases are linked to identity theft
8. So, we don’t want to scare you, but...
$3,860,000
Is the average cost of a data breach
9. So, we don’t want to scare you, but...
$350,000,000
Is the cost of a breach containing over 50 million records
10. So, we don’t want to scare you, but...
72%
Increase in attacks between 2017 and 2018
Gemalto Breach Level Index:
https://breachlevelindex.com/
IBM Cost of a Data Breach Study:
https://www.ibm.com/security/data-breach
18. API Gateway: Edge proxy, ingress, ADC...
▪ Exposes internal services to end-users (via multiple domains)
▪ Encapsulates backends (k8s, VMs, bare metal etc)
▪ TLS termination (enforcing minimum TLS version)
▪ End-user authentication/authorization
▪ Rate limiting (DDoS protection, etc)
20. Service Mesh: Proxy mesh, Fabric model...
▪ Exposes internal services to internal consumers
▪ Encapsulates service infra (across k8s, VMs, bare metal etc)
▪ mTLS: service identity and traffic encryption
▪ ACLs and intentions: who can do what, and to whom
▪ Implements cross-functional concerns (out-of-process)
21. Service Mesh: Three Pillars
▪ Observability
– “Golden signals”: latency, errors, traffic, saturation (USE, RED)
– Both global and service-to-service
▪ Reliability
– Abstracting health checks, retries, circuit breakers etc.
– Providing sane defaults to protect the system
▪ Security
– Authn/z propagation, mTLS, network segmentation
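Slides 18, 20 and 21 describe two enforcement points: the edge proxy terminating TLS with a minimum protocol version, and the mesh sidecar requiring mTLS so that every caller carries a CA-issued service identity. The following Go program is an added, self-contained illustration of exactly those two policies using Go's standard crypto/tls package; it is not code from the talk, from Ambassador or from Consul Connect. It assumes an in-memory CA and two made-up service names ("web" calling "payments"), and it models the proxy as a plain TLS listener so the effect of each setting can be observed on a loopback socket.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

var serial int64

// newCert issues a short-lived certificate for name. With parent == nil it becomes a self-signed CA.
// (Constructed demo PKI: a real mesh gets these from its control plane, e.g. Consul Connect's CA.)
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     []string{name},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// PKI is the demo mesh's trust root plus one identity per service (hypothetical names).
type PKI struct {
	pool   *x509.CertPool
	server tls.Certificate // identity of the "payments" service
	client tls.Certificate // identity of the "web" service
}

func NewPKI() (*PKI, error) {
	ca, caKey, err := newCert("demo-ca", nil, nil)
	if err != nil {
		return nil, err
	}
	srv, srvKey, err := newCert("payments", ca, caKey)
	if err != nil {
		return nil, err
	}
	cli, cliKey, err := newCert("web", ca, caKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &PKI{
		pool:   pool,
		server: tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		client: tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey},
	}, nil
}

// ServerConfig is the policy the proxy in front of "payments" enforces.
func ServerConfig(p *PKI) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{p.server},
		MinVersion:   tls.VersionTLS12,               // slide 18: no legacy TLS 1.0/1.1
		ClientAuth:   tls.RequireAndVerifyClientCert, // slide 20: caller must prove a CA-issued identity
		ClientCAs:    p.pool,
	}
}

// ClientConfig builds the dialer: a mesh peer with an identity, or an unknown caller without one.
func ClientConfig(p *PKI, withIdentity bool) *tls.Config {
	cfg := &tls.Config{RootCAs: p.pool, ServerName: "payments", MinVersion: tls.VersionTLS12}
	if withIdentity {
		cfg.Certificates = []tls.Certificate{p.client}
	}
	return cfg
}

// Connect dials a fresh mTLS listener and returns the identity the server attributed to the
// caller, or an error if the server rejected the connection.
func Connect(p *PKI, clientCfg *tls.Config) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", ServerConfig(p))
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		tc := conn.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			return // rejected: the alert has been sent, nothing else goes out
		}
		// The verified client certificate is the service identity; echo it to the caller.
		fmt.Fprint(tc, tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	id, err := io.ReadAll(conn) // under TLS 1.3 a client-cert rejection only surfaces on first read
	if err != nil {
		return "", err
	}
	if len(id) == 0 {
		return "", fmt.Errorf("server closed the connection without accepting the caller")
	}
	return string(id), nil
}

// Results records the three cases the slides are about.
type Results struct {
	MeshPeer  string // identity accepted for a caller holding a CA-issued certificate
	NoCertErr error  // caller that presents no certificate at all
	LegacyErr error  // caller that only offers TLS 1.0/1.1
}

func Run() (Results, error) {
	p, err := NewPKI()
	if err != nil {
		return Results{}, err
	}
	var r Results
	if r.MeshPeer, err = Connect(p, ClientConfig(p, true)); err != nil {
		return r, err
	}
	_, r.NoCertErr = Connect(p, ClientConfig(p, false))
	legacy := ClientConfig(p, true)
	legacy.MinVersion, legacy.MaxVersion = tls.VersionTLS10, tls.VersionTLS11
	_, r.LegacyErr = Connect(p, legacy)
	return r, nil
}

func main() {
	r, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("mesh peer accepted as %q\nno certificate: %v\nlegacy TLS: %v\n", r.MeshPeer, r.NoCertErr, r.LegacyErr)
}
```

Running it shows the "web" identity being accepted, the caller without a certificate being refused, and the TLS 1.1-only caller being refused at the handshake. The read after `tls.Dial` matters: with TLS 1.3 the client finishes its side of the handshake before the server has checked the client certificate, so a rejection that is not checked on the first read is exactly the kind of "gap" the talk warns about.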
35. Conclusion
▪ We’re seeing an increase in application modernisation/hybrid platforms
▪ Decoupling apps and infrastructure is key: incrementally and securely
▪ All security must have good UX / DevEx
▪ Defence in depth is vital -- network / service security is one part of this
▪ Mind the gap(s)!