By 2020, Gartner predicts 60% of digital businesses will suffer major service failures due to the inability of the IT security team to manage digital risk in new technology and use cases. As security failures quickly become headline news, CIOs and CISOs are under tremendous pressure to keep the business secure -- without slowing the business down. That's why incorporating security by design into applications and services is so crucial for the enterprise. In this session, we will discuss how application networks are helping organizations federate security best practices, leverage machine learning to respond to threats more proactively, and deliver defense in depth.
No friction between goals of business to expose capabilities and goals of security to restrict access
Targeted => network; profile; OAuth 2.0 grant type
Minimized => in commands and capabilities; business entities; domain driven; filter data (ABAC)
Locked => default + every call is protected; TLS; (tokenization; encryption of data at rest)
Multi-keyed => OpenID Connect (access + id); private: access token + mutual TLS
Elastic => container scheduling; service lookup; business entities are easier to scale
Reliable => use event driven; encrypt messages; no subscription in the DMZ; circuit breaker
Standardized => all the above
According to user segmentation and hence network segmentation
Least privilege
Username / password credentials are evil
Hide and guarantee integrity with encryption and digital signatures
Auth code where possible because client forced to authenticate
Never use resource owner password credentials
Recognize the limit of oauth. WE NEED RBAC OR ABAC
Protect all web apis with HTTPS
Never use plain http
Self-sign only within corporate
Mutual TLS on corporate and extranet
We have a need to grow and shrink with traffic
Devops facilitates rapid provisioning
PaaS makes all this easy with dynamic scaling
Distributed transactions are evil
Eventual consistency is good (aligns with the needs of the business)
Guaranteed delivery
Better customer experience
Graceful handling of failures
Use fallback to deliver some default set of info (perhaps cached)
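The circuit breaker with a cached fallback described in these reliability notes, as an added example (not code from the talk): a failing downstream call trips the breaker after a threshold, short-circuited calls return the last good response, and one trial call is allowed after a timeout. The class name and the injectable `clock` parameter are my own choices for testability.

```python
import time
from typing import Any, Callable


class CircuitBreaker:
    """Circuit breaker that falls back to the last successfully fetched value.

    States: "closed" (calls flow through), "open" (calls short-circuit to the
    fallback without touching the downstream), "half-open" (one trial call is
    allowed once reset_timeout seconds have passed since the breaker opened).
    """

    def __init__(self, failure_threshold: int = 3, reset_timeout: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.failure_threshold = failure_threshold
        self.reset_timeout = reset_timeout
        self.clock = clock  # injectable so tests can advance time deterministically
        self.failures = 0
        self.state = "closed"
        self.opened_at = 0.0
        self.cached: Any = None  # last good response, served as the fallback

    def call(self, fn: Callable[[], Any], default: Any = None) -> Any:
        """Invoke fn() through the breaker; return cached/default data on failure."""
        if self.state == "open":
            if self.clock() - self.opened_at >= self.reset_timeout:
                self.state = "half-open"  # let exactly one trial call through
            else:
                return self._fallback(default)
        try:
            result = fn()
        except Exception:
            self.failures += 1
            # A failed trial call, or too many consecutive failures, opens the breaker
            if self.state == "half-open" or self.failures >= self.failure_threshold:
                self.state = "open"
                self.opened_at = self.clock()
            return self._fallback(default)
        # Success: reset counters, close the breaker, refresh the cached value
        self.failures = 0
        self.state = "closed"
        self.cached = result
        return result

    def _fallback(self, default: Any) -> Any:
        """Prefer the last good response; use the caller's default if none yet."""
        return self.cached if self.cached is not None else default
```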
If we use standards the quality is much better
Vulnerabilities of public frameworks identified and solved.