Securing Microservices in a Zero Trust Environment
TRANSCRIPT
ABOUT ME
▪ https://github.com/prabath/me
▪ Twitter: prabath
▪ 12 years with WSO2, leading open source WSO2 Identity Server
CHALLENGES
▪ Broader attack surface
▪ Performance
▪ Deployment complexities
▪ Observability
▪ Sharing user context
▪ Polyglot architecture
AUTHORIZATION
Open Policy Agent (OPA)
▪ A lightweight general-purpose policy engine that can be co-located with your service.
▪ Policies are written in Rego
▪ Can integrate OPA as a sidecar, host-level daemon, or library.
▪ Integrated with Spring, Service Mesh implementations (Istio, Linkerd), Kafka
https://istio.io/docs/reference/config/policy-and-telemetry/adapters/opa/
▪ Netflix is an early adopter of OPA
ZERO TRUST NETWORK PRINCIPLES
▪ The network is hostile, do not trust it!
▪ Zero Trust is not about making a system trusted, but instead about eliminating trust on the network.
▪ IP addresses and location are no longer practical to establish sufficient trust for network access.
ZERO TRUST NETWORK PRACTICES
▪ Keep security enforcement points as close as possible to the resources.
▪ Avoid using bearer tokens.
▪ Follow the least privilege principle.
▪ Do contextual access control and make access control decisions in near real time.
▪ Automation.
▪ Distributed tracing and monitoring.
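The OPA slide above and these practices come together in a single sidecar policy. The following Rego policy is an added example, not from the slides or from any WSO2 or OPA project code; it assumes a hypothetical "orders" service whose proxy hands OPA an input containing the request method and path, the caller's mTLS SPIFFE identity, the client certificate thumbprint, and the access token, and every name and value in it is constructed for the demo.

```rego
package microservice.authz

# Added example, not from the slides: an OPA sidecar policy for a hypothetical
# "orders" service. The proxy in front of the service is assumed to hand OPA an
# input of the form {method, path, peer_spiffe_id, peer_cert_thumbprint, token}.

# Least privilege: nothing is allowed unless a rule below says so.
default allow = false

# Constructed demo values. A real deployment would pin the issuer's public key
# (the "cert" constraint) instead of sharing an HMAC secret, and would feed the
# revocation list through an OPA bundle so decisions track revocations closely.
jwt_secret = "demo-secret-do-not-use"
issuer = "https://idp.example.internal"
revoked_subjects = {"svc-account-compromised"}

# Caller workload (mTLS identity) -> allowed [method, path prefix] pairs.
permissions = {
    "spiffe://cluster.local/ns/shop/sa/cart": {["GET", "/orders/"], ["POST", "/orders/"]},
    "spiffe://cluster.local/ns/shop/sa/reporting": {["GET", "/orders/"]},
}

# Verify the token once: signature, issuer, audience and exp/nbf against now.
claims = payload {
    [valid, _, payload] := io.jwt.decode_verify(input.token, {
        "secret": jwt_secret,
        "iss": issuer,
        "aud": "orders",
    })
    valid
}

# Not a plain bearer token: it must be bound to the client certificate seen on
# the mTLS connection (RFC 8705 "cnf" / "x5t#S256" claim, same encoding as the
# thumbprint the proxy supplies).
token_bound_to_peer {
    claims.cnf["x5t#S256"] == input.peer_cert_thumbprint
}

# Contextual check made on every request, not only when the token was issued.
subject_active {
    not revoked_subjects[claims.sub]
}

allow {
    token_bound_to_peer
    subject_active
    entry := permissions[input.peer_spiffe_id][_]
    input.method == entry[0]
    startswith(input.path, entry[1])
}
```

With the policy saved as authz.rego and a request document as input.json, `opa eval -f pretty -i input.json -d authz.rego "data.microservice.authz.allow"` returns `true` only when the token verifies, is bound to the presented client certificate, the subject is not revoked, and the calling workload is permitted that method and path prefix.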