Securing Microservices in a Zero Trust Environment

Prabath Siriwardena


ABOUT ME


▪ https://github.com/prabath/me
▪ Twitter: prabath
▪ 12 years with WSO2, leading open source WSO2 Identity Server

MONOLITHIC


MICROSERVICES


CHALLENGES

▪ Broader attack surface
▪ Performance
▪ Deployment complexities
▪ Observability
▪ Sharing user context
▪ Polyglot architecture


GATEWAY PATTERN AT THE EDGE


GATEWAY PATTERN AT THE EDGE


SERVICE TO SERVICE SECURITY Trust the Network


SERVICE TO SERVICE SECURITY Mutual TLS


SERVICE TO SERVICE SECURITY Mutual TLS + Shared JWT


SERVICE TO SERVICE SECURITY Mutual TLS + JWT (Token Exchange)


SERVICE TO SERVICE SECURITY Mutual TLS + JWT (Proxy)


SERVICE TO SERVICE SECURITY Data Plane


SERVICE TO SERVICE SECURITY Control Plane


SERVICE TO SERVICE SECURITY Authorization: Embedded PDP / Call Home


AUTHORIZATION Open Policy Agent (OPA)

▪ A lightweight general-purpose policy engine that can be co-located with your service.

▪ Policies are written in Rego
▪ Can integrate OPA as a sidecar, host-level daemon, or library.
▪ Integrated with Spring, Service Mesh implementations (Istio, Linkerd), Kafka

https://istio.io/docs/reference/config/policy-and-telemetry/adapters/opa/

▪ Netflix is an early adopter of OPA


SERVICE MESH


SERVICE MESH Istio


SERVICE MESH SPIFFE ~ Trust Bootstrap


SERVICE MESH FALLACIES OF DISTRIBUTED COMPUTING

ZERO TRUST NETWORK PRINCIPLES

▪ The network is hostile, do not trust it!
▪ Zero Trust is not about making a system trusted, but instead about eliminating trust on the network.
▪ IP addresses and location are no longer practical to establish sufficient trust for network access.


ZERO TRUST NETWORK PRACTICES

▪ Keep security enforcement points as close as possible to the resources.
▪ Avoid using bearer tokens.
▪ Follow the least privilege principle.
▪ Do contextual access control and make access control decisions in near real time.
▪ Automation.
▪ Distributed tracing and monitoring.
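The practices above, together with the "Mutual TLS + JWT" and "Embedded PDP" slides, are illustrated by the following added example (not code from the slides or from WSO2): an in-process policy decision point for one service-to-service call that verifies the JWT, requires it to be bound to the caller's mTLS certificate via the `cnf` / `x5t#S256` claim (RFC 8705) so a replayed bearer token is rejected, checks audience and expiry at decision time, and maps the caller's SPIFFE ID to the operation and scope it needs. The SPIFFE IDs, the HS256 shared key and the certificate bytes are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (not from the slides): a shared HMAC key stands in for the
# issuer's signing key; the bytes stand in for the caller's DER-encoded mTLS client cert.
ISSUER_KEY = b"demo-shared-secret"
CALLER_CERT_DER = b"\x30\x82\x01\x0a constructed-client-certificate-bytes"
SELF_ID = "spiffe://example.org/ns/default/sa/inventory"   # identity of this service
# Policy: caller SPIFFE ID (from mTLS) -> permitted operation -> scope the token must carry.
POLICY = {"spiffe://example.org/ns/default/sa/order": {("POST", "/inventory/reserve"): "inventory:write"}}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def x5t_s256(cert_der: bytes) -> str:
    # RFC 8705 certificate thumbprint carried in the token's cnf claim
    return b64url(hashlib.sha256(cert_der).digest())

def mint_jwt(claims: dict, key: bytes = ISSUER_KEY) -> str:
    # Issuer side, included only so the demo is self-contained (HS256 for brevity).
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def decide(token: str, peer_id: str, peer_cert_der: bytes,
           method: str, path: str, now: float = None) -> tuple:
    # Embedded PDP: returns (allow, reason) for one service-to-service call.
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    expected = hmac.new(ISSUER_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return False, "bad signature"
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("exp", 0) <= now:             # decide on current state, near real time
        return False, "token expired"
    if claims.get("aud") != SELF_ID:            # token exchanged for this hop only
        return False, "token not issued for this service"
    if claims.get("cnf", {}).get("x5t#S256") != x5t_s256(peer_cert_der):
        return False, "token not bound to presented certificate"   # replayed bearer token
    needed = POLICY.get(peer_id, {}).get((method, path))
    if needed is None:
        return False, "caller not permitted for this operation"
    if needed not in claims.get("scope", "").split():
        return False, "token lacks required scope"
    return True, "allow"
```

In a real mesh the peer SPIFFE ID and certificate come from the terminated mTLS connection (e.g. the sidecar), and the token would be verified against the issuer's public key rather than a shared secret.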


End-to-End Flow