In this talk, we talk about API and Security. During this presentation, we will explain important aspects of security and how to apply these aspects using Service Mesh and API Gateway.
6 API First An API-first approach means that for any given development project, your APIs are treated as “first-class citizens.” That everything about a project revolves around the idea that the end product will be consumed by mobile devices, and that APIs will be consumed by client applications. Source: https://swagger.io/resources/articles/adopting-an-api-first-approach/
8 API First #1 Development teams can work in parallel #2 Reduces the cost of developing apps #3 Increases the speed to market #4 Ensures good developer experiences Source: https://swagger.io/resources/articles/adopting-an-api-first-approach/
10 Authentication Authentication is the act of validating that users are whom they claim to be. This is the first step in any security process. Example: Employees in a company are required to authenticate through the network before accessing their company email
11 Authorization Authorization in a system security is the process of giving the user permission to access a specific resource or function. In secure environments, authorization must always follow authentication. Example: After an employee successfully authenticates, the system determines what information the employees are allowed to access
12 Ownership of data Ownership of data is a part of data security and is related to the proper handling of data. It is the process of check the ownership of the data! Example: After an employee successfully authenticates, the employee can only manipulate data that is yours.
13 Authentication Authorization Confirms users who are they say there are Gives users permission to access a resource Ownership Confirms users data and permissions to handle it
17 Perimeter Security ● Defense-in-depth multiple layers of security ● Should be easy to integrate with in place systems like VPN, Firewall etc... ● Multiple Policy Enforcement Points increase security
22 North-South Traffic ● Clients is unknown in general ● Best place to put Bot detection and treat abusive traffic ● API Products expose business through APIs
24 Zero Trusted Network ● The cloud environment is heterogeneous ● Different types of workloads ● Integrate with Defense-in-depth concept ● All elements in network is untrusted ● All systems should get kind of grant before call others systems
43 “Micro” Gateway can help us! Hiding implementation details and acting as Bounded Context https://www.solo.io/blog/challenges-of-adopting-service-mesh-in-enterprise-organizations/
56 What is PeP?? The Policy Enforcement Point (PEP) is the piece of network or security equipment that controls user access and ensures the authorization decision made by the Policy Decision Point (PDP).
59 How mTLS works in Istio / Envoy 1. Service account token is assigned to Istio Proxy 2. Pilot agent send Token and CSR to Istiod 3. Istiod validate k8s token 4. The istiod signs the certificate and provides it to pilot agent 5. The pilot agent calls Envoy SDS to configure it https://www.manning.com/books/istio-in-action