API securing as a software developer at Cloud Era

In this talk we cover APIs and security: the important aspects of API security and how to apply them using a service mesh and an API gateway.

Transcript

  1. API securing as a software developer at Cloud Era
    Cláudio Oliveira & Luram Archanjo

  2. Who am I?
    Luram Archanjo
    Software Engineer
    MBA in Java projects
    Java and microservices enthusiast

  3. Who am I?
    Cláudio E. de Oliveira
    APIs Tech Lead at LuizaLabs
    Golang, Java, microservices & k8s

  4. Agenda
    API First
    Principles of security as a developer
    Responsibilities
    - Traffic North & South
    - Traffic East & West
    Demo

  5. Why talk about it?

  6. API First
    An API-first approach means that for any given development
    project, your APIs are treated as “first-class citizens”:
    everything about a project revolves around the idea that
    the end product will be consumed by mobile devices, and that
    APIs will be consumed by client applications.
    Source: https://swagger.io/resources/articles/adopting-an-api-first-approach/

  7. API First - Step Back
    (diagram: Backend)

  8. API First
    #1 Development teams can work in parallel
    #2 Reduces the cost of developing apps
    #3 Increases the speed to market
    #4 Ensures good developer experiences
    Source: https://swagger.io/resources/articles/adopting-an-api-first-approach/

  9. Principles of security as a developer

  10. Authentication
    Authentication is the act of validating that users are who
    they claim to be. This is the first step in any security process.
    Example: Employees in a company are required to authenticate
    to the network before accessing their company email.

  11. Authorization
    Authorization, in system security, is the process of giving a
    user permission to access a specific resource or function.
    In secure environments, authorization must always follow
    authentication.
    Example: After an employee successfully authenticates, the
    system determines what information that employee is allowed
    to access.

  12. Ownership of data
    Ownership of data is part of data security and is related to the
    proper handling of data.
    It is the process of checking who owns the data.
    Example: After an employee successfully authenticates, the
    employee can only manipulate data that is theirs.

  13. Authentication | Authorization | Ownership
    Authentication: confirms users are who they say they are
    Authorization: gives users permission to access a resource
    Ownership: confirms the user's data and their permission to handle it
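The three checks from slides 10 to 13 chained in one request handler, as an added Go example (not code from the talk): authentication yields an identity, authorization asks whether that identity's role may perform the action at all, and the ownership check asks whether the specific record belongs to the caller. The bearer tokens, users, orders and role permissions are constructed sample data standing in for a real token validator and database.

```go
package main

import (
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
)

// user is the identity authentication produces; role drives authorization.
type user struct{ id, role string }

// sessions is constructed sample data standing in for real token validation
// (an OIDC library verifying signature, issuer, audience and expiry).
var sessions = map[string]user{
	"tok-alice": {"alice", "customer"},
	"tok-bob":   {"bob", "customer"},
	"tok-ops":   {"carol", "support"},
}

type order struct{ id, owner, status string }

// orders is constructed sample data; owner is what the ownership check compares against.
var orders = map[string]*order{
	"o-1": {"o-1", "alice", "paid"},
	"o-2": {"o-2", "bob", "shipped"},
}

// permissions per role: what a role may do at all, regardless of which record.
var permissions = map[string][]string{
	"customer": {"order:read", "order:cancel"},
	"support":  {"order:read"},
}

var errUnauthenticated = errors.New("missing or unknown bearer token")

// authenticate answers "who is calling?" (slide 10).
func authenticate(r *http.Request) (user, error) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	if u, ok := sessions[tok]; ok {
		return u, nil
	}
	return user{}, errUnauthenticated
}

// authorize answers "may this role perform this action?" (slide 11); it runs only after authenticate.
func authorize(u user, action string) bool {
	for _, p := range permissions[u.role] {
		if p == action {
			return true
		}
	}
	return false
}

// owns answers "is this the caller's own record?" (slide 12). Authorization alone is not enough:
// every customer may cancel orders, but only their own.
func owns(u user, o *order) bool {
	return o.owner == u.id
}

// cancelOrder chains the three checks. Leaving out owns() while keeping the other two is the
// classic broken-object-level-authorization (IDOR) bug: any customer could cancel any order.
func cancelOrder(w http.ResponseWriter, r *http.Request) {
	u, err := authenticate(r)
	if err != nil {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	if !authorize(u, "order:cancel") {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	o, found := orders[r.URL.Query().Get("id")]
	if !found || !owns(u, o) {
		// Same answer for "does not exist" and "not yours": do not confirm other people's order ids.
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	o.status = "cancelled"
	w.WriteHeader(http.StatusOK)
}

// request drives cancelOrder in-process and returns the HTTP status it produced.
func request(token, orderID string) int {
	req := httptest.NewRequest(http.MethodPost, "/orders/cancel?id="+orderID, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	cancelOrder(rec, req)
	return rec.Code
}
```

The order of the checks matters: a missing token is answered before any record is looked up, and a record that is not the caller's gets the same 404 as a record that does not exist, so the API does not leak which ids are valid.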

  14. Cloud Native Security Principles

  15. Basic knowledge for API Security
    ● HTTPS
    ● SSL/TLS
    ● Metrics
    ● OpenID Connect

  16. Perimeter Security

  17. Perimeter Security
    ● Defense in depth: multiple layers of security
    ● Should be easy to integrate with the systems already in place,
    like VPNs, firewalls, etc.
    ● Multiple Policy Enforcement Points increase security

  18. Infrastructure Security
    ● Language agnostic
    ● Security is provided by the infrastructure (platform)
    ● Raises the governance level
    ● “Hot deployment”

  19. [image-only slide]

  20. Traffic Types

  21. North-South traffic

  22. North-South Traffic
    ● Clients are generally unknown
    ● The best place for bot detection and for handling abusive
    traffic
    ● API products expose the business through APIs

  23. East-West traffic

  24. Zero Trust Network
    ● The cloud environment is heterogeneous
    ● Different types of workloads
    ● Integrates with the defense-in-depth concept
    ● Every element on the network is untrusted
    ● Every system must obtain some kind of grant before calling
    other systems

  25. All of them are open-source

  26. Big Picture

  27. Demo time

  28. [image-only slide]

  29. Securing East-West

  30. mTLS

  31. Extracted from
    https://github.com/smallstep/autocert/blob/master/examples/hello-mtls/README.md

  32. [image-only slide]

  33. [image-only slide]

  34. Demo time

  35. [image-only slide]

  36. Authn

  37. Every sidecar can check the JWT
    and validate the token's integrity

  38. RequestAuthentication establishes
    the identity, and AuthorizationPolicy
    is the rule applied to it
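What slides 30, 37 and 38 describe, written out as Istio configuration. This is an added example, not config from the talk or the Istio project docs; the workload label `app: orders`, the namespace `default`, the issuer `https://idp.example.com` and the paths are assumptions. The first object turns on mesh-wide mTLS (slide 30); the second makes the sidecar verify JWT signatures (slide 37); the third is the rule that actually requires a valid identity (slide 38).

```yaml
# Constructed example: workload "orders" in namespace "default", IdP at https://idp.example.com (both assumed).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT          # plaintext is refused; every service-to-service hop is mTLS
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: orders-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: orders
  jwtRules:
  - issuer: "https://idp.example.com"
    jwksUri: "https://idp.example.com/.well-known/jwks.json"
    # The sidecar fetches the JWKS and checks signature, issuer and expiry.
    # A request carrying an INVALID token is rejected here; a request with NO token
    # is let through with an empty principal, which is why the policy below is needed.
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-require-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["https://idp.example.com/*"]   # principal is <iss>/<sub>
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/orders", "/orders/*"]
```

Once an ALLOW policy selects a workload, everything that matches no rule is denied, so a request without a token (empty principal) or to another path is rejected even though RequestAuthentication alone would have let it through. Verify with two curl calls against the ingress: one with no `Authorization` header, expecting 403, and one with a token from the issuer, expecting 200.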

  39. OK... is a service mesh
    enough to improve
    security???

  40. [image-only slide]

  41. Turns out!!!

  42. [image-only slide]

  43. “Micro” Gateway can help us!
    Hiding implementation details
    and acting as a Bounded Context
    https://www.solo.io/blog/challenges-of-adopting-service-mesh-in-enterprise-organizations/

  44. [image-only slide]

  45. Demo time

  46. [image-only slide]

  47. Securing North-South

  48. Securing North-South
    #1 Micro gateway vs Enterprise Gateway
    #2 OpenID Connect for external clients (end-users)
    #3 Handle abusive traffic with rate limiting
    #4 API Products
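Item #3 above, rate limiting at the north-south edge, as an added Go example (not code from the talk or from any gateway product): a per-client token bucket wrapped as HTTP middleware, the kind of check a micro gateway runs before a request reaches a backend. The `X-API-Key` header used as the client key, the rates and the listen address are assumptions; the clock is injectable so the refill logic can be exercised without sleeping.

```go
package main

import (
	"log"
	"math"
	"net"
	"net/http"
	"strconv"
	"sync"
	"time"
)

// bucket holds a client's remaining tokens and when it was last refilled.
type bucket struct {
	tokens float64
	last   time.Time
}

// limiter is a per-client token bucket: each client starts with `burst` tokens
// and earns `rate` new tokens per second; every request costs one token.
type limiter struct {
	mu      sync.Mutex
	rate    float64
	burst   float64
	buckets map[string]*bucket
	now     func() time.Time // injectable clock (assumption for testability); time.Now in production
}

func newLimiter(rate, burst float64) *limiter {
	return &limiter{rate: rate, burst: burst, buckets: map[string]*bucket{}, now: time.Now}
}

// allow reports whether key may proceed now and, if not, how long until its next token.
func (l *limiter) allow(key string) (bool, time.Duration) {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: l.burst, last: now}
		l.buckets[key] = b
	}
	// Lazy refill: credit the tokens earned since the last visit, capped at burst.
	b.tokens = math.Min(l.burst, b.tokens+now.Sub(b.last).Seconds()*l.rate)
	b.last = now
	if b.tokens >= 1 {
		b.tokens--
		return true, 0
	}
	return false, time.Duration((1 - b.tokens) / l.rate * float64(time.Second))
}

// clientKey decides what a bucket is keyed on. An authenticated identity (here a
// constructed X-API-Key header) beats the source address, which is shared behind
// NAT and, via X-Forwarded-For, forgeable unless a trusted proxy sets it.
func clientKey(r *http.Request) string {
	if k := r.Header.Get("X-API-Key"); k != "" {
		return "key:" + k
	}
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return "ip:" + host
	}
	return "ip:" + r.RemoteAddr
}

// middleware answers 429 with a Retry-After hint instead of forwarding the request upstream.
func (l *limiter) middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, wait := l.allow(clientKey(r))
		if !ok {
			w.Header().Set("Retry-After", strconv.Itoa(int(math.Ceil(wait.Seconds()))))
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// 2 requests/second sustained with bursts of 5, in front of a trivial upstream (assumed values).
	l := newLimiter(2, 5)
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok\n")) })
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", l.middleware(upstream)))
}
```

The map of buckets grows with the number of distinct keys; a real gateway evicts idle buckets or keeps the counters in a shared store so that several gateway replicas enforce one limit.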

  49. [image-only slide]

  50. Demo time

  51. [image-only slide]

  52. [image-only slide]

  53. Thanks!
    Any questions?
    You can find us at
    claudioed claudioed
    luramarchanjo luram_archanjo

  54. API First - Step Forward
    (diagram: Frontend Team, Backend Team, Mock, Backend, Frontend)

  55. Authentication | Authorization | ???
    Authentication: confirms users are who they say they are
    Authorization: gives users permission to access a resource
    ???: ???

  56. What is a PEP?
    The Policy Enforcement Point (PEP) is
    the piece of network or security
    equipment that controls user access
    and enforces the authorization
    decision made by the Policy Decision
    Point (PDP).

  57. https://www.manning.com/books/microservices-security-in-action

  58. Infrastructure Security

  59. How mTLS works in Istio / Envoy
    1. A service account token is assigned to the Istio proxy
    2. The pilot agent sends the token and a CSR to istiod
    3. istiod validates the Kubernetes token
    4. istiod signs the certificate and returns it to the pilot agent
    5. The pilot agent serves it to Envoy via SDS to configure it
    https://www.manning.com/books/istio-in-action
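The hello-mtls example on slide 31 shows two services talking over mutual TLS, and the five steps on this slide are how Istio issues the certificates behind that. The following Go program is an added example, not code from smallstep, Istio or the talk, and does both ends in one process: a stand-in CA that checks a token before signing a CSR (steps 2 to 4), and two peers that only talk when both present CA-issued certificates. The token-to-service-account map (in place of a Kubernetes TokenReview), the `demo.local` trust domain and the loopback IP SAN are assumptions made to keep it self-contained; a real mesh certificate carries only the SPIFFE URI SAN and Envoy matches on that.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// meshCA stands in for istiod's CA: signing key, the trust bundle every sidecar gets, and the token check.
type meshCA struct {
	cert   *x509.Certificate
	key    *ecdsa.PrivateKey
	roots  *x509.CertPool
	tokens map[string]string // constructed stand-in for the k8s TokenReview call: token -> service account
}

func newMeshCA() *meshCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-mesh-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	tokens := map[string]string{"sa-token-frontend": "frontend", "sa-token-backend": "backend"}
	return &meshCA{cert: cert, key: key, roots: roots, tokens: tokens}
}

// sign rejects unknown tokens (step 3), then issues a short-lived certificate whose SPIFFE
// URI SAN is derived from the token's service account, never from what the CSR asks for (step 4).
func (c *meshCA) sign(token string, csrDER []byte) (*x509.Certificate, error) {
	sa, ok := c.tokens[token]
	if !ok {
		return nil, fmt.Errorf("service account token rejected")
	}
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		return nil, err // proof of possession of the private key
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: sa},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:        []*url.URL{{Scheme: "spiffe", Host: "demo.local", Path: "/ns/default/sa/" + sa}},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}} // demo only, so the client can verify the loopback address
	return x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, c.cert, csr.PublicKey, c.key)))
}

// enroll is the pilot-agent side: generate a key, send token + CSR, keep the result for Envoy's SDS (steps 1, 2, 5).
func enroll(ca *meshCA, token string) (tls.Certificate, error) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, key))
	cert, err := ca.sign(token, csrDER)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}, nil
}

// serveMTLS is the inbound sidecar: a peer must present a certificate chained to the mesh CA.
func serveMTLS(ca *meshCA, id tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// r.TLS.PeerCertificates is only populated once the client certificate verified against ClientCAs
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].URIs[0])
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{id}, ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs: ca.roots, MinVersion: tls.VersionTLS13}
	srv.StartTLS()
	return srv
}

// call is the outbound sidecar: it presents its own certificate (if any) and trusts only the mesh CA.
func call(addr string, ca *meshCA, certs ...tls.Certificate) (string, error) {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: ca.roots, Certificates: certs, MinVersion: tls.VersionTLS13}}
	resp, err := (&http.Client{Transport: tr}).Get(addr) // with no certificate this fails: "tls: certificate required"
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}
```

Two details carry the security argument. The CA never copies identity out of the CSR: the SPIFFE ID comes from the validated token, so a workload cannot request a certificate for a service account it does not hold. And the server side sets `ClientAuth: RequireAndVerifyClientCert` with `ClientCAs` limited to the mesh root, so a caller with no certificate, or one signed by any other CA, is cut off at the handshake and never reaches the handler.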
