Security Field Day 5 - Zero Trust Security with HashiCorp

For our Security Field Day presentation, we'll focus on our security offerings. In today's presentation we'll take a guided tour of how service mesh, identity-based access management, and secrets management can help implement Zero Trust without increasing development friction. By combining HashiCorp Boundary, Consul, and Vault, we'll evaluate how these new workflows affect the development process, and how we've secured the architecture.

Rosemary Wang

March 25, 2021

Transcript

  1. © 2018 HashiCorp. Zero Trust Security with HashiCorp

  2. Architecture diagram labels: EKS (KUBERNETES); MY VPC 10.0.0.0/16; HASHICORP VIRTUAL NETWORK 172.25.16.0/20; PEERING CONNECTION; VAULT SERVER; CONSUL SERVER; PUBLIC SUBNETS; BOUNDARY CONTROLLER; PRIVATE SUBNETS; EKS (KUBERNETES); BOUNDARY WORKER; VAULT AGENT; PRODUCTS DATABASE (POSTGRESQL); CONSUL AGENT (x3); BOUNDARY DATABASE (POSTGRESQL); PRODUCT API; PUBLIC API; FRONTEND API; CONSUL TERMINATING GATEWAY; ENGINEER; PSQL; SSH; AUTHENTICATE TO BOUNDARY; TCP :80. github.com/joatmon08/hashicorp-stack-demoapp @joatmon08 / 2
  3. IDENTITY-DRIVEN CONTROLS: Machine Authentication & Authorization; Machine-to-Machine Access; Human-to-Machine Access; Human Authentication & Authorization
  4. Our Application: PRODUCTS DATABASE (POSTGRESQL); PRODUCT API; PUBLIC API; FRONTEND API. PRODUCT NEEDS DATABASE CREDENTIALS.
  5. Two Steps: Generate new secrets (Secrets Engines): Database (PostgreSQL); Authenticate to Vault (Auth Methods): Kubernetes
  6. Architecture diagram labels: EKS (KUBERNETES); MY VPC 10.0.0.0/16; HASHICORP VIRTUAL NETWORK 172.25.16.0/20; PEERING CONNECTION; VAULT SERVER; PRIVATE SUBNETS; EKS (KUBERNETES); VAULT AGENT; PRODUCTS DATABASE (POSTGRESQL); PRODUCT API; PUBLIC API; FRONTEND API. Steps: 1. AUTHENTICATE TO VAULT; 2. CREATE DATABASE USERNAME AND PASSWORD; 3. RETURN DATABASE USERNAME AND PASSWORD; 4. CREATE FILE WITH DATABASE USERNAME AND PASSWORD
  7. Two Steps: Generate new secrets (Secrets Engines): Transit, GCP, AWS, Azure, PKI (Certificates), etc. (vaultproject.io/docs/secrets); Authenticate to Vault (Auth Methods): OIDC/JWT, LDAP, Okta, GitHub, etc. (vaultproject.io/docs/auth)
  8. IDENTITY-DRIVEN CONTROLS: Machine Authentication & Authorization; Machine-to-Machine Access; Human-to-Machine Access; Human Authentication & Authorization
  9. Our Application: PRODUCTS DATABASE (POSTGRESQL); PRODUCT API; PUBLIC API; FRONTEND API. ONLY PRODUCT CAN ACCESS DATABASE. ONLY PUBLIC CAN ACCESS PRODUCT AT /COFFEES.
  10. Authorization by Service Identity: mTLS BETWEEN PROXIES; NETWORK POLICY THROUGH L4 & L7 (INTENTIONS). consul.io/docs/connect
  11. Architecture diagram labels: EKS (KUBERNETES); MY VPC 10.0.0.0/16; HASHICORP VIRTUAL NETWORK 172.25.16.0/20; PEERING CONNECTION; CONSUL SERVER; PRIVATE SUBNETS; EKS (KUBERNETES); PRODUCTS DATABASE (POSTGRESQL); CONSUL AGENT (x3); PRODUCT API; PUBLIC API; FRONTEND API. Steps: 1. SERVICE REGISTERS TO CONSUL. 2. AGENT REPORTS SERVICE TO SERVER.
  12. Stretching Mesh Security: Ingress Gateway (into the mesh); Terminating Gateway (out of the mesh); Mesh Gateway (between meshes). consul.io/docs/connect/gateways
  13. Architecture diagram labels: EKS (KUBERNETES); MY VPC 10.0.0.0/16; HASHICORP VIRTUAL NETWORK 172.25.16.0/20; PEERING CONNECTION; CONSUL SERVER; PRIVATE SUBNETS; EKS (KUBERNETES); PRODUCTS DATABASE (POSTGRESQL); CONSUL AGENT (x3); PRODUCT API; PUBLIC API; FRONTEND API; CONSUL TERMINATING GATEWAY. Steps: 1. REGISTER DATABASE AS EXTERNAL SERVICE. 2. LINK DATABASE SERVICE TO TERMINATING GATEWAY.
  14. IDENTITY-DRIVEN CONTROLS: Machine Authentication & Authorization; Machine-to-Machine Access; Human-to-Machine Access; Human Authentication & Authorization
  15. Our Application: PRODUCTS DATABASE (POSTGRESQL); PRODUCT API; PUBLIC API; FRONTEND API. PRODUCT TEAM NEEDS TO ACCESS DATABASE TO LOAD DATA. PRODUCT TEAM NEEDS TO ACCESS FRONTEND FOR TESTING. *OPERATIONS TEAM NEEDS SSH AND DATABASE ACCESS.
  16. Architecture diagram labels: EKS (KUBERNETES); MY VPC 10.0.0.0/16; PUBLIC SUBNETS; BOUNDARY CONTROLLER; PRIVATE SUBNETS; EKS (KUBERNETES); BOUNDARY WORKER; PRODUCTS DATABASE (POSTGRESQL); BOUNDARY DATABASE (POSTGRESQL); PRODUCT API; PUBLIC API; FRONTEND API; OPERATIONS TEAM ENGINEER; AUTHENTICATE TO BOUNDARY; PSQL (5432); SSH (:22) TO EKS NODES
  17. Architecture diagram labels: EKS (KUBERNETES); MY VPC 10.0.0.0/16; PUBLIC SUBNETS; BOUNDARY CONTROLLER; PRIVATE SUBNETS; EKS (KUBERNETES); BOUNDARY WORKER; PRODUCTS DATABASE (POSTGRESQL); BOUNDARY DATABASE (POSTGRESQL); PRODUCT API; PUBLIC API; FRONTEND API; PRODUCT TEAM DEVELOPER; AUTHENTICATE TO BOUNDARY; PSQL (:5432); TCP (:80)
  18. Identity Access Management diagram labels: ORGANIZATION; CORE_INFRA PROJECT; PRODUCTS_INFRA PROJECT; OPERATIONS TEAM GROUP; PRODUCTS TEAM GROUP; ROSEMARY; ROB; EKS NODES (EC2 INSTANCES) TARGET TCP:22; PRODUCTS DATABASE (POSTGRESQL) TARGET TCP:5432; FRONTEND TARGET TCP :80; LEADERSHIP TEAM GROUP; MELISSA; READ-ONLY FOR ORGANIZATION. boundaryproject.io/docs/concepts/domain-model
  19. Architecture diagram labels: EKS (KUBERNETES); MY VPC 10.0.0.0/16; HASHICORP VIRTUAL NETWORK 172.25.16.0/20; PEERING CONNECTION; VAULT SERVER; CONSUL SERVER; PUBLIC SUBNETS; BOUNDARY CONTROLLER; PRIVATE SUBNETS; EKS (KUBERNETES); BOUNDARY WORKER; VAULT AGENT; PRODUCTS DATABASE (POSTGRESQL); CONSUL AGENT (x3); BOUNDARY DATABASE (POSTGRESQL); PRODUCT API; PUBLIC API; FRONTEND API; CONSUL TERMINATING GATEWAY; ENGINEER; PSQL; SSH; AUTHENTICATE TO BOUNDARY; TCP :80. github.com/joatmon08/hashicorp-stack-demoapp
  20. IDENTITY-DRIVEN CONTROLS: SSO; Machine Authentication & Authorization; Machine-to-Machine Access; Human-to-Machine Access; Human Authentication & Authorization