Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security Field Day 5 - Zero Trust Security with HashiCorp

Rosemary Wang
March 25, 2021
Technology
0
290

Security Field Day 5 - Zero Trust Security with HashiCorp

For our Security Field Day presentation, we’ll be focused on our secure offerings. In today’s presentation we'll take a guided tour of how service mesh, identity-based access management, and secrets management can help implement Zero Trust without increasing development friction. By combining HashiCorp Boundary, Consul, and Vault, we'll evaluate how these new workflows affect the development process, and how we've secured the architecture.

Rosemary Wang

March 25, 2021
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Can You Test Your Infrastructure as Code?
joatmon08
1
11
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
13
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
9
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
13
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
24
Building a Developer Platform? Ask these questions.
joatmon08
0
10
From Cloud-Hosted to Cloud-Native
joatmon08
0
44
Refactoring Applications for Dynamic Secrets
joatmon08
1
29
Catching Commits to Secure Infrastructure as Code
joatmon08
1
39

Other Decks in Technology

See All in Technology
エンジニア候補者向け資料2024.04.24.pdf
macloud
0
3.3k
MapLibreとAmazon Location Service
dayjournal
1
160
TechFeed Experts Night#27 〜 フロントエンドフレームワーク最前線 (Svelte)
baseballyama
1
520
Janus
bkuhlmann
1
490
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
360
MySQL の SQL クエリチューニングの要所を掴む勉強会
andpad
3
6.4k
Google Cloud Next '24 Recap(Cloud Run/k8s)
mokocm
0
230
開発パフォーマンスを最大化するための開発体制
ham0215
2
420
VSCodeの拡張機能を作っている話
ebarakazuhiro
1
410
web-application-security
matsuihidetoshi
0
170
DevOpsメトリクスとアウトカムの接続にトライ!開発プロセスを通して計測できるメトリクスの活用方法
ham0215
2
240
Postman v10リリース後を振り返る / Looking back at Postman v10 after release
yokawasa
1
160

Featured

See All Featured
Optimising Largest Contentful Paint
csswizardry
8
2.4k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
A Philosophy of Restraint
colly
197
16k
Become a Pro
speakerdeck
PRO
11
4.5k
Designing for humans not robots
tammielis
248
25k
The Cost Of JavaScript in 2023
addyosmani
16
3.9k
Code Reviewing Like a Champion
maltzj
514
39k
Practical Orchestrator
shlominoach
182
9.7k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k
Testing 201, or: Great Expectations
jmmastey
28
6.4k
Documentation Writing (for coders)
carmenintech
60
3.9k
Docker and Python
trallard
34
2.7k

Transcript

  1. © 2018 HashiCorp Zero Trust Security with HashiCorp 1

  2. EKS (KUBERNETES) MY VPC 10.0.0.0/16 HASHICORP VIRTUAL NETWORK 172.25.16.0/20 PEERING

    CONNECTION VAULT SERVER CONSUL SERVER PUBLIC SUBNETS BOUNDARY CONTROLLER PRIVATE SUBNETS EKS (KUBERNETES) BOUNDARY WORKER VAULT AGENT PRODUCTS DATABASE (POSTGRESQL) CONSUL AGENT CONSUL AGENT CONSUL AGENT BOUNDARY DATABASE (POSTGRESQL) PRODUCT API PUBLIC API FRONTEND API CONSUL TERMINATING GATEWAY ENGINEER PSQL SSH AUTHENTICATE TO BOUNDARY TCP :80 github.com/joatmon08/hashicorp-stack-demoapp @joatmon08 / 2

  3. IDENTITY-DRIVEN CONTROLS Machine Authentication & Authorization Machine-to- Machine Access Human-to-

    Machine Access Human Authentication & Authorization @joatmon08 / 3

  4. PRODUCTS DATABASE (POSTGRESQL) PRODUCT API PUBLIC API FRONTEND API Our

    Application PRODUCT NEEDS DATABASE CREDENTIALS @joatmon08 / 4

  5. Two Steps Generate new secrets (Secrets Engines) Database (PostgreSQL) Authenticate

    to Vault (Auth Methods) Kubernetes @joatmon08 / 5

  6. EKS (KUBERNETES) MY VPC 10.0.0.0/16 HASHICORP VIRTUAL NETWORK 172.25.16.0/20 PEERING

    CONNECTION VAULT SERVER PRIVATE SUBNETS EKS (KUBERNETES) VAULT AGENT PRODUCTS DATABASE (POSTGRESQL) PRODUCT API PUBLIC API FRONTEND API 4. CREATE FILE WITH DATABASE USERNAME AND PASSWORD 1. AUTHENTICATE TO VAULT 3. RETURN DATABASE USERNAME AND PASSWORD 2. CREATE DATABASE USERNAME AND PASSWORD @joatmon08 / 6

  7. Two Steps Generate new secrets (Secrets Engines) Transit, GCP, AWS,

    Azure, PKI (Certificates), etc. Authenticate to Vault (Auth Methods) OIDC/JWT, LDAP, Okta, GitHub, etc. vaultproject.io/docs/auth vaultproject.io/docs/secrets @joatmon08 / 7

  8. Machine Authentication & Authorization Machine-to- Machine Access Human-to- Machine Access

    Human Authentication & Authorization IDENTITY-DRIVEN CONTROLS @joatmon08 / 8

  9. PRODUCTS DATABASE (POSTGRESQL) PRODUCT API PUBLIC API FRONTEND API Our

    Application ONLY PRODUCT CAN ACCESS DATABASE ONLY PUBLIC CAN ACCESS PRODUCT AT /COFFEES @joatmon08 / 9

  10. Authorization by Service Identity mTLS BETWEEN PROXIES NETWORK POLICY THROUGH

    L4 & L7 (INTENTIONS) consul.io/docs/connect @joatmon08 / 10

  11. EKS (KUBERNETES) MY VPC 10.0.0.0/16 HASHICORP VIRTUAL NETWORK 172.25.16.0/20 PEERING

    CONNECTION CONSUL SERVER PRIVATE SUBNETS EKS (KUBERNETES) PRODUCTS DATABASE (POSTGRESQL) CONSUL AGENT CONSUL AGENT CONSUL AGENT PRODUCT API PUBLIC API FRONTEND API 1. SERVICE REGISTERS TO CONSUL. 2. AGENT REPORTS SERVICE TO SERVER. @joatmon08 / 11

  12. Stretching Mesh Security Ingress Gateway (into the mesh) Terminating Gateway

    (out of the mesh) Mesh Gateway (between meshes) consul.io/docs/connect/gateways @joatmon08 / 12

  13. EKS (KUBERNETES) MY VPC 10.0.0.0/16 HASHICORP VIRTUAL NETWORK 172.25.16.0/20 PEERING

    CONNECTION CONSUL SERVER PRIVATE SUBNETS EKS (KUBERNETES) PRODUCTS DATABASE (POSTGRESQL) CONSUL AGENT CONSUL AGENT CONSUL AGENT PRODUCT API PUBLIC API FRONTEND API 1. REGISTER DATABASE AS EXTERNAL SERVICE. 2. LINK DATABASE SERVICE TO TERMINATING GATEWAY. CONSUL TERMINATING GATEWAY @joatmon08 / 13

  14. Machine Authentication & Authorization Machine-to- Machine Access Human-to- Machine Access

    Human Authentication & Authorization IDENTITY-DRIVEN CONTROLS @joatmon08 / 14

  15. PRODUCTS DATABASE (POSTGRESQL) PRODUCT API PUBLIC API FRONTEND API Our

    Application PRODUCT TEAM NEEDS TO ACCESS DATABASE TO LOAD DATA. PRODUCT TEAM NEEDS TO ACCESS FRONTEND FOR TESTING. *OPERATIONS TEAM NEEDS SSH AND DATABASE ACCESS. @joatmon08 / 15

  16. EKS (KUBERNETES) MY VPC 10.0.0.0/16 PUBLIC SUBNETS BOUNDARY CONTROLLER PRIVATE

    SUBNETS EKS (KUBERNETES) BOUNDARY WORKER PRODUCTS DATABASE (POSTGRESQL) BOUNDARY DATABASE (POSTGRESQL) PRODUCT API PUBLIC API FRONTEND API OPERATIONS TEAM ENGINEER AUTHENTICATE TO BOUNDARY PSQL (5432) SSH (:22) TO EKS NODES @joatmon08 / 16

  17. EKS (KUBERNETES) MY VPC 10.0.0.0/16 PUBLIC SUBNETS BOUNDARY CONTROLLER PRIVATE

    SUBNETS EKS (KUBERNETES) BOUNDARY WORKER PRODUCTS DATABASE (POSTGRESQL) BOUNDARY DATABASE (POSTGRESQL) PRODUCT API PUBLIC API FRONTEND API PRODUCT TEAM DEVELOPER AUTHENTICATE TO BOUNDARY PSQL (:5432) TCP (:80) @joatmon08 / 17

  18. @joatmon08 / 18 Identity Access Management ORGANIZATION CORE_INFRA PROJECT PRODUCTS_INFRA

    PROJECT OPERATIONS TEAM GROUP PRODUCTS TEAM GROUP ROSEMARY ROB EKS NODES (EC2 INSTANCES) TARGET TCP:22 PRODUCTS DATABASE (POSTGRESQL) TARGET TCP:5432 FRONTEND TARGET TCP :80 LEADERSHIP TEAM GROUP MELISSA READ-ONLY FOR ORGANIZATION boundaryproject.io/docs/concepts/domain-model

  19. EKS (KUBERNETES) MY VPC 10.0.0.0/16 HASHICORP VIRTUAL NETWORK 172.25.16.0/20 PEERING

    CONNECTION VAULT SERVER CONSUL SERVER PUBLIC SUBNETS BOUNDARY CONTROLLER PRIVATE SUBNETS EKS (KUBERNETES) BOUNDARY WORKER VAULT AGENT PRODUCTS DATABASE (POSTGRESQL) CONSUL AGENT CONSUL AGENT CONSUL AGENT BOUNDARY DATABASE (POSTGRESQL) PRODUCT API PUBLIC API FRONTEND API CONSUL TERMINATING GATEWAY ENGINEER PSQL SSH AUTHENTICATE TO BOUNDARY TCP :80 github.com/joatmon08/hashicorp-stack-demoapp @joatmon08 / 19

  20. IDENTITY-DRIVEN CONTROLS SSO Machine Authentication & Authorization Machine-to- Machine Access

    Human-to- Machine Access Human Authentication & Authorization @joatmon08 / 20