Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security Field Day 5 - Zero Trust Security with...

Rosemary Wang
March 25, 2021
Technology
0
310

Security Field Day 5 - Zero Trust Security with HashiCorp

For our Security Field Day presentation, we’ll be focused on our secure offerings. In today’s presentation we'll take a guided tour of how service mesh, identity-based access management, and secrets management can help implement Zero Trust without increasing development friction. By combining HashiCorp Boundary, Consul, and Vault, we'll evaluate how these new workflows affect the development process, and how we've secured the architecture.

Rosemary Wang

March 25, 2021
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Secure Day 2 operations with Boundary and Vault
joatmon08
0
15
Can You Test Your Infrastructure as Code?
joatmon08
1
51
Multi-Account, Multi-Region, Multi-Runtime
joatmon08
1
21
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
26
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
31
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
40
Building a Developer Platform? Ask these questions.
joatmon08
0
27
From Cloud-Hosted to Cloud-Native
joatmon08
0
53
Refactoring Applications for Dynamic Secrets
joatmon08
1
37

Other Decks in Technology

See All in Technology
Why does continuous profiling matter to developers? #appdevelopercon
salaboy
0
180
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.6k
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
0
980
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
5
540
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
300
[FOSS4G 2024 Japan LT] LLMを使ってGISデータ解析を自動化したい!
nssv
1
210
信頼性に挑む中で拡張できる・得られる1人のスキルセットとは?
ken5scal
2
520
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
190
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
860
Amazon CloudWatch Network Monitor のススメ
yuki_ink
1
200
20241120_JAWS_東京_ランチタイムLT#17_AWS認定全冠の先へ
tsumita
2
220
OCI Vault 概要
oracle4engineer
PRO
0
9.7k

Featured

See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.3k
Adopting Sorbet at Scale
ufuk
73
9.1k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Code Reviewing Like a Champion
maltzj
520
39k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Rails Girls Zürich Keynote
gr2m
94
13k
Raft: Consensus for Rubyists
vanstee
136
6.6k
Producing Creativity
orderedlist
PRO
341
39k
The World Runs on Bad Software
bkeepers
PRO
65
11k
Why Our Code Smells
bkeepers
PRO
334
57k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k

Transcript

  1. © 2018 HashiCorp Zero Trust Security with HashiCorp 1

  2. EKS (KUBERNETES) MY VPC 10.0.0.0/16 HASHICORP VIRTUAL NETWORK 172.25.16.0/20 PEERING

    CONNECTION VAULT SERVER CONSUL SERVER PUBLIC SUBNETS BOUNDARY CONTROLLER PRIVATE SUBNETS EKS (KUBERNETES) BOUNDARY WORKER VAULT AGENT PRODUCTS DATABASE (POSTGRESQL) CONSUL AGENT CONSUL AGENT CONSUL AGENT BOUNDARY DATABASE (POSTGRESQL) PRODUCT API PUBLIC API FRONTEND API CONSUL TERMINATING GATEWAY ENGINEER PSQL SSH AUTHENTICATE TO BOUNDARY TCP :80 github.com/joatmon08/hashicorp-stack-demoapp @joatmon08 / 2

  3. IDENTITY-DRIVEN CONTROLS Machine Authentication & Authorization Machine-to- Machine Access Human-to-

    Machine Access Human Authentication & Authorization @joatmon08 / 3

  4. PRODUCTS DATABASE (POSTGRESQL) PRODUCT API PUBLIC API FRONTEND API Our

    Application PRODUCT NEEDS DATABASE CREDENTIALS @joatmon08 / 4

  5. Two Steps Generate new secrets (Secrets Engines) Database (PostgreSQL) Authenticate

    to Vault (Auth Methods) Kubernetes @joatmon08 / 5

  6. EKS (KUBERNETES) MY VPC 10.0.0.0/16 HASHICORP VIRTUAL NETWORK 172.25.16.0/20 PEERING

    CONNECTION VAULT SERVER PRIVATE SUBNETS EKS (KUBERNETES) VAULT AGENT PRODUCTS DATABASE (POSTGRESQL) PRODUCT API PUBLIC API FRONTEND API 4. CREATE FILE WITH DATABASE USERNAME AND PASSWORD 1. AUTHENTICATE TO VAULT 3. RETURN DATABASE USERNAME AND PASSWORD 2. CREATE DATABASE USERNAME AND PASSWORD @joatmon08 / 6

  7. Two Steps Generate new secrets (Secrets Engines) Transit, GCP, AWS,

    Azure, PKI (Certificates), etc. Authenticate to Vault (Auth Methods) OIDC/JWT, LDAP, Okta, GitHub, etc. vaultproject.io/docs/auth vaultproject.io/docs/secrets @joatmon08 / 7

  8. Machine Authentication & Authorization Machine-to- Machine Access Human-to- Machine Access

    Human Authentication & Authorization IDENTITY-DRIVEN CONTROLS @joatmon08 / 8

  9. PRODUCTS DATABASE (POSTGRESQL) PRODUCT API PUBLIC API FRONTEND API Our

    Application ONLY PRODUCT CAN ACCESS DATABASE ONLY PUBLIC CAN ACCESS PRODUCT AT /COFFEES @joatmon08 / 9

  10. Authorization by Service Identity mTLS BETWEEN PROXIES NETWORK POLICY THROUGH

    L4 & L7 (INTENTIONS) consul.io/docs/connect @joatmon08 / 10

  11. EKS (KUBERNETES) MY VPC 10.0.0.0/16 HASHICORP VIRTUAL NETWORK 172.25.16.0/20 PEERING

    CONNECTION CONSUL SERVER PRIVATE SUBNETS EKS (KUBERNETES) PRODUCTS DATABASE (POSTGRESQL) CONSUL AGENT CONSUL AGENT CONSUL AGENT PRODUCT API PUBLIC API FRONTEND API 1. SERVICE REGISTERS TO CONSUL. 2. AGENT REPORTS SERVICE TO SERVER. @joatmon08 / 11

  12. Stretching Mesh Security Ingress Gateway (into the mesh) Terminating Gateway

    (out of the mesh) Mesh Gateway (between meshes) consul.io/docs/connect/gateways @joatmon08 / 12

  13. EKS (KUBERNETES) MY VPC 10.0.0.0/16 HASHICORP VIRTUAL NETWORK 172.25.16.0/20 PEERING

    CONNECTION CONSUL SERVER PRIVATE SUBNETS EKS (KUBERNETES) PRODUCTS DATABASE (POSTGRESQL) CONSUL AGENT CONSUL AGENT CONSUL AGENT PRODUCT API PUBLIC API FRONTEND API 1. REGISTER DATABASE AS EXTERNAL SERVICE. 2. LINK DATABASE SERVICE TO TERMINATING GATEWAY. CONSUL TERMINATING GATEWAY @joatmon08 / 13

  14. Machine Authentication & Authorization Machine-to- Machine Access Human-to- Machine Access

    Human Authentication & Authorization IDENTITY-DRIVEN CONTROLS @joatmon08 / 14

  15. PRODUCTS DATABASE (POSTGRESQL) PRODUCT API PUBLIC API FRONTEND API Our

    Application PRODUCT TEAM NEEDS TO ACCESS DATABASE TO LOAD DATA. PRODUCT TEAM NEEDS TO ACCESS FRONTEND FOR TESTING. *OPERATIONS TEAM NEEDS SSH AND DATABASE ACCESS. @joatmon08 / 15

  16. EKS (KUBERNETES) MY VPC 10.0.0.0/16 PUBLIC SUBNETS BOUNDARY CONTROLLER PRIVATE

    SUBNETS EKS (KUBERNETES) BOUNDARY WORKER PRODUCTS DATABASE (POSTGRESQL) BOUNDARY DATABASE (POSTGRESQL) PRODUCT API PUBLIC API FRONTEND API OPERATIONS TEAM ENGINEER AUTHENTICATE TO BOUNDARY PSQL (5432) SSH (:22) TO EKS NODES @joatmon08 / 16

  17. EKS (KUBERNETES) MY VPC 10.0.0.0/16 PUBLIC SUBNETS BOUNDARY CONTROLLER PRIVATE

    SUBNETS EKS (KUBERNETES) BOUNDARY WORKER PRODUCTS DATABASE (POSTGRESQL) BOUNDARY DATABASE (POSTGRESQL) PRODUCT API PUBLIC API FRONTEND API PRODUCT TEAM DEVELOPER AUTHENTICATE TO BOUNDARY PSQL (:5432) TCP (:80) @joatmon08 / 17

  18. @joatmon08 / 18 Identity Access Management ORGANIZATION CORE_INFRA PROJECT PRODUCTS_INFRA

    PROJECT OPERATIONS TEAM GROUP PRODUCTS TEAM GROUP ROSEMARY ROB EKS NODES (EC2 INSTANCES) TARGET TCP:22 PRODUCTS DATABASE (POSTGRESQL) TARGET TCP:5432 FRONTEND TARGET TCP :80 LEADERSHIP TEAM GROUP MELISSA READ-ONLY FOR ORGANIZATION boundaryproject.io/docs/concepts/domain-model

  19. EKS (KUBERNETES) MY VPC 10.0.0.0/16 HASHICORP VIRTUAL NETWORK 172.25.16.0/20 PEERING

    CONNECTION VAULT SERVER CONSUL SERVER PUBLIC SUBNETS BOUNDARY CONTROLLER PRIVATE SUBNETS EKS (KUBERNETES) BOUNDARY WORKER VAULT AGENT PRODUCTS DATABASE (POSTGRESQL) CONSUL AGENT CONSUL AGENT CONSUL AGENT BOUNDARY DATABASE (POSTGRESQL) PRODUCT API PUBLIC API FRONTEND API CONSUL TERMINATING GATEWAY ENGINEER PSQL SSH AUTHENTICATE TO BOUNDARY TCP :80 github.com/joatmon08/hashicorp-stack-demoapp @joatmon08 / 19

  20. IDENTITY-DRIVEN CONTROLS SSO Machine Authentication & Authorization Machine-to- Machine Access

    Human-to- Machine Access Human Authentication & Authorization @joatmon08 / 20