Protecting your data with a Service Mesh

Transcript

1. Tetrate
   The service mesh company
   

   View Slide

2. A
   B
   Traditional access control for databases is provided by
   network reachability and DB credentials
   C
   

   View Slide

3. A
   B
   C
   If an attacker breaks into the system and gains access to
   the network, the data is compromised
   

   View Slide

4. A
   B
   C
   A service mesh provides proper Identity primitives to
   enforce runtime authentication
   Envoy
   Envoy
   Envoy
   Envoy
   

   View Slide

5. A
   B
   C
   It also provides authorization primitives
   to be enforced at runtime
   PEP
   PEP
   PEP
   PEP
   

   View Slide

6. A
   B
   C
   Access decisions can be made based on proper
   identity and high level concepts
   Envoy
   Envoy
   Envoy
   Envoy
   

   View Slide

7. EXAMPLE
   Unauthorized access
   

   View Slide

8. A
   B
   C
   NGAC provides a context-ful
   authorization framework
   Envoy
   Envoy
   Envoy
   Envoy
   NGAC / NDAC
   P
   D
   P
   

   View Slide

9. A
   B
   C
   L7 policies can be enforced, because the proxies
   understand L7 protocols
   Envoy
   Envoy
   Envoy
   Envoy
   NGAC / NDAC
   P
   D
   P
   

   View Slide

10. EXAMPLE
    L7 policy enforcement
    

    View Slide

11. A
    B
    C
    L7 policies can be enforced, because the proxies
    understand L7 protocols
    Envoy
    Envoy
    Envoy
    Envoy
    NGAC / NDAC
    P
    D
    P
    

    View Slide

12. A
    B
    C
    This context-ful framework can be used to enforce
    complex and dynamic policies that are environment-dependent
    Envoy
    Envoy
    Envoy
    Envoy
    NGAC / NDAC
    us-east1
    eu-west2
    P
    D
    P
    

    View Slide

13. EXAMPLE
    Policy combination:
    RBAC + Location + Time
    

    View Slide

14. Thanks
    

    View Slide