Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Protecting your data with a Service Mesh

Protecting your data with a Service Mesh

In this talk, we will see a practical demo on how you can use a Service Mesh and its Identity and Authorization primitives to secure access to your data.

Ignasi Barrera

January 23, 2020
Tweet

More Decks by Ignasi Barrera

Other Decks in Research

Transcript

  1. Tetrate
    The service mesh company

    View full-size slide

  2. A
    B
    Traditional access control for databases is provided by
    network reachability and DB credentials
    C

    View full-size slide

  3. A
    B
    C
    If an attacker breaks into the system and gains access to
    the network, the data is compromised

    View full-size slide

  4. A
    B
    C
    A service mesh provides proper Identity primitives to
    enforce runtime authentication
    Envoy
    Envoy
    Envoy
    Envoy

    View full-size slide

  5. A
    B
    C
    It also provides authorization primitives
    to be enforced at runtime
    PEP
    PEP
    PEP
    PEP

    View full-size slide

  6. A
    B
    C
    Access decisions can be made based on proper
    identity and high level concepts
    Envoy
    Envoy
    Envoy
    Envoy

    View full-size slide

  7. EXAMPLE
    Unauthorized access

    View full-size slide

  8. A
    B
    C
    NGAC provides a context-ful
    authorization framework
    Envoy
    Envoy
    Envoy
    Envoy
    NGAC / NDAC
    P
    D
    P

    View full-size slide

  9. A
    B
    C
    L7 policies can be enforced, because the proxies
    understand L7 protocols
    Envoy
    Envoy
    Envoy
    Envoy
    NGAC / NDAC
    P
    D
    P

    View full-size slide

  10. EXAMPLE
    L7 policy enforcement

    View full-size slide

  11. A
    B
    C
    L7 policies can be enforced, because the proxies
    understand L7 protocols
    Envoy
    Envoy
    Envoy
    Envoy
    NGAC / NDAC
    P
    D
    P

    View full-size slide

  12. A
    B
    C
    This context-ful framework can be used to enforce
    complex and dynamic policies that are environment-dependent
    Envoy
    Envoy
    Envoy
    Envoy
    NGAC / NDAC
    us-east1
    eu-west2
    P
    D
    P

    View full-size slide

  13. EXAMPLE
    Policy combination:
    RBAC + Location + Time

    View full-size slide