Protecting your data with a Service Mesh

In this talk, we will see a practical demo on how you can use a Service Mesh and its Identity and Authorization primitives to secure access to your data.

Ignasi Barrera

January 23, 2020
Transcript

  1. Tetrate: The service mesh company
  2. Traditional access control for databases is provided by network reachability and DB credentials. (diagram: services A, B, C)
  3. If an attacker breaks into the system and gains access to the network, the data is compromised. (diagram: services A, B, C)
  4. A service mesh provides proper identity primitives to enforce runtime authentication. (diagram: services A, B, C, each with an Envoy sidecar)
  5. It also provides authorization primitives to be enforced at runtime. (diagram: services A, B, C, each with a PEP)
  6. Access decisions can be made based on proper identity and high-level concepts. (diagram: services A, B, C, each with an Envoy sidecar)
  7. EXAMPLE: Unauthorized access
  8. NGAC provides a context-ful authorization framework. (diagram: Envoy sidecars of A, B, C consulting an NGAC / NDAC PDP)
  9. L7 policies can be enforced, because the proxies understand L7 protocols. (diagram: Envoy sidecars of A, B, C with an NGAC / NDAC PDP)
  10. EXAMPLE: L7 policy enforcement
  11. L7 policies can be enforced, because the proxies understand L7 protocols. (diagram: Envoy sidecars of A, B, C with an NGAC / NDAC PDP)
  12. This context-ful framework can be used to enforce complex and dynamic policies that are environment-dependent. (diagram: Envoy sidecars of A, B, C in us-east1 and eu-west2 with an NGAC / NDAC PDP)
  13. EXAMPLE: Policy combination: RBAC + Location + Time

  14. Thanks
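The combined policy of slides 12 and 13 (RBAC + location + time), as an added example that is not part of the deck or of any Tetrate product: a minimal policy decision point that decides access to the data service from the caller's mesh identity, the L7 operation the proxy parsed, the region and the time, denying by default. The SPIFFE-style principal names, the role bindings, the regions and the write window are constructed for the example.

```python
"""Context-aware policy decision point (PDP) for a mesh-fronted data service.
Access is decided from the workload identity the mesh authenticated (not from
network reachability), plus L7, location and time attributes."""
from dataclasses import dataclass
from datetime import datetime, time, timezone

@dataclass(frozen=True)
class RequestContext:
    principal: str   # workload identity from the caller's mTLS certificate
    method: str      # L7 verb, available because the proxy parses the protocol
    path: str
    region: str      # environment attribute, e.g. "us-east1"
    at: datetime     # must be timezone-aware

# Constructed bindings (assumption): roles are assigned to mesh identities,
# never to IP addresses or shared DB credentials.
ROLE_BINDINGS = {
    "spiffe://mesh.local/ns/orders/sa/api": {"reader", "writer"},
    "spiffe://mesh.local/ns/reports/sa/batch": {"reader"},
}
# RBAC part: which L7 operations each role may perform on the data service.
ROLE_PERMISSIONS = {
    "reader": {("GET", "/customers")},
    "writer": {("GET", "/customers"), ("POST", "/customers"), ("DELETE", "/customers")},
}
# Location part: only workloads in these regions may reach the data at all.
ALLOWED_REGIONS = {"us-east1", "eu-west2"}
# Time part: writes only inside a UTC change window; reads at any time.
WRITE_WINDOW = (time(9, 0), time(17, 0))

def decide(ctx: RequestContext) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; anything unknown is denied."""
    roles = ROLE_BINDINGS.get(ctx.principal, set())
    if not roles:
        return False, "identity: unknown principal"
    if not any((ctx.method, ctx.path) in ROLE_PERMISSIONS[r] for r in roles):
        return False, "rbac: operation not granted to any role"
    if ctx.region not in ALLOWED_REGIONS:
        return False, f"location: region {ctx.region} not allowed"
    if ctx.method != "GET":
        now = ctx.at.astimezone(timezone.utc).time()
        if not (WRITE_WINDOW[0] <= now <= WRITE_WINDOW[1]):
            return False, "time: writes only allowed inside the window"
    return True, "allowed"
```

The reason string is what the enforcing proxy (PEP) would log alongside the decision, so a denied write at the wrong time of day is distinguishable from a caller with no role at all.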