Slide 1

A DevSecOps Approach To Zero Trust Network Security
Andy Randall, Co-founder, Tigera
© 2018 Tigera, Inc. | Proprietary and Confidential

Slide 2

DevOps

“DevOps is a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality.”
- Bass, Len; Weber, Ingo; Zhu, Liming. DevOps: A Software Architect's Perspective.

[Diagram: Development, QA and Operations merging into “DevOps”]

Slide 4

DevSecOps

“The purpose and intent of DevSecOps is to build on the mindset that ‘everyone is responsible for security’ with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.”
- Shannon Lietz, What is DevSecOps?, devsecops.org

[Diagram: Development, QA, Security and Operations merging into “DevSecOps”]

Slide 5

“SHIFTING SECURITY LEFT”

Slide 6

SECURING MODERN APPLICATION NETWORKS
© 2017 Tigera, Inc.

Slide 21

KUBERNETES NETWORK POLICY

Slide 22

ISTIO SERVICE MESH

Slide 24

HONEY, I BUILT A ZERO TRUST NETWORK!
> The network is always assumed to be hostile
> External and internal threats exist on the network at all times
> Network locality is not sufficient for deciding trust in a network
> Every device, user, and workflow is authenticated and authorized
> Policies must be dynamic and calculated from as many sources of data as possible

Slide 25

[Cartoon: four people arguing]
“It’s my job to define the network security policy!” “No, it’s mine!” “No, it’s mine!” “No, it’s mine!”

Slide 26

DevSecOps (Slide 4 repeated: the Shannon Lietz quote and the Development / QA / Security / Operations diagram)

Slide 27

MICROPOLICIES FOR MICROSERVICES

Workloads (the Istio Bookinfo services, deployed in two regions), labelled by role and geo:
- role: productpage, geo: us / role: productpage, geo: eu
- role: details, geo: us / role: details, geo: eu
- role: reviews, geo: us / role: reviews, geo: eu
- role: ratings, geo: us / role: ratings, geo: eu

Allowed flows:
- productpage → reviews
- reviews → ratings
- productpage → details
- eu ↔ eu
- us ↔ us

Slide 28

SEPARATING SECURITY POLICY CONCERNS

Policies are grouped into tiers, each owned by a different team. Tiers are evaluated in order (InfoSec, then Platform, then App) and the policies within a tier in order; the first matching rule decides, and “pass” hands the connection on to the next tier.

InfoSec Tier (Security)
- deny cluster ingress & egress for known bad actors
- deny cluster ingress & egress for embargoed countries
- deny cluster ingress & egress for PCI workloads
- allow compliance audit log collector to all workloads
- pass all other connections to platform tier

Platform Tier (Ops)
- pass prod workloads connecting to prod workloads
- pass cluster ingress to FE prod workloads
- pass dev workloads connecting to dev workloads
- pass test workloads connecting to test workloads
- deny all other connections

App Tier (Devs)
- allow cluster ingress to FE workloads
- allow front end workloads to app logic workloads
- allow app logic workloads to database workloads
- allow DB workloads to connect to DB workloads
- deny all other connections
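The tiered evaluation on Slide 28 and the micropolicies on Slide 27, as an added Python example (this is not Tigera or Calico code, only a model of the allow / deny / pass semantics the slides describe). The label names (reputation, country, pci, env, role, geo) and the "external" marker for cluster ingress/egress peers are assumptions for the model; every tier is treated as applying to every endpoint, and a tier in which no rule matches, or a pass out of the last tier, is an implicit deny.

```python
"""Tiered, label-based network policy evaluation: a simplified model of the
allow / deny / pass semantics on the slides. Added illustration, not
Tigera or Calico code."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str                                  # "allow", "deny" or "pass"
    src: dict = field(default_factory=dict)      # label selector on the source
    dst: dict = field(default_factory=dict)      # label selector on the destination


def selects(selector, labels):
    """Equality selector: every key in the selector must match the endpoint's
    label. An empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.items())


def evaluate(tiers, src, dst):
    """Walk the tiers in order; the first matching rule in a tier decides.
    'pass' hands the connection to the next tier; a tier with no matching
    rule, or a pass out of the last tier, is an implicit deny.
    Returns (verdict, tier name, rule index)."""
    for name, rules in tiers:
        for i, rule in enumerate(rules):
            if selects(rule.src, src) and selects(rule.dst, dst):
                if rule.action == "pass":
                    break                     # hand off to the next tier
                return rule.action, name, i
        else:
            return "deny", name, None         # end-of-tier drop
    return "deny", None, None                 # passed out of the last tier


EXTERNAL = {"location": "external"}   # constructed: a cluster ingress/egress peer

# Slide 28's three tiers, owned by InfoSec, Platform/Ops and Devs respectively.
INFOSEC = [
    Rule("deny", src={"reputation": "known-bad"}),
    Rule("deny", dst={"reputation": "known-bad"}),
    Rule("deny", src={"country": "embargoed"}),
    Rule("deny", dst={"country": "embargoed"}),
    Rule("deny", src=EXTERNAL, dst={"pci": "true"}),
    Rule("deny", src={"pci": "true"}, dst=EXTERNAL),
    Rule("allow", src={"role": "audit-log-collector"}),
    Rule("pass"),
]
PLATFORM = [
    Rule("pass", src={"env": "prod"}, dst={"env": "prod"}),
    Rule("pass", src=EXTERNAL, dst={"role": "frontend", "env": "prod"}),
    Rule("pass", src={"env": "dev"}, dst={"env": "dev"}),
    Rule("pass", src={"env": "test"}, dst={"env": "test"}),
    Rule("deny"),
]
APP = [
    Rule("allow", src=EXTERNAL, dst={"role": "frontend"}),
    Rule("allow", src={"role": "frontend"}, dst={"role": "app"}),
    Rule("allow", src={"role": "app"}, dst={"role": "database"}),
    Rule("allow", src={"role": "database"}, dst={"role": "database"}),
    Rule("deny"),
]
TIERS = [("infosec", INFOSEC), ("platform", PLATFORM), ("app", APP)]

# Slide 27's micropolicies: geo isolation in one tier, service flows in the next.
GEO = [
    Rule("pass", src={"geo": "us"}, dst={"geo": "us"}),
    Rule("pass", src={"geo": "eu"}, dst={"geo": "eu"}),
    Rule("deny"),
]
BOOKINFO = [
    Rule("allow", src={"role": "productpage"}, dst={"role": "reviews"}),
    Rule("allow", src={"role": "reviews"}, dst={"role": "ratings"}),
    Rule("allow", src={"role": "productpage"}, dst={"role": "details"}),
    Rule("deny"),
]
MICRO_TIERS = [("geo", GEO), ("bookinfo", BOOKINFO)]


if __name__ == "__main__":
    fe = {"role": "frontend", "env": "prod"}
    bad = {"location": "external", "reputation": "known-bad"}
    for s, d in [(EXTERNAL, fe), (bad, fe)]:
        print(s, "->", d, evaluate(TIERS, s, d))
```

The point the trace makes: a known bad actor is denied in the InfoSec tier and never reaches the developers' policy, a prod-to-dev connection is denied by Ops in the Platform tier, and only connections that every tier has passed are decided by the App tier's own allow rules.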

Slide 29

CONTINUOUS MONITORING AND LOGGING

“DevSecOps always requires logging. Every resource is logged, no exceptions. Because without logs, it is like flying blind.”
- Fabian Lim, DevSecOps is the Krav Maga of Security (devsecops.org)

Slide 30

CNX: Zero Trust Network Security and Continuous Compliance for Modern Applications
- Zero trust
- Visualize, correlate, remediate
- Enterprise control and compliance
- Cloud native and legacy

Slide 33

THANK YOU!
Andy Randall
@andrew_randall
andy@tigera.io

Slide 34

CALICO L3-4 POLICY / K8S NETWORK POLICY
© 2017 Tigera, Inc. | Proprietary and Confidential

  apiVersion: v1
  kind: policy
  metadata:
    name: allow-tcp-6379
  spec:
    selector: role == "database"
    ingress:
    - action: allow
      protocol: tcp          # a port match needs a protocol; without it the rule is not TCP-only
      source:
        selector: role == "frontend"
      destination:
        ports: ["6379"]
    egress:
    - action: allow

(This is the calicoctl v1 policy syntax of the time; Calico v3 expresses the same rule with apiVersion: projectcalico.org/v3 and kind: NetworkPolicy or GlobalNetworkPolicy.)

Label-based expressions support fully flexible granularity and grouping requirements

Slide 35

CALICO L3-4 POLICY / K8S NETWORK POLICY (same policy as Slide 34)

Apply this policy to any endpoint (workload or host) labelled role=database

Slide 36

CALICO L3-4 POLICY / K8S NETWORK POLICY (same policy as Slide 34)

Allow incoming connections to port 6379 from any endpoint (workload or host) labelled role=frontend

Slide 37

ISTIO BOOKINFO SAMPLE APPLICATION

Istio service mesh mTLS support:
● global on/off setting
● certificate per serviceAccount

Slide 38

TLS POLICY USING SERVICE ACCOUNT NAMES

  apiVersion: v1
  kind: policy
  metadata:
    name: details
  spec:
    selector: app == "details"
    ingress:
    - action: allow
      source:
        serviceAccounts:
          names: ["productpage"]
    egress:
    - action: allow

Allow incoming connections based on serviceAccount names

Slide 39

TLS POLICY USING SERVICE ACCOUNT LABELS

  apiVersion: v1
  kind: policy
  metadata:
    name: ratings
  spec:
    selector: app == "ratings"
    ingress:
    - action: allow
      source:
        serviceAccounts:
          selector: ratings == "reader"
    egress:
    - action: allow

Allow incoming connections from any serviceAccount labelled ratings=reader

Slide 40

COMBINING L3-L7 POLICY

  apiVersion: v1
  kind: policy
  metadata:
    name: reviews
  spec:
    selector: app == "reviews"
    ingress:
    - action: allow
      source:
        podSelector: app == "productpage"
        serviceAccounts:
          selector: reviews == "reader"
    egress:
    - action: allow

Allow incoming connections from:
● any pod labelled app=productpage
● with a serviceAccount labelled reviews=reader

Slide 41

ADDING ADDITIONAL L5-7 MATCH CRITERIA

  apiVersion: v1
  kind: policy
  metadata:
    name: ratings
  spec:
    selector: app == "ratings"
    ingress:
    - action: allow
      source:
        podSelector: app == "productpage"
        serviceAccounts:
          selector: ratings == "reader"
      http:
        methods: ["GET"]
        paths: ["/ratings/*"]
    egress:
    - action: allow

Policy rules can include other L5-7 match criteria
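How the serviceAccount and HTTP rules on Slides 38 to 41 are decided, as an added Python example (not Calico, Istio or Dikastes code). It assumes the Istio convention that a workload's mTLS certificate carries a SPIFFE ID of the form spiffe://cluster.local/ns/NAMESPACE/sa/SERVICEACCOUNT, a constructed table of ServiceAccount labels, and a simple glob for http.paths (Calico's own path matching uses exact and prefix forms). The point it demonstrates is that an identity-based rule is evaluated against the authenticated service account, so a client that is not mTLS-authenticated, or that merely carries the right pod labels, cannot satisfy it.

```python
"""Identity-based (L5-7) ingress rule evaluation, as on the serviceAccount and
HTTP policy slides: the peer is identified by the service account in its mTLS
certificate, never by IP address, and the rule can further restrict HTTP
method and path. Added illustration; not Calico, Istio or Dikastes code."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# Istio issues each workload an X.509 certificate whose URI SAN is its SPIFFE ID:
#   spiffe://<trust domain>/ns/<namespace>/sa/<service account>


def parse_spiffe_id(uri):
    """Return (namespace, service account) from an Istio-style SPIFFE ID,
    or None if the URI is malformed."""
    if not uri.startswith("spiffe://"):
        return None
    parts = uri[len("spiffe://"):].split("/")
    if len(parts) != 5 or parts[1] != "ns" or parts[3] != "sa":
        return None
    return parts[2], parts[4]


@dataclass
class Request:
    peer_spiffe_id: Optional[str]   # None when the connection was not mTLS-authenticated
    peer_pod_labels: dict           # labels of the client pod, as the policy engine sees them
    method: str
    path: str


@dataclass
class IngressRule:
    action: str
    pod_selector: dict = field(default_factory=dict)   # source.podSelector on the slide
    sa_names: list = field(default_factory=list)       # source.serviceAccounts.names
    sa_selector: dict = field(default_factory=dict)    # source.serviceAccounts.selector
    http_methods: list = field(default_factory=list)   # http.methods
    http_paths: list = field(default_factory=list)     # http.paths (glob here; a simplification)


# Constructed: labels carried by the cluster's ServiceAccount objects, keyed by
# (namespace, name). Which accounts are "readers" is an assumption for this example.
SERVICE_ACCOUNT_LABELS = {
    ("default", "productpage"): {"reviews": "reader", "ratings": "reader"},
    ("default", "reviews"): {"ratings": "reader"},
    ("default", "ratings"): {},
}


def labels_match(selector, labels):
    return all(labels.get(k) == v for k, v in selector.items())


def rule_matches(rule, req):
    if rule.sa_names or rule.sa_selector:
        ident = parse_spiffe_id(req.peer_spiffe_id) if req.peer_spiffe_id else None
        if ident is None:
            return False   # an identity rule can never match an unauthenticated peer
        if rule.sa_names and ident[1] not in rule.sa_names:
            return False
        if not labels_match(rule.sa_selector, SERVICE_ACCOUNT_LABELS.get(ident, {})):
            return False
    if not labels_match(rule.pod_selector, req.peer_pod_labels):
        return False
    if rule.http_methods and req.method not in rule.http_methods:
        return False
    if rule.http_paths and not any(fnmatchcase(req.path, p) for p in rule.http_paths):
        return False
    return True


def decide(rules, req):
    """First matching rule wins; no match is a deny, since the policy selects the workload."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action
    return "deny"


# The "details" policy (serviceAccount names) and the "ratings" policy
# (pod labels + serviceAccount labels + HTTP method/path) from the slides.
DETAILS_INGRESS = [IngressRule("allow", sa_names=["productpage"])]
RATINGS_INGRESS = [IngressRule("allow",
                               pod_selector={"app": "productpage"},
                               sa_selector={"ratings": "reader"},
                               http_methods=["GET"],
                               http_paths=["/ratings/*"])]

PRODUCTPAGE_ID = "spiffe://cluster.local/ns/default/sa/productpage"


if __name__ == "__main__":
    req = Request(PRODUCTPAGE_ID, {"app": "productpage"}, "GET", "/ratings/1")
    print(decide(RATINGS_INGRESS, req))
```

Note that the same request with POST, a path outside /ratings/, a reviews identity (which has the ratings=reader label but the wrong pod labels), or no mTLS identity at all is denied: every criterion in the rule must hold.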