Understanding Zero Trust Security with Service Mesh

A presentation at Devoxx Poland in June 2022 in Kraków, Poland by Viktor Gamov

Slide 1

Understanding Zero Trust Security with Service Mesh
DEVOXX, KRAKOW, POLAND, 2022
@gamussa | @DevoxxPl | @thekonginc

Slide 2

TRUST

Slide 3

THE CLOUD CONNECTIVITY COMPANY

Slide 4

THE CLOUD CONNECTIVITY COMPANY

Slide 5

TRUST IS EXPLOITABLE
We must eliminate trust to achieve security

Slide 6

THE CLOUD CONNECTIVITY COMPANY

Slide 7

TRUST

Slide 8

Viktor Gamov, Principal Developer Advocate

Slide 9

THE PILLARS OF ZERO TRUST
- IDENTITY
- AUTOMATION
- DENIED BY DEFAULT
- OBSERVABILITY

Slide 10

Slide 11

IDENTITY
By introducing a form of identity, we can remove trust

Slide 12

ZERO TRUST SECURITY
We need a virtual «Multipass» for our Services.

Slide 13

MARKETPLACE APP (architecture diagram): USER SERVICE, ITEM SERVICE, INVOICES SERVICE; USER SERVICE is shown as several instances

Slide 14

MARKETPLACE APP

Slide 15

MARKETPLACE APP (architecture diagram): USER SERVICE, ITEM SERVICE, INVOICES SERVICE; a NETWORK CALL between services is highlighted; USER SERVICE is shown as several instances

Slide 16

USER SERVICE, INVOICES SERVICE, ITEM SERVICE (diagram)

Slide 17

USER SERVICE calling INVOICES SERVICE (diagram)
IDENTITY: USERS
OPERATION: POST /invoices

Slide 18

THE CLOUD CONNECTIVITY COMPANY

Slide 19

Slide 20

Slide 21

- Multi-Mesh And Easy To Use & Scale: Intelligently route traffic across any platform and any cloud to meet expectations and SLAs.
- Universal (K8s + VMs), Attribute-Based Policies & More: Restrict access and encrypt all traffic by default, so that transactions complete only when identity is verified.
- Built-in Multi Zone Connectivity: Out-of-the-box connectivity across multi-cluster, multi-cloud and multi-platform deployments across the world.

Slide 22

Database

Slide 23

Slide 24

Slide 25

Mesh resource enabling mTLS with a builtin CA (data-plane certificates rotated daily, CA certificate valid for 10 years):

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
      - name: ca-1
        type: builtin
        dpCert:
          rotation:
            expiration: 1d
        conf:
          caCert:
            RSAbits: 2048
            expiration: 10y

Slide 26

TrafficPermission that allows every service to talk to every other service (the `*` wildcard was lost in the slide export; `sources` and `destinations` are lists of selectors):

apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
  name: allow-all-traffic
spec:
  sources:
    - match:
        kuma.io/service: '*'
  destinations:
    - match:
        kuma.io/service: '*'
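The allow-all permission on this slide is the usual demo starting point, but it also cancels the "denied by default" pillar: with mTLS enabled, Kuma rejects a connection unless some TrafficPermission has a source selector matching the caller's tags and a destination selector matching the callee's. The Python below is an added illustration of that selection rule, not Kuma's own implementation; the service names (users, items, invoices), the extra zone tag and the exact matching semantics (every selector key must be present, and `*` matches any value) are assumptions made for the example.

```python
# Added example: a simplified model of TrafficPermission evaluation.
# Not Kuma's code; tag names and services are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class TrafficPermission:
    name: str
    sources: List[Dict[str, str]]       # selectors, e.g. {"kuma.io/service": "*"}
    destinations: List[Dict[str, str]]


def selector_matches(selector: Dict[str, str], tags: Dict[str, str]) -> bool:
    """A selector matches a workload when every key it names is present in
    the workload's tags with the same value, or the selector value is '*'."""
    return all(
        key in tags and (value == "*" or tags[key] == value)
        for key, value in selector.items()
    )


def is_allowed(policies: List[TrafficPermission],
               source_tags: Dict[str, str],
               dest_tags: Dict[str, str]) -> Optional[str]:
    """Return the name of the first policy permitting the connection,
    or None when nothing matches (denied by default)."""
    for policy in policies:
        source_ok = any(selector_matches(s, source_tags) for s in policy.sources)
        dest_ok = any(selector_matches(d, dest_tags) for d in policy.destinations)
        if source_ok and dest_ok:
            return policy.name
    return None


# The permission from the slide, with the wildcard restored.
ALLOW_ALL = TrafficPermission(
    name="allow-all-traffic",
    sources=[{"kuma.io/service": "*"}],
    destinations=[{"kuma.io/service": "*"}],
)

# A least-privilege alternative (assumed for the example): only the users
# service may reach the invoices service.
USERS_TO_INVOICES = TrafficPermission(
    name="users-to-invoices",
    sources=[{"kuma.io/service": "users"}],
    destinations=[{"kuma.io/service": "invoices"}],
)

# Constructed workload tags (the zone tag shows that extra tags are ignored
# unless a selector names them).
USERS = {"kuma.io/service": "users", "kuma.io/zone": "eu"}
ITEMS = {"kuma.io/service": "items"}
INVOICES = {"kuma.io/service": "invoices"}


if __name__ == "__main__":
    for label, policies in [("no policy", []),
                            ("allow-all", [ALLOW_ALL]),
                            ("users-to-invoices", [USERS_TO_INVOICES])]:
        print(label, "users->invoices:", is_allowed(policies, USERS, INVOICES),
              "items->invoices:", is_allowed(policies, ITEMS, INVOICES))
```

With no policy at all every call is denied; the allow-all policy lets items reach invoices just as readily as users does, which is why it should be replaced by per-service permissions once the mesh is up.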

Slide 27

OPAPolicy attaching a Rego policy to the backend service (universal-mode format). The policy denies by default and only allows a request whose bearer JWT verifies; the remaining rules are cut off on the slide:

type: OPAPolicy
mesh: default
name: opa-1
selectors:
  - match:
      kuma.io/service: backend
conf:
  policy:
    inlineString: |
      package envoy.authz

      import input.attributes.request.http as http_request

      default allow = false

      token = {"valid": valid, "payload": payload} {
        [_, encoded] = split(http_request.headers.authorization, " ")
        [valid, _, payload] = io.jwt.decode_verify(encoded, {"secret": "secret"})
      }

      allow {
        is_token_valid
        action_allowed
      }

      # ... the is_token_valid and action_allowed rules are cut off on the slide
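The Rego above hands the cryptographic work to `io.jwt.decode_verify`. As an added example, not taken from the deck, Kuma or OPA, the Python below makes the same decision explicitly: deny by default, and allow only a request carrying a `Bearer` token whose HS256 signature verifies under the shared secret, rejecting tokens with a different `alg`. The secret value is the same placeholder the slide uses and the `mint_hs256` helper exists only to build test tokens; because the slide's `is_token_valid` and `action_allowed` rules are cut off, only the token-validity half of `allow` is modelled.

```python
# Added example: explicit HS256 JWT verification mirroring the slide's Rego.
# Not OPA's or Kuma's code; the secret and helpers are constructed for the example.
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

SHARED_SECRET = b"secret"   # placeholder from the slide; a real deployment uses a managed key


def b64url_decode(s: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_hs256(payload: dict, secret: bytes = SHARED_SECRET) -> str:
    """Test helper only: build a signed token the way an issuer would."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def decode_verify(token: str, secret: bytes = SHARED_SECRET) -> Tuple[bool, Optional[dict]]:
    """Python counterpart of io.jwt.decode_verify restricted to HS256.
    Returns (valid, payload); payload is None whenever valid is False."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:            # bad base64 or bad JSON (JSONDecodeError is a ValueError)
        return False, None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, None        # refuses "none" and any algorithm swap
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, None        # constant-time comparison of the signature
    return True, payload


def authorize(headers: Dict[str, str]) -> bool:
    """`default allow = false`: only a verified Bearer token flips it to True.
    (The slide's action_allowed rule is truncated, so it is not modelled.)"""
    scheme, _, encoded = headers.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not encoded:
        return False
    valid, _payload = decode_verify(encoded)
    return valid


if __name__ == "__main__":
    good = mint_hs256({"sub": "users"})
    print("valid token  ->", authorize({"authorization": f"Bearer {good}"}))
    print("no header    ->", authorize({}))
    print("wrong secret ->", authorize({"authorization": "Bearer " + mint_hs256({"sub": "users"}, b"other")}))
```

The Rego's `split(..., " ")` with `[_, encoded]` only matches a header of exactly two words; `partition` here accepts the same `Bearer <token>` shape and treats anything else as unauthenticated.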

Slide 28

Achieve Zero-Trust Security
Achieve zero-trust by design: automatically provide mTLS encryption and identity across every single API, microservice and database

Slide 29

Achieve Zero-Trust Security
Inject compliance: fine-grained traffic policies ensure appropriate connectivity and data privacy for every single API, microservice and database

Slide 30

Achieve Zero-Trust Security
Streamline security responses: provide the central IT team with control to rapidly deploy critical security patches across all networks

Slide 31

THE PILLARS OF ZERO TRUST
- IDENTITY
- AUTOMATION
- DENIED BY DEFAULT
- OBSERVABILITY

Slide 32

DEMO!

Slide 33

Join Kong Nation! Links:
- https://konghq.com/kongbuilders/
- https://youtube.com/konginc
- https://konghq.com/community/