Understanding Zero Trust Security with Service Mesh
A presentation at Devoxx Poland in in Kraków, Poland by Viktor Gamov
Understanding Zero Trust Security with Service Mesh DEVOXX, KRAKOW, POLAND, 2022 @gamussa | @DevoxxPl | @thekonginc
TRUST @gamussa | @DevoxxPl | @thekonginc
THE CLOUD CONNECTIVITY COMPANY @gamussa | @DevoxxPl | @thekonginc
THE CLOUD CONNECTIVITY COMPANY @gamussa | @DevoxxPl | @thekonginc
TRUST IS EXPLOITABLE We must eliminate trust to achieve security @gamussa | @DevoxxPl | @thekonginc
THE CLOUD CONNECTIVITY COMPANY @gamussa | @DevoxxPl | @thekonginc
TRUST @gamussa | @DevoxxPl | @thekonginc
Viktor GAMOV Principal Developer Advocate @gamussa | @DevoxxPl | @thekonginc
THE PILLARS OF ZERO TRUST IDENTITY AUTOMATION DENIED BY DEFAULT OBSERVABILITY @gamussa | @DevoxxPl | @thekonginc
IDENTITY Introducing a form of identity, we can remove trust @gamussa | @DevoxxPl | @thekonginc
ZERO TRUST SECURITY We need a virtual «Multipass» for our Services. @gamussa | @DevoxxPl | @thekonginc
MARKETPLACE APP USER SERVICE ITEM SERVICE INVOICES SERVICE USER SERVICE USER SERVICE USER SERVICE @gamussa | @DevoxxPl | @thekonginc
MARKETPLACE APP @gamussa | @DevoxxPl | @thekonginc
MARKETPLACE APP USER SERVICE ITEM SERVICE INVOICES SERVICE NETWORK CALL USER SERVICE USER SERVICE @gamussa | @DevoxxPl | @thekonginc USER SERVICE
USER SERVICE INVOICES SERVICE ITEM SERVICE @gamussa | @DevoxxPl | @thekonginc
IDENTITY: USERS OPERATION: POST /invoices INVOICES SERVICE USER SERVICE @gamussa | @DevoxxPl | @thekonginc
THE CLOUD CONNECTIVITY COMPANY @gamussa | @DevoxxPl | @thekonginc
@gamussa | @DevoxxPl | @thekonginc
@gamussa | @DevoxxPl | @thekonginc
Multi-Mesh And Easy To Use & Scale Intelligently route traffic across any platform and any cloud to meet expectations and SLAs Universal (K8s + VMs), Attribute-Based Policies & More Restrict access and encrypt all traffic by default to only complete transactions when identity is verified @gamussa | @DevoxxPl | @thekonginc Built-in Multi Zone Connectivity Out of the box connectivity across multi-cluster, multi-cloud and multi-platform deployments across the world.
Database @gamussa | @DevoxxPl | @thekonginc
@gamussa | @DevoxxPl | @thekonginc
@gamussa | @DevoxxPl | @thekonginc
apiVersion: kuma.io/v1alpha1 kind: Mesh metadata: name: default spec: mtls: enabledBackend: ca-1 backends: - name: ca-1 type: builtin dpCert: rotation: expiration: 1d conf: caCert: RSAbits: 2048 expiration: 10y @gamussa | @DevoxxPl | @thekonginc
apiVersion: kuma.io/v1alpha1 kind: TrafficPermission mesh: default metadata: name: allow-all-traffic spec: sources: match: kuma.io/service: ‘’ destinations: match: kuma.io/service: ‘’ @gamussa | @DevoxxPl | @thekonginc
type: OPAPolicy mesh: default name: opa-1 selectors: - match: kuma.io/service: backend conf: policy: inlineString: | package envoy.authz import input.attributes.request.http as http_request default allow = false token = {“valid”: valid, “payload”: payload} { [_, encoded] = split(http_request.headers.authorization, ” “) [valid, _, payload] = io.jwt.decode_verify(encoded, {“secret”: “secret” }) } allow { is_token_valid action_allowed } : : @gamussa | @DevoxxPl | @thekonginc
Achieve Zero-Trust Security Achieve zero-trust by design Automatically provide mTLS encryption and identity across every single API, microservice and database @gamussa | @DevoxxPl | @thekonginc 17
Achieve Zero-Trust Security Inject compliance Fine-grained traf ic policies ensure appropriate connectivity and data privacy for every single API, microservice and database f @gamussa | @DevoxxPl | @thekonginc 17
Achieve Zero-Trust Security Streamline security responses Provide the Central IT team with control to rapidly deploy critical security patches across all networks @gamussa | @DevoxxPl | @thekonginc 17
THE PILLARS OF ZERO TRUST IDENTITY AUTOMATION DENIED BY DEFAULT OBSERVABILITY @gamussa | @DevoxxPl | @thekonginc
DEMO! @gamussa | @DevoxxPl | @thekonginc
Join Kong Nation! Links - https://konghq.com/kongbuilders/ - https://youtube.com/konginc - https://konghq.com/ community/ @gamussa | @DevoxxPl | @thekonginc
As the number of microservices deployed across private and public networks increases, security is critical. Leveraging a Service Mesh guarantees the security of applications and services without burdening developers to build security, freeing them to focus on business logic and allowing organizations to meet and prove their compliance and security requirements.
In this demonstration, you will learn how Kong Mesh enables Zero Trust security for your application and services by:
Enforcing mutual TLS communication
Applying traffic permissions to control which services can communicate to other services
Natively integrating with the Open Policy Agent (OPA) to enforce fine-grained authorization
Buzz and feedback
Here’s what was said about this presentation on social media.
