Istio audit report - ADA Logics - 2023-01-30 - v1.0
Status meeting #1 September 29 2022 Doc with issues shared with the Istio team. Subsequent issues added ad-hoc to the same doc. October 3 2022 Status meeting #2 October 10 2022 Status meeting #3 October 974aff7 00aef907312/security/pkg/server/c a/authenticate/fuzz_test.go#L21 The fuzzers were merged ad-hoc so they could run throughout the audit. At the time of the end of the audit, the these are the support A/B testing, canary deployments, rate limiting, access control, encryption and end-to-end authentication. Istio itself is implemented in Go which shields the project from memory-unsafe implementation
0 credits | 55 pages | 703.94 KB | 1 year ago

Istio Security Assessment
Natesan Andy Olsen Feedback on this project? https://my.nccgroup.com/feedback/67b627f7-a0a2-43b7-ad68-af515a9ed2e0 Executive Summary Synopsis In the summer of 2020, Google enlisted NCC Group to perform hosted on 15014/TCP by default. This service exposes a web interface that is accessible without authentication to anything that is able to access its network interface. This means that all workloads from "rules": [{ "apiGroups": [ "", "extensions", "apps", "networking.k8s.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "config.istio.io" ], "resources": [ "*" ], "verbs": ["*"] } ] }
0 credits | 51 pages | 849.66 KB | 1 year ago

宋净超: From Open-Source Istio to Enterprise-Grade Services: How to Adopt Service Mesh in the Enterprise
Mesh include VMs Before using service mesh: 100+ Kubernetes cluster ● VM integration ● On-prem, AWS, Azure, GCP, OpenShift ● 10000+ core business apps ● Plan to move to public cloud in 18 months ● Using
0 credits | 30 pages | 4.79 MB | 5 months ago

How the Istio Control Plane Components Work
cluster.local", • "kubernetes://istio-pilot-8696f764dd-fqxtg.istio-system", • "3a7a649f-4eeb-4d70-972c-ad2d43a680af", • "172.00.00.000","Thu, 05 Jul 2018 08:12:19 GMT","780", • "bc1f172f-b8e3-4ec0-a070-f2f6de38a24f"
0 credits | 30 pages | 9.28 MB | 5 months ago

Secure your microservices with istio step by step
configuration result ● Result: cert generated automatically with Istio identity 1) Apply peer-authentication to enable server side mTLS mTLS in Istio - PeerAuthentication Using ingress port and ingress reviews-v3 can reach v2 as peer-authentication only defines behavior of server side and auto-mTLS is on by default Access productpage 1) Apply peer-authentication to enable server side mTLS mTLS curl command : 1) Invalid token can not pass the gateway, only valid token does 2) Delete JWT authentication request, invalid token can pass the gateway Access productpage #IstioCon Authorize ingress
0 credits | 34 pages | 67.93 MB | 1 year ago

Apache Kafka with Istio on K8s
certificate and passes it to Kafka Kafka client authentication with Istio 10 Kafka client authentication with Istio 11 Kafka client authentication with Istio 12 • Istio provides a security layer
0 credits | 14 pages | 875.99 KB | 1 year ago

Moving large scale consumer e-commerce Infrastructure to Mesh
balancing ● Improve performance and resilience ● Stricter zonal routing ● Capability for service authentication and authorisation ● Improved Observability ● Extendable to multi-region setup #IstioCon Approach gateway services via Istio Gateway ● Towards RESTRICTED network policy ● On-board services to Authentication and Authorization as applicable #IstioCon Thank you! Rajath Ramesh rajathramesh@carousell
0 credits | 14 pages | 1.76 MB | 1 year ago

How HP set up secure and wise platform with Istio
JWT Verify Using request authentication policy to Verify end-user JWT easily #IstioCon Secure Platform – mutual TLS Using mutual TLS for service-to-service authentication. • When a service receives
0 credits | 23 pages | 1.18 MB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
environments #IstioCon Step 4: Evolving Security ● Origin or Request Authentication ○ Internal OpenID implementation for origin authentication ○ Plan to integrate with Istio #IstioCon How does it all scale
0 credits | 22 pages | 505.96 KB | 1 year ago

Istio as an API Gateway
Common Features ● Load Balancing ● Request Routing ● Service Discovery ● JWT Authentication ● Traffic Splitting ● Canary Deployment ● Traffic Mirroring ● Rate Limiting ● TLS Termination
0 credits | 27 pages | 1.11 MB | 1 year ago
13 results in total