Anthony Roman, Lei Tang Google April 26, 2022 Service mesh security best practices: from implementation to verification Who are we? Anthony Roman Istio Github: anthony-roman Lei Tang Istio agenda 1. Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture ● Attack Attack vectors. ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster Edge Operations

datasource connections Configure connection initialization settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration User Guide Table of models Authentication Salesforce Mysql two-factor authentication Cloud Explorer overview AWS Cloud Explorer Azure Cloud Explorer System operations and security Databases authentication models Cloud Database driver IBM Db2 Greenplum InfluxDB Microsoft SQL Server MongoDB MongoDB authentication MySQL Mysql two-factor authentication Netezza Oracle Oracle authentication models PostgreSQL Arrays

datasource connections Configure connection initialization settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration Kubernetes configuration Authentication Salesforce Mysql two-factor authentication Cloud Explorer overview AWS Cloud Explorer Azure Cloud Explorer Google Cloud Explorer System operations and security Databases authentication Guide 24.2.ea. Page 5 of 1171. InfluxDB Microsoft SQL Server MongoDB MongoDB authentication MySQL Mysql two-factor authentication Netezza Oracle Oracle authentication models PostgreSQL Arrays

datasource connections Configure connection initialization settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration Kubernetes configuration authentication models Authentication Salesforce Mysql two-factor authentication Managing AWS permissions Working with AWS SSO AWS credentials System operations and security Databases authentication models Cloud Database driver IBM Db2 Greenplum InfluxDB Microsoft SQL Server MongoDB MongoDB authentication MySQL Mysql two-factor authentication Netezza Driver settings Databases support Classic DBeaver Lite

management ○ Load balancing for VMs, failover, A/B testing, modern rollouts for VM services ● Security ○ Enforce the same policies in the same way, across compute environments ● Observability ○ See Extensibility #IstioCon Why Should Istio Support VMs ● ≈ Why VMs? ○ Technical reasons ■ Better known security controls ■ Better isolation (of resources, fault domains etc.) ■ Compatibility (non-Linux, unikernels) Legacy Scenarios ● Stateful applications ○ Data store ● Legacy software ○ Financial services ○ Enterprise/Workshop applications ○ Hard to lift and shift ● Packaged software ○ Non-Linux ○ unikernels

Steps 32 Initializing a Cassandra Cluster on Amazon EC2 Using the DataStax AMI 32 Creating an EC2 Security Group for DataStax Community Edition 33 Launching the DataStax Community AMI 34 Connecting to phi_convict_threshold 76 Automatic Backup Properties 76 incremental_backups 76 snapshot_before_compaction 76 Security Properties 76 authenticator 76 authority 77 internode_encryption 77 keystore 77 keystore_password recognize data center or rack information. DseSimpleSnitch DseSimpleSnitch is used in DataStax Enterprise (DSE) deployments only. It logically configures Hadoop analytics nodes in a separate data center

anywhere” data analytics portability DATA ENG DATA WH AI/ML OP DB DATA FLOW Unified security & governance with open cloud-native storage formats Open data fabrics, lakehouses and data control policy, lineage and governance Support HDFS and S3 API based applications Application Security Encryption Is the data protected at rest and in-transit? / 51 7 Confidential—Restricted Apache store structured, unstructured binary data at scale with the capability to read, write and run enterprise applications and workloads at scale as often as possible. 8 © 2022 Cloudera, Inc. All rights

Ubuntu. 1.3.1. The Ubuntu Promise • Ubuntu will always be free of charge, including enterprise releases and security updates. • Ubuntu comes with full commercial support from Canonical and hundreds of • Separate Professional and Home editions • Less frequent and less visible re- lease schedule Security • Locked administrative user root • Rarely targeted by malware and viruses • Enables easy access Microsoft Windows are not the same. For example, Microsoft Windows Professional editions have more security features than Home editions. Ubuntu's 6 monthly release cycle also makes it very easy for users

Microservices ranging from ○ API services, Search Engine, etc. ○ Databases, Key-Value stores - Oracle, MySQL, etc. ○ Big data systems & Pipelines - Hadoop, Apache Spark, Apache Flink, etc. ○ Machine Learning Load-Balancer Web-Tier Load-Balancer Pods Pods Pods AZ 1 AZ 2 AZ n Client #IstioCon What about Security? ● L4 Micro-segmentation Solution ○ Central Policy store capturing Application-to-Application Layer Security (TLS) ● Custom OpenID implementation for L7 AuthN #IstioCon Why Service Mesh? ● Current challenges include - ○ Manageability of Hardware Devices ■ Traffic Management & Security Enforcement

com/en/4.2/ref/databases/]. We recommend using PostgreSQL [http://www.postgresql.org/], MySQL [http://www.mysql.com] or MariaDB [http://www.mariadb.com]. Installing and maintaining database systems is ] LANGUAGE_CODE = "en" pip install psycopg2 # for Postgres pip install mysqlclient # for MySQL or MariaDB This is to ensure that you do not accidentally run migrations on a django CMS version potential security risk, so it is recommended to avoid it where possible. Since version 4.2 django CMS itself has removed any inline JavaScript from its code base to allow for meaningful Content Security Policy