Service mesh security best practices: from implementation to verification
Anthony Roman, Lei Tang Google April 26, 2022 Service mesh security best practices: from implementation to verification Who are we? Anthony Roman Istio Github: anthony-roman Lei Tang Istio agenda 1. Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture ● Attack Attack vectors. ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster Edge Operations
0 points | 29 pages | 1.77 MB | 1 year ago | 3

DBeaver Lite User Guide v24.2.ea
datasource connections Configure connection initialization settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration Kubernetes configuration authentication Managing AWS permissions Working with AWS SSO AWS credentials System operations and security Databases authentication models Cloud databases configuration Cloud settings in DBeaver DBeaver Hive Cassandra ClickHouse Couchbase Database driver IBM Db2 Greenplum InfluxDB Microsoft SQL Server MongoDB MongoDB authentication MySQL Mysql two-factor authentication Netezza Driver settings
0 points | 1010 pages | 79.48 MB | 1 year ago | 3

DBeaver User Guide v24.2.ea
datasource connections Configure connection initialization settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration User Guide Table of authentication Cloud Explorer overview AWS Cloud Explorer Azure Cloud Explorer System operations and security Databases authentication models Cloud databases configuration Cloud Explorer tools DBeaver User User Guide 24.2.ea. Page 5 of 1171. Database driver IBM Db2 Greenplum InfluxDB Microsoft SQL Server MongoDB MongoDB authentication MySQL Mysql two-factor authentication Netezza Oracle Oracle
0 points | 1171 pages | 94.79 MB | 1 year ago | 3

DBeaver Ultimate User Guide v24.2.ea
datasource connections Configure connection initialization settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration Kubernetes configuration overview AWS Cloud Explorer Azure Cloud Explorer Google Cloud Explorer System operations and security Databases authentication models Cloud databases configuration Cloud Explorer tools DBeaver Ultimate Databases support Classic DBeaver Ultimate User Guide 24.2.ea. Page 5 of 1171. InfluxDB Microsoft SQL Server MongoDB MongoDB authentication MySQL Mysql two-factor authentication Netezza Oracle Oracle
0 points | 1171 pages | 94.65 MB | 1 year ago | 3

Apache Cassandra™ 10 Documentation February 16, 2012
Cassandra 1 Java Prerequisites 1 Download the Software 1 Install the Software 1 Start the Cassandra Server 1 Login to Cassandra 1 Create a Keyspace (database) 1 Create a Column Family 2 Insert, Update Steps 32 Initializing a Cassandra Cluster on Amazon EC2 Using the DataStax AMI 32 Creating an EC2 Security Group for DataStax Community Edition 33 Launching the DataStax Community AMI 34 Connecting to rpc_min_threads 75 rpc_recv_buff_size_in_bytes 75 rpc_send_buff_size_in_bytes 75 rpc_timeout_in_ms 75 rpc_server_type 75 thrift_framed_transport_size_in_mb 75 thrift_max_message_length_in_mb 75 Internode Communication
0 points | 141 pages | 2.52 MB | 1 year ago | 3

Django CMS 3.11.10 Documentation
exists to support the development of django CMS and its community. Discord Join our friendly Discord server [https://discord-support-channel.django-cms.org] for support and to share ideas and discuss technical find support and help from the numerous friendly members of the django CMS community on our Discord server [https://discord-support-channel.django-cms.org]. Installing django CMS The setup is incredibly Django development server (Step 3) Now you are ready to spin up Django’s development server by first changing directory into the project folder and then spinning up the development server: You can visit your
0 points | 493 pages | 1.44 MB | 6 months ago | 0.03

Ubuntu Desktop Training 2009
1. The Ubuntu Promise • Ubuntu will always be free of charge, including enterprise releases and security updates. • Ubuntu comes with full commercial support from Canonical and hundreds of companies around months; Long Term Support releases (LTS) are supported for 3 years on the desktop and 5 years on the server. Figure 1.4. Ubuntu Versions A brief history of releases: • Ubuntu 4.10 (Warty Warthog). Ubuntu support version refers to guaranteed three years of support on the desktop and five years on the server. All other releases are provided with 18 month support for desktops and servers. The extended support
0 points | 428 pages | 57.45 MB | 1 year ago | 3

Is Your Virtual Machine Really Ready-to-go with Istio?
management ○ Load balancing for VMs, failover, A/B testing, modern rollouts for VM services ● Security ○ Enforce the same policies in the same way, across compute environments ● Observability ○ See Extensibility #IstioCon Why Should Istio Support VMs ● ≈ Why VMs? ○ Technical reasons ■ Better known security controls ■ Better isolation (of resources, fault domains etc.) ■ Compatibility (non-Linux, unikernels) Istio control plane services (Pilot, Mixer, CA) accessible from the VMs ○ (optional) Kubernetes DNS server accessible from the VMs ● Onboard steps ○ Setup Internal Load Balancers (ILBs) for Kube DNS,
0 points | 50 pages | 2.19 MB | 1 year ago | 3

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Load-Balancer Web-Tier Load-Balancer Pods Pods Pods AZ 1 AZ 2 AZ n Client #IstioCon What about Security? ● L4 Micro-segmentation Solution ○ Central Policy store capturing Application-to-Application Layer Security (TLS) ● Custom OpenID implementation for L7 AuthN #IstioCon Why Service Mesh? ● Current challenges include - ○ Manageability of Hardware Devices ■ Traffic Management & Security Enforcement applications in a consistent way ● Service Mesh ○ An architectural pattern to implement common Security, Observability, Service Routing & Discovery functions as features of the infrastructure - ○ Functions:
0 points | 22 pages | 505.96 KB | 1 year ago | 3

Project Harbor Introduction - Open source trusted cloud native registry
image Image Management through Pipeline Distributions Multiple teams Multiple roles Availability Security Multiple Platforms goharbor.io VMware VIC PKS GitHub Repo: Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION RELIABILITY DEPLOYMENT OVERVIEW • HA Supporting • Helm Chart Repo • Deployments services Harbor Packaging Docker Kubernetes Cloud Foundry 12 Confidential ©2018 VMware, Inc. SECURITY Isolation Access control Content Trust Vulnerability Scanning NS • NS
0 points | 36 pages | 12.65 MB | 1 year ago | 3
15 results in total