Service mesh security best practices: from implementation to verification
Service mesh security best practices: from implementation to verification Who are we? Anthony Roman Istio Github: anthony-roman Lei Tang Istio Github: lei-tang Session agenda 1. Service mesh security implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture ● Attack vectors. ● Service mesh security architecture and Man-In-The-Middle Denial of Service Privilege Escalation Application Compromise Control Plane Service mesh security architecture Cluster Workload Edge Operations Ingress Policies Egress Policies WAF
0 points | 29 pages | 1.77 MB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
is building a massive Multitenant Service Mesh using Istio Sudheendra Murthy #IstioCon Agenda ● Introduction ● Applications Deployment ● Service Mesh Journey ● Scale Testing ● Future Direction Transport Layer Security (TLS) ● Custom OpenID implementation for L7 AuthN #IstioCon Why Service Mesh? ● Current challenges include - ○ Manageability of Hardware Devices ■ Traffic Management & Security Achieving micro-segmentation at scale ○ Enabling TLS for all applications in a consistent way ● Service Mesh ○ An architectural pattern to implement common Security, Observability, Service Routing & Discovery
0 points | 22 pages | 505.96 KB | 1 year ago

Using Istio to Build the Next 5G Platform
5G Platform David Lenrow Open Source Service Mesh Evangelist Neeraj Poddar Co-founder & Chief Architect, Aspen Mesh February 22, 2021 2 ©2021 Aspen Mesh. All rights reserved. What Is 5G and Why Does industries. -Qualcomm 3 ©2021 Aspen Mesh. All rights reserved. https://medium.com/5g-nr/5g-service-based-architecture-sba-47900b0ded0a 5G Architecture 4 ©2021 Aspen Mesh. All rights reserved. Key Platform 5 ©2021 Aspen Mesh. All rights reserved. 5G Network Function Decomposition Microservice Network Function Implementation 5G Architecture Looks a Lot Like a Mesh? 6 ©2021 Aspen Mesh. All rights reserved
0 points | 18 pages | 3.79 MB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
provisioning ○ Unleash maximum scalability by fully leveraging Istio features in Knative with service mesh enabled ● Reference Agenda #IstioCon Knative and Istio Istio is the default networking layer Knative based platform - Istio as an Ingress Gateway • By default, Knative does not enable service mesh, it uses Istio as an Ingress Gateway. • Enable Secret Discovery Service (SDS) to monitor and mount 51ch62kjrnd.svc.cluster.local weight: 90 Knative Service Inspection #IstioCon - Security with Service Mesh enabled • mutual TLS is enabled to secure the user application traffic end to end in production •
0 points | 23 pages | 2.51 MB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
VM works on Istio! [1] Istio Service Mesh for VM Native, Chris Crall, Jianfei Hu, Google Cloud Next ‘19 #IstioCon Why Add VMs to the Mesh? ● = Why Service Mesh? ○ More services = more complexity applications ■ Deterministic workloads with strong requirements ● For Istio ○ What is Istio? A service mesh. But more: an open service platform! ○ More use cases! ○ (Consul, Kuma…) #IstioCon Emerging Use Virtual Machine Integration Odyssey, Jimmy Song #IstioCon V0.2 Mesh Expansion ● Prerequisites ○ IP connectivity to the endpoints in the mesh ○ Istio control plane services (Pilot, Mixer, CA) accessible
0 points | 50 pages | 2.19 MB | 1 year ago

Istio 2021 Roadmap A heartwarming work of staggering predictability
heartwarming work of staggering predictability Neeraj Poddar (Co-founder & Chief Architect, Aspen Mesh) Louis Ryan (Principal Engineer, Google) #IstioCon Highlights of 2020 ● Better life cycle management ● API and feature promotion ○ Networking/Security APIs ○ Virtual Machine expansion/Multi cluster mesh https://istio.io/latest/blog/2020/tradewinds-2020/ #IstioCon Impact on users https://thenewstack Enhancement workflow ○ CNI ○ IPv6 ○ Dual-stack (IPv6/IPv6) ○ Virtual Machine Expansion ○ Multi cluster mesh ○ Helm v3 life-cycle management ● Evaluate current feature status and fix gaps https://istio.i
0 points | 17 pages | 633.89 KB | 1 year ago

Accelerate Istio-CNI with ebpf
Inbound/Outbound/Envoy to Envoy #IstioCon Istio-CNI ● The Istio CNI plugin performs the Istio mesh pod traffic redirection in the Kubernetes pod life-cycle’s network setup phase, ● Removing the requirement for the NET_ADMIN and NET_RAW capabilities for users deploying pods into the Istio mesh. ● The Istio CNI plugin replaces the functionality provided by the istio-init container. #IstioCon
0 points | 15 pages | 658.90 KB | 1 year ago

f5a Istio Adoption Cash App
EKS -> Square DC Internal Presentation Square DC -> Cash App EKS Internal Presentation New in-mesh s2s Internal Presentation New cross-region s2s Internal Presentation
0 points | 15 pages | 2.20 MB | 1 year ago

Ozone meetup Nov 10, 2022 Ozone User Group Summit
lakehouses and data meshes with data anywhere at scale Data Lakehouse Data Fabric Data Mesh SDX Multi-cloud & on-premises data management and analytics Ozone / 51 5 Confidential—Restricted
0 points | 78 pages | 6.87 MB | 1 year ago

DBeaver User Guide v24.2.ea
overview Basic operations Guide to creating database connections Disconnecting from database Editing database connection Invalidating and reconnecting to database Local client configuration Connection SSM configuration Shell commands Changing current user password Authentication models overview Database native DBeaver profile Kerberos authentication Microsoft Entra ID Authentication MongoDB PostgreSQL SSO Working with Google Cloud Explorer SSO AWS credentials Google Cloud Explorer credentials Database drivers How to add additional artifacts to the driver ODBC JDBC driver Deprecated legacy ODBC
0 points | 1171 pages | 94.79 MB | 1 year ago
17 results in total