Service mesh security best practices: from implementation to verification
Anthony Roman, Lei Tang, Google, April 26, 2022. Service mesh security best practices: from implementation to verification. Who are we? Anthony Roman, Istio, GitHub: anthony-roman. Lei Tang, Istio. Agenda: 1. Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture ● Attack vectors. ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces: Istio is both a collection of security controls and an attack target. Workload, Cluster, Edge, Operations
0 credits | 29 pages | 1.77 MB | 1 year ago

DBeaver Lite User Guide v24.2.ea
datasource connections, Configure connection initialization settings, Managing Master password, Security in DBeaver PRO, SSH configuration, SSL configuration, Proxy configuration, Kubernetes configuration, authentication, Managing AWS permissions, Working with AWS SSO, AWS credentials, System operations and security, Databases authentication models, Cloud databases configuration, Cloud settings in DBeaver, DBeaver Filter Database objects, Bookmarks, Projects overview, Projects View, Project Explorer, Project security, Editors overview, Database Navigator panel, Projects workspace, Editors in DBeaver, DBeaver Lite
0 credits | 1010 pages | 79.48 MB | 1 year ago

DBeaver User Guide v24.2.ea
datasource connections, Configure connection initialization settings, Managing Master password, Security in DBeaver PRO, SSH configuration, SSL configuration, Proxy configuration, User Guide Table of authentication, Cloud Explorer overview, AWS Cloud Explorer, Azure Cloud Explorer, System operations and security, Databases authentication models, Cloud databases configuration, Cloud Explorer tools, DBeaver User Filter Database objects, Bookmarks, Projects overview, Projects View, Project Explorer, Project security, Editors overview, Data Editor overview, Data View and Format, Data Filters, Data viewing and editing
0 credits | 1171 pages | 94.79 MB | 1 year ago

DBeaver Ultimate User Guide v24.2.ea
datasource connections, Configure connection initialization settings, Managing Master password, Security in DBeaver PRO, SSH configuration, SSL configuration, Proxy configuration, Kubernetes configuration overview, AWS Cloud Explorer, Azure Cloud Explorer, Google Cloud Explorer, System operations and security, Databases authentication models, Cloud databases configuration, Cloud Explorer tools, DBeaver Ultimate User Guide 24.2.ea. Page 7 of 1171. Projects overview, Projects View, Project Explorer, Project security, Editors overview, Data Editor overview, Data View and Format, Data Filters, Data viewing and editing
0 credits | 1171 pages | 94.65 MB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
management ○ Load balancing for VMs, failover, A/B testing, modern rollouts for VM services ● Security ○ Enforce the same policies in the same way, across compute environments ● Observability ○ See Extensibility #IstioCon Why Should Istio Support VMs ● Why VMs? ○ Technical reasons ■ Better known security controls ■ Better isolation (of resources, fault domains etc.) ■ Compatibility (non-Linux, unikernels) injection ○ automate VM registration ○ health/readiness check #IstioCon V1.7 VM Support with Added Security ● Secure bootstrapping process ○ Automate provisioning a VM's mesh identity (certificate) ■ based
0 credits | 50 pages | 2.19 MB | 1 year ago

Django CMS 3.11.10 Documentation
potential security risk, so it is recommended to avoid it where possible. Since version 4.2 django CMS itself has removed any inline JavaScript from its code base to allow for meaningful Content Security Policy. This module does sanity checks on arguments. Warning: None of the functions in this module does any security or permission checks. They verify their input values to be sane wherever possible, however permission template tag escapes the content of the rendered model attribute. This helps prevent a range of security vulnerabilities stemming from HTML, JavaScript, and CSS code injection. To change this behaviour
0 credits | 493 pages | 1.44 MB | 6 months ago

Apache Cassandra™ 10 Documentation February 16, 2012
Steps 32, Initializing a Cassandra Cluster on Amazon EC2 Using the DataStax AMI 32, Creating an EC2 Security Group for DataStax Community Edition 33, Launching the DataStax Community AMI 34, Connecting to phi_convict_threshold 76, Automatic Backup Properties 76, incremental_backups 76, snapshot_before_compaction 76, Security Properties 76, authenticator 76, authority 77, internode_encryption 77, keystore 77, keystore_password /usr/sbin • /etc/cassandra (configuration files) • /etc/init.d (service startup script) • /etc/security/limits.d (cassandra user limits) • /etc/default. Next Steps: For next steps see Configuring and
0 credits | 141 pages | 2.52 MB | 1 year ago

Project Harbor Introduction - Open source trusted cloud native registry
image Image Management through Pipeline Distributions, Multiple teams, Multiple roles, Availability, Security, Multiple Platforms, goharbor.io, VMware, VIC, PKS, GitHub Repo: Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION RELIABILITY DEPLOYMENT OVERVIEW • HA Supporting • Helm Chart Repo • Deployments services Harbor Packaging Docker Kubernetes Cloud Foundry 12 Confidential ©2018 VMware, Inc. SECURITY Isolation, Access control, Content Trust, Vulnerability Scanning
0 credits | 36 pages | 12.65 MB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Load-Balancer Web-Tier Load-Balancer Pods Pods Pods AZ 1 AZ 2 AZ n Client #IstioCon What about Security? ● L4 Micro-segmentation Solution ○ Central Policy store capturing Application-to-Application Layer Security (TLS) ● Custom OpenID implementation for L7 AuthN #IstioCon Why Service Mesh? ● Current challenges include - ○ Manageability of Hardware Devices ■ Traffic Management & Security Enforcement applications in a consistent way ● Service Mesh ○ An architectural pattern to implement common Security, Observability, Service Routing & Discovery functions as features of the infrastructure - ○ Functions:
0 credits | 22 pages | 505.96 KB | 1 year ago
15 results in total