cloud conf keynote - orchestrating least privilege

Post on 22-Mar-2017


TRANSCRIPT

Orchestrating Least Privilege

~2000 Today

What is an Orchestrator?

What is an Orchestra?

SWARM

Job of a Conductor

- Casting
- Assign sheet music
- Unify performers
- Set the tempo

Job of an Orchestrator

- Node management
- Task assignment
- Cluster state reconciliation
- Resource management

What is a Least Privilege Orchestrator?

What is Least Privilege?

A process must be able to access only the information and resources that are necessary for its legitimate purpose.

Principle of Least Privilege

Least Privilege Orchestrator

An Orchestrator that follows the principle of least privilege in the strictest manner possible.

Why Least Privilege?

(Diagram: two clusters attached to the Internet, with nodes labelled A, M and W; M and W are the manager and worker nodes named elsewhere in the deck.)

How far away are we right now?

How do we achieve Least Privilege Orchestration?

Mitigating External Attacker

web:
  image: web-app
  expose:
    - "443"
  links:
    - redis
redis:
  image: redis

Mitigating Internal Network Attacker

[
  {
    "permission": { "method": "GET", "resource": "/user" },
    "allow": ["web", "fulfillment", "payments"]
  },
  {
    "permission": { "method": "POST", "resource": "/user" },
    "allow": ["signup", "web"]
  },
  {
    "permission": { "method": "DELETE", "resource": "/user/.*" },
    "allow": ["web"]
  }
]
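As an added example (not code from the talk or from Docker Swarm), the Go program below loads the policy above and evaluates requests against it, default-deny: the caller is the service name a request arrives with (in an mTLS setup, taken from the client certificate), and a request matching no rule, or a rule that does not list the caller, is refused. It also anchors each resource pattern to the whole path, a detail the slide leaves implicit: unanchored, "/user" would also match "/user/42" and "/user/.*" would match "/admin/user/1". The names LoadPolicy and Allowed, and the sample requests in main, are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Rule mirrors one entry of the policy above: a method plus a resource pattern,
// and the service identities allowed to call it.
type Rule struct {
	Permission struct {
		Method   string `json:"method"`
		Resource string `json:"resource"`
	} `json:"permission"`
	Allow []string `json:"allow"`
}

type compiledRule struct {
	method   string
	resource *regexp.Regexp
	allow    map[string]bool
}

// Policy is the compiled rule set. Evaluation is default-deny: a request that
// matches no rule, or whose caller is not in the matching rule's list, is refused.
type Policy struct{ rules []compiledRule }

// LoadPolicy parses the JSON rules and anchors every resource pattern to the
// whole path, so "/user" does not also cover "/user/42" and "/user/.*" does not
// cover "/admin/user/1" (a classic mistake with unanchored regex ACLs).
func LoadPolicy(raw []byte) (*Policy, error) {
	var rules []Rule
	if err := json.Unmarshal(raw, &rules); err != nil {
		return nil, err
	}
	p := &Policy{}
	for _, r := range rules {
		re, err := regexp.Compile("^(?:" + r.Permission.Resource + ")$")
		if err != nil {
			return nil, fmt.Errorf("rule %s %s: %w", r.Permission.Method, r.Permission.Resource, err)
		}
		cr := compiledRule{method: r.Permission.Method, resource: re, allow: map[string]bool{}}
		for _, svc := range r.Allow {
			cr.allow[svc] = true
		}
		p.rules = append(p.rules, cr)
	}
	return p, nil
}

// Allowed reports whether caller (the service name taken from its client
// certificate) may perform method on path.
func (p *Policy) Allowed(caller, method, path string) bool {
	for _, r := range p.rules {
		if r.method == method && r.resource.MatchString(path) && r.allow[caller] {
			return true
		}
	}
	return false
}

// policyJSON is the policy from the slide, verbatim apart from whitespace.
const policyJSON = `[
  {"permission": {"method": "GET",    "resource": "/user"},    "allow": ["web", "fulfillment", "payments"]},
  {"permission": {"method": "POST",   "resource": "/user"},    "allow": ["signup", "web"]},
  {"permission": {"method": "DELETE", "resource": "/user/.*"}, "allow": ["web"]}
]`

func main() {
	p, err := LoadPolicy([]byte(policyJSON))
	if err != nil {
		panic(err)
	}
	// Constructed sample requests (caller, method, path); outcomes in the comments.
	for _, c := range [][3]string{
		{"payments", "GET", "/user"},          // true
		{"payments", "POST", "/user"},         // false: not in the POST allow list
		{"web", "DELETE", "/user/42"},         // true
		{"fulfillment", "DELETE", "/user/42"}, // false
		{"web", "GET", "/user/42"},            // false: GET is granted on /user only
		{"nobody", "GET", "/user"},            // false: unknown identity
	} {
		fmt.Printf("%-12s %-7s %-9s -> %v\n", c[0], c[1], c[2], p.Allowed(c[0], c[1], c[2]))
	}
}
```

Invalid patterns are rejected when the policy is loaded rather than at request time, so a typo in a rule fails closed instead of silently denying (or, worse, matching) traffic in production.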

Mitigating MiTM Attacker

rails-app:
  image: rails-app
  links:
    - mysql
mysql:
  image: mysql

MTLS

Mitigating Malicious Worker

Push

Worker

Manager

WorkerWorker

Mitigating Malicious Manager

Worker

Manager

WorkerWorker

web:
  image: web-app
  expose:
    - "443"
  links:
    - redis
  tls-auth:
    - OU: api-client
redis:
  image: redis


SWARM

Mutual TLS by default

• First node generates a new self-signed CA.
• New nodes can get a certificate issued w/ a token.
• Workers and managers identified by their certificate.
• Communications secured with Mutual TLS.
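The mechanism described above (a self-signed cluster CA, per-node certificates, identity taken from the certificate, mutual TLS on every connection) together with the tls-auth OU rule from the web/redis example and the MTLS answer to the MiTM attacker, as one added example written against Go's standard library. It is not the talk's or Docker Swarm's own code: it generates a CA, issues certificates to a "redis" server and to two clients, and shows that "redis" accepts only a client whose certificate both chains to the cluster CA and carries OU api-client, while a valid cluster member with another OU and a client with no certificate at all are both refused. The service names, OUs, and the helpers issue, serverConfig, tryConnect and Scenarios are assumptions made for the example; the token-based join step is not modelled (leaf certificates are signed directly with the CA key here), and the slide's tls-auth key is read as a server-side OU allow-list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func try[T any](v T, err error) T { // panics on err: fatal errors keep the example short
	if err != nil {
		panic(err)
	}
	return v
}

// issue returns a key and certificate for name carrying ou: a self-signed CA
// when parent is nil (the first node's step), else a leaf signed by parent.
func issue(name, ou string, parent *tls.Certificate) tls.Certificate {
	key := try(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: try(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))),
		Subject:      pkix.Name{CommonName: name, OrganizationalUnit: []string{ou}},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed cluster CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := try(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: try(x509.ParseCertificate(der))}
}

// serverConfig is the tls-auth rule: the client must present a certificate chained to the cluster CA whose single OU equals allowedOU.
func serverConfig(cert tls.Certificate, ca *x509.CertPool, allowedOU string) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    ca,
		MinVersion:   tls.VersionTLS12,
		// Runs only after chain validation succeeded; chains[0][0] is the client leaf.
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if ou := chains[0][0].Subject.OrganizationalUnit; len(ou) == 1 && ou[0] == allowedOU {
				return nil
			}
			return errors.New("client certificate OU is not authorised for this service")
		},
	}
}

// tryConnect dials a loopback server built from srv with cli and reports whether
// the server accepted the client and answered; under TLS 1.3 Dial alone cannot tell.
func tryConnect(srv, cli *tls.Config) bool {
	ln := try(tls.Listen("tcp", "127.0.0.1:0", srv))
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			if c.(*tls.Conn).Handshake() == nil {
				c.Write([]byte("OK"))
			}
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return false // TLS 1.2: the server's rejection surfaces during Dial
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	_, err = conn.Read(make([]byte, 2)) // TLS 1.3: a rejection surfaces as an alert or EOF here
	return err == nil
}

// Scenarios builds a CA, issues certs to "redis" (server), "web" (OU api-client) and "batch" (wrong role), and reports whom "redis" accepts.
func Scenarios() map[string]bool {
	ca := issue("cluster-ca", "ca", nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := serverConfig(issue("redis", "api-server", &ca), pool, "api-client")
	cli := func(certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: pool, ServerName: "redis", Certificates: certs}
	}
	return map[string]bool{
		"web":   tryConnect(srv, cli(issue("web", "api-client", &ca))), // right OU: accepted
		"batch": tryConnect(srv, cli(issue("batch", "batch", &ca))),    // member, wrong OU: rejected
		"anon":  tryConnect(srv, cli()),                                // no certificate: rejected
	}
}

func main() { fmt.Println(Scenarios()) } // prints map[anon:false batch:false web:true]
```

Two design points worth noting. The OU check lives in VerifyPeerCertificate, which Go invokes only after the chain has already been validated against ClientCAs, so "who signed you" and "what role are you" are enforced as two separate gates, and the second can never be reached by a certificate the cluster CA did not issue. And the client deliberately waits for an application-level reply instead of trusting a successful Dial: under TLS 1.3 the client's side of the handshake completes before the server has looked at the client certificate, so a check that stops at Dial would wrongly report the rejected clients as connected.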

Secrets

External APP

Thank you
