How HP set up secure and wise platform with Istio
#IstioCon Secure Platform • JWT Verify • Mutual TLS • Authorization Policy • Envoy External Authorization #IstioCon Secure Platform #IstioCon Secure Platform – JWT Verify Using request authentication authentication policy to Verify end-user JWT easily #IstioCon Secure Platform – mutual TLS Using mutual TLS for service-to-service authentication. • When a service receives or sends network traffic, the traffic • When mTLS is enabled between two services, the client side and server side’s “envoy proxies” verify each other’s identities before sending requests. • If the verification is successful, then the
23 pages | 1.18 MB | 1 year ago

Service mesh security best practices: from implementation to verification
Exchange external credential to internal token to defend against token replay attacks. Internal JWT mTLS Edge security Cluster security best practices: access control Service 2 Service 1 1. Ensure security best practices: enforce boundaries Workload security best practices Scan vulnerabilities Verify images Gatekeeper Binary authorization Restrict privileges Gatekeeper Istio CNI Cluster security Enforce Verify Security Lifecycle Concepts Secure Monitor Enforce Verify Deploy comprehensive multi-layer security mechanisms. Enforce that the security mechanisms are not tampered. Verify that
29 pages | 1.77 MB | 1 year ago

Secure your microservices with istio step by step
Istio Identity Istiod Istio Agent Envoy 1. Start Envoy 2. Request Cert (SDS)) 3. CSR Auth: JWT 4. Cert signed with SPIFFE format Istio-proxy CA server #IstioCon Istio identity – how to get to ingress gateway Authorize ingress traffic via JWT 1) Apply RequestAuthentication to ingress gateway Authorize ingress traffic via JWT https + JWT http http http mTLS mTLS Send request via curl only valid token does 2) Delete JWT authentication request, invalid token can pass the gateway Access productpage #IstioCon Authorize ingress traffic with JWT token apiVersion: "security.istio
34 pages | 67.93 MB | 1 year ago

Istio as an API Gateway
Mesh? Common Features Common Features ● Load Balancing ● Request Routing ● Service Discovery ● JWT Authentication ● Traffic Splitting ● Canary Deployment ● Traffic Mirroring ● Rate Limiting ● TLS
27 pages | 1.11 MB | 1 year ago

Full-Stack Service Mesh - Aeraki Helps You Manage Any Layer-7 Traffic in an Istio Service Mesh
metrics ○ HTTP status code ○ Thrift request latency ○ ... ● Application layer security ○ HTTP JWT Auth ○ Redis Auth ○ ... IP Data IP Header TCP Data TCP Header Layer-7 Header Data
29 pages | 2.11 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
used for service-to-service authentication to verify the client making the connection. 2. Request authentication: Used for end-user authentication to verify the credential attached to the request. Authorization
55 pages | 703.94 KB | 1 year ago

Istio Security Assessment
collision). Hashes which don’t have this property are considered to be insecure. Hashes are often used to verify the integrity of the input; for example, to ensure that a downloaded file has the correct content validation_context.14, 15 As a result, Envoy proxies using such a configuration will not attempt to verify the validity of the upstream server’s TLS certificate. Note: This issue and GitHub issue were originally
51 pages | 849.66 KB | 1 year ago

Debugging Istio Within the Department of Defense
istioctl... ● analyze ● experimental ● proxy-config ● proxy-status ● upgrade (--dry-run) ● verify-install ● bug-report #IstioCon Maintaining Istio ● Deployments ○ IstioOperator ● Monitoring
17 pages | 1.49 MB | 1 year ago

Istio Project Update
(service owner) Platform owner Mesh operator (could be your cloud provider) 3 Key Personas install verify-install upgrade Istio simplify install helm3 #IstioCon Pilot Mixer Citadel Node Agent Injector
22 pages | 1.10 MB | 1 year ago

5 tips for your first Istio.io Contribution
forget to update/create a test if the page changed is tested! #IstioCon Run make lint locally to verify changes and check for problems Click on the Netlify preview to view updates as if they were
14 pages | 717.74 KB | 1 year ago