宋净超 (Jimmy Song): From Open-Source Istio to Enterprise Services: How to Implement a Service Mesh in the Enterprise | … microservice security ● R&D on Next Generation Access Control (NGAC) ● Exclusively co-host annual zero trust multi-cloud conference … Best in Class Team ● Creators of the service mesh Istio, gRPC, Apache … configurations to be added to the group will directly use Istio APIs. … Tetrate OSS Projects ● Wazero: the zero dependency WebAssembly runtime for Go developers ● Istio Security Scanner ● Envoy Gateway: Manages safe enterprise-grade Istio distro ● Func-e: Make running Envoy easy … Wazero ● wazero is the only zero dependency WebAssembly runtime written in Go. ● Contribute to Go/TinyGo/Rust ● Using WasmPlugin API | 0 credits | 30 pages | 4.79 MB | 6 months ago
Developing & Debugging WebAssembly Filters | … (N – 3) FIPS, ARM Tech Advisory Developer portal API Gateway Security (EW) Observability Zero-trust Approval Processes Rollback Delegation WASM Multi Cluster Global Service Failover Multi … | 0 credits | 22 pages | 2.22 MB | 1 year ago
Istio in Production | … true accessPolicy: inbound: - name: consumer-a … NetworkPolicy ServiceRoleBinding Zero trust (diagram: app workloads) Kubernetes Network … | 0 credits | 42 pages | 3.45 MB | 1 year ago
Using Istio to Build the Next 5G Platform | … Debugging: Uniform metrics and tracing for all CNF traffic … Enforcement: Primitives to Build Zero Trust … Strong identity for users, workloads, devices, etc. … Encrypting inter-CNF traffic via mutual … | 0 credits | 18 pages | 3.79 MB | 1 year ago
IstioCon 2022 Report | … production. #IstioCon Most popular sessions in English: Session … Opening keynote (State of Istio & Zero Trust) … Running Istio at Scale for a Secure and Compliant Cloud … External CA integration with Istio … | 0 credits | 20 pages | 2.44 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio? | … Discovery Service) ● A stricter security model ○ Protections for inline components & workflows ○ Trust model augmentation ■ Impersonating ■ Secret clear in memory ■ Secret persistence ● Key protection … send/receive ○ Kernel bypass / direct user space access ○ Transport fully offloaded to the NIC HW ○ Zero-copy operation ○ Secure, channel based IO ● Application advantage ○ Low latency ○ High bandwidth … | 0 credits | 50 pages | 2.19 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0 | … demonstrates the Istio architecture: … Istio Security Audit, 2023 … Trust boundaries: We identify the following trust boundaries (From / Into / Trust flow / Description): Outside of cluster → Ingress Sidecar or Ingress … to high: Ingress traffic can have the lowest level of privilege. As it enters the mesh it crosses a trust boundary. … Ingress Sidecar or Ingress Gateway → Proxy, Low to high: Traffic flowing from Ingress Sidecar is validated against the specified policies before it reaches the service. The traffic crosses a trust boundary as it passes the proxy. … Controlplane → Dataplane, High to low: Policies are created by users … | 0 credits | 55 pages | 703.94 KB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio | … Replace Hardware LBs & Firewalls ● Evolve into AZ based architecture ● Dial-tone security with Trust Domain ● L7 policy enforcement … Step 1 Step 2 Step 3 Step 4 … Declarative Intent, Replace Hardware … ○ Leverage SPIFFE Trust Domain ■ Trust Domain: Trust root of the system having separate root CA ■ Each workload gets unique identity based on K8s Service account - spiffe://<trust domain>/ns//sa/ … Trust Domain mapped to workload environments ■ Prod, Pre-prod, PCI, Staging, etc. ○ To support multiple trust domains in a single K8s cluster ■ Deploy multiple … | 0 credits | 22 pages | 505.96 KB | 1 year ago
Istio Security Assessment | … Sensitive Capabilities 021 Low … Execution of System Commands without Validation 008 Informational … Weak Trust Boundary Between Workload Container and Proxy Sidecar 022 Informational … Google Istio Security … raise an error. … Google Istio Security Assessment, Google / NCC Group Confidential … Finding: Weak Trust Boundary Between Workload Container and Proxy Sidecar. Risk: Informational. Impact: Low, Exploitability: … Istio client certificates, or bypass networking restrictions. Description: Istio places an implicit trust boundary on the separation of workload containers and the Envoy proxy sidecar container running in … | 0 credits | 51 pages | 849.66 KB | 1 year ago
Apache Kafka with Istio on K8s | … • Client certificate includes the K8s service account of the Kafka client application • SPIFFE://<trust domain>/ns//sa/ • Configurable certificate expiration • On the … | 0 credits | 14 pages | 875.99 KB | 1 year ago