Anthony Roman, Lei Tang Google April 26, 2022 Service mesh security best practices: from implementation to verification Who are we? Anthony Roman Istio Github: anthony-roman Lei Tang Istio agenda 1. Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture ● Attack Attack vectors. ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster Edge Operations

Scanner Compatibil- ity ................................................... 249 7.5.2. Scanning an Image ................. 249 7.6. Lesson Summary ............................... 251 7.7. Review Exercise 1. The Ubuntu Promise • Ubuntu will always be free of charge, including enterprise releases and security updates. • Ubuntu comes with full commercial support from Canonical and hundreds of companies around • Separate Professional and Home editions • Less frequent and less visible re- lease schedule Security • Locked administrative user root • Rarely targeted by malware and viruses • Enables easy access

Registry UT Build Commit Environment image image image image Image Management through Pipeline Distributions Multiple teams Multiple roles Availability Security Multiple Platforms goharbor.io � VMware Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION RELIABILITY DEPLOYMENT OVERVIEW • HA Supporting • Helm Chart Repo • Deployments ������ Helm Chart�� Helm Chart�� ������������� Harbor�� API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components

Registry UT Build Commit Environment image image image image Image Management through Pipeline Distributions Multiple teams Multiple roles Availability Security Multiple Platforms goharbor.io � VMware Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION RELIABILITY DEPLOYMENT OVERVIEW • HA Supporting • Helm Chart Repo • Deployments ������ Helm Chart�� Helm Chart�� ������������� Harbor�� API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components

datasource connections Configure connection initialization settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration Kubernetes configuration authentication Managing AWS permissions Working with AWS SSO AWS credentials System operations and security Databases authentication models Cloud databases configuration Cloud settings in DBeaver DBeaver Filter Database objects Bookmarks Projects overview Projects View Project Explorer Project security Editors overview Database Navigator panel Projects workspace Editors in DBeaver DBeaver Lite

datasource connections Configure connection initialization settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration User Guide Table of authentication Cloud Explorer overview AWS Cloud Explorer Azure Cloud Explorer System operations and security Databases authentication models Cloud databases configuration Cloud Explorer tools DBeaver User Filter Database objects Bookmarks Projects overview Projects View Project Explorer Project security Editors overview Data Editor overview Data View and Format Data Filters Data viewing and editing

datasource connections Configure connection initialization settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration Kubernetes configuration overview AWS Cloud Explorer Azure Cloud Explorer Google Cloud Explorer System operations and security Databases authentication models Cloud databases configuration Cloud Explorer tools DBeaver Ultimate User Guide 24.2.ea. Page 7 of 1171. Projects overview Projects View Project Explorer Project security Editors overview Data Editor overview Data View and Format Data Filters Data viewing and editing

recommended. Django Filer Django Filer [https://github.com/django-cms/django-filer] provides file and image management. Many other applications also rely on Django Filer - it’s very unusual to have a django "djangocms_frontend.contrib.content", "djangocms_frontend.contrib.grid", "djangocms_frontend.contrib.image", "djangocms_frontend.contrib.jumbotron", "djangocms_frontend.contrib.link", "djangocms_frontend a defined block) render_model_icon (for editing a field represented by another value, such as an image) render_model_add (for adding an instance of the specified model) render_model_add_block (for adding

Steps 32 Initializing a Cassandra Cluster on Amazon EC2 Using the DataStax AMI 32 Creating an EC2 Security Group for DataStax Community Edition 33 Launching the DataStax Community AMI 34 Connecting to phi_convict_threshold 76 Automatic Backup Properties 76 incremental_backups 76 snapshot_before_compaction 76 Security Properties 76 authenticator 76 authority 77 internode_encryption 77 keystore 77 keystore_password requests for all of the data it is responsible for managing. DataStax provides an Amazon Machine Image (AMI) to allow you to quickly deploy a multi-node Cassandra cluster on Amazon EC2. The DataStax AMI

anywhere” data analytics portability DATA ENG DATA WH AI/ML OP DB DATA FLOW Unified security & governance with open cloud-native storage formats Open data fabrics, lakehouses and data control policy, lineage and governance Support HDFS and S3 API based applications Application Security Encryption Is the data protected at rest and in-transit? / 51 7 Confidential—Restricted Apache uses RocksDB to store the namespace) • HDDS – a distributed container management layer • Hadoop security model and Hadoop RPC OZONE BUCKET TYPES Ethan Rose Ozone PMC, committer 20 © 2022 Cloudera, Inc