Anthony Roman, Lei Tang Google April 26, 2022 Service mesh security best practices: from implementation to verification Who are we? Anthony Roman Istio Github: anthony-roman Lei Tang Istio agenda 1. Service mesh security architecture and implementation. 2. Service mesh security best practices. 3. Lifecycle of service mesh security and demo. Service mesh security architecture ● Attack Attack vectors. ● Service mesh security architecture and implementation. 1 Attack Vectors and Surfaces Istio is both a collection of security controls and an attack target. Workload Cluster Edge Operations

overview Basic operations Guide to creating database connections Disconnecting from database Editing database connection Invalidating and reconnecting to database Local client configuration Connection datasource connections Configure connection initialization settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration Kubernetes configuration SSM configuration Shell commands Changing current user password Authentication models overview Database native DBeaver profile Kerberos authentication Microsoft Entra ID Authentication MongoDB PostgreSQL

overview Basic operations Guide to creating database connections Disconnecting from database Editing database connection Invalidating and reconnecting to database Local client configuration Connection datasource connections Configure connection initialization settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration User Guide Table of SSM configuration Shell commands Changing current user password Authentication models overview Database native DBeaver profile Kerberos authentication Microsoft Entra ID Authentication MongoDB PostgreSQL

overview Basic operations Guide to creating database connections Disconnecting from database Editing database connection Invalidating and reconnecting to database Local client configuration Connection datasource connections Configure connection initialization settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration Kubernetes configuration SSM configuration Shell commands Changing current user password Authentication models overview Database native DBeaver profile Kerberos authentication Microsoft Entra ID Authentication MongoDB PostgreSQL

com:django-cms/django-cms-quickstart.git cd django-cms-quickstart docker compose build web docker compose up -d database_default docker compose run web python manage.py migrate docker compose run web python manage.py Django admin. 3. It changes into the project directory and runs the migrate command to create the database: 4. It prompts for creating a superuser by invoking: pip install django-cms djangocms myproject LANGUAGE_CODE setting to en.) Database django CMS like most Django projects requires a relational database backend. Each django CMS installation should have its own database. You can use SQLite, which is

Install the Software 1 Start the Cassandra Server 1 Login to Cassandra 1 Create a Keyspace (database) 1 Create a Column Family 2 Insert, Update, Delete, Read Data 2 Getting Started with Cassandra Steps 32 Initializing a Cassandra Cluster on Amazon EC2 Using the DataStax AMI 32 Creating an EC2 Security Group for DataStax Community Edition 33 Launching the DataStax Community AMI 34 Connecting to Cassandra Data Model 45 The Cassandra Data Model 45 Comparing the Cassandra Data Model to a Relational Database 45 About Keyspaces 47 Defining Keyspaces 47 About Column Families 48 About Columns 49 About

image Image Management through Pipeline Distributions Multiple teams Multiple roles Availability Security Multiple Platforms goharbor.io � VMware �� ������, ������ �������� ���:VIC�PKS GitHub Repo: Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION RELIABILITY DEPLOYMENT OVERVIEW • HA Supporting • Helm Chart Repo • Deployments Vulnerability Scanning Job Service Admin Service Harbor components 3rd party components SQL Database Key/Value Storage Persistence components Local or Remote Storage (block, file, object) Users

image Image Management through Pipeline Distributions Multiple teams Multiple roles Availability Security Multiple Platforms goharbor.io � VMware �� ������, ������ �������� ���:VIC�PKS GitHub Repo: Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION RELIABILITY DEPLOYMENT OVERVIEW • HA Supporting • Helm Chart Repo • Deployments Vulnerability Scanning Job Service Admin Service Harbor components 3rd party components SQL Database Key/Value Storage Persistence components Local or Remote Storage (block, file, object) Users

1. The Ubuntu Promise • Ubuntu will always be free of charge, including enterprise releases and security updates. • Ubuntu comes with full commercial support from Canonical and hundreds of companies around • Separate Professional and Home editions • Less frequent and less visible re- lease schedule Security • Locked administrative user root • Rarely targeted by malware and viruses • Enables easy access Microsoft Windows are not the same. For example, Microsoft Windows Professional editions have more security features than Home editions. Ubuntu's 6 monthly release cycle also makes it very easy for users

management ○ Load balancing for VMs, failover, A/B testing, modern rollouts for VM services ● Security ○ Enforce the same policies in the same way, across compute environments ● Observability ○ See Extensibility #IstioCon Why Should Istio Support VMs ● ≈ Why VMs? ○ Technical reasons ■ Better known security controls ■ Better isolation (of resources, fault domains etc.) ■ Compatibility (non-Linux, unikernels) injection ○ automate VM registration ○ health/readiness check #IstioCon V1.7 VM Support with Added Security ● Secure bootstrapping process ○ Automate provisioning a VM's mesh identity (certificate) ■ based