cloud conf keynote - orchestrating least privilege
TRANSCRIPT
Orchestrating Least Privilege
~2000 Today
What is an Orchestrator?
What is an Orchestra?
SWARM
Job of a Conductor
- Casting
- Assign sheet music
- Unify performers
- Set the tempo
Job of an Orchestrator
- Node management
- Task assignment
- Cluster state reconciliation
- Resource management
What is a Least Privilege Orchestrator?
What is Least Privilege?
A process must be able to access only the information and resources that are necessary for its legitimate purpose.
Principle of Least Privilege
An Orchestrator that follows the principle of least privilege in the strictest manner possible.
Least Privilege Orchestrator
Why Least Privilege?
[Diagram: Cluster and Internet]
[Diagram: Cluster and Internet, with a node labelled A]
[Diagram: nodes labelled M, M, M and A, A, A]
[Diagram: nodes labelled M, M, M and W, W, W]
How far away are we right now?
How do we achieve Least Privilege Orchestration?
Mitigating External Attacker
    web:
      image: web-app
      expose: 443
      links:
        - redis
    redis:
      image: redis
Mitigating Internal Network Attacker
[
  { "permission": { "method": "GET",    "resource": "/user" },    "allow": ["web", "fulfillment", "payments"] },
  { "permission": { "method": "POST",   "resource": "/user" },    "allow": ["signup", "web"] },
  { "permission": { "method": "DELETE", "resource": "/user/.*" }, "allow": ["web"] }
]
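The policy on that slide can be enforced by a small deny-by-default check like this one (an added example, not code from the talk or from Swarm; it assumes the caller's service name has already been taken from its mTLS client certificate, and that resource patterns are anchored, which the slide does not state):

```python
import json
import re

# The policy from the slide, constructed here as an inline string so the
# example runs offline.
POLICY_JSON = """
[ { "permission": { "method": "GET",    "resource": "/user" },
    "allow": ["web", "fulfillment", "payments"] },
  { "permission": { "method": "POST",   "resource": "/user" },
    "allow": ["signup", "web"] },
  { "permission": { "method": "DELETE", "resource": "/user/.*" },
    "allow": ["web"] } ]
"""


def load_policy(text):
    """Parse the JSON policy into (method, compiled resource pattern, callers).

    Resources are matched with fullmatch, so "/user" does not also cover
    "/users" or "/user/42".  Anchoring is an assumption made here: an
    unanchored pattern would silently widen every rule in the list.
    """
    rules = []
    for entry in json.loads(text):
        perm = entry["permission"]
        rules.append((perm["method"].upper(),
                      re.compile(perm["resource"]),
                      frozenset(entry["allow"])))
    return rules


def is_allowed(rules, caller, method, resource):
    """Deny by default: allow only if some rule matches both the method and
    the resource and lists the caller.  `caller` is the service identity
    that the client's certificate carries (assumed already extracted)."""
    method = method.upper()
    for rule_method, pattern, allowed in rules:
        if rule_method == method and pattern.fullmatch(resource) and caller in allowed:
            return True
    return False


RULES = load_policy(POLICY_JSON)

if __name__ == "__main__":
    for who, verb, path in [("web", "GET", "/user"), ("payments", "POST", "/user"),
                            ("web", "DELETE", "/user/42"), ("web", "GET", "/users")]:
        verdict = "allow" if is_allowed(RULES, who, verb, path) else "deny"
        print(f"{who:12} {verb:6} {path:10} -> {verdict}")
```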
Mitigating MiTM Attacker
    rails-app:
      image: rails-app
      links:
        - mysql
    mysql:
      image: mysql
MTLS
Mitigating Malicious Worker
[Diagram: Push; Manager; Worker, Worker, Worker]
Mitigating Malicious Manager
[Diagram: Manager; Worker, Worker, Worker]
    web:
      image: web-app
      expose: 443
      links:
        - redis
      tls-auth:
        - OU: api-client
    redis:
      image: redis
SWARM
Mutual TLS by default
• First node generates a new self-signed CA.
• New nodes can get a certificate issued w/ a token.
• Workers and managers identified by their certificate.
• Communications secured with Mutual TLS.
Secrets
[Diagram: Secrets, External APP]
Thank you