
Extending the Zero Trust Security Model for Containerized Applications to Public Clouds

This presentation explores the challenges and solutions for implementing a Zero Trust Security Model in public cloud environments for containerized applications. It discusses the journey towards unified networking and IT, the dream of simplified service provisioning and management, and the solution of orchestration and SDN policies. A demo showcases the successful implementation.





Presentation Transcript


  1. Extending the Zero Trust Security Model for Containerized Applications to Public Clouds. Jason Sones, VNO North America, Nuage Networks from Nokia; Sherif Awad, SDN Solution Architect Lead, Nuage Networks from Nokia. April 30th, 2019.

  2. Agenda: Extending the Zero Trust Security Model for Containerized Applications to Public Clouds, or Blah Blah Blah! [title is too long!!!]
  • Overview
  • The Journey
  • The Dream
  • Challenges
  • The Solution
  • Demo
  • Questions

  3. Overview What is this presentation about?

  4. Overview: What is the Zero Trust Security Model?
  • Never implicitly trust any public infrastructure.
  • Start with the assumption that every potential shared resource can be compromised.
  • Implement policies that enable services with the minimal required access privileges.
  • Always use micro-segmentation, authentication, authorization and encryption between application and/or user endpoints.
  • Constantly monitor access requests (analytics) and intrusion attempts, and adjust policy to maintain the ZTM.
  • Prevent, detect and respond; automate this if you can!

  5. Overview: The move towards unified networking and IT
  • Unifying islands of connectivity through central policy and control.
  • Impact of the move to public cloud:
    • The emergence of sensitive enterprise IT applications hosted as container workloads in public clouds.
    • The challenge is applying enterprise-grade security policy to public cloud applications.
  • Simplifying service provisioning and management across branch, private and public clouds.
  • How to ease end-user provisioning, consumption and management of these new unified services.

  6. The Journey How did we get to this point?

  7. The journey [diagram] Step 1: Kubernetes in the data center (private cloud). Step 2: Connecting and serving disparate locations (SD-WAN): Site A, Site B and Site C (VMs) joined over VPN. Legend: public transport = VxLAN over IPsec; trusted infrastructure = VxLAN only.

  8. The journey (continued) [diagram] Step 3: an SDN policy engine drives a DC SDN controller (Kubernetes, App 1, VNF 2 on any DC underlay, SDN gateway) and a WAN SDN controller. Step 4: branches 1, 3 and 4 reach the data center over MPLS PE or Internet, forming an end-to-end service overlay from branch to DC. Legend: public transport = VxLAN over IPsec; trusted infrastructure = VxLAN only.

  9. The Unified Secure Multi-Cloud

  10. The Dream Why Orchestration

  11. Why Orchestration? [diagram] The combinatorial space a service must be deployed across:
  • m branch types (ThickCPE, SlimCPE, ThinCPE, NSG-BR), q versions, r configurations
  • p VNF types: firewall, mail scanner, anti-DDoS, access control, WAN optimization, load balancing, NAT, other VAS, 3rd party
  • n enterprises, c VPC environments (OpenStack, AWS, Azure, GCP), b datacenter stacks (Nuage VCS, Nuage VNS, Legacy, NSP SR/vSR)
  • a underlays: Internet, Telco Cloud, Local Cloud, Legacy IP/MPLS VPN
  • Overlays: VxLAN SD-WAN (SDN / Nuage), GRE

  12. Why Orchestration? [diagram] Single-click deployment, service updates and a maintainable service across many hypervisors and the public cloud.

  13. Challenges Identifying the obstacles that are standing in our way.

  14. Challenges: What is missing to be able to realize the dream?
  • How to ensure only authorized hosts can run container workloads?
  • How to secure traffic between containers on different hosts?
  • How to provide end-to-end service provisioning, security, monitoring and visibility from branch to private DC to public cloud?
  • Can I rely on the public cloud for data that I am responsible for keeping secure?

  15. The Solution Putting it all together

  16. The Solution [diagram] Orchestration on top of the SDN policy engine: a DC SDN controller (Kubernetes, App 1) and a WAN SDN controller, with a bootstrap proxy and a public cloud gateway extending the overlay into the public cloud network (App-22). Branches 1, 3 and 4 reach it over MPLS PE or Internet, giving an end-to-end service overlay from branch to private DC to public cloud. Legend: ZTM = VxLAN over IPsec.

  17. Demo We actually got it to work!!! … mostly …

  18. Lab Topology [diagram] Branch (user, management) connected over the WAN to a Nuage SDN cluster (VSD, SSL proxy) and to a cloud-hosted OpenShift/Kubernetes cluster (DNS-NTP, master, node01, node02); VNO data and control plane.

  19. Demo And so it begins

  20. Questions Don’t be shy! Contact Info sherif.awad@nokia.com jason.sones@nokia.com
