SE Radio 635: Stevie Caldwell on Zero-Trust Architecture
Stevie Caldwell, Senior Engineering Technical Lead at Fairwinds, joins host Priyanka Raghavan to discuss zero-trust network reference architecture. The episode begins with high-level definitions of zero-trust architecture, zero-trust reference architecture, and the pillars of Zero Trust. Stevie describes four open-source implementations of the Zero Trust Reference Architecture: Emissary Ingress, Cert Manager, LinkerD, and the Policy Engine Polaris. Each component is explored to help clarify their roles in the Zero Trust journey. The episode concludes with a look at the future direction of Zero Trust Network Architecture. This episode is sponsored by QA Wolf.
Show Notes
- LinkedIn: @steviecaldwell
- Fairwinds blog: Three Steps to Streamlining Kubernetes Multi-cluster Management
SE Radio Episodes
Transcript
Transcript brought to you by IEEE Software magazine and IEEE Computer Society. This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number.
Priyanka Raghavan 00:00:51 Hi everyone, I’m Priyanka Raghavan for Software Engineering Radio, and today I’m chatting with Stevie Caldwell, a senior engineering tech lead at Fairwinds. She has a lot of experience in research development, architecture, design audits, as well as client support and incident analysis. To top this, Stevie has a wealth of knowledge in areas of DevOps, Kubernetes, and Cloud infrastructure. Today we’re going to be talking about zero-trust network architecture, specifically diving deep into a reference architecture for Kubernetes. Welcome to the show, Stevie.
Stevie Caldwell 00:01:26 Thank you. Thank you for having me. It’s great to be here, and I’m psyched to talk to you today.
Priyanka Raghavan 00:01:30 So the first question I wanted to ask you is trust and security at the core of computing. And so in this regard, would you be able to explain to us or define the term zero-trust network architecture?
Stevie Caldwell 00:01:43 Yeah, it’s often useful to define it in terms of what was, or what might even still be standard now, which is a more perimeter-based approach to security, also called the castle approach. People have talked about castle-and-moat, and essentially it’s that you’re trusting anything; you’re setting up a perimeter of security that says anything outside my cluster or outside my network is to be looked upon with skepticism and is not to be trusted, but once you’re inside the network, you’re cool. Sort of defining, using the network itself as the identity, versus with zero-trust the challenge is trust no one, like The X-Files. So you want to treat even things that are inside your perimeter, inside your network, with skepticism, with care. You want to remove that implicit trust and make it explicit so that you’re being meaningful and deliberate about what things you allow to communicate with each other inside your network.
Stevie Caldwell 00:02:51 I like to use an analogy. One that I like a lot is an apartment building, where you have a front door that faces the public, that people are given a key to if they live in that building. So they get a key so that they’re allowed to enter that building. Once they’re inside the building, you don’t just leave all the apartment doors open still, right? You don’t just allow people in and say, well, you’re in the building now, so you can go wherever you want. You still have, like, network; you still have security at each of the apartments because those are locked. So I like to think about zero-trust sort of working that same way.
Priyanka Raghavan 00:03:26 That’s great. So one of the books I was reading before preparing for the show was the zero-trust networks book. We had the authors of that book on the show about four years back, and they talked about some fundamental principles of zero-trust, I think pretty much similar to what you’re talking about, like the concept of trusting no one depending a lot on segmentation, following principles of least privileges, and then of course monitoring. Is that something that you can elaborate a little bit about?
Stevie Caldwell 00:04:00 Yeah, so there is this framework around zero-trust, where there are these pillars that sort of group the domains that you would commonly want to secure in a zero-trust implementation. So, there’s identity, which deals with your users: who’s accessing your system, what are they allowed to access, even down to physical access from a user. Like, can you swipe into a data center? There’s application and workloads, which deals with making sure that your applications and workloads are also vigilant about who they talk to. An example of this is workload security inside a Kubernetes cluster, right? So making sure that only the applications that need access to a resource have that access, not letting everything write to an S3 bucket, for example. There’s network security, which is where a lot of people focus, honestly, when they start thinking about zero-trust; that’s micro-segmentation, that’s isolating.
[...]
- Attached PDF: 656a557934bf7c34888c7902_A_zero_trust_reference_architecture.pdf