powering flexible payments in the cloud with kubernetes
play

Powering Flexible Payments in the Cloud with Kubernetes whoami Ana - PowerPoint PPT Presentation

Dec 10, 2022 •580 likes •970 views

Powering Flexible Payments in the Cloud with Kubernetes whoami Ana Calin Systems Engineer @Paybase Twitter: @AnaMariaCalin 3 01 whoami 02 About Paybase 03 Things weve achieved so far 04 Our tech stack Table of Contents 05

  1. Powering Flexible Payments in the Cloud with Kubernetes

  3. whoami Ana Calin Systems Engineer @Paybase Twitter: @AnaMariaCalin 3

  4. 01 whoami 02 About Paybase 03 Things we’ve achieved so far 04 Our tech stack Table of Contents 05 Anatomy of a compromise 06 A few notes on security and resilience 07 Challenges we’ve encountered 08 Challenges we’ve circumvented 09 Summary 4

  5. > API driven Payments Provider Platform > B2B - marketplace, gig/sharing economies, cryptocurrency > We make regulation easier for our customers

  6. Things we’ve achieved so far ✓ We are ~ 2 years old ✓ Built our own processing platform from scratch ✓ We are currently onboarding our first 7 clients ✓ FCA authorised ✓ We have an EMI license ✓ Innovate UK grant worth £700k ✓ PCI DSS (The Payment Card Industry Data Security Standard) Level 1 compliant 6

  7. Some of our tech stack 7

  8. Anatomy of a compromise 8

  9. Details about the compromise ✓ in the scope of an internal infrastructure penetration test ✓ in our production cluster ✓ pen tester had access to a privileged container 9

  10. The weak link : GKE ● Compute engine scope Compute engine ● default service account ● Legacy metadata endpoints 10

  11. Metadata endpoints 11

  12. Mitigations OR 12

  13. Result 13

  14. The weak link : Tiller ● comes with mTLS disabled is able to create any ● K8S API resource in a cluster performs no ● authentication by default 14

  15. Tiller 15

  16. Mitigations RESULTS IN 16

  17. Security and resilience 17

  18. A secure K8S cluster should ● use a dedicated SA with minimal permissions ● use minimal scopes - least privilege principle use Network Policies or Istio with authorization rules set up ● use Pod Security Policies ● ● use scanned images ● have RBAC enabled 18

  19. A resilient Kubernetes cluster should ● be architected with failure and elasticity in mind by default ● have a stable observability stack be tested with a tool such as Chaos Engineering ● 19

  20. Challenges we’ve encountered on our road to compliance 20

  21. Challenge 1: The What As a PCI compliant PSP with many types of dbs , I am want to be able to query data-sets in a secure and db agnostic manner so that engineers and customers can use it easily and we are not prone to injections . (req. 6.5.1) 21

  22. Challenge 1: The How Meet PQL 01 Inspired by SQL 02 Injection resistant 03 Used for querying data-sets 04 Database agnostic 05 Adheres to logical operator precedence 22

  23. Challenge 1: The How 01 Lexical analysis (tokenize input) 02 Syntactical analysis (parse tokenized input to AST) 03 Abstract Syntax Tree to specific database query 23

  24. Challenge 2: The What As a PCI compliant PSP , I am required to implement only one primary function per server to prevent functions that require different security levels from coexisting on the same server . (req. 2.2.1) 24

  25. Challenge 2: The How 01 Server = Deployable Unit 02 Network Policies 03 Pod Security Policies 04 Only using trusted and approved images 25

  26. Challenges we’ve circumvented on our road to compliance 26

  27. Challenge 3: The What As a PCI compliant PSP , I am required to remove all test data and accounts from system components before the system becomes active/goes into production (req.6.4.4) 27

  28. Common way of splitting environments PAYBASE GCP ORGANIZATION PAYBASE PJT PROD STAGING QA NS NS NS GKE GCR - IMAGE GCS - TF GCS - REPO STATE BACKUPS VPC A CDE 28

  29. Paybase’s way of splitting environments PAYBASE GCP ORGANIZATION PROD PJT QA PJT STAGING PJT GKE GKE GKE CDE VPC A VPC B VPC C GCR GCS GCS TF STATE PJT BACKUPS PJT IMAGE REPO PJT VPC D VPC E VPC F 29

  30. Challenge 3: Benefit 01 Security 02 Separation of concerns 03 Reduction of PCI DSS scope 04 Easier to organize RBAC 30

  31. Challenge 3: The What As a PCI compliant PSP , I am required to remove all test data and accounts from system components before the system becomes active/goes into production (req.6.4.4) 31

  32. Challenge 4: The What As a PCI compliant PSP , I am required to perform quarterly internal vulnerability scans,address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking.(req.11.2.1) 32

  33. Challenge 4: The How Image scanning 33

  34. Here’s a diagram 34

  35. Summary ● security is not a point in time but an ongoing journey ● you can use OSS and achieve a good level of security ● we need to challenge the PCI DSS status quo 35

  36. Resources ✓ https://www.4armed.com/blog/hacking-kubelet-on-gke/ ✓ https://www.4armed.com/blog/kubeletmein-kubelet-hacking-too l/ ✓ https://itnext.io/how-a-naughty-docker-image-on-aks-could-giv e-an-attacker-access-to-your-azure-subscription-6d05b92bf811 36

  37. Thank you <call to action here>

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Kubernetes on ARM64 Kubernetes on ARM64 Raspberry PI 4 Kubernetes cloud for a Raspberry PI 4

Kubernetes on ARM64 Kubernetes on ARM64 Raspberry PI 4 Kubernetes cloud for a Raspberry PI 4

Kubernetes on ARM64 Kubernetes on ARM64 Raspberry PI 4 Kubernetes cloud for a Raspberry PI 4 Kubernetes cloud for a few Euros! few Euros! Jean-Frederic Clere Jean-Frederic Clere @jfclere @jfclere Fosdem 2020 Feb. 1-2, 2020 TM Who am I?

529 views • 26 slides
Are We Really Cloud-Native? Bert Ertman Cloud-Native Computing What is Cloud-Native? answer:

Are We Really Cloud-Native? Bert Ertman Cloud-Native Computing What is Cloud-Native? answer:

Are We Really Cloud-Native? Bert Ertman Cloud-Native Computing What is Cloud-Native? answer: Blah blah blah Kubernetes! Kubernetes is the Greek god of spending money on cloud services - @QuinniPig About me: Java/Cloud

1.03k views • 67 slides
@snehainguva prometheus everything, observing kubernetes in the cloud digitalocean.com about me

@snehainguva prometheus everything, observing kubernetes in the cloud digitalocean.com about me

@snehainguva prometheus everything, observing kubernetes in the cloud digitalocean.com about me software engineer @DigitalOcean former delivery, currently observability kubernetes, prometheus digitalocean.com Some stats digitalocean.com 15

750 views • 50 slides
From Laptop to the World With Kubernetes @saturnism @googlecloud #kubernetes Ray Tsang

From Laptop to the World With Kubernetes @saturnism @googlecloud #kubernetes Ray Tsang

From Laptop to the World With Kubernetes @saturnism @googlecloud #kubernetes Ray Tsang Developer Advocate Google Cloud Platform @saturnism | +RayTsang @saturnism @googlecloud #kubernetes Ray Tsang Developer Architect Traveler

1.29k views • 65 slides
Contributing to kubernetes Who am I? Senior Software Engineer at Gojek Organizer at Kubernetes

Contributing to kubernetes Who am I? Senior Software Engineer at Gojek Organizer at Kubernetes

Contributing to kubernetes Who am I? Senior Software Engineer at Gojek Organizer at Kubernetes &amp; Cloud Native Meetups in Jakarta and Bandung https://www.meetup.com/jakarta-kubernetes/ https://www.meetup.com/Microservice-JKT/ You can find

709 views • 47 slides
Flexible Perovskites on CNT as integrated batteries for powering optoelectronics R. Perez-Gonzalez

Flexible Perovskites on CNT as integrated batteries for powering optoelectronics R. Perez-Gonzalez

Flexible Perovskites on CNT as integrated batteries for powering optoelectronics R. Perez-Gonzalez 1 , S. Cherepanov 2,3 , V. Rodriguez-Gonzalez 1 , A.I. Mtz-Enriquez 1 , K.P. Padmasree 1 , A. Zakhidov 2,3 , J. Oliva 1 1 CONACYT 2 NanoTech

149 views • 12 slides
Stateful workloads on kubernetes with ceph Agenda CaaS Kubernetes

Stateful workloads on kubernetes with ceph Agenda CaaS Kubernetes

Stateful workloads on kubernetes with ceph Agenda CaaS Kubernetes Ceph Storage Operation NVRAMOS 2019 10/28/2019 Cloud Service Model On Premises IaaS CaaS PaaS SaaS Applications Applications

660 views • 36 slides
AND COLLECTIONS ABOUT US TALKINGTECH has been delivering flexible, self-service digital

AND COLLECTIONS ABOUT US TALKINGTECH has been delivering flexible, self-service digital

ENGAGING CUSTOMERS IN PAYMENTS AND COLLECTIONS ABOUT US TALKINGTECH has been delivering flexible, self-service digital communications and payments solutions to some of the world's largest financial services, telecoms, government and utility

742 views • 14 slides
Scaling model training From flexible training APIs to resource management with Kubernetes Kelley

Scaling model training From flexible training APIs to resource management with Kubernetes Kelley

Scaling model training From flexible training APIs to resource management with Kubernetes Kelley Rivoire, Stripe Real World Machine Learning (@ Stripe) Stripe provides a toolkit to start and run an internet business We need to make

713 views • 44 slides
Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes Deployments Cequence Security: A Cloud Native Approach to Application Security Venture-backed start-up bringing much-needed innovation to

304 views • 17 slides
Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes Overview 1 Airflows integration with Kubernetes 2 Deployment of Airflow on Kubernetes 3 Kubernetes Pod Operator and its benefits 4 DAG Development

2.79k views • 14 slides
Choosing Kubernetes: managing risk in Cloud infrastructure Ben Butler-Cole Neo4j DBaaS

Choosing Kubernetes: managing risk in Cloud infrastructure Ben Butler-Cole Neo4j DBaaS

Choosing Kubernetes: managing risk in Cloud infrastructure Ben Butler-Cole Neo4j DBaaS engineering lead Cloud Business provider 2 Cloud Hardware Business provider provider 3 Cloud Hardware Quantum Business provider provider

681 views • 45 slides
Building a Microservices Platform with Kubernetes Matthew Mark Miller @DataMiller Cloud Native:

Building a Microservices Platform with Kubernetes Matthew Mark Miller @DataMiller Cloud Native:

Building a Microservices Platform with Kubernetes Matthew Mark Miller @DataMiller Cloud Native: Microservices running inside Containers on top of Platforms on any infrastructure Microservice A software component of a system that is

1.05k views • 60 slides
Wiera : Towards Flexible Multi-Tiered Geo-Distributed Cloud Storage Instances Kwangsung Oh ,

Wiera : Towards Flexible Multi-Tiered Geo-Distributed Cloud Storage Instances Kwangsung Oh ,

Wiera : Towards Flexible Multi-Tiered Geo-Distributed Cloud Storage Instances Kwangsung Oh , Abhishek Chandra, and Jon Weissman Department of Computer Science and Engineering University of Minnesota Twin Cities HPDC 2016 Cloud Providers

419 views • 41 slides
Green Cloud Sustainable Open Source Cloud Architecture on ARM64 @KurtStam, PhD Red Hat

Green Cloud Sustainable Open Source Cloud Architecture on ARM64 @KurtStam, PhD Red Hat

Green Cloud Sustainable Open Source Cloud Architecture on ARM64 @KurtStam, PhD Red Hat Middleware Engineering Saturn 2018 Kubernetes on RaspberryPi Low Power ARM64 Cloud 1. Run your cloud infrastructure on ARM64: Docker and

212 views • 17 slides
Microservices in the Cloud using Kubernetes, Docker and Jenkins SATURN May 3rd, 2017 @KurtStam,

Microservices in the Cloud using Kubernetes, Docker and Jenkins SATURN May 3rd, 2017 @KurtStam,

Microservices in the Cloud using Kubernetes, Docker and Jenkins SATURN May 3rd, 2017 @KurtStam, PhD, Principal Engineer on the #Fabric8/Fuse team Content MicroAdventures &amp; MicroServices Introduction to Docker Introduction to

617 views • 43 slides
Xen Hypervisor security in VM isolation Yanick de Jong 4 February 2009 Research Question?

Xen Hypervisor security in VM isolation Yanick de Jong 4 February 2009 Research Question?

Xen Hypervisor security in VM isolation Yanick de Jong 4 February 2009 Research Question? What are the risks involved with merging Xen servers in different segments of the network and put all virtual machines together on one machine?

457 views • 14 slides
Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners Association Adam Huckle 27 March 2019 Overview What is Privilege? Types: Legal Advice Privilege Litigation Privilege Recent cases

226 views • 18 slides
Corporation $405,180,000* Subordinated Excise Tax Revenue &amp; Revenue Refunding Bonds, Series

Corporation $405,180,000* Subordinated Excise Tax Revenue &amp; Revenue Refunding Bonds, Series

City of Phoenix Civic Improvement Corporation $405,180,000* Subordinated Excise Tax Revenue &amp; Revenue Refunding Bonds, Series 2020 Subordinated Excise Tax Subordinated Excise Tax Subordinated Excise Tax Revenue Bonds Revenue Bonds

447 views • 26 slides
Healthcare: Is the Cyber Threat Real? President Obama has identified cybersecurity as one of the

Healthcare: Is the Cyber Threat Real? President Obama has identified cybersecurity as one of the

Healthcare: Is the Cyber Threat Real? President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation..!Whitehouse.gov Dr. Emma Garrison-Alexander Vice Dean, Cybersecurity

355 views • 8 slides
Da ta Bre a c h! No w Wha t? Jo hn E . L a nde , CIPP/ US Sha re ho lde r Dic kinso n, Ma c

Da ta Bre a c h! No w Wha t? Jo hn E . L a nde , CIPP/ US Sha re ho lde r Dic kinso n, Ma c

11/11/2019 Da ta Bre a c h! No w Wha t? Jo hn E . L a nde , CIPP/ US Sha re ho lde r Dic kinso n, Ma c ka ma n, T yle r &amp; Ha g e n, P.C. E thic s Compe te nc e A la wye r sha ll pr ovide c ompe te nt r e pr e se ntation to a c

153 views • 11 slides
ATTORNEYS &amp; PRIVILEGED COMMUNICATIONS Wes Bearden, CEO Attorney &amp; Licensed Investigator

ATTORNEYS &amp; PRIVILEGED COMMUNICATIONS Wes Bearden, CEO Attorney &amp; Licensed Investigator

INVESTIGATIONS, ATTORNEYS &amp; PRIVILEGED COMMUNICATIONS Wes Bearden, CEO Attorney &amp; Licensed Investigator Bearden Investigative Agency, Inc. www.beardeninvestigations.com PRIVILEGE KEY POINTS WE ALL KNOWRIGHT? Purpose is to

540 views • 19 slides
Raising Self-Awareness &amp; Self-Examination to Deepen Cultural Humility Enedelia Sauceda, PhD,

Raising Self-Awareness &amp; Self-Examination to Deepen Cultural Humility Enedelia Sauceda, PhD,

Raising Self-Awareness &amp; Self-Examination to Deepen Cultural Humility Enedelia Sauceda, PhD, Licensed Psychologist Pronouns: she/her(s) Arlene Rivero-Carr, PhD, Licensed Psychologist Pronouns: she/her(s) Assumptions We all benefit from

473 views • 13 slides
YOUR CYBER SECURITY Ben Goodall PSC Griffiths Goodall, Managing Principal Nathaniel Barrs

YOUR CYBER SECURITY Ben Goodall PSC Griffiths Goodall, Managing Principal Nathaniel Barrs

YOUR CYBER SECURITY Ben Goodall PSC Griffiths Goodall, Managing Principal Nathaniel Barrs PSC Insurance Group, Director of Operations 19 May 2020 1 Agenda for Today Todays Environment Covid-19 Influences Types of Cyber

666 views • 21 slides

More recommend