powering flexible payments in the cloud with kubernetes
play

Powering Flexible Payments in the Cloud with Kubernetes whoami Ana - PowerPoint PPT Presentation

Dec 10, 2022 •580 likes •970 views

Powering Flexible Payments in the Cloud with Kubernetes whoami Ana Calin Systems Engineer @Paybase Twitter: @AnaMariaCalin 3 01 whoami 02 About Paybase 03 Things weve achieved so far 04 Our tech stack Table of Contents 05

  1. Powering Flexible Payments in the Cloud with Kubernetes

  3. whoami Ana Calin Systems Engineer @Paybase Twitter: @AnaMariaCalin 3

  4. 01 whoami 02 About Paybase 03 Things we’ve achieved so far 04 Our tech stack Table of Contents 05 Anatomy of a compromise 06 A few notes on security and resilience 07 Challenges we’ve encountered 08 Challenges we’ve circumvented 09 Summary 4

  5. > API driven Payments Provider Platform > B2B - marketplace, gig/sharing economies, cryptocurrency > We make regulation easier for our customers

  6. Things we’ve achieved so far ✓ We are ~ 2 years old ✓ Built our own processing platform from scratch ✓ We are currently onboarding our first 7 clients ✓ FCA authorised ✓ We have an EMI license ✓ Innovate UK grant worth £700k ✓ PCI DSS (The Payment Card Industry Data Security Standard) Level 1 compliant 6

  7. Some of our tech stack 7

  8. Anatomy of a compromise 8

  9. Details about the compromise ✓ in the scope of an internal infrastructure penetration test ✓ in our production cluster ✓ pen tester had access to a privileged container 9

  10. The weak link : GKE ● Compute engine scope Compute engine ● default service account ● Legacy metadata endpoints 10

  11. Metadata endpoints 11

  12. Mitigations OR 12

  13. Result 13

  14. The weak link : Tiller ● comes with mTLS disabled is able to create any ● K8S API resource in a cluster performs no ● authentication by default 14

  15. Tiller 15

  16. Mitigations RESULTS IN 16

  17. Security and resilience 17

  18. A secure K8S cluster should ● use a dedicated SA with minimal permissions ● use minimal scopes - least privilege principle use Network Policies or Istio with authorization rules set up ● use Pod Security Policies ● ● use scanned images ● have RBAC enabled 18

  19. A resilient Kubernetes cluster should ● be architected with failure and elasticity in mind by default ● have a stable observability stack be tested with a tool such as Chaos Engineering ● 19

  20. Challenges we’ve encountered on our road to compliance 20

  21. Challenge 1: The What As a PCI compliant PSP with many types of dbs , I am want to be able to query data-sets in a secure and db agnostic manner so that engineers and customers can use it easily and we are not prone to injections . (req. 6.5.1) 21

  22. Challenge 1: The How Meet PQL 01 Inspired by SQL 02 Injection resistant 03 Used for querying data-sets 04 Database agnostic 05 Adheres to logical operator precedence 22

  23. Challenge 1: The How 01 Lexical analysis (tokenize input) 02 Syntactical analysis (parse tokenized input to AST) 03 Abstract Syntax Tree to specific database query 23

  24. Challenge 2: The What As a PCI compliant PSP , I am required to implement only one primary function per server to prevent functions that require different security levels from coexisting on the same server . (req. 2.2.1) 24

  25. Challenge 2: The How 01 Server = Deployable Unit 02 Network Policies 03 Pod Security Policies 04 Only using trusted and approved images 25

  26. Challenges we’ve circumvented on our road to compliance 26

  27. Challenge 3: The What As a PCI compliant PSP , I am required to remove all test data and accounts from system components before the system becomes active/goes into production (req.6.4.4) 27

  28. Common way of splitting environments PAYBASE GCP ORGANIZATION PAYBASE PJT PROD STAGING QA NS NS NS GKE GCR - IMAGE GCS - TF GCS - REPO STATE BACKUPS VPC A CDE 28

  29. Paybase’s way of splitting environments PAYBASE GCP ORGANIZATION PROD PJT QA PJT STAGING PJT GKE GKE GKE CDE VPC A VPC B VPC C GCR GCS GCS TF STATE PJT BACKUPS PJT IMAGE REPO PJT VPC D VPC E VPC F 29

  30. Challenge 3: Benefit 01 Security 02 Separation of concerns 03 Reduction of PCI DSS scope 04 Easier to organize RBAC 30

  31. Challenge 3: The What As a PCI compliant PSP , I am required to remove all test data and accounts from system components before the system becomes active/goes into production (req.6.4.4) 31

  32. Challenge 4: The What As a PCI compliant PSP , I am required to perform quarterly internal vulnerability scans,address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking.(req.11.2.1) 32

  33. Challenge 4: The How Image scanning 33

  34. Here’s a diagram 34

  35. Summary ● security is not a point in time but an ongoing journey ● you can use OSS and achieve a good level of security ● we need to challenge the PCI DSS status quo 35

  36. Resources ✓ https://www.4armed.com/blog/hacking-kubelet-on-gke/ ✓ https://www.4armed.com/blog/kubeletmein-kubelet-hacking-too l/ ✓ https://itnext.io/how-a-naughty-docker-image-on-aks-could-giv e-an-attacker-access-to-your-azure-subscription-6d05b92bf811 36

  37. Thank you <call to action here>

Recommend

Kubernetes on ARM64 Kubernetes on ARM64 Raspberry PI 4 Kubernetes cloud for a Raspberry PI 4

Kubernetes on ARM64 Kubernetes on ARM64 Raspberry PI 4 Kubernetes cloud for a Raspberry PI 4

Kubernetes on ARM64 Kubernetes on ARM64 Raspberry PI 4 Kubernetes cloud for a Raspberry PI 4 Kubernetes cloud for a few Euros! few Euros! Jean-Frederic Clere Jean-Frederic Clere @jfclere @jfclere Fosdem 2020 Feb. 1-2, 2020 TM Who am I?

529 views • 26 slides
Are We Really Cloud-Native? Bert Ertman Cloud-Native Computing What is Cloud-Native? answer:

Are We Really Cloud-Native? Bert Ertman Cloud-Native Computing What is Cloud-Native? answer:

Are We Really Cloud-Native? Bert Ertman Cloud-Native Computing What is Cloud-Native? answer: Blah blah blah Kubernetes! Kubernetes is the Greek god of spending money on cloud services - @QuinniPig About me: Java/Cloud

1.03k views • 67 slides
@snehainguva prometheus everything, observing kubernetes in the cloud digitalocean.com about me

@snehainguva prometheus everything, observing kubernetes in the cloud digitalocean.com about me

@snehainguva prometheus everything, observing kubernetes in the cloud digitalocean.com about me software engineer @DigitalOcean former delivery, currently observability kubernetes, prometheus digitalocean.com Some stats digitalocean.com 15

750 views • 50 slides
From Laptop to the World With Kubernetes @saturnism @googlecloud #kubernetes Ray Tsang

From Laptop to the World With Kubernetes @saturnism @googlecloud #kubernetes Ray Tsang

From Laptop to the World With Kubernetes @saturnism @googlecloud #kubernetes Ray Tsang Developer Advocate Google Cloud Platform @saturnism | +RayTsang @saturnism @googlecloud #kubernetes Ray Tsang Developer Architect Traveler

1.29k views • 65 slides
Contributing to kubernetes Who am I? Senior Software Engineer at Gojek Organizer at Kubernetes

Contributing to kubernetes Who am I? Senior Software Engineer at Gojek Organizer at Kubernetes

Contributing to kubernetes Who am I? Senior Software Engineer at Gojek Organizer at Kubernetes &amp; Cloud Native Meetups in Jakarta and Bandung https://www.meetup.com/jakarta-kubernetes/ https://www.meetup.com/Microservice-JKT/ You can find

709 views • 47 slides
Flexible Perovskites on CNT as integrated batteries for powering optoelectronics R. Perez-Gonzalez

Flexible Perovskites on CNT as integrated batteries for powering optoelectronics R. Perez-Gonzalez

Flexible Perovskites on CNT as integrated batteries for powering optoelectronics R. Perez-Gonzalez 1 , S. Cherepanov 2,3 , V. Rodriguez-Gonzalez 1 , A.I. Mtz-Enriquez 1 , K.P. Padmasree 1 , A. Zakhidov 2,3 , J. Oliva 1 1 CONACYT 2 NanoTech

149 views • 12 slides
Stateful workloads on kubernetes with ceph Agenda CaaS Kubernetes

Stateful workloads on kubernetes with ceph Agenda CaaS Kubernetes

Stateful workloads on kubernetes with ceph Agenda CaaS Kubernetes Ceph Storage Operation NVRAMOS 2019 10/28/2019 Cloud Service Model On Premises IaaS CaaS PaaS SaaS Applications Applications

660 views • 36 slides
AND COLLECTIONS ABOUT US TALKINGTECH has been delivering flexible, self-service digital

AND COLLECTIONS ABOUT US TALKINGTECH has been delivering flexible, self-service digital

ENGAGING CUSTOMERS IN PAYMENTS AND COLLECTIONS ABOUT US TALKINGTECH has been delivering flexible, self-service digital communications and payments solutions to some of the world's largest financial services, telecoms, government and utility

742 views • 14 slides
Scaling model training From flexible training APIs to resource management with Kubernetes Kelley

Scaling model training From flexible training APIs to resource management with Kubernetes Kelley

Scaling model training From flexible training APIs to resource management with Kubernetes Kelley Rivoire, Stripe Real World Machine Learning (@ Stripe) Stripe provides a toolkit to start and run an internet business We need to make

713 views • 44 slides
Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes Deployments Cequence Security: A Cloud Native Approach to Application Security Venture-backed start-up bringing much-needed innovation to

304 views • 17 slides
Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes Overview 1 Airflows integration with Kubernetes 2 Deployment of Airflow on Kubernetes 3 Kubernetes Pod Operator and its benefits 4 DAG Development

2.79k views • 14 slides
Choosing Kubernetes: managing risk in Cloud infrastructure Ben Butler-Cole Neo4j DBaaS

Choosing Kubernetes: managing risk in Cloud infrastructure Ben Butler-Cole Neo4j DBaaS

Choosing Kubernetes: managing risk in Cloud infrastructure Ben Butler-Cole Neo4j DBaaS engineering lead Cloud Business provider 2 Cloud Hardware Business provider provider 3 Cloud Hardware Quantum Business provider provider

681 views • 45 slides
Building a Microservices Platform with Kubernetes Matthew Mark Miller @DataMiller Cloud Native:

Building a Microservices Platform with Kubernetes Matthew Mark Miller @DataMiller Cloud Native:

Building a Microservices Platform with Kubernetes Matthew Mark Miller @DataMiller Cloud Native: Microservices running inside Containers on top of Platforms on any infrastructure Microservice A software component of a system that is

1.05k views • 60 slides
Wiera : Towards Flexible Multi-Tiered Geo-Distributed Cloud Storage Instances Kwangsung Oh ,

Wiera : Towards Flexible Multi-Tiered Geo-Distributed Cloud Storage Instances Kwangsung Oh ,

Wiera : Towards Flexible Multi-Tiered Geo-Distributed Cloud Storage Instances Kwangsung Oh , Abhishek Chandra, and Jon Weissman Department of Computer Science and Engineering University of Minnesota Twin Cities HPDC 2016 Cloud Providers

419 views • 41 slides
Green Cloud Sustainable Open Source Cloud Architecture on ARM64 @KurtStam, PhD Red Hat

Green Cloud Sustainable Open Source Cloud Architecture on ARM64 @KurtStam, PhD Red Hat

Green Cloud Sustainable Open Source Cloud Architecture on ARM64 @KurtStam, PhD Red Hat Middleware Engineering Saturn 2018 Kubernetes on RaspberryPi Low Power ARM64 Cloud 1. Run your cloud infrastructure on ARM64: Docker and

212 views • 17 slides
Microservices in the Cloud using Kubernetes, Docker and Jenkins SATURN May 3rd, 2017 @KurtStam,

Microservices in the Cloud using Kubernetes, Docker and Jenkins SATURN May 3rd, 2017 @KurtStam,

Microservices in the Cloud using Kubernetes, Docker and Jenkins SATURN May 3rd, 2017 @KurtStam, PhD, Principal Engineer on the #Fabric8/Fuse team Content MicroAdventures &amp; MicroServices Introduction to Docker Introduction to

617 views • 43 slides
DevOps with Kubernetes and Helm Jessica Deen Cloud Developer Advocate HELLO! I am Jessica

DevOps with Kubernetes and Helm Jessica Deen Cloud Developer Advocate HELLO! I am Jessica

DevOps with Kubernetes and Helm Jessica Deen Cloud Developer Advocate HELLO! I am Jessica Deen I am here because I love technology and community. I focus heavily on Linux, OSS, DevOps and Containers. I love Disney and CrossFit/Fitness.

702 views • 40 slides
Build Your Serverless Container Cloud with OpenStack and Kubernetes Kevin Zhao Senior Software

Build Your Serverless Container Cloud with OpenStack and Kubernetes Kevin Zhao Senior Software

22.05.2018 Build Your Serverless Container Cloud with OpenStack and Kubernetes Kevin Zhao Senior Software Engineer on Arm. OpenStack Zun Core Reviewer kevin.zhao@arm.com Agenda What is Serverless Container Cloud Demo Zun and Container

750 views • 35 slides
Multi-Cloud Federated Kubernetes at CERN Clenimar Filemon @clenimar clenimar@lsd.ufcg.edu.br

Multi-Cloud Federated Kubernetes at CERN Clenimar Filemon @clenimar clenimar@lsd.ufcg.edu.br

Multi-Cloud Federated Kubernetes at CERN Clenimar Filemon @clenimar clenimar@lsd.ufcg.edu.br Ricardo Rocha @ahcorporto ricardo.rocha@cern.ch Fundamental Science Founded in 1954 What is 96% of the universe made of? What was the state of matter

665 views • 25 slides
LUIGI &amp; KUBERNETES EuroPython 2019, Basel Nar Kumar Chhantyal v Data Lake @ Breuninger.com v

LUIGI &amp; KUBERNETES EuroPython 2019, Basel Nar Kumar Chhantyal v Data Lake @ Breuninger.com v

with LUIGI &amp; KUBERNETES EuroPython 2019, Basel Nar Kumar Chhantyal v Data Lake @ Breuninger.com v Python/Luigi with Kubernetes on Google Cloud v Web Dev in past life (Flask/Django/NodeJS) v Twitter/Github: @chhantyal v Web:

361 views • 14 slides
Financial results for FY 2016 28 February 2017 Powering Digital Payments Forward-looking

Financial results for FY 2016 28 February 2017 Powering Digital Payments Forward-looking

Financial results for FY 2016 28 February 2017 Powering Digital Payments Forward-looking statements Disclaimer This presentation contains forward-looking statements. Forward-looking statements are statements (other than statements of

711 views • 36 slides
Powering Financial Service Innovation Head in the sand? Join

Powering Financial Service Innovation Head in the sand? Join

Powering Financial Service Innovation Head in the sand? Join the disruptors The future of digital Financial Services, FinTech and Payments provision belongs

547 views • 11 slides
CI/CD WITH KUBERNETES THE GOOD, THE BAD AND THE UGLY HAGAI BAREL ABOUT ME Father of two

CI/CD WITH KUBERNETES THE GOOD, THE BAD AND THE UGLY HAGAI BAREL ABOUT ME Father of two

CI/CD WITH KUBERNETES THE GOOD, THE BAD AND THE UGLY HAGAI BAREL ABOUT ME Father of two and husband of one Expert in Distributed, Containerized, Scalable Cloud Engineering team lead at Nuvo Group Applications and CI/CD

298 views • 11 slides
Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like - Sec-ish - Ops-y Is this Kubernetes cluster secure? EPIC FAIL GIF How secure is Kubernetes? What this Kubernetes talk is about Common Pwns

1.18k views • 113 slides

More recommend