present this topic today. We'll look at the agenda. We'll start with application level security, what the application layer is, what layer seven is. A little bit of information about Istio and service mesh, like Raj pointed out, what's the deal with service mesh and sidecars and all that with containers. And do you really need a service mesh to help with security and observability for containers? There is a demo in the end, but it's not gonna be the full-fledged demo with everything that is spoken about because it might take a very long time and I'm probably not the right person to do it. I'm currently not hands on with technical stuff, but I'll try to do my best with showing how Calico can be installed, what's the nuts and bolts of the solution. So we'll start with application level security and get to the basics of what the application layer is, OSI or the OSI model and so on. But before that, since we are dealing with containers and Kubernetes for today, I just want to give a very brief introduction to containers. I'm not sure how many people are familiar with it, but let's just look at on a very high level what containers are. I'm sure that most of you are familiar with VMs and virtual machines, VMware, ESXi and so on, but what's the deal about containers? People talk about Docker, containers, Kubernetes, so what do these things mean? So when you look at the simple architecture of a virtual machine, you see that it has the infrastructure, all the physical components of the hypervisor, the ESXi servers and so on. It has a host operating system and on top of that runs the hypervisor to enable virtualization. And you have different VMs, so if you look at the red pillars, app one, app two and app three, imagine app one with the binaries and the libraries and the guest OS, that forms the typical virtual machine. So you have three VMs shown here. It's a very high-level logical diagram, but that's what VMs are.
It shares the host operating system and the hypervisor piece, but it has a guest OS in every machine. So it actually requires a lot of resources when you look at it, when you look at the virtual machine itself and how each VM has to run a guest OS on that. And quickly look at the right side of the diagram where you look at containers and you'll notice there is a small difference that the containers don't have any guest operating system on it. So it makes it much more efficient in terms of resources. It doesn't take up that many resources. So, I mean, to put it in a very simple definition, imagine containers to be lightweight forms of virtual machines where it just shares the OS kernel with other containers, but doesn't have any type of guest operating system on its own. Of course, it does come with all the binaries and libraries that are needed for running a container. And that's basically it. And it's also running as isolated processes in the user space on the host operating system. And there's also another logo right in front of the container logical diagram here. If you're familiar with that, then you'll probably be interested in the future slides that are gonna come up. So that's basically Kubernetes. And so Docker started the whole process of orchestrating containers using Docker Swarm. And before that, it was up to the end user to use any type of inbuilt or in-house solution for orchestrating containers because the way containers are built, it's a very complex system. There have to be hundreds and thousands of containers running for an application. And it was very hard to manage these containers. So Docker came up with a solution to, initially they came up with a solution to prepare containers for runtime and so on. But just with the orchestration part, it was kind of difficult. And then back in around 2014, sometime Google already had their own version of Kubernetes running in the data center. It wasn't out in the open yet.
They were just using it as an in-house project. And then looking at how useful it was, they launched it in the open and it became an open source project. And they donated it to CNCF, which is the Cloud Native Company Foundation. And people started using Kubernetes and right now it's probably the most adopted container orchestration tool there is. So I mean, even though Kubernetes is open source, what people did was companies like Red Hat, AWS and Azure, these folks took Kubernetes and put some kind of wrapper around it. Even if you've not heard of Rancher, they're another managed Kubernetes service. I'm sorry, self-managed Kubernetes service, which is more like private cloud. And what they did was made it easier for people to use Kubernetes. Kubernetes made it easy to maintain containers and secure and control the container behavior. But then all these services like Rancher and Red Hat OpenShift, they made it easy for people to use Kubernetes. All right, so let's look at application layer security and observability. So by default, Kubernetes doesn't offer any type of security for the application. I mean, there is definitely some kind of security that is part of the Kubernetes platform itself with respect to all the control plane components of Kubernetes. But when you are building an application, it doesn't know anything about the workloads or the containers running within your application. Sorry, I'm seeing some kind of a message. Okay. Let me say Q&A, you go ahead, I agree. No issue. Yeah, go ahead. So for this talk, we'll just focus on why application layer security and observability matters for Kubernetes and containers. There's a lot of stuff to talk about, but why we focus on the application layer is because any type of service that's running in microservices, it's actually handled on this layer. And there is no default method or component of Kubernetes that can handle this. So if people are not familiar, some of you might not be familiar with the OSI model.
This is like basics of networking, going back to what the OSI model is. You could do a, if you're interested, you could do a Google search and read more about this, but the OSI model basically talks about the different seven layers of networking. If you're curious what happens when you type in a domain address on your browser, you could actually go through each and every layer on this model and explain to someone how the internet works basically. So that's the concept of the OSI model and what you see on the topmost layer is the application layer. And this is the layer where, I'm sure everyone here knows about HTTP and that's the protocol that's part of layer seven. And that's what we're interested in. When we say application layer or application level, we're talking about layer seven and HTTP in this case, because in microservices, that's the most common type of communication that happens within one of the services. And I mean, there could also be a situation where these services use HTTPS, which is secure HTTP, but most likely it's still HTTP. And these services, they actually, what they do is they invoke a web API request and it's based on the HTTP protocol. And like I said, the problem is, when you look at the service level communication, it's all about monitoring and understanding what's going on between these different services within your application. And I mean, folks, if you're interested in knowing more about microservices and containers and all these, it's not an abstract concept anymore. People are already using it in production. Most websites, most apps these days, I mean, think about a banking app, a financial app, think about your insurance application. All these are probably running containers and probably managed by Kubernetes. I don't want to give a very specific example because you might not know these businesses, but just think about Visa, the credit card service.
So they're probably running Kubernetes and they've been using microservices for a long time. So these technologies are mature enough, but the problem with security and observability is they are not up to that level of adoption because people just want to get the application out running, but are still learning things about security in the market. So what kind of observability challenges does Kubernetes pose? So one is data collection and correlation. The problem with microservices is you have a huge amount of data compared to a monolith application. If you look at a containerized application, just the amount of log data is just enormous and the other problem with a large amount of data is also correlation. So how do you understand which flow log belongs to which workload, which HTTP response code corresponds to which container because these containers are running in the hundreds and thousands and they also restart. I'll get to that later, but the whole thing about Kubernetes is that it's designed in a way that if something goes wrong with your container or let's say pod. So pod is actually, I'm bringing in too many terminologies, but stay with me. And if you have any questions, please post them on Q&A. I'll pause my recording and look at it. Sorry, pause my presentation and look at the questions. So pod is actually a Kubernetes component, which is the smallest unit of, I would say smallest unit within a Kubernetes environment. And typically a pod will have one or two containers or a couple of containers running within a pod. And I'll use pods or workloads interchangeably, so it all means the same. And correlation between all these data is just really difficult. And also aggregation of these data. I mean, you cannot just randomly present the user with a ton of alerts and then ask them to go figure it out. So that is a challenge. And also, when I said Kubernetes context, it adds, Kubernetes adds a layer of abstraction on top of the host or the VMs.
So while collecting and aggregating data from individual containers, the data needs to be coordinated and aggregated at different levels of abstraction. There's one more challenge. How do you map Kubernetes policies to traffic flow in real time? Because when you look at security, I mean, it has gone to a point where the operations, the operations team are looking at a ton of alerts, like probably a big enterprise, like Visa is probably looking at almost 10,000 alerts per day or even per hour. So you need a mechanism to map these policies, they put policies to traffic flow. And by default, you don't get that with Kubernetes. So this is also a huge challenge. I mean, just when you look at the teams involved with handling Kubernetes and containers, the challenge really is actually looking at service-to-service visibility. So one is it's a distributed architecture and it runs, Kubernetes can run applications across multiple nodes and it's very difficult to monitor and track them. You also need a granular level of visibility and you cannot just say that a packet is going from this node to that node without any context of the timestamp or the other details of the particular flow. You need a much more granular level of context within the Kubernetes workflows itself. And of course, I said it's a dynamic environment. When I say dynamic, imagine a pod is involved in the application, it's sending out traffic, something goes wrong and then the pod is restarting. You need to have the historical data, log data from a pod that is being restarted and also the new pod. So all this combined with the other things that I've been talking about makes it really difficult for a user to understand what's going on. And also, I mean, when I said Kubernetes by default does not have any features. So just using the native form of Kubernetes, the vanilla Kubernetes will not give you any built-in tools for monitoring or troubleshooting. You won't have packet capture. You will not have any dashboards.
You're just presented with a blank screen with a couple of kubectl commands at your disposal and it's up to the user to find their own method of troubleshooting all these problems. There are some built-in metrics and logs, but I mean, for a real-world scenario, I don't think those are useful. Let me pause here. If you have any questions so far, please feel free. I'm not an expert in this field, so if I'm not able to answer any of the questions, I'll definitely take it to my team and come back with answers if it's really something that you're interested in, but feel free to ask questions. So you looked at the challenges. You will look at the solution, but then what prompted these people to come up with solutions? What do you actually need for solving these problems with security and observability? So one, you would need flow logs. Basic, you have to have information on layer seven traffic, which could be any type of layer seven flow data, the start time and end time of the packet flow. It could be the number of bytes in and bytes out. And within, when we talk about Kubernetes and containers, it's also important to know the source and destination namespace of a particular flow. And I've just introduced another term for you, which is namespace. So namespace is a Kubernetes specific term that they use and think of a namespace as a logical group of resources that perform some kind of work within an application. So just imagine an online retail store, like Amazon or something, and they have a checkout service, they have a product catalog service. So imagine the product catalog and checkout as namespaces. Also, what the typical suggestion with Kubernetes is, if you're starting out with just a few couple of users, don't use more than one namespace, start with the default and based on the complexity and scale of your application, you can start creating users.
I mean, namespaces typically are used when you have multiple users managing the application, developing the application. So that's the fundamental reason for the concept of namespaces. So the second thing that you need for security and observability is policies. So without policies, some kind of security policy, you cannot block or allow or deny or drop packets at layer seven. So you need some kind of policies and Kubernetes policies, the network policies that Kubernetes has, are super basic and you cannot do much with that. It doesn't offer fine grained access at all. And when you look at security itself, you have to have protection against the application layer threats, which I introduced with the concept of HTTP and all that, but if you've heard of things like SQL injection or cross-site scripting and cookie poisoning, all these happen at the application layer and someone who has even just no other tools in the, you know, at their disposal but just has access to your internet-facing application with just your webpage, they can probably create things and kind of infiltrate your applications with all these things that I spoke about, the SQL injection and cross-site scripting and so on. Just a couple of form fills or some kind of a page where you have, let's say, a username password field. If your application developer has not been careful enough to, you know, develop, look at all the security and threat modeling while creating the applications, you're, for sure, you're going to get breached. So you need something at the application layer. So these happen at layer seven and you need some kind of protection against these attacks. And OWASP top 10 is actually, so OWASP is a nonprofit community which actually has a list of, you know, top 10 threats when looking at the application layer and I would encourage you to go to that website and understand what these attacks mean. So they keep refreshing their top 10 every year. I think I have a couple of questions.
Let me look at the, I don't want to bore everyone with just talking nonstop. So I think I'll just take a break and look at the questions. So one person is asking, to what extent is AI implemented to provide solutions for proactive issues? I'm sure this is, you know, coming from all the news about ChatGPT and all the machine learning and AI that's happening. So a lot of security solutions are actually doing machine learning. I don't know if AI can be relevant here. It's probably a long way to go in that aspect. So there are a lot of solutions which use machine learning. It's not something that hasn't started yet but AI, I'm not sure about that. I don't think we are at a stage where there is any concept of AI with security and observability or even anything to do with containers, any type of enterprise applications. One more question or comment is application or application communication is mostly API, HTML based and can't these be monitored? I mean, when you just talk about, I mentioned this thing about monolith. So monolith is, again, I'm just assuming that some folks in the meeting are not familiar with it. So monolith is the traditional way of building applications. It's the exact opposite of containerization. And in a monolith application, I think doing monitoring for HTTP communication is probably easy or I can say it has been figured out. You have solutions to do that but my point was specifically about containers and Kubernetes. The problem is not because you can't build a solution or people don't know how HTTP works within containers and Kubernetes. It's just getting all the information, putting it in a system where it's going to give you a clean output and context-based output of what you exactly have to look at. And that's the reason why it's not easy. If my application is protected behind a WAF, do I need to take any additional measures? So that's an excellent question. I'm glad you asked about WAF.
I was just talking about application layer threats and OWASP top 10. So WAF is web application firewall and you can actually protect your application with a WAF but again, the whole landscape of containers and Kubernetes is so different and people are still understanding the service to service communication that I'll just provide some answers with respect to WAF. So typically when you deploy a WAF, a web application firewall, you put it at the perimeter. So imagine you're developing a cloud native application and you're putting this WAF at the perimeter. And when I say perimeter, I have to give you some context about what perimeter is with respect to Kubernetes. So I'm just gonna quickly, maybe I think I can show you a visual representation of what a Kubernetes cluster means. So if you go to the Kubernetes webpage, it has something called Kubernetes components. This is a very good starting point to understand what Kubernetes is all about. So you see this whole gray box, that's a Kubernetes cluster. So the things that I spoke about, pods and nodes, all these reside within the cluster. And to set context for a cluster, let's say, building a new application, let's say you're building the next Instagram. I would say for a company like that you would probably need just one cluster to start with and based on scale, you might want to add one more cluster. So cluster is actually a very high level concept in Kubernetes. So everything within a cluster is all part of the microservice architecture. So where was I? I was talking about web application firewall and perimeter. So when you think of a WAF, a traditional WAF, let's say Imperva or any other WAF, you're putting it at the perimeter where it has information about traffic leaving the cluster and entering the cluster. But what happens within the cluster, that is communication between microservices, it is oblivious to it, it has no idea what is going on.
And if you're familiar with how threats propagate within an application, if you've heard of lateral movement, your WAF is not going to catch that. So let's say a malicious actor has entered your application and they're doing some kind of activity where there is a part of it where it's at the application layer and they're sending a packet with an HTTP header that is not meant to, which is not meant to be part of the application. So that is when a web application firewall that is built just for containers and Kubernetes will help. And that is why you cannot use a regular WAF. Of course, it's a good question. You can use a WAF for, it's better to use a WAF on the perimeter, but you need some kind of a solution that can understand traffic within, which sits within the cluster and understands or inspects service-to-service communication. How do you manage customer data protection while implementing flow logs in a multi-tenant flow? So another good question. There is, I'll probably cover that in the next few slides. So with Calico's implementation, so Calico is the solution that I'm going to talk about today. That's the solution that we offer from Tigera. It's an open source solution which started as a networking and security solution and we built multiple things on top of that. But with Calico, when you're talking about the application layer, one way what we've done is we've used an efficient model of implementing Envoy as a DaemonSet. I know I'm getting ahead of my topic, but you can actually encrypt flow of traffic at layer seven using Envoy. So that's what I was going to talk about. So there is an open source project called WireGuard and we've integrated with WireGuard in Calico and you can actually just, it's actually much easier than other types of encryption where you don't need to deal with certificates and key chains and all that. It's just a simple way of enabling and disabling encryption at layer seven.
So I don't know if I've answered your question correctly, but if you're talking about data encryption, that's one way to do it. What policies are required at the application layer? So that's what we're going to cover. I know you're super excited to look at policies, but we'll cover that in the next couple of slides. I'll get to... All right. Yeah, that's about it. Thanks for the questions. It was actually, it's very useful for me to understand the different types of questions that you guys came up with. So I appreciate it and please feel free to post more. So we spoke about application layer threats and OWASP top 10. So the other type of threat that is common with any type of application is DDoS, which is distributed denial of service. So to put it in again, if you're not familiar with the DDoS attack, I don't know how many of you grew up in the 2000s when email was hot and people spoke about email bombs where you could send someone, if you hated someone, you could just send them an email bomb which has about 10,000 or 20,000 emails in there. The server will crash and they'll probably not get an email. So I know it's a bad example, but something that's very similar to DDoS attacks, someone who does not like your company organization is trying to bring it down. They can send a ton of HTTP requests to your application and bring the app down. So that's basically a very high level explanation for what a DDoS is. And this also happens at layer 7. When you say HTTP request, obviously it happens at layer 7 and you need some kind of protection to at least detect if a DDoS attack is going to happen. And interestingly, I'm just not sticking to the slide itself, but I was reading an article about how Google's security team actually prevented a DDoS attack last year, which was, it set a record for the amount of requests that came in.
So they actually had a Google Cloud customer who looked at some weird things, who looked at some weird communication within the network and Google immediately alerted them and they actually saw the spike of requests that went above about 40 million requests. So that's a very interesting topic in itself and it's interesting how these security solutions, like some providers actually combine WAF with DDoS and it's pretty common to see both offered by the same company. So yeah, with Calico what happens is you can actually look at a particular layer 7 field. I guess it's called the HTTP request spike that we collect the data about and any time this graph goes high, the request spike is above a particular level, you can actually get alerted and assume there is going to be a DDoS attack and take preventive measures. So that's another security challenge or things that you need. And finally, just visibility into service communication. When I say visibility it could mean a couple of things, different things for different people, but one great aspect is actually looking at how your nodes and clusters and namespaces are, I mean all these are, I showed you the diagram on the Kubernetes website but then when you actually start building applications with containers, there is no UI, there is no visualization of how these things look. I mean you probably don't have an idea about the mapping between different services. So that is a problem when it comes to visibility and also looking at actual visibility itself in terms of traffic communication, we saw all the challenges that are present in Kubernetes. Yeah, so that's about all the things that are needed. And another byproduct of having a good visibility solution or observability solution is looking at performance.
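The two pieces of the talk above, layer 7 flow logs with source and destination namespace, start and end time, bytes in and out, URL and response code, and an alert when the HTTP request count for a service spikes above its normal level, can be tied together in a small piece of detection logic. The following is an added example, not Calico's code and not Calico's real flow-log schema; the JSON line format and the sample records are constructed for illustration, and the spike rule (a window exceeding ten times the workload's median) is an assumed threshold, not the one Calico uses.

```python
"""Added example: correlate constructed layer 7 flow records by workload and
namespace, and flag an HTTP request spike per destination workload.

Assumptions (not from Calico): one JSON object per line; "count" is the number
of HTTP requests the record aggregates; pod names end in a replica suffix."""
import json
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample records. Normal traffic for checkout and productcatalog,
# a burst of 500s from checkout, then a flood into checkout split across two
# checkout pods (one restarted, so it carries a new replica suffix).
SAMPLE_FLOW_LOGS = """
{"start_time": "2023-03-01T10:00:05Z", "end_time": "2023-03-01T10:00:06Z", "src_namespace": "frontend", "src_name": "frontend-7c9d", "dst_namespace": "checkout", "dst_name": "checkout-5f2a", "method": "GET", "url": "/cart", "response_code": 200, "bytes_in": 512, "bytes_out": 2048, "count": 40}
{"start_time": "2023-03-01T10:01:05Z", "end_time": "2023-03-01T10:01:06Z", "src_namespace": "frontend", "src_name": "frontend-7c9d", "dst_namespace": "checkout", "dst_name": "checkout-5f2a", "method": "GET", "url": "/cart", "response_code": 200, "bytes_in": 576, "bytes_out": 2304, "count": 45}
{"start_time": "2023-03-01T10:02:05Z", "end_time": "2023-03-01T10:02:06Z", "src_namespace": "frontend", "src_name": "frontend-7c9d", "dst_namespace": "checkout", "dst_name": "checkout-5f2a", "method": "POST", "url": "/checkout", "response_code": 500, "bytes_in": 800, "bytes_out": 300, "count": 5}
{"start_time": "2023-03-01T10:02:10Z", "end_time": "2023-03-01T10:02:11Z", "src_namespace": "frontend", "src_name": "frontend-7c9d", "dst_namespace": "checkout", "dst_name": "checkout-5f2a", "method": "GET", "url": "/cart", "response_code": 200, "bytes_in": 576, "bytes_out": 2304, "count": 45}
{"start_time": "2023-03-01T10:03:05Z", "end_time": "2023-03-01T10:03:06Z", "src_namespace": "ingress", "src_name": "ingress-nginx-1a2b", "dst_namespace": "checkout", "dst_name": "checkout-5f2a", "method": "GET", "url": "/cart", "response_code": 200, "bytes_in": 384000, "bytes_out": 1536000, "count": 3000}
{"start_time": "2023-03-01T10:03:20Z", "end_time": "2023-03-01T10:03:21Z", "src_namespace": "ingress", "src_name": "ingress-nginx-1a2b", "dst_namespace": "checkout", "dst_name": "checkout-9b1c", "method": "GET", "url": "/cart", "response_code": 200, "bytes_in": 192000, "bytes_out": 768000, "count": 1500}
{"start_time": "2023-03-01T10:00:05Z", "end_time": "2023-03-01T10:00:06Z", "src_namespace": "frontend", "src_name": "frontend-7c9d", "dst_namespace": "productcatalog", "dst_name": "productcatalog-3e4f", "method": "GET", "url": "/products", "response_code": 200, "bytes_in": 768, "bytes_out": 6144, "count": 60}
{"start_time": "2023-03-01T10:01:05Z", "end_time": "2023-03-01T10:01:06Z", "src_namespace": "frontend", "src_name": "frontend-7c9d", "dst_namespace": "productcatalog", "dst_name": "productcatalog-3e4f", "method": "GET", "url": "/products", "response_code": 200, "bytes_in": 704, "bytes_out": 5632, "count": 55}
{"start_time": "2023-03-01T10:02:05Z", "end_time": "2023-03-01T10:02:06Z", "src_namespace": "frontend", "src_name": "frontend-7c9d", "dst_namespace": "productcatalog", "dst_name": "productcatalog-3e4f", "method": "GET", "url": "/products", "response_code": 200, "bytes_in": 742, "bytes_out": 5939, "count": 58}
{"start_time": "2023-03-01T10:03:05Z", "end_time": "2023-03-01T10:03:06Z", "src_namespace": "frontend", "src_name": "frontend-7c9d", "dst_namespace": "productcatalog", "dst_name": "productcatalog-3e4f", "method": "GET", "url": "/products", "response_code": 200, "bytes_in": 730, "bytes_out": 5837, "count": 57}
"""

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_flow_logs(text):
    """Parse one JSON record per line; attach a timezone-aware start datetime."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["start"] = datetime.strptime(rec["start_time"], TIME_FMT).replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def workload_of(pod_name):
    """Strip the replica suffix so a restarted pod's history joins its workload."""
    return pod_name.rsplit("-", 1)[0]


def window_start(ts, window_seconds):
    """Align a timestamp to the start of its fixed-size window."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % window_seconds, tz=timezone.utc)


def requests_per_window(records, window_seconds=60):
    """Requests per destination workload (namespace/workload) per time window."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in records:
        key = f'{rec["dst_namespace"]}/{workload_of(rec["dst_name"])}'
        counts[key][window_start(rec["start"], window_seconds)] += rec["count"]
    return counts


def detect_request_spikes(records, window_seconds=60, factor=10, min_requests=100):
    """Alert when a window exceeds `factor` times the workload's median window
    count (and at least `min_requests`, so tiny services do not page anyone)."""
    alerts = []
    for workload, series in requests_per_window(records, window_seconds).items():
        baseline = median(series.values())
        limit = max(min_requests, factor * baseline)
        for start, n in sorted(series.items()):
            if n > limit:
                alerts.append({"workload": workload, "window_start": start.strftime(TIME_FMT),
                               "requests": n, "baseline": baseline})
    return alerts


def summarize_by_namespace(records):
    """Roll up requests, 5xx errors and bytes per (source, destination) namespace pair."""
    summary = defaultdict(lambda: {"requests": 0, "errors": 0, "bytes_in": 0, "bytes_out": 0})
    for rec in records:
        s = summary[(rec["src_namespace"], rec["dst_namespace"])]
        s["requests"] += rec["count"]
        if rec["response_code"] >= 500:
            s["errors"] += rec["count"]
        s["bytes_in"] += rec["bytes_in"]
        s["bytes_out"] += rec["bytes_out"]
    return dict(summary)


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_FLOW_LOGS)
    for pair, stats in sorted(summarize_by_namespace(recs).items()):
        print(f"{pair[0]} -> {pair[1]}: {stats}")
    for alert in detect_request_spikes(recs):
        print("REQUEST SPIKE:", alert)
```

On the constructed data the checkout workload's four windows hold 40, 45, 50 and 4500 requests, so the last window is flagged against a median of 47.5 even though the flood is split across the old and the restarted checkout pod, while productcatalog stays quiet.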
We spoke about security and observability but again you can use this for performance issues where you can look at latency, DNS latency and any type of HTTP errors or a lot of data that you can look at to see how your application is performing. This is I think very useful for DevOps and SRE teams where they are required to see or make sure that the application performs right. I think I might have another question. When you said within Kubernetes it's difficult to monitor threats, can SIEMs or SOAR help in identifying or integrating those data? So a SIEM or a SOAR cannot identify any, I mean sometimes I think it can but SIEMs definitely, even though they might not require context about the container itself, what these solutions typically use, and even Calico, we actually export data from our solution over to a SIEM. So I think a SIEM can have its own style of identifying data or looking at threats or any type of issues. So it's a good question again and it is an additional level of threat identification that you can use. So you can use a SIEM and so on but it is not sufficient to just plug in a SIEM solution within your Kubernetes environment. It will not be able to, so since it doesn't sit in the same level as the infrastructure, it doesn't sit in the infrastructure level, it doesn't understand Kubernetes concepts. So it's difficult to correlate data, which a solution like Calico can do and then export logs to a SIEM. So we basically partner with a lot of SIEM and SOAR companies to help with getting data. Can you please share any links which describe more about how GCP provided us? Let me find out, maybe towards the end of the presentation, but if you just Google for DDoS Google Cloud you will probably get that result. But yeah, I'll try to get that towards the end of the session. We've talked about operational aspects. Sorry, I need to repeat the question out loud because others cannot hear it.
So the first question was about when you said within Kubernetes it's difficult to monitor threats, can SIEM or SOAR help in identifying or aggregating those data. So that was answered and then the link about the GCP example that I gave about the DDoS attack. That is the second one. The third one is you have talked about the operational aspects of managing Kubernetes security. Can you touch upon how security postures in Kubernetes clusters can be audited, particularly in light of its ephemeral nature? That's a very good question. So if you're talking about compliance, I'm assuming that's what the question is about. Compliance is actually very hard with these solutions because if you ever work with auditing and policies, auditing and compliance, what they would, some of them would require is historical data and if you go tell them that hey, my pod's been restarted so I cannot give you that information, you're either going to cancel your compliance or you will not be allowed to run your business. So Calico by default doesn't offer that but if you look at our enterprise solution they do offer some kind of compliance solution. So it is actually very difficult to do it if you don't have the right tools and you're absolutely right. I mean to get the contextual data about which pod has been restarted, what data it was carrying and all that, you can actually, so there are a couple of things, one is compliance like GDPR, HIPAA and PCI. So what you would need is a regular reporting facility that will give you detailed reports either by the hour of the day, week, month, so on and you need to have some kind of customization within the reports itself.
You cannot just rely on basic reports and you need to probably meddle around with some of the customization like the time range or even the type of data that you want. And the other type of security posture audit is about, we spoke about the Kubernetes control plane and if this control plane is not hardened, security hardened, you'll obviously have contractors attacking your infrastructure or your platform. And so there is a concept called KSPM which is Kubernetes Security Posture Management, very similar to a CSPM, just Cloud Security Posture Management. So with KSPM you can again get reports telling you how secure your Kubernetes infrastructure is and one example would be something called CIS Benchmarks. I'm not sure if this person is familiar, but CIS Benchmarks is actually a set of standards where it will tell you, let's say in your Kubernetes platform there's something called etcd or API server, how these different components are configured. If someone setting up Kubernetes for the first time is not familiar with these things and if it is given privileged access, you're giving sudo root access to everyone in the organization, things can just go haywire and you need some kind of a method to make sure that these things are secure. And yeah, I hope I answered that, thanks for those questions and let me continue. So moving on, we were talking about the challenges, so the solution is how do you solve these challenges or problems. We know that most of the service to service traffic is at the application level and what Calico does is, I'm here to talk about Calico which is the open source solution that came out maybe around 2016, just when Kubernetes adoption was increasing. This came out of Calico, basically it started as a software defined networking solution for open, trying to remember, within it was open, not OpenShift, it was another SDN solution that was in the market and these folks at MetaSwitch were trying to come up with a more elegant solution for that and that's how Calico started. And what
happened from there is they also designed a CNI which is container networking interface. So CNI is basically a way to provide networking for containers. So you know that Kubernetes is orchestrating these containers, it has information on what the state of the application is, but how do you make sure that these different pods and workloads communicate with each other? You need some kind of a networking tool, imagine a switch or a router, you cannot obviously put some hardware switch in between or a router between, so SDN is the answer and the SDN you need for containers is usually called CNI, which is the networking interface. And one of the, there are two primary use cases for a CNI, one is providing the networking, providing layer 3 networking for containers, and the other one is also handling the IP addresses, which is in the form of IPAM, IP address management system. So Calico started as a CNI and started building out things like policies, where it became the default policies for a lot of Kubernetes deployments. So Kubernetes by itself has policies by default which are actually based on Calico, so when you install Kubernetes and if you look at Kubernetes network policies, that is nothing but Calico that is running. So that is the open source version and what we do for application level observability is, I mentioned sidecar and service mesh and things like that, so let's get into that piece now. So we provide microservices observability using Envoy. So Envoy is, it's like a proxy that sits between your workload and the other services, so imagine that it's called a sidecar because it sits right next to the workload and any type of service level communication that needs to happen with other workloads goes through the sidecar proxy. And that's basically it, it brings in another control plane to the equation and it just gets more complex, but that's the only way to do it. So let's see what is happening here. So Envoy can be integrated with Calico to provide service-level communication, but when I say
integrated it's actually used Envoy to be installed in a very easy manner and when I say it gets complicated I'm talking about using Envoy without Calico in the picture at all so if you don't have Calico and if you want to look at service to service communication the only way is to install Envoy or Istio on your own and some kind of service mesh and look at all these things but the complexity and the problem comes when managing Istio or Envoy itself so we have taken that challenge or problem out of the equation and made it very simple if you're using Calico it's just a couple of commands and you're good to go you'll get all these benefits that we're going to see so what it does is when you install Envoy as a sidecar what it provides is it will provide flow logs for application level traffic so all the HTTP metrics and things that you're interested in I don't know if this screenshot is large enough for people to see let me try we can see you can see so it has HTTP request duration request over time all the different types of metrics and also the best part about this is it will give you information with context that is where which namespace this is coming from so if you look at if you want you can focus if you want you can yeah if you look at L7 all services it talks about front end card service currency service so you can actually drill down and see which particular service is performing how it's performing and so on so yeah and the other thing is it also provides valuable metadata about these flows so metadata is you know the data that is enriched on top of the regular L7 data that you see so that will be things like which part is it coming from when which node the part is part of and so on and I think I mentioned this before it also allows people to when you use Calico it allows people to use wire guard as an encryption technique for data and transit encryption you can just enable wire guard without the need to do anything so it's automatically encrypted all L7 
traffic is encrypted when you enable wire guard so that's another benefit and that's how Calico is you know providing a solution for all the challenges that we looked at so I think this slide is just talking about all the different types of flow log data that you see source and destination names I think I mentioned this the URLs, the response code so many fields that can be useful while troubleshooting yeah so when I spoke about service mesh it actually really brings in a lot of complexity because I mentioned it adds another new control plane to your equation so you need to know how service mesh works you need to understand how to maintain, install it upgrade it and so on and that is almost like having another solution on top of Kubernetes so with Calico what you get is the same benefits of a service mesh and an easier way to use some of the benefits so you know the most popular use cases for the service mesh will be observability and security you know things like encryption they spoke about you don't need to use a service mesh for encryption because you already have wire guard enabled you need to look at service communication you get that with onboard as a sidecar model you already installed that with Calico so you don't need to install a service mesh like this to your security so we've integrated everything within Calico again I think someone asked about security posture and it's that's also another benefit you need to organization or regulatory compliance so some of the compliance requirements will be specifically around application level application protection so someone asked about WAF and I shared some information on WAF there are some compliance standards which actually require you to specifically there is a line item where you have to say I have a web application firewall installed to be able to pass your compliance exam so that's another use case let me take a pause and look at some Q&A so the first question is how to analyze flow logs will it not be 
humongous it will be humongous yes it is true but again I think I'm not sure what role you play but folks who are familiar with the security you know business and if you've used solutions like an NDR or an EDR network detection and response solutions or even sims it is a lot of data but then the task for these solution providers like you know let's say Splunk or some solution provider or SOAR solution or even Calico for example the task is to make it easier for the user to analyze things quickly you know it's not if you use Calico or I'm just talking about all the other solutions available for different reasons instead of taking odds and you know not ours maybe days or weeks the idea is to bring it down to couple of minutes or even hours so you do have you know various features to analyze flow logs in a much more easier way and that's the whole concept of coming up with solutions which can do that and when I say it's the task of these solution providers what we do is with Calico you can actually look at flow logs you can actually drill down with something called service graph we have something called dynamic service and thread graph and what it will show is visually it will show you the namespaces start with the cluster it will show the namespaces and different workloads and you can actually drill down to each level up to a pod level and actually see the flow logs so it doesn't have to be you know flow logs at the cluster level where it will be maybe millions of entries so that's the whole concept of Calico or I'm sure there are other providers which do the same thing so yeah the second question is can a WAF parentheses CDN providers plus internal WAF plus and so process and security log analysis and open vulnerability analysis using Splunk and uptext maybe address this issue yeah it can definitely address the issue for application level security so that's what I've covered so far and when you say internal WAF I'm hoping you mean the WAF that I was talking about 
where there is something that is installed within the cluster so you know one of our products actually has a solution called Workload Centric WAF you can actually it's part of our offering and I think I've looked at a lot of solutions like Palo Alto and you know other big players and it's actually very hard to find something that is at the workload level and we've actually leveraged an open source WAF solution let me recollect what the name of that solution is I'll think about it if it crosses my mind I'll let you know but you're right I mean to address this issue you do you can use all the combinations and multiple solutions that you've spoken about but you know the idea is who can provide that who can provide that internal WAF that we've spoken about and this is just one aspect of security within containers and communities it's not just application layer or it's not you know an attacker can come into your container where there is no concept of any network he's just you know there is some vulnerability in your container image the attacker he or she is getting into the container runtime doing something within the kernel all this is not going to you know be detected through a WAF or a sim or a source so I understand the question but then there is just so many things to to container security that just one solution is not going to protect you and the idea is people are trying to build a single single solution which can actually do multiple things just like a UTM there is another question how does the onboarding onboarding process work to integrate Calico if you're asking about onboarding process to install Calico or integrate Istio with Calico so all this will be available with the documentation towards the end of the session I will share the link to the talks in fact for me actually just do that right now let me put it on and if one of you can tell me if you got that link that will be good move ahead sorry idea I'm hearing yeah I think it is there in the chat go 
ahead I'm also hearing some kind of beeping noise now it's okay yeah oops do you hear that too or is it just on my yeah sometimes it's beeping sometimes coming so let me disconnect audio and join once just give me a word sorry about that I think my keyboard was on top of the laptop okay it's okay now yeah okay yeah so yeah documentation link so the onboarding process if you're talking about how to install Calico or how to install Istio or onboard with Calico everything is in that page you could definitely go to that and look at how things are done can there's another question can Calico data be taken into tools like Prometheus or Grafana not with the open source but yeah we do have a way to we have our own Kibana dashboards but there is you know a facility to export it to Prometheus and Grafana and I think the documentation should probably cover that do cloud providers the last question actually one more question is do cloud providers like AWS or Krzior support Calico from their own Kubernetes management capabilities okay yeah they do and they do it in a very different way you know AWS EKS or Elastic Kubernetes Service for people who are not familiar so that's a Kubernetes managed service that is provided by AWS so they do offer Calico as a choice of CNI or even policy so when I say they do it differently EKS does it in a different way you can actually use just Calico for CNI or use Calico without the CNI and use it for security policies with Azure you can actually there's a new concept called bring your own CNI where previously Azure had no option of any other CNI except their own which is I think which was called Azure VPC CNI and Q-Net and I mean the interesting thing is Azure VPC CNI itself was actually Calico underneath but I don't know why we never promoted that but right now they have a concept of bring your own CNI where you can actually bring Calico as a CNI and on top of that either without the CNI or the CNI you can have Calico integrated with EKS on 
Azure for security policies so yeah we do support all major public cloud providers you're also available on Red Hat OpenShare, Franchir what else Google Cloud yeah one more question when you use the term workloads it refers to what elemental level of granularity few examples will help it's actually yeah I think I mentioned you can change if you use workload or pods I mean when you say workloads it's actually any unit of compute which is programmed to do a particular work so in this case typically when you talk about Kubernetes and containers a workload is actually a pod and when I say pod it's actually you know pod is running one or two containers within that so you could even remove that abstraction and say a container can be a workload so it's kind of a generic term but when I say workloads in this case so imagine your application is doing multiple things you have different services for different parts of your application and in particular let's say your retail application you have check out service I think again smaller chunks of software and each piece of software can be part of this workload and that will ultimately be a pod alright so let me go back to the slide so moving on I think we looked at some solutions how Calico solves for this problem I did mention you know STO side cards service mesh and so on let me provide a little more add a little more color on what these things mean so when you typically have an application you build an application and here I'm talking about containerized application you would need a way to interact with the application right to understand the security understand performance and observability and so on and you don't want to disrupt by sending in multiple requests when you know when it is in production so you need to use some kind of a debugger or you need to smooth traffic packets you need to sniff out packets to look at traffic and for this scenario what I did was come up with a sidecar model I think I mentioned this but yeah 
sidecar model is basically it puts a proxy in front of your worker mode again I'm bringing another term here worker mode is a community specific term where it's nothing but you know nodes that participate in the application so that's all a worker mode is so you have you know kind of you have a proxy in front of these nodes so that any communication that goes outside goes through this proxy and you know all these features and functionality around observability and security that you need is taken out of this proxy and used so it kind of becomes a gateway for the application and Calico like I said we integrate single C with Istio to enforce layer 7 network policy within the STS order smash so I think someone asked about policy implementation so and that's how that's where it goes so we provide Calico is known for its network policy implementation at a much more granular level than basic Kubernetes policies and what you can do is add so these policies usually work at layer 3 or 4 and with the Istio integration you can actually add application to your attributes like HTTP methods put or get those things or even you can include actual URL paths in your policies and that's basically how you do it and what it means by pod injection is these two annotations that are shown here you know Istio injection equal enable and sidecar Istio.io slash inject equal true we use these two annotations and you can let the Istio pod injector know which workloads require on work proxy you basically use this doing implementation of the application layer integrating Istio with Calico so to do this we need to install Istio and configure on void but once you do that it's simple couple of commands after this so any pod with these labels when you have any pod with the following labels it will be added to the service mesh and we also spoke about Istio if you're familiar with Istio it's basically the most common service mesh that is out there when I say service mesh anything that is used to describe 
the network of microservices that make up applications and any type of interaction that goes on within them so that is basically a service mesh so the service mesh like the open source, Istio is also open source think about service mesh as a way to control how different parts of an application share data with one another trying to come up with an example but anyway so it's a dedicated infrastructure layer built right into the application and like I said it's usually implemented as a sidecar proxy and traffic flows through this sidecar proxy and you can you know have all types of controls with traffic management and security and since it controls any ingress and egress traffic to the services you can extract information using the service mesh if there is a HTTP call you can figure it out and you can send it for monitoring you can find out who is using SSL who is sharing SSL certs to scenes or use SSL certificate to see inside the traffic picture okay so this is another you know representation of what the service mesh architecture typically looks like so I mentioned it introduces a new control plane and when you look at this diagram what you can see is the service mesh will let proxies to discover applications so you see service B and service D and there is a proxy sitting in right in front of it and this is where you apply the application to your policies to control ingress or egress traffic so for instance if you know let's say there is a website you have myside.com and you have a URL specifically within that same myside.com slash do not enter you don't want anyone to enter there is no way for you to deny access to this URL unless you change some server config or disabling the network but with service mesh what you can do is tap into layer 7 and write a policy for that particular URL so that you either block ingress or egress traffic to this URL it can understand layer 7 and understand the whole packet and can help to disable that particular URL you don't have to 
modify your code you don't have to go into the application you don't have to change anything on your network for this to happen yeah and as I mentioned we have a seamless integration with any service mesh and especially for Istio it lets you enforce application to your attributes like HTTP methods and path excuse me and some of the benefits of doing this integration with Istio is you can control traffic at the pod level it will restrict ingress traffic inside and outside pods and mitigate common threats to Istio enabled apps you can adopt a zero test network model for security including traffic encryption which is probably another requirement for compliance it will give you multiple enforcement points and also multiple identity criteria for authentication and the last benefit is it's a familiar policy language once you install calico and you're using calico for network policies you don't have to learn a new type of policy language to control application to your traffic or you don't even need to know how Istio works so with calico integration there are two levels so one is let me actually pause again and see if there are any questions when you look at calico integration there are two types one is calico network policy and the second is calico global network policy and the differences I remember I mentioned about namespaces so calico policies actually namespace level so you can enforce restrictions or exceptions within a namespace and what global network policy does is for the entire cluster you can enforce a policy or rule for the entire cluster as a whole so you can add so when you're writing your calico policies you can add these HTTP sections where you can either mention if it's a get or a put and also an option is to provide an actual path for adding these restrictions next slide is actually I don't know if I want to get into details but this you know the high level picture diagram of how calico is designed to understand I mean calico not just calico as a whole 
but calico with envoy as a sidecar model this is how it's designed so you see something called phoenix so phoenix is the brain of calico and it's the control plane portion that lets underline infrastructure know that you know this particular graphic is allowed or not allowed so let's say when you create a calico policy what happens is it goes to phoenix and depending on how many nodes phoenix will is inside the calico a node demon set so depending on the data plane if it's EVPF or you know standard Linux it will create either IP tables or EVPF programs to you know limit or permit but there is no mention of EVPF here on this slide but if you are interested if you want to know more about EVPF I would encourage you to again you know just maybe start to google and read about it so it's a very interesting way to get to the kernel level of any system any application and without disturbing the application itself you can actually get a lot of things done you can actually create a sandbox environment you can write your own programs to get kernel level details and the adoption and usage is just exploded people are going crazy about EVPF adoption in the container space so I would suggest doing a little more reading on your own about EVPF yeah so it's actually a data plane concept so you either have EVPF or standard Linux and what Felix will do is tell to inform the proxy so you see Envoy that is sitting right next to the workload it will inform the proxy on the decision to either let the traffic go through or block the traffic so yeah that's about the architecture of how a calico policy works with Envoy for application so this is how internally the policy flow happens I think I don't have anything else to share with respect to the topic but just briefly talk about what project calico is so I mentioned already it's an open source project and we had a huge adoption rate with a lot of companies using it it's a very active community so you could if you're on Slack you could join 
the channel if you're on Twitter or LinkedIn you can follow Project Calico I mean this community talks about cloud networking and security and if you're having any issues or problems with using Calico you can ask people on the community so we have about 8000 Slack members and about I think roughly so this one says 320 it's not updated I think right now currently we have about 500 active contributors to the project so I'm sure you all know how open source projects work I mean just the fact that Calico is actually currently running on 2 million nodes is testament to the fact that it's one of the most widely used security and networking solutions opportunities so it's a community behind a purely a 3 approach to virtual networking and security it's used in highly scalable data centers you can also use Calico for VMs and native host based workloads it's not just for containers like I said it's an SDN and it also supports multiple architectures and platforms I already mentioned the different public cloud vendors and private cloud vendors that can support Calico and it's also the best part about this is it's designed to be modular so we have a plugable data plane and I just mentioned about EBPF and Linux so we support any type of data plane it doesn't matter if you're running EBPF workloads or Linux or even windows there's something called HNS or host network service for windows environments so Calico will work on any type of data plane and in the future if there is a new data plane that's coming out which is faster better stronger with our architecture we can easily integrate to that I don't know if you're able to repeat it I think I mentioned about the EBPF data planes and host network service data planes and just looking at this slide Calico opens some of the benefits choice of data plane and also for performance there's been a lot of studies and articles written by some community members who have tested Calico with other solutions and found out that for different 
benchmark studies Calico has come out with flight colors with respect to CPU usage and cost and of course I mentioned about the different types of workloads and it's also exceptionally available did I mention we do layer 3 networking so basically the protocol behind it is BGP and you know BGP powers the entire internet so if BGP can handle internet Calico can handle the internet too so so when it comes to humanities itself it's a humanities native security policy model so it's declarative in nature you don't need to understand Calico as a totally different solution if you are familiar with how humanities you know declaration all these you know the different PMAs and deployments work it's a unified model yeah you want to run Q&A? sure yeah is there any security implement at service level so issues so yes really I think the service makes itself I'm sorry if you are going with background noise she just started to cry now so sorry about that so the whole concept of service mesh itself is to actually implement security controls and the problem also with that is how you configure and use a service mesh so there is implementation at the service level it's a but to understand how that works I think you need to understand how service mesh works you need to install STO and Calico on your own and do it so so the next question is how is this product different from a CNAP so CNAP is if people are not familiar with that term it's a Gartner term which stands for Cloud Native Application Protection Platform so I mean it's just another way of talking about one solution which can do multiple things so when you say CNAP when you say cloud native there are so most cloud native applications are built with containers and with container security as I mentioned before you cannot say that taking care of security with just installing Calico open source or just installing a scene so it's a whole range of problems that you can look at from a security standpoint all the way from build time to 
run time there are so many threats that can occur during build time and run time so let's say you're tasked with deploying a container I mean deploying an application with containers so you take this base image put different layers on top add extensions and libraries and use a container run time to make it a container so a CNAP task is to make sure that all these stages like build, deploy and run time you have some kind of solution security solution that takes care of the entire CIC life cycle so Calico open source itself cannot be a CNAP because it doesn't offer all the capabilities but commercial offerings do much more than what Calico open source can do so that is a CNAP so with Calico open source what you get is security policies and the CNAP is much more than just security policies can Calico log any changes to containers known if I make any changes in its production environment I'm not sure if I understand this question but so I think if you're talking about changes that you're making within Calico itself if you can track these yes you can but let me read the question again can Calico log any changes to containers nodes if I make any changes in its production environment so if you're changing any parameters within containers can Calico track this I don't think it can track everything and anything anything to do with you know if you're talking about the data plane if you're talking about traffic network and security policies yes it can track but depending on I mean if it's something to do with the application itself I don't think it can track everything I don't think any solution can track what's happening I'm sorry I'm not 100% sure on one type of question means but the answer is yes it's changes can be tracked not all but yeah some part including the networking yeah okay yeah I mean again to show how popular we are Calico is running on two million nodes and we have about 1 billion Docker tools running on about 50,000 inter-processed can you run that the poll 
and I can run okay yeah you can see I can see it probably you can explain this yeah so should I wait for people to answer yeah you can wait one minute the participants won't be able to see the answers right they will able to
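The application-layer policy flow the talk describes (an Envoy sidecar injected by Istio, a namespace-scoped Calico network policy carrying HTTP methods and paths, and a cluster-wide global network policy for the same kind of rule), written out as manifests. This is an added example, not a slide or code from the talk and not taken from Project Calico's documentation. It uses the projectcalico.org/v3 policy API's `http` match fields, which Calico enforces only for pods that carry the Envoy sidecar and only when Calico's Istio (application layer policy) integration is enabled, exactly as the talk says. The namespace `shop`, the labels `app == 'checkout'`, `app == 'frontend'` and `tier == 'internal'`, the image reference and the URL paths are all constructed for illustration.

```yaml
# Added example (not from the talk). Namespace, labels, image and paths are constructed.

# 1) Opt a namespace into Istio sidecar injection. This is the first of the two
#    opt-in markers mentioned in the talk: the label tells the Istio injector to
#    add an Envoy proxy to every pod created in this namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: shop
  labels:
    istio-injection: enabled
---
# 2) A workload in that namespace. The pod annotation is the second marker from
#    the talk; it lets a single pod override the namespace default ("false"
#    would keep this pod out of the mesh even though the namespace is labelled).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: checkout
  namespace: shop
spec:
  replicas: 1
  selector:
    matchLabels:
      app: checkout
  template:
    metadata:
      labels:
        app: checkout
      annotations:
        sidecar.istio.io/inject: "true"
    spec:
      containers:
        - name: checkout
          image: registry.example.invalid/checkout:1.0   # placeholder image reference
          ports:
            - containerPort: 8080
---
# 3) Namespace-scoped Calico NetworkPolicy with HTTP match criteria (the
#    "HTTP sections" from the talk). Only GET /healthz and GET/POST under /api/
#    from the frontend are allowed in. Because the policy selects the pod and
#    has an ingress section, any request that matches no Allow rule, such as
#    GET /admin or anything from a pod without the frontend label, is denied,
#    with no change to the application code or the server configuration.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: checkout-l7
  namespace: shop
spec:
  selector: app == 'checkout'
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'frontend'
      http:
        methods: ["GET"]
        paths:
          - exact: "/healthz"
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'frontend'
      http:
        methods: ["GET", "POST"]
        paths:
          - prefix: "/api/"
---
# 4) Cluster-wide GlobalNetworkPolicy: no namespace in metadata, same rule
#    shape. Every mesh-enabled pod labelled tier == 'internal', in any
#    namespace, accepts only GET requests; every other method is dropped.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: internal-get-only
spec:
  selector: tier == 'internal'
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      http:
        methods: ["GET"]
```

The projectcalico.org/v3 resources are applied with calicoctl, or with kubectl when the Calico API server is installed in the cluster. A quick functional check is to send a GET to /healthz and then a GET to /admin on the checkout pod from a frontend pod: the first is answered by the application, the second is rejected by the sidecar before it ever reaches the container. Note that the HTTP match decides nothing for pods that have no sidecar; for those, only the layer 3/4 parts of the rule (protocol and source selector) are enforced by Felix, so the sidecar injection in steps 1 and 2 is what makes the layer 7 fields effective.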