Injecting Security at the Cloud Edge

Explore the implementation of a "Secure Edge" proxy layer for enhancing security in hybrid cloud deployments in this 34-minute conference talk from Strange Loop. Learn how Yahoo utilizes open-source solutions like Apache Traffic Server, Athenz, and Waflz to enforce privacy and authentication protocols between clouds. Discover various Secure Edge integration options, from basic routing to explicit delegation for policy enforcement. Gain insights into lessons learned and ongoing standardization efforts in the field. Understand the available options for securing applications across multiple cloud locations, enabling informed and secure deployment decisions. Delve into topics such as TLS authentication methods, SNI usage, renegotiation for client certificates, and Athenz authentication and authorization. Examine potential attacks on TLS delegation and explore concepts like TLS tunneling and bridging.

Intro
Goal of Talk
Apache Traffic Server (ATS)
The Good Old Days, Corporate Data Centers
Recent Past, Public Cloud
Downsides of the Hybrid/Multi-cloud Environment
Adding Secure Edge via TLS
Classic Client Server TLS Authentication
Mutual TLS Authentication
Fine grained client certificate selection
Retrofitting Server for TLS
Use SNI to control TLS requirements
Renegotiation for client certificates
Athenz Authentication and Authorization
TLS Delegation Athena Case
Attacking TLS Delegation
TLS Tunnel
TLS Bridge
Wrapping Up