Dont build Death Star security: Maintaining agility and security in distributed and microservice architectures
Death Star security describes a system that relies entirely on an outermost security layer and fails catastrophically when breached. David Strauss explores security methods strong enough to cross the public Internet, flexible enough to allow new services without altering existing systems, and robust enough to avoid single points of failure.
Talk Title | Dont build Death Star security: Maintaining agility and security in distributed and microservice architectures |
Speakers | David Strauss (Pantheon) |
Conference | O’Reilly Software Architecture Conference |
Conf Tag | Engineering the Future of Software |
Location | New York, New York |
Date | April 11-13, 2016 |
URL | Talk Page |
Slides | Talk Slides |
Video | |
“Death Star” security describes a system that relies entirely on an outermost security layer and fails catastrophically when breached. As services multiply, they shouldn’t all run in a single, trusted virtual private cloud. Sharing secrets doesn’t scale either, as systems multiply and partners integrate with your product and users. David Strauss explores security methods strong enough to cross the public Internet, flexible enough to allow new services without altering existing systems, and robust enough to avoid single points of failure. David covers the basics of public key infrastructure (PKI), explaining how PKI uniquely supports security and high availability, and demonstrates how to deploy mutual authentication and encryption across a heterogeneous infrastructure, use capability-based security, and use federated identity to provide a uniform frontend experience while still avoiding monolithic backends. David also explores JSON Web Tokens as a solution to session woes, distributing user data and trust without sharing backend persistence.