October 24, 2022 | Detroit, Michigan

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon North America 2022 - Detroit, MI + Virtual and add this Co-Located event to your registration to participate in these sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Monday, October 24 • 9:25am - 9:55am
Leveraging Envoy to Implement Micro-Segmentation-Based Security Policies - Hermann Lueckhoff, JP Morgan Chase

JPMorgan Chase application security architecture follows least-privilege network and micro-segmentation principles. For instance, incoming requests from external users need to be validated in a designated security zone before they can be forwarded to upstream endpoints in a different security zone. Communication between these segments is highly regulated and involves various identity providers and different levels of authentication and authorization checks, including token validations and exchanges.

In this talk you will learn how we deal with these complexities by leveraging standard Envoy routing capabilities as well as Envoy filters such as JWT Authentication and External Authorization. AWS X-Ray Tracer is leveraged for added observability. For our token exchange requirements we utilize the External Processor filter with a Golang gRPC implementation leveraging Unix Domain Sockets (UDS) for improved performance and robustness. After validating the authentication status for a given incoming request, we mint new tokens and inject them into the upstream request. The External Processor filter also gives us a clean way to logically separate standard routing requirements from very specific token exchange needs.
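
The mint-and-inject step described above, as an added example that is not code from the talk or from JPMorgan Chase: the per-request decision a token-exchange processor makes, together with the check the upstream zone would run. The HS256 signing, the claim set, the two-minute lifetime, the key and all function names are assumptions, and the Envoy gRPC and UDS plumbing is outside the block so that it runs with the Go standard library alone.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
type claims struct { // assumed claim set, not the talk's token format
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func sign(key []byte, msg string) string { // HMAC-SHA256 over "header.payload"
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(msg))
	return b64.EncodeToString(mac.Sum(nil))
}

// Exchange mints the upstream token after the edge zone has authenticated the caller.
func Exchange(key []byte, verifiedSub, aud string, now time.Time) (map[string]string, error) {
	if verifiedSub == "" { // fail closed: nothing is minted without a verified identity
		return nil, fmt.Errorf("no verified identity")
	}
	body, _ := json.Marshal(claims{verifiedSub, aud, now.Add(2 * time.Minute).Unix()})
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	// Setting authorization replaces the caller's token, which stays in the edge zone.
	return map[string]string{"authorization": "Bearer " + msg + "." + sign(key, msg)}, nil
}

// Verify is the upstream zone's check: signature first, then audience and expiry.
func Verify(key []byte, tok, aud string, now time.Time) (string, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 || !hmac.Equal([]byte(sign(key, p[0]+"."+p[1])), []byte(p[2])) {
		return "", fmt.Errorf("bad signature")
	}
	var c claims
	raw, _ := b64.DecodeString(p[1])
	if json.Unmarshal(raw, &c) != nil || c.Aud != aud || now.Unix() >= c.Exp {
		return "", fmt.Errorf("wrong audience or expired")
	}
	return c.Sub, nil
}

func main() { fmt.Println(Exchange([]byte("constructed-demo-key"), "user-123", "zone-b", time.Now())) }
```

Binding the minted token to one upstream audience and a short lifetime means a token captured in one segment is rejected by services in another.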

Envoy has become a strategic tool for operating under elevated security requirements and the resulting additional traffic management complexities. We have been able to replace expensive, inefficient, and hard-to-maintain custom proxy implementations with Envoy and the External Processor filter. As our teams investigate Istio adoption, Envoy provides us added long-term viability since we should be able to port our custom extensions into a service mesh environment. We have realized substantial cost savings on top of improved performance, agility, resource efficiency, and maintainability. Based on initial interest from other teams, we see our Envoy-centric traffic management approach as an evolving pattern in our broader organization.

Hermann Lueckhoff

Executive Director, JPMorgan Chase
Hermann is the lead architect of Commercial Real Estate Digital at JPMorgan Chase. His team created story.jpmorgan.com—JPMorgan’s one stop portal for commercial real estate investors—and has been an early adopter of Kubernetes and Envoy-centric architecture at JPMorgan. Prior...

Monday October 24, 2022 9:25am - 9:55am EDT
Room 310 B Huntington Place: 1 Washington Blvd, Detroit, MI 48226