I am a researcher in cloud computing, virtualization and container technologies, and open source community
contributor.
My research interests revolve around distributed and highly concurrent systems, large cloud infrastructures, networking,
and security.
I am one of the founding engineers at Tetrate, currently building a Service Mesh platform for the hybrid and multi-cloud world.
Back in 2015, I was elected as a Member of the Apache Software Foundation, where I help with community outreach and the promotion of Open Source and The Apache Way, and committer and member of the Incubator, Community Development, and Apache jclouds project management committees.
I am one of the founding engineers at Tetrate, currently building a Service Mesh platform for the hybrid and multi-cloud world.
Back in 2015, I was elected as a Member of the Apache Software Foundation, where I help with community outreach and the promotion of Open Source and The Apache Way, and committer and member of the Incubator, Community Development, and Apache jclouds project management committees.
Talks
-
The Role of NGAC and Service Mesh for Enterprise-wide Authorization
Zero Trust and High Assurance for Cloud Native Applications, NIST 2023 [video] [demo] [slides] In this session at the 4th Annual Multi-Cloud Conference conference held at NIST co-presented with Zack Butcher, we introduced the role of Next Generation Access Control (NGAC) and Service mesh for enterprise-wide Authorization. We explained the fundamentals of NGAC and the main advantages it brings over traditional authorization systems like RBAC or ABAC, and did a practical demo showing how Policy as Code can be implemented for enterprise-wide authorization at scale.
-
Service Mesh as the Security Kernel for Zero Trust Platforms
Zero Trust Architecture and DevSecOps for Cloud-Native Applications, NIST 2022 [video] [code] In this talk given at the Zero Trust Architecture and DevSecOps for Cloud-Native Applications conference held at NIST, I am demonstrating how a Service Mesh can be used as a Security Kernel to implement Zero Trust platforms. We will see how we can leverage distributed enforcement points to apply policy on the user identity, how to enforce runtime identity as well, and how application targetted policies can be created to quickly mitigate vulnerabilities like theLog4Shellone.
The demo also shows the development of custom WASM-based policies that can leverage the entire feature set of the programming language of choice to build rich access policies that can be enforced by the mesh. -
Access Control for Microservices
Istio Weekly live stream, 2021 [video] [slides] In this episode of the Istio Weekly live stream I present what is Next Generation Access Control (NGAC) and why it is a revolutionary technology that is a perfect fit as an access control framework for micro-services. I explore the different components that build the NGAC architecture, deep dive into its decision making process, and discuss how a Service Mesh can help leverage access control at scale. -
Identity Provisioning in a Service Mesh
DevSecOps and Zero Trust Architecture (ZTA) for Multi-Cloud Environments, NIST 2021 [video] [slides] In this talk given at the DevSecOps and Zero Trust Architecture (ZTA) for Multi-Cloud Environments conference held at NIST, I am showing how the process of provisioning runtime identities to the workloads of a Service Mesh works. The demo covers in detail how the istio proxy works internally and how it uses the Envoy SDS API to continuously provision certificates to the workloads to be used in mTLS connections. -
Protecting your data with a Service Mesh
Identity Management & Access Control in Multi-cloud, NIST 2020 [video] [slides] In this talk given at the Identity Management & Access Control in Multi-cloud conference held at NIST, I am showing a demo on how a Service Mesh and NGAC can be used to provide fine-grained access control for data. The demo showcases common use cases such as GDPR compliance and self-revoking and time-bounded access permissions. -
Service Mesh and the future of networking
Software Crafters Barcelona, 2019 [video] [slides] In the world of microservices, we have seen this new technology, the Service Mesh emerge and grow very fast. Projects like Istio, Linkerd or Consul have become very popular and people are starting to adopt them and figuring out the new possibilities these projects bring. But beyond the individual features each of those projects provide, in this talk, we will present the core concepts of a Service Mesh, the novel things this technology brings, and the use cases it is meant to solve.
We will explore how Service Meshes will push networking to the next level, opening the door to a whole new set of possibilities especially designed for this new era of multi-cloud and hybrid architectures, and giving us a mental model with which to explore and evaluate after the talk. -
Next Generation Access Control for the Multi-Cloud World
Service Mesh Day San Francisco, 2019 [video] [slides] NGAC is a fundamental reworking of traditional access control into a form suited to the needs of the modern, distributed, interconnected enterprise. NGAC is based on a flexible infrastructure that can provide access control services for a number of different types of resources, accessed by a number of different types of applications and users.
In this joint talk with David Ferraiolo from NIST we introduced NGAC and did a live demo showing how it can be applied to augment traditional RBAC with high level concepts xsuch as time and location in an efficient and scalable way. -
Do you need a service mesh?
CodeMotion Madrid, 2018 (Spanish) [video] [slides] In this talk I explored what a service mesh is and what they can do for your microservice web backends. Are the claims of observability, resiliency, and WAF features real? Are they useful during development, production, or both? Using pictures and demos, we’ll find out! This session also briefly covered how a service mesh works, giving us a mental model with which to explore and evaluate after the talk. -
Standalone Neutron: How we integrated it with Abiquo
OpenStack BCN 7th birthday meetup, 2017 [slides] This is a talk I gave at the OpenStack BCN 7th birthday meetup.
In it I explain how we integrated a standalone Neutron with Abiquo to implement an SDN solution without a full OpenStack deployment. -
Rule the cloud with Apache jclouds
ApacheCon North America, 2016 [slides] Apache jclouds is an open source multi-cloud toolkit for the Java platform that gives you the freedom to create applications that are portable across clouds while giving you full control to use cloud-specific features.
In this talk I explored the core concepts around jclouds and did a demo showing how the same code can be used to manage your infrastructure in different cloud providers.
Podcasts
-
The New Stack - How ‘Secure’ Your Cloud Native Can Be
KubeCon + CloudNativeCon NA, 2018 On this livestream from KubeCon + CloudNativeCon NA with Liz Rice and Sarah Allen, we’re discussing the growing security focus at CNCF. In particular, how the CNCF approached security in the past, and how is it continuing to focus on it in the future. [audio] [video] -
Compilando Podcast - Fundación Apache con Ignasi Barrera y el cumpleaños de TUX
21st Tux anniversary, 2017 (Spanish) On this edition of Compilando Podcast I am introducing the Apache Software Foundation and the main principles behind the Apache Way, the framework used in the Foundation to create sustainable open source projects. [audio]
Publications
2006
- CIDEX: Intercambio distribuido de alertas para la gestión de ataques coordinados In Actas de la IX Reunión Española de Criptología y Seguridad de la Información. Joaquín García-Alfaro, Ignasi Barrera