Centralizing Egress Access Controls Across a Hybrid Environment
Ramesh Ramani
BSidesSF 2025 — Here Be Dragons · Day 1 · Main
When applications running across Kubernetes clusters, multiple clouds, and on-premises data centers each manage their own egress rules, the result is a fragmented, unauditable mess. Ramesh Ramani, a security engineer at Block, presented a centralized egress access control system that unifies policy creation, enforces partner compliance, and deploys rules automatically to heterogeneous enforcement endpoints — all through a single UI backed by a structured group management repository and LLM-assisted validation.
---
AI review
Ramani built this, deployed it at Block across a genuinely heterogeneous stack, and the architecture is sound. SPIFFE IDs as the universal workload identity abstraction across Kubernetes, Lambda, EC2, and on-prem is the key technical insight — everything else follows from that design choice. The LLM-assisted domain validation against the Block Software List is a nice practical touch, not AI theater.
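As an added illustration (not code from the talk or from Block), here is a minimal Python model of the centralized policy flow described in the abstract and the review: workloads keyed by SPIFFE ID, destinations checked against an approved-software list before any rule is emitted, and one policy compiled into rule sets for several enforcement endpoint types. The approved list, the SPIFFE IDs and the output rule formats are constructed for the example, and an exact/suffix match stands in for the talk's LLM-assisted validation.

```python
# Added example, not from the talk or Block's implementation: a minimal
# centralized egress policy model. One policy record per workload (SPIFFE ID),
# validated against an approved-software list, then compiled into rule sets
# for several enforcement endpoint types from a single source of truth.
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed stand-in for an approved-vendor list (the talk's Block Software List).
APPROVED_DOMAINS = {"api.stripe.com", "s3.amazonaws.com", "github.com"}

@dataclass
class EgressPolicy:
    spiffe_id: str                  # e.g. spiffe://example.org/ns/payments/sa/ledger
    destinations: list              # FQDNs this workload may reach
    ports: list = field(default_factory=lambda: [443])

def parse_spiffe_id(spiffe_id):
    """Return (trust_domain, path) or raise ValueError for a malformed ID."""
    u = urlparse(spiffe_id)
    if u.scheme != "spiffe" or not u.netloc or not u.path.startswith("/"):
        raise ValueError(f"not a SPIFFE ID: {spiffe_id}")
    return u.netloc, u.path

def validate_destinations(destinations, approved=APPROVED_DOMAINS):
    """Split destinations into approved and rejected. A destination is approved
    if it equals an approved domain or is a subdomain of one (exact/suffix
    match stands in for the LLM-assisted check described in the talk)."""
    ok, rejected = [], []
    for d in destinations:
        d = d.lower().rstrip(".")
        if any(d == a or d.endswith("." + a) for a in approved):
            ok.append(d)
        else:
            rejected.append(d)
    return ok, rejected

def compile_rules(policy, approved=APPROVED_DOMAINS):
    """Compile one validated policy into per-endpoint rule sets. Any unapproved
    destination aborts compilation, so nothing partial is deployed."""
    trust_domain, path = parse_spiffe_id(policy.spiffe_id)
    ok, rejected = validate_destinations(policy.destinations, approved)
    if rejected:
        raise ValueError(f"unapproved destinations for {policy.spiffe_id}: {rejected}")
    return {
        # Kubernetes-style: selector is the SPIFFE path (namespace/service account)
        "k8s_egress": {"selector": path, "allow": [{"host": h, "ports": policy.ports} for h in ok]},
        # Egress proxy allowlist: one line per principal/host/port
        "proxy_allowlist": [f"allow {policy.spiffe_id} {h}:{p}" for h in ok for p in policy.ports],
        # Cloud firewall: the same intent as (trust domain, FQDN, port) tuples
        "cloud_fw": [(trust_domain, h, p) for h in ok for p in policy.ports],
    }
```

Because every enforcement output is derived from the same validated record, a change to the approved list or to one workload's policy is auditable in one place rather than reconciled across clusters, clouds and data centers.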