Edge-First Security at Scale: Lessons from orchestrating security across 35,000+ POS Devices
Speakers
Barun Acharya
eBPF Engineer | Odigos
Barun likes hacking on low-level stuff and fiddling around with developer tooling. He is currently a maintainer of, and leads the development efforts for, KubeArmor, a CNCF Sandbox project, and works as a Software Engineer at Odigos. He loves to speak at conferences talking about Open Source, Cloud Native and Security. He is a proud CNCF Ambassador. He has been associated with, and is actively mentoring in, programs like Google Summer of Code and LFX Mentorship.
Swarit Pandey
Founding Software Engineer | Step Security
Software Engineer at StepSecurity, leading development of a static analysis platform to detect and prevent supply chain attacks. Previously served as Software Engineer at AccuKnox, where I handled the core distributed messaging infrastructure and event-driven systems backed by RabbitMQ and Apache Pulsar.
At AccuKnox, I was part of the core team behind a major security partnership with IDT Telecom and led the CI/CD runtime security product powered by KubeArmor (eBPF+LSM). I designed event-driven systems for VM and multi-cloud workload protection, and owned the hardening policy generation module within AccuKnox's Discovery Engine.
Experienced in distributed systems, cybersecurity, and infrastructure engineering with a focus on runtime security and supply chain protection.
Reviews
This seems like a highly technical talk, but it may be a little too specific and boring. This might need to include a demo of what the speaker is talking about in order for people to really grasp what's going on.
With a few changes to spice it up, I think it could be a very good talk.
Interesting to know how real-world challenges are solved around security, especially remote, and I agree with the other review: strong narration will be key. We can probably share pointers to the speaker on a dry run.
"How do you enforce real-time security on 30,000 unorchestrated POS devices that go offline for days?"... you can't! Any new security threats that emerge when the device is offline can't be addressed. The POS device could be connected to WiFi and not connected to their cloud... providing a sufficient window for exploitation.
This talk seems to be about leveraging KubeArmor in a local context, but who is this aimed at? Is it aimed at cloud developers looking to build on-device software, or to persuade device-level software devs to use cloud-derived tools?
It's not clear why the proposers started with KubeArmor when something more suitable to that purpose such as microk8s is an option too.
Despite some lack of clarity this could well be a useful talk, provided the proposers set adequate context and make this talk an exploration of a set of choices they took, what drawbacks they found and how they addressed them.