Talk (Intermediate)

Edge-First Security at Scale: Lessons from orchestrating security across 35,000+ POS Devices

Approved
Session Description

How do you enforce real-time security on 30,000 unorchestrated POS devices that go offline for days? With no Kubernetes, no fleet orchestration and unreliable connectivity, we had to rethink cloud-native assumptions and build a resilient edge-first architecture.

Technical Highlights:

  • Devices required persistent runtime security, even while disconnected.

  • Cloud-based EDR models failed due to their reliance on constant connectivity and orchestration.

  • KubeArmor enabled local runtime policy enforcement directly on the devices.

  • gRPC wasn’t a failure, but scaling connection management across 30,000+ devices added unnecessary complexity.

  • RabbitMQ handled bidirectional, event-driven messaging with built-in reliability and no custom connection logic.

  • Streams and replayability were key for delayed policy delivery, audits, and recovery.

  • Policies and telemetry flowed asynchronously between the central control plane and devices.

  • Local cache persisted on disk to work within edge limits (0.5 CPU, 500Mi RAM).

  • We reduced RabbitMQ from 20 to 4 nodes using clustering, tuning, and stream optimizations.

  • Open-source RabbitMQ plugins enabled customization without vendor lock-in.

Key Takeaways

  1. Cloud-based EDRs are insufficient for disconnected edge environments — devices need local, independent runtime enforcement.

  2. KubeArmor enables localized runtime security, enforcing policies without cloud or orchestration dependencies.

  3. gRPC adds high operational complexity at scale; maintaining 30,000+ persistent connections is not practical.

  4. RabbitMQ provides built-in connection management, reliable delivery, bidirectional communication, and supports event-driven design.

  5. Replayable streams and disk-based local caching are essential for handling policy sync, audit trails, and device restarts in low-resource edge environments.
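As an added illustration of the replay-and-cache pattern in the highlights above and in takeaway 5 (example code written for this page, not code from the talk, AccuKnox or KubeArmor): a device-side agent keeps only the compacted live policy set and the last applied stream offset on disk, keeps enforcing from that cache while the broker is unreachable, and on reconnect or after a reboot replays just the events it missed. The FakeStream, the policy names and bodies, and the JSON cache layout are all constructed for the example; a real deployment would attach a RabbitMQ stream consumer at the stored offset instead.

```python
"""Offline-tolerant policy sync for an edge device: a replayable stream plus an on-disk cache."""
import json
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class PolicyEvent:
    """One record on a replayable policy stream; offset is the broker-assigned position."""
    offset: int
    name: str
    action: str  # "apply" or "delete"
    spec: str    # opaque policy body handed to the local enforcer


class BrokerUnreachable(Exception):
    """Raised when the device has no path to the control plane."""


@dataclass
class FakeStream:
    """Constructed stand-in for a RabbitMQ stream so the example runs offline."""
    log: list = field(default_factory=list)
    offline: bool = False

    def publish(self, name, action, spec=""):
        self.log.append(PolicyEvent(len(self.log) + 1, name, action, spec))

    def read_from(self, after):
        """Events with offset > after. Connectivity loss is an error, never an empty list."""
        if self.offline:
            raise BrokerUnreachable("broker unreachable")
        return self.log[after:]  # offsets are 1-based, so list index == after


class Agent:
    """Device side: enforces from the local cache; contacts the stream only to catch up.

    The cache is the compacted live policy set plus the offset it corresponds to,
    not the event history, so it stays bounded however long the device is dark.
    """

    def __init__(self, cache_path):
        self.path = cache_path
        self.last_offset = 0
        self.policies = {}
        if os.path.exists(cache_path):
            with open(cache_path) as f:
                state = json.load(f)
            self.last_offset = int(state["last_offset"])
            self.policies = dict(state["policies"])

    def _persist(self):
        # tmp file + atomic rename: a power cut mid-write cannot leave a half-written cache
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"last_offset": self.last_offset, "policies": self.policies}, f)
        os.replace(tmp, self.path)

    def sync(self, stream):
        """Replay everything since last_offset, apply it idempotently, return the count applied.

        An unreachable broker raises before anything changes: cached policies stay in force.
        """
        applied = 0
        for ev in stream.read_from(self.last_offset):
            if ev.offset <= self.last_offset:
                continue  # redelivered duplicate, already applied
            if ev.action == "apply":
                self.policies[ev.name] = ev.spec
            elif ev.action == "delete":
                self.policies.pop(ev.name, None)
            else:
                raise ValueError(f"offset {ev.offset}: unknown action {ev.action!r}")
            self.last_offset = ev.offset
            applied += 1
        self._persist()
        return applied


def scenario(cache_path=None):
    """Sync, go dark while the control plane keeps publishing, reboot, catch up.

    Returns (events the catch-up had to replay, the rebooted agent).
    """
    if cache_path is None:  # scratch location; the directory is left behind for inspection
        cache_path = os.path.join(tempfile.mkdtemp(prefix="poscache-"), "policies.json")
    broker = FakeStream()
    broker.publish("block-shell-spawn", "apply", "deny exec /bin/sh from pos-app")
    broker.publish("ro-config-dir", "apply", "deny write /etc/pos/")
    dev = Agent(cache_path)
    dev.sync(broker)

    broker.offline = True  # connectivity lost for days; enforcement continues from the cache
    try:
        dev.sync(broker)
    except BrokerUnreachable:
        pass
    if len(dev.policies) != 2:
        raise RuntimeError("cached policies must survive an offline period")

    broker.publish("block-shell-spawn", "delete")
    broker.publish("no-raw-sockets", "apply", "deny socket raw")
    broker.offline = False

    rebooted = Agent(cache_path)      # reboot: state comes only from disk
    replayed = rebooted.sync(broker)  # only the two missed events are delivered
    return replayed, rebooted


if __name__ == "__main__":
    n, dev = scenario()
    print(f"replayed={n} offset={dev.last_offset} policies={dev.policies}")
```

Two design points matter at the 0.5 CPU / 500Mi budget the highlights mention: the cache stores state, not the event log, so an outage of any length costs no disk, and the offset is written in the same atomic rename as the policies, so a restart can never see policies from one position and an offset from another. With a real RabbitMQ stream the same resume works by attaching the consumer at the stored offset (over AMQP 0.9.1 that is the `x-stream-offset` consumer argument).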


Session Categories

Technology architecture
Track
Main track

Speakers

Barun Acharya, eBPF Engineer | Odigos

Barun likes hacking on low-level stuff and fiddling around with developer tooling. He is currently a maintainer of KubeArmor, a CNCF Sandbox project, where he leads development efforts, and works as a Software Engineer at Odigos. He loves speaking at conferences about Open Source, Cloud Native and Security. He is a proud CNCF Ambassador. He has been associated with, and actively mentors in, programs like Google Summer of Code and LFX Mentorship.

https://barun.cc
Swarit Pandey, Founding Software Engineer | Step Security

Software Engineer at StepSecurity, leading development of a static analysis platform to detect and prevent supply chain attacks. Previously served as Software Engineer at AccuKnox, where I handled the core distributed messaging infrastructure and event-driven systems backed by RabbitMQ and Apache Pulsar. At AccuKnox, I was part of the core team behind a major security partnership with IDT Telecom and led the CI/CD runtime security product powered by KubeArmor (eBPF + LSM). I designed event-driven systems for VM and multi-cloud workload protection, and owned the hardening policy generation module within AccuKnox's Discovery Engine. Experienced in distributed systems, cybersecurity, and infrastructure engineering with a focus on runtime security and supply chain protection.

https://www.linkedin.com/in/swarit-pandey/
