The role of service mesh in application security [Q&A]
As organizations embrace cloud-native development, they are building new types of applications and microservices that are easier to scale and add more business value.
But the growing adoption of microservices has introduced new security risks because microservices and modern applications contain more 'pieces' that increase the attack surface.
The open source Istio service mesh and Istio ambient service mesh technologies are already being used to manage and coordinate high volumes of microservices, by facilitating service-to-service communication over a network. Service mesh can also be used to secure the very same microservices.
In a world where traditional perimeters are disappearing and organizations are looking at new defensive strategies to deal with threats, we spoke to Idit Levine, CEO and founder of Solo.io, to find out why a service mesh could be the answer.
BN: How have enterprise digital transformation efforts impacted cybersecurity?
IL: The bottom line here is that every time large organizations digitize their operations and migrate applications to the cloud, they're increasing their exposure to threats. IT, DevOps and SecOps teams are constantly trying to stay one step ahead of potential hackers, attackers and threat actors. The traditional security perimeter has disappeared, the attack surface keeps growing, and new attack vectors continue to emerge.
The emergence of modern cloud-native technologies and microservices has eliminated the perimeter. Not so long ago, a perimeter separated a company's assets from the outside world. Nowadays, organizations are subject to both external and internal threats, with cybercriminals taking advantage of the growing number of exposed and potentially vulnerable resources across their infrastructure. Especially when you're dealing with large, dispersed remote workforces, all using cloud platforms to access company applications, systems and data.
The bottom line is, there is no 'silver bullet', no single protective shield that you can use to cover the entire organization. Threats have become more complex, with breaches happening months before the threat is even detected. As such, organizations are continuously adopting new types of solutions to reduce their attack surface, and improve their security posture to deal with denial-of-service (DDoS) attacks, ransomware incursions and data breaches.
BN: What's the role of service mesh in bolstering security?
IL: Service mesh is an application networking framework that underpins microservices architectures, facilitating communication between each of the services, along with application traffic monitoring and management.
Through increasing traffic on the network, a microservices architecture carries very specific risks -- bear in mind that a distributed application may contain many pieces, compared to previous applications that only had one. There are also more changes being made to these applications on a frequent basis. Subsequently, organizations are required to secure each of these elements and authorize access to the teams of developers working on the various applications they support. Now, although this sounds like a tricky and complex process to manage, it can be easily addressed by service mesh technologies.
A service mesh technology delivers connectivity, security, observability, and reliability for the network; it does this at the platform layer, rather than in the application layer. As such, it also enables control over growing network traffic, powering organizations to manage and secure every element of a microservice.
BN: Can service mesh support zero trust initiatives?
IL: The short answer is: yes, it does! To recap, zero-trust enables organizations to validate every single device, every single transaction, every single time. That's why it is perfect for fast-moving and complex cloud-native application environments. Zero-trust and service mesh actually go hand in hand. They're complementary technologies that are ideal for containerized environments, allowing developers to deploy applications faster and more securely. For example, Istio service mesh is already becoming the de facto service mesh in Kubernetes environments. Of course, microservice architectures can be made up of hundreds, even thousands of components, constantly being updated by teams of developers and other users. When zero-trust is implemented in a service mesh environment it can actively monitor and facilitate restricted and 'trusted' access at scale.
It helps authenticate and cryptographically validate and authorize people, devices, and personas. It can be used to enforce policies and identify potential threats. It can outline approved traffic patterns, along with rules for who is allowed to engage with what. For instance, if a developer exceeds a certain traffic limit or has access to a private database, that connection can be shut down immediately. Zero-trust adds comprehensive security controls to service mesh and API gateways to secure microservices and containerized environments, dramatically improving your security posture.
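As an added illustration of the "rules for who is allowed to engage with what" described in the answer above, the following manifests show what a zero-trust baseline looks like in Istio's own policy objects. This is example configuration written for this page, not material from the interview, Solo.io or the Istio project; the namespace `shop`, the workloads `frontend` and `orders`, and the service account `frontend-sa` are assumed names. The three pieces are: require mutual TLS so every connection carries a cryptographically verified workload identity, deny everything by default, and then allow one named identity to reach one service for a small set of operations.

```yaml
# Added example (not from the article, Solo.io or the Istio docs).
# Assumed names: namespace "shop", workloads "frontend" and "orders",
# service account "frontend-sa". The API kinds and fields are standard Istio.
---
# 1. Require mutual TLS for every workload in the namespace. With STRICT mode
#    plaintext connections are rejected, so each request arrives with a
#    verified SPIFFE identity (cluster.local/ns/<ns>/sa/<service-account>).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT
---
# 2. Default deny. An ALLOW policy with no rules matches no request, so any
#    workload in the namespace that has no other ALLOW rule rejects all traffic.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: shop
spec: {}
---
# 3. Explicit allow: only the frontend's workload identity may call the orders
#    service, and only for the listed HTTP methods and paths. Anything else
#    (another service account, a DELETE, an /admin path) falls through to (2).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - "cluster.local/ns/shop/sa/frontend-sa"
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/orders", "/orders/*"]
```

Applied with `kubectl apply -f` to a cluster where the `shop` namespace is part of the mesh, the effect is that identity, not network location, decides access: a pod that is inside the cluster but runs under a different service account gets an RBAC denial from the orders service even though it can route packets to it. The `principals` value is the identity Istio derives from the client certificate issued to the workload, which is what "cryptographically validate" means in practice here. In Istio's sidecarless ambient mode the mTLS and identity-based rules are enforced at layer 4 by the node-level ztunnel, while the method and path conditions in rule 3 are layer-7 checks that require the service to be fronted by a waypoint proxy.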
BN: Is security compromised if you choose a 'sidecarless' architecture?
IL: This is in reference to Istio ambient mesh, which is a more recent innovation. Essentially, service mesh simplifies inter-service communication in container-based and microservices architectures. This makes it easier to diagnose any communication errors that may occur at the infrastructure layer. Overall, this process accelerates application development, testing, and deployment.
Istio service mesh is typically deployed alongside application code in a sidecar container, which directs traffic and monitors the interactions between components. It's compatible with Kubernetes and helps to deliver smooth-running, microservices-based containerized environments.
Istio ambient mesh is a sidecarless data plane option for Istio service mesh. It offers a more transparent experience with much broader application support. It delivers cost savings, performance improvements and improved security by maintaining zero-trust security and policy enforcement. It allows you to implement a zero-trust architecture at the network layer to grant access to applicable DevOps, CloudOps and SRE teams, as and when required. This means that security isn't compromised at all; in fact, it can be enhanced. The advantage of Istio ambient mesh is that it can be deployed as a shared mesh infrastructure across both Istio standard and Istio ambient mesh architectures, providing greater scale and flexibility.
BN: What role do you see for Istio and open source in security networks?
IL: We're huge advocates of Istio and we'll continue to contribute to the development of Istio service mesh and Istio ambient mesh. This will include a focus on security and performance testing.
We're always interested in future collaborations and receiving feedback from the Istio community about how we can continue to make improvements. When you consider the many security features that service mesh currently offers, such as rules-based policy enforcement, flexible authentication of users and machines and zero-trust policies, you can't help but get excited about what the future has in store!
Image credit: Funtap/depositphotos.com