Extending firewalls to microservices with Istio

The microservices paradigm offers many advantages for developers. It allows them to build highly scalable apps, deploy anywhere, and parallelize work on different services through decoupling. But most of all, this model provides an abstraction layer separate from IT, enabling them to focus on innovating the next cool feature as fast as possible – Nirvana!

For IT and security teams, however, this poses a challenge. They experience the shift to microservices as a loss of control and a risk that they are not equipped to handle—not with their existing tool set, anyway.

Maslow’s famous “law of the instrument” says that if the only tool you have is a hammer, you are tempted to treat everything as if it were a nail. 

For network security people, this instrument is the firewall. Firewalls can control many aspects of security, but they don’t work for microservices. Here’s why:

First, network firewalls are monoliths that don’t fit into the microservice paradigm. Second, IP-based segmentation doesn’t suit the dynamic nature of containers and overlay networks, where workload addresses change constantly. And third, firewall change processes are far too slow for developers who run Kubernetes, the microservices platform, with an agile DevOps culture.

The same logic also applies to other traditional IT tools such as application performance monitoring (APM) and other monitoring tools, load balancers, proxies, and more.

So, how can organizations maintain control and ensure security in a microservice environment without disrupting agility? Moreover, how can cloud teams monitor and control the microservice applications?

Istio to the rescue!

Istio is an open platform to connect, manage, and secure microservices. It was announced just over a year ago as an open source project by Google, IBM, and Lyft. Today, after a lot of work by a thriving community, it was declared generally available – you can read all about it here: https://istio.io

When we started building Tufin Orca, we realized that Istio would be a great fit to extend network security into the microservice infrastructure. We’ve been working with Istio since version 0.2, and today Tufin Orca is fully integrated with Istio, providing micro-segmentation, behavioral analysis and isolation for microservice applications.
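As an added illustration of the identity-based segmentation argued for above (this is example configuration, not code from the post or from Tufin Orca), here is an Istio policy that restricts which workloads may call a hypothetical `payments` service by the caller's service-account identity rather than by IP address. It uses Istio's PeerAuthentication and AuthorizationPolicy APIs, which postdate the Istio 1.0 release this post describes; the `shop` namespace, the `checkout` service account and the `/charge` path are assumptions.

```yaml
# Added example: identity-based segmentation for a hypothetical "payments"
# workload. Namespaces, service accounts and paths are assumed, not from the post.
# Apply with: kubectl apply -f payments-policy.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  # Require mutual TLS so every caller presents a verifiable workload identity
  # issued by the mesh, instead of being trusted on the basis of its source IP.
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-checkout
  namespace: shop
spec:
  # Applies only to pods labelled app=payments in the "shop" namespace.
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE identity of the caller: cluster.local/ns/<namespace>/sa/<service-account>.
        # Pod IPs change on every reschedule; the service-account identity does not,
        # which is why this rule survives scaling and redeployment unchanged.
        principals: ["cluster.local/ns/shop/sa/checkout"]
    to:
    - operation:
        # Narrow the allowed surface to the one operation checkout actually needs.
        methods: ["POST"]
        paths: ["/charge"]
```

Once an ALLOW policy selects a workload, requests that match none of its rules are denied, which gives the deny-by-default posture a firewall rule base is meant to provide, but expressed in terms the platform keeps current automatically.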

We’d like to thank the Istio community for the amazing work they have done so far and to wish them continued success in building the world’s leading service mesh.

*** This is a Security Bloggers Network syndicated blog from Tufin - Cybersecurity & Agility with Network Security Policy Orchestration authored by Reuven Harrison. Read the original post at: https://www.tufin.com/node/1798