Boosting AppSec and Network Security With a Service Mesh
Next-gen applications, architectures and networks require a next-gen approach to security.
Today’s organizations, as they continue executing their digital transformation initiatives, are in a constant battle to one-up potential hackers, attackers and bad actors—and for good reason. The security perimeter has disappeared, the attack surface keeps growing and new attack vectors continue to emerge. Add to that an ongoing pandemic, global conflict and a scattered, remote workforce and it’s no wonder that breaches, hacks and attacks fill our news feeds daily.
Next-gen technologies—such as modern cloud-native technologies and microservices—have eliminated the perimeter. Not so long ago, a perimeter separated a company’s assets from the outside world. Now, there is no “inside” versus “outside”; everything is considered “outside.” A larger attack surface—the number of exposed and potentially vulnerable resources within your enterprise—means more opportunities for cybercriminals. How can organizations reduce their attack surface, bolster their security posture and reduce their overall risk? Let’s dig in.
Security Matters
Why is security top-of-mind for most organizations? Recent research revealed that for 83% of companies, “It’s not if a data breach will happen, but when—and usually more than once.” The average cost of a data breach in the U.S.? A staggering $9.44 million. Forward-looking organizations have implemented defense-in-depth (DiD), a multi-layered cybersecurity approach with several defensive mechanisms set up to protect valuable data and information, or zero-trust, which basically means check, check again, then trust in order to verify. It’s been a year since president Joe Biden issued a cybersecurity executive order spelling out the importance of adopting a zero-trust cybersecurity approach, yet only 21% of critical infrastructure organizations have adopted a zero-trust model.
Meanwhile, governmental agencies, Fortune 500 companies, and everything in between are all struggling to secure their assets—while contending with multiple teams, multiple devices and multiple locations. One of a modern organization’s biggest challenges is assessing exactly how many entities they must secure. Keep in mind that microservices and modern applications have exponentially more pieces than previous generations of applications. One microservice may contain 10 pieces while a previous application had only one. Once you break down these multi-part applications and services, you must factor in how all these pieces communicate over the network—a network that should be inherently untrusted.
Enter Service Mesh
As organizations embrace cloud-native development, they are building new types of applications and microservices that are easier to scale and add more business value. Microservices refer to an architectural approach to software development in which software is made up of small, independent services that communicate over well-defined APIs. In the process, organizations discover that these modern applications contain more “pieces”—pieces that change more frequently.
This introduces new security risks (and a larger attack surface). Basically, there is more traffic going over the network which means more application elements to track. There are also more (and more frequent) changes to these applications. And as cloud-native initiatives scale, more developers and application development teams are added. This brings forth several questions: Is the network trusted? If more teams are contributing to these applications, how do we ensure that we can identify who everyone actually is? How do we manage the security of applications and services that are outside our domain? How can we continue to validate everything as things change? How do we validate contractors and the software they build? That’s where service mesh can help.
A service mesh can be described as a networking framework that provides observability, security and reliability to distributed applications. It does this at the platform layer rather than in the application layer. Since cloud-native applications typically consist of dozens or hundreds of microservices, communication between services is critical—but difficult to manage. A service mesh controls service-to-service communication over a network effectively (and securely)—and it provides application traffic monitoring and management. The more an organization depends on microservices to build software, the more it can benefit from a service mesh.
As more enterprises standardize on microservices (and since Kubernetes has “crossed the chasm”), more are also turning to service mesh to power this architecture. In fact, Solo.io’s 2022 Service Mesh Adoption Survey showed that 85% of companies are modernizing their applications to a microservices architecture. And an overwhelming 87% of companies reported using or evaluating a service mesh to manage an increasingly complex application environment. At the same time, Istio is becoming the Kubernetes of service meshes, with leading companies choosing an Istio-based service mesh by an almost three-to-one margin.
Service Mesh as (Secure) Traffic Control
Service mesh tackles the prime challenges of developing and securing microservices and modern applications (different teams using different languages and frameworks) by moving authentication and authorization to a common infrastructure layer. The service mesh helps authenticate between your services to ensure secure traffic flow, also enforcing service-to-service and end-user-to-service authorization. Service mesh enforces role-based access control (RBAC) and attribute-based access control (ABAC). A service mesh can validate the identity of a microservice as well as the resource (server) running the microservice.
A service mesh acts as traffic control within the network, freeing application teams to focus on building applications that benefit the business—without taking on the additional task of securing these applications. The service mesh delivers consistent security policies for inside and outside traffic and flexible authentication of users and machines. It also enables cryptographically trusted authentication for both users (humans) and machines or applications. Cryptographic security depends on keys to encrypt and decrypt data to verify and validate users. In addition to enabling encrypted paths between applications, service mesh allows for flexible failover (and improved uptime) and known points for security logging and monitoring.
Service Mesh and Zero-Trust
Earlier, I mentioned the concept of zero-trust—or validating every single device, every single transaction, every single time. The zero-trust approach is essential for fast-moving, cloud-native application environments. Many commercial organizations and government agencies are turning to service mesh to bolster their zero-trust initiatives. Government agencies, for example, always struggle to secure high-value assets (including critical infrastructure) from hackers, bad actors and attackers. And these attackers can be internal (disgruntled employees or contractor/vendor breaches) or external (foreign nation-state threat actors). As a result, there are no insiders or outsiders; everyone is outside and untrusted until proven otherwise.
A service mesh helps authenticate and cryptographically validate and authorize people, devices and personas. We can also use service mesh to enforce policies and identify potential threats: If a knowledge worker exceeds a certain traffic limit or is “talking” to a private database, we can quickly shut that down. We can outline what approved traffic patterns should look like along with rules for who is allowed to engage with what. The popular and industry-proven Istio service mesh can enable consistent security from Layer 4 (devices, connections) through Layer 7 (applications), cryptographic identity, as well as well-known security patterns for both inside traffic and outside traffic. Istio service mesh, which is governed by the CNCF (Cloud Native Computing Foundation), is now mainstream in Kubernetes environments.
Service mesh is a mainstream technology that is fairly easy to implement and applicable to organizations in every sector. It is an effective and efficient way to achieve zero-trust network security and, ideally, keep your organization one step ahead of tomorrow’s breaches, hacks and threats.