Zero Trust Cyber Exchange: Service mesh plays integral role in zero trust runtime security
June 24, 2022, 5:31 pm
One mistake a lot of agencies make on their path to zero trust is thinking it’s a product they can buy. Instead, it’s a mindset change: agencies must assume that their networks have already been compromised and shift their focus to limiting the damage an intruder can do once inside.
It’s about protecting the individual devices, the data and the applications rather than the perimeter. That said, there are certain strategies, features and frameworks that agencies can adopt that will get them closer to zero trust. One of the most effective is the service mesh architecture.
According to the National Institute of Standards and Technology’s SP 800-204, service mesh “is a dedicated infrastructure layer that facilitates service-to-service communication through service discovery, routing and internal load balancing, traffic configuration, encryption, authentication and authorization, metrics, and monitoring.” Put more simply, it is deployed alongside an application, intercepts the network traffic in and out of that application, and reports on that traffic.
Service mesh enables continuous monitoring
“The service mesh is incredibly effective for runtime security and for being able to monitor and assert the state of your system continuously,” said Zack Butcher, founding engineer and head of product for Tetrate, and co-author of NIST SP 800-204. “What it gives us is a policy enforcement point. Because we’re intercepting the traffic in and out of our applications at the application itself, and not some external point, we can apply policy, we can get telemetry, we can do traffic management, we can do things like encryption in transit.”
That means it can implement the majority of the runtime controls an agency needs to get to zero trust. One of the major pillars of zero trust is continuous assertion that the system is performing as expected. Service mesh provides the required signals to make that assertion.
The Air Force’s Platform One development, security and operations (DevSecOps) team uses service mesh specifically for runtime security and its ability to provide encryption in transit. That makes it easier for the team to get authority to operate for its applications because the encryption is built in, enforced and reported.
Platform One also uses it to perform authentication and authorization of users into and out of applications. And that’s another key pillar of zero trust: It manages and reports who is using what application, and when.
End-to-end authentication and authorization
“It’s more than just encryption in transit, although that is an important part,” Butcher said. “There’s four other things that need to happen, which are authentication and authorization of the workload to the services that are communicating, and authentication and authorization of the user who’s making that access. So we need to make sure that the front end can call the database, but also that there’s a valid end user credential that has permission to read that object from the database. We want both of those things to be true.”
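The two-layer check Butcher describes (the front end’s workload identity and a valid end-user credential must both be present) expressed as mesh policy. This is an added example, not from the article or from Tetrate; Istio is assumed as the mesh, and the namespaces, service accounts, issuer URL and claim values are hypothetical.

```yaml
# Added example, not from the article: Istio assumed; names and URLs hypothetical.
# 1. Workload authentication: every sidecar in the namespace must present a
#    mesh-issued certificate (encryption in transit plus workload identity).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: backend
spec:
  mtls:
    mode: STRICT
---
# 2. End-user authentication: the database API's sidecar validates the
#    caller's JWT against the identity provider's published signing keys.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: user-jwt
  namespace: backend
spec:
  selector:
    matchLabels:
      app: database-api
  jwtRules:
  - issuer: "https://idp.example.gov"
    jwksUri: "https://idp.example.gov/.well-known/jwks.json"
---
# 3. Authorization: the front end's workload identity AND a valid end-user
#    token carrying the read scope are both required. Fields inside one
#    `source` block are ANDed; putting `principals` and `requestPrincipals`
#    under two separate `source` entries would OR them instead.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: database-api-read
  namespace: backend
spec:
  selector:
    matchLabels:
      app: database-api
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/frontend/sa/frontend"]
        requestPrincipals: ["https://idp.example.gov/*"]
    when:
    - key: request.auth.claims[scope]
      values: ["records:read"]
```

A request from the front end without a user token, or a user token arriving from any other workload, is denied by the sidecar before it reaches the database API, and the denial shows up in the sidecar’s access log and telemetry.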
Of course, none of this touches the pre-runtime requirements for zero trust: the people, the process, the testing, the review, the pipelines — every step that happens before going to production. But service mesh does accomplish most of the hard technical pieces of runtime security, Butcher said. It can be deployed incrementally into modern Kubernetes environments, as well as into traditional environments.
And that’s useful even for an agency just getting started on its zero trust journey because the first step on that journey is always inventory. Agencies can’t secure what they don’t know exists.
“We can start to understand what services exist and where they exist in our infrastructure, and start to get a global view of that. So even as early as trying to identify the resources at play, to start to build your security posture, the mesh can be a helpful tool there,” Butcher said. “One of the things that we do in our product with the service mesh is build a global inventory of services, both ones that are in the mesh themselves, as well as other, potentially even third-party, external services that are communicated with over the network. It can help inventory and identify not just what you have but how what you have is communicating and what it’s communicating with, whether you own it or it’s external.”
And that’s all consistent with the NIST Cybersecurity Framework, which sets the standards and requirements for what agencies and organizations need to implement based on their mission, the criticality of their workloads, where they sit in the supply chain and other similar factors.
“Part of the whole impetus behind zero trust and focusing on pre-runtime activities is that we want more developer agility at the end of the day. We want our developers to be able to deliver more software, more quickly, more safely and more securely,” Butcher said. “That’s the fundamental purpose for it. The service mesh is a good way to achieve it.”