How a ‘Zero Trust’ Platform Can Help Solve Service Mesh Challenges

KubeCon + CloudNativeCon sponsored this post, in anticipation of KubeCon + CloudNativeCon NA, Nov. 18-21 in San Diego.

The need for secure and rapid delivery of an enhanced user experience drives many of today’s enterprise software business decisions. As a means to that end, agile, secure and rapid systems adaptation is highly valued by enterprises hungry to satisfy customer demands. Within these processes, mesh application and service architecture (MASA) represents one of the most effective modern pathways to achieve these goals. When combined with today’s modern code languages and frameworks, MASA enables developers to deliver business services faster and more continuously than ever before.
However, MASA implementation doesn’t come without challenges. Service meshes, microservices, serverless and containers are key elements of MASA implementation. These architectures are also complex to run and manage at production scale, presenting service-to-service communication, discovery mechanism, security layer and observability challenges, just to name a few.
MASA advancement often surfaces a handful of common questions, such as:
- How do I enable secure hybrid methodologies across multiple cloud and platform as a service (PaaS) environments while still leveraging existing on-prem investments?
- How do I deploy and enforce common security models?
- How do I avoid core function duplication (i.e. discoverability, scalability, observability, security, service level management, multinetwork fabric and data protection policies)?
- How do I better understand how my new and existing IT investments are being used?
Each of these questions touches on a common theme: securely managing MASA complexity to ensure the greatest platform ROI. So how does the enterprise answer these questions? One solution is zero-trust based hybrid mesh platforms.
The Zero Trust-Based Hybrid Mesh
Zero-trust based hybrid mesh platforms offer one possible solution to securely managing MASA complexity in a number of ways. Zero-trust based hybrid mesh platforms, for example, elevate communication, security and business insight into the service mesh and data layers, drastically reducing the complexity burden on developers. Working atop zero-trust models, solution architects, engineers, SREs and DevSecOps are able to work in unison to continuously deploy software on a common production platform supporting the rapid delivery of polyglot frameworks. DevOps teams can also maintain appropriate security and continuous observability across the enterprise.
What Is Zero Trust?
First coined by Forrester Research, zero-trust architecture “abolishes the idea of a trusted network inside a defined corporate perimeter.” Put simply, zero-trust means “never trust, always verify.” Zero trust assumes your systems are already compromised by cyber intrusion. With zero trust, the enterprise is able to create microsegmentation around sensitive data, backed by deep visibility into how the enterprise uses data across its ecosystem in pursuit of customer satisfaction. This combination of segmentation and awareness greatly enhances security across the enterprise.
How Zero Trust Works with the Hybrid Mesh
Industry has signaled increased interest in zero-trust functions such as mutual authentication with Transport Layer Security (mTLS), key rotation, service cryptographic identity, observability (i.e. continuous monitoring), service level management and policy management throughout the enterprise service fleet. Leveraging zero trust with a hybrid mesh platform, development teams can quickly and flexibly deploy new capabilities and functions. The hybrid mesh enables core security policy enforcement, while the transparency that zero trust requires provides the deep operational observability DevOps teams need for production-grade application performance management.
Other Benefits
Zero trust-based hybrid mesh platforms can also offer a number of other features designed to reduce the complexities introduced by multimesh, hybrid/multicloud and multi-environment deployments. For instance, a hybrid mesh platform can enable enterprise cloud native application operations regardless of cloud provider, platform, data center or architecture, helping the enterprise avoid vendor lock-in. Enterprise businesses can also leverage the transparency of zero-trust based hybrid mesh platforms to provide valuable business insight on performance quality, service level management, A/B testing, canary deployments and other business-critical areas. Such platforms can also enable dynamic tracing and logging of upstream and downstream connections throughout the multimesh.
Zero trust hybrid mesh platforms also facilitate the seamless integration of new and legacy systems. By providing a unified mesh network capable of leveraging both east/west and north/south traffic patterns, a zero-trust based hybrid mesh can ensure business continuity concurrent with ongoing modernization.
Naturally, security remains of paramount concern with zero-trust hybrid mesh architectures. Some instances of the model incorporate claim-based entitlements responsible for determining the types of actions a service or end-user is able to perform based on role-based access control (RBAC), attribute-based access control (ABAC) and next-generation access control (NGAC). The zero trust hybrid mesh model can also be used to create a unified approach for managing both service-to-service and end-user security models. This can enable a single point of security control, operating independently of the network layer for added threat management.
Some zero-trust hybrid mesh models also leverage mTLS cryptographic service identities and multimesh jump points to provide unified, seamless, transparent and secure communications across meshes and clouds. In such models, SPIFFE (the Secure Production Identity Framework for Everyone) and its runtime environment, SPIRE, can be used to create mTLS cryptographic identities for services. Multi-mesh network fabric communication channels can then grant each mesh control over who, what, when and how information is sent. Uniform observability and continuous monitoring can also be enabled at different levels (full/partial payload, time-based monitoring, etc.). Further, under such a design, key-rotation patterns can help limit the impact of intrusions or attacks by quarantining compromised components.
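As an added example (not code from the post or from Grey Matter), the following sketch shows how the service-to-service side of such a model fits together: the caller's identity is the SPIFFE ID carried in its mTLS certificate, the platform looks up that workload's entitlements itself (claims are never self-asserted by the caller), and claim-based RBAC and ABAC rules decide the action, denying by default. The trust domain, policy rules and entitlement table are constructed for illustration.

```python
# Added example (not the post's or Grey Matter's code): a deny-by-default
# service-to-service authorizer keyed on the caller's SPIFFE ID, combining
# RBAC (roles) and ABAC (attributes) entitlements looked up on the platform side.
from dataclasses import dataclass, field
from urllib.parse import urlparse

TRUST_DOMAIN = "example.org"  # assumed trust domain for this mesh (constructed)

def parse_spiffe_id(uri: str) -> tuple[str, str]:
    """Validate spiffe://<trust-domain>/<path> and return (domain, path)."""
    p = urlparse(uri)
    if p.scheme != "spiffe" or not p.hostname or p.path in ("", "/"):
        raise ValueError(f"malformed SPIFFE ID: {uri!r}")
    if p.query or p.fragment or p.username or p.port:
        raise ValueError(f"SPIFFE IDs carry no query, fragment, userinfo or port: {uri!r}")
    return p.hostname.lower(), p.path

@dataclass
class Rule:
    action: str                                   # e.g. "orders:read"
    roles: frozenset = frozenset()                # RBAC: caller needs any one of these
    attrs: dict = field(default_factory=dict)     # ABAC: every attribute must match

POLICY = [  # constructed claim-based entitlement rules
    Rule("orders:read", roles=frozenset({"reader", "admin"}), attrs={"env": "prod"}),
    Rule("orders:write", roles=frozenset({"admin"}), attrs={"env": "prod", "pci": "true"}),
]

# Constructed entitlement table keyed by workload identity; in a real platform this
# comes from the identity/entitlement store, never from the request itself.
ENTITLEMENTS = {
    "spiffe://example.org/ns/prod/sa/checkout": {"roles": {"reader"}, "attrs": {"env": "prod", "pci": "false"}},
    "spiffe://example.org/ns/prod/sa/billing": {"roles": {"admin"}, "attrs": {"env": "prod", "pci": "true"}},
    "spiffe://example.org/ns/dev/sa/checkout": {"roles": {"admin"}, "attrs": {"env": "dev", "pci": "false"}},
}

def authorize(peer_spiffe_id: str, action: str) -> bool:
    """Never trust, always verify: identity shape, trust domain, then entitlements."""
    try:
        domain, path = parse_spiffe_id(peer_spiffe_id)
    except ValueError:
        return False
    if domain != TRUST_DOMAIN:        # foreign mesh: refuse unless federation is configured
        return False
    ent = ENTITLEMENTS.get(f"spiffe://{domain}{path}")
    if ent is None:                   # unknown workload, even inside our own trust domain
        return False
    for rule in POLICY:
        if rule.action != action or not (ent["roles"] & rule.roles):
            continue
        if all(ent["attrs"].get(k) == v for k, v in rule.attrs.items()):
            return True
    return False                      # deny by default
```

The peer SPIFFE ID would be read from the URI SAN of the verified mTLS client certificate; it is passed in here as a string so the policy logic can be exercised offline.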
To learn more about containerized infrastructure and cloud native technologies, consider coming to KubeCon + CloudNativeCon NA, November 18-21 in San Diego. To learn more about Grey Matter, click here.
Feature image by from Pixabay.