DevOps / Kubernetes / Service Mesh / Sponsored / Contributed

How Service Mesh Can Make Application Delivery More Secure

16 Jan 2020 10:35am, by

Aspen Mesh sponsored this post.

Shawn Wormke
Shawn’s passion for building small teams focused on bringing emerging technologies to market drove him to co-found and head Aspen Mesh as its incubation lead. With two decades of experience building application networking and security products in companies like Cisco, LineRate Systems and F5, he had seen enterprises transition from hardware to software as they demanded to be more agile.

A business’s agility is what allows them to rapidly grow its revenue streams, respond to customer needs and defend against disruption. It is the need for agility that drives digital transformations and pushes companies to define new ways of working, develop new application architectures and embrace cloud and container technologies.

But agility alone won’t get a business where they need to be; agility with stability is the critical competitive advantage. Companies that can move faster and rapidly meet evolving customer needs — while staying out of the news for downtime and security breaches — will be the winners of tomorrow.

Service meshes help organizations achieve agility with stability by increasing the visibility and observability of their microservices, allowing them to gain control over a complex solution and to enforce their applications’ security and compliance requirements. As companies continue to adopt cloud native technologies, they must not lose sight of ensuring that the applications they deliver are secure and compliant and a service mesh provides many components in its toolbox that allows them to do that.

Let the Experts Be Experts

In order to ensure that applications are secure, organizations need security and compliance experts. And, those experts need to be leveraged to create business-wide policies that protect customer and company data. However, all too often in the DevOps world, the implementation and application of those policies are left to application teams that are already implementing the individual microservices that make up the larger application. The individual teams do not have the expertise or context to understand the larger security needs of the business, or worse, they may see security requirements as an impediment to delivering their code to production on schedule.

Service mesh can let experts be experts by allowing them to create security and authorization policies that can be applied as a transparent layer under the application services regardless of the application developer’s decisions. By creating this security layer, the burden of implementation becomes aligned with the people who have the most interest in its success. The friction is also removed from the people who are least invested. This allows the business to be confident that their applications are as compliant — and their data is as secure — as their risk profile requires.

Encryption and Identity for Zero Trust

Data needs to be protected at all times, not just while it is at rest in a database somewhere. This includes ensuring that data is encrypted while moving between microservices, regardless of whether that data hits the wire on the network. Protecting that data means that you know:

  1. Who has access to the data.
  2. That you trust them.
  3. That they are sending and receiving the data securely.

Because a service mesh is a transparent infrastructure layer that sits between the network and the microservices, on that network is the perfect place to ensure data encryption, identity, trust and permission.

By deploying a service mesh, organizations can ensure a secure by default posture in a zero-trust environment without changing existing applications or burdening application developers with complex authentication schemes, certificate management or permission revocation and additions. By delegating those functionalities to the mesh, organizations can easily deploy a more secure and compliant application environment with greater efficiency, less overhead and more confidence in their security posture.

Find and Fix with a Service Mesh

Mistakes will happen and security policies will have holes in them. Organizations shouldn’t expect people and the policies they create to be perfect, but they must expect that they find and fix those mistakes before others do and exploit them. Some of this can be done with tools and libraries that run inside of the application’s code or container, or with firewalls and other products that run in the physical network. But these techniques miss one key element: what is going on as the service’s requests are coming in and out of the application while those requests are inside of the cluster and its hosts.

A service mesh, especially Istio-based sidecar meshes like Aspen Mesh, provides organizations with a unique view into every microservice’s request/response behavior. Along with this additional visibility, you can understand the behavior of a service’s traffic before and after it leaves the application’s code and container to form a request trace from source to destination and back. Not only does this allow you to find anomalous requests, unknown traffic sources and destinations, it allows you and stop them from accessing services that they should not have access to through security and policy changes. Even more importantly, these policy changes can happen without directly impacting or changing the application, thus reducing the amount of time it takes to close security holes while lessening the overall risk of exploits.

As organizations continue to embrace cloud and container technologies — and their use of those technologies matures and scales — a service mesh will become a vital part of their security and compliance strategy.

Feature image via Pixabay.

A newsletter digest of the week’s most important stories & analyses.

View / Add Comments

Please stay on topic and be respectful of others. Review our Terms of Use.