Istio has emerged as a popular and reliable service mesh management platform to make it easier to deploy, operate and scale microservices across cloud deployments. As a way to secure these service meshes, Twistlock has integrated with Istio to enrich the platform’s machine learning capabilities for connectivity. Twistlock does this by using Twistlock data to quarantine compromised services and to provide compliance policies to enforce secure configurations and the rest of the stack Istio runs on.
As cloud-native becomes the default way to build and run modern web-scale apps, organizations need increasingly sophisticated tools to abstract the underlying complexity away from normal operations. Kubernetes is the clear winner of the orchestration arms race and has abstracted the complexity of managing large fleets of compute nodes. However, as Kubernetes enables ever larger deployments, it can benefit from a companion technology that leverages its platform level primitives to make managing large portfolios of services simpler.
For example, Kubernetes makes it easy for you to deploy an app that scales across a 1,000 node cluster and deals with deployment and node failures. However, it can be complex to route traffic for that service, to monitor the overall health of the service (not just of individual nodes and pods) and to ensure fair resource allocation between this service and others within the cluster.
Istio is a project designed to complement Kubernetes (and microservices platforms) and to provide these capabilities mentioned above. More specifically, Istio was designed to provide traffic management, service identity, management policy enforcement and telemetry for microservices.
Istio is built around the open source Envoy proxy hosted by the Cloud Native Computing Foundation (CNCF). Istio builds on existing Kubernetes capabilities to make deployment familiar and integrated while providing a variety of value-added services beyond Kubernetes’ more infrastructure specific focus.
Over the past few months, our customers have increasingly asked about Twistlock’s plans for Istio and today we’re happy to share those details. Istio is a complex platform with diverse configuration options and security settings, and it’s easy to get lost when trying to process all the details.
While it’s simple to get started running Istio, having visibility into traffic flows, enforcing security best practices, and (maybe most importantly) leveraging Istio’s capabilities to improve the security of your apps are the areas we focus on enhancing.
To explore the new security features Twistlock provides, we’ll use the common Bookinfo example app. As described in the guide, this app is composed of multiple interconnected microservices:
- The product page microservice calls the details and reviews microservices to populate the page;
- The details microservice contains book information;
- The reviews microservice contains book reviews. It also calls the ratings microservice;
- The ratings microservice contains book ranking information that accompanies a book review.
The topology of the app is depicted below:
Visualizing and Controlling Istio on Radar
One of the first challenges we recognized with customers using Istio was in being able to visualize the topology of services. While Twistlock has long offered the Radar view to provide a real-time Visio of your entire containerized environment, Istio allows us to further augment this data with more application-specific knowledge and depth.
One of the main security benefits of Istio is tight control over network policies — that is, strict control over the communication protocols and connections between entities. To provide this, it’s recommended to enable service-level access control in Istio. When using this feature with Twistlock, you gain full visibility and control over network topology directly in Radar’s visual canvas.
For example, in the Bookinfo example, the “productpage” service receives a “product-viewer” role that is bound to the “productpage-viewer” and “details-reviews-viewer” service roles.
The first role indicates all users can access the product page, while the second role is explicitly set for the product page and enables only it to access the details and reviews services.
Twistlock automatically registers the entire configuration so it is dynamically updated and annotated to the Radar canvas for each service:
Further, when clicking on the service roles, you can drill down to see the details for each:
Using Twistlock, we can edit and manage all the security settings that are associated with a given entity, and see those changes reflected in Istio’s managed service mesh topology.
Leveraging Istio for Runtime Quarantine
We also integrate our runtime defense sensors with Istio, adding deep security intelligence over the overlying topology by analyzing the allowed connection and infrastructure metadata across entities. Using this data, we report and quarantine entities based on the network metadata and observed behavioral anomalies.
For example, in the Bookinfo app, what happens if an attacker successfully achieves remote code execution on the “productpage” service and from there tries to access the “ratings” service? Technically, if all mesh rules were configured correctly, Istio network policies could prevent the connections, but you still need detection and alerting of the compromise, which comes through CNNF’s (our layer 3 Cloud Native Network Firewall) integration with Istio:
Of course, these network violations are also reported and shown in Radar:
This flow enables Twistlock to apply our ML-driven behavioral modeling to automatically detect anomalies, but to then offload a response to Istio for isolating the compromised service.
For example, Twistlock can quarantine a public facing web service when an anomaly is detected by instructing Istio to disconnect that service from the backend payments database. Because this integration occurs at the service mesh layer, Istio can instantly and elegantly enforce it across the environment, without requiring changes to IP routing or manual port reconfiguration.
Finally, our Twistlock Labs research team has developed a set of new compliance checks for Istio. These compliance checks are aligned to existing best practices from the Istio project and community, such as ensuring mutual TLS is enabled in the production namespace and that strict role-based access control is enabled. These compliance policies fit into Twistlock’s existing compliance capabilities, including the ability to alert and block based on non-compliance and to see status globally in real time in the Compliance Explorer dashboard.
As customers deploy and run more complex cloud-native apps, platforms such as Istio complement existing capabilities in Docker and Kubernetes to provide every customer with planetary scale tools. Twistlock helps to expand that reach by adding a security layer for Istio as well as leveraging it to scale security across your entire service mesh.
Twistlock is a sponsor of The New Stack.
Feature image via Pixabay.