Zero Trust Security with Service Mesh

Aspen Mesh sponsored this post.

Last year was challenging for data security. In the first nine months alone, there were 5,183 breaches reported with 7.9 billion records exposed. Compared to mid-year 2018, the total number of breaches was up 33.3%, and the total number of records exposed more than doubled, up 112%. Data for the year 2020 so far agree with these trends, with the biggest cyber resilience pitfalls including gaps in protection, lowered detection rates, longer breach impacts, and increasing exposure of customer data.
This tells us that despite significant technology investments and advancements, software security still has significant gaps. A missed patch or misconfiguration can let the villains in to wreak havoc or steal data. For companies moving to the cloud and the cloud native architecture of microservices and containerized applications, it’s even harder. In addition to the perimeter and the network itself, there’s a new network infrastructure to protect: the myriad connections between microservice containers.
With microservices, the surface area available for attacks has increased exponentially, putting data at greater risk. In addition, network-related problems like access control, load balancing and monitoring, which had to be solved once for a monolith application, now must be handled separately for each service within a cluster. In short, there’s more room for breaches.
How Did We Get to Zero Trust?
Traditionally, network security has been based on having a strong perimeter to help thwart attackers — commonly known as the moat-and-castle approach. With a secure perimeter constructed of firewalls, you trust the internal network by default: and by extension, anyone who’s there already. Unfortunately, this was never a reliably effective strategy. But more importantly, this approach is becoming even less effective in a world where employees expect access to applications and data from anywhere in the world, on any device. In fact, other types of threats — such as insider threats — have generally been considered by most security professionals to be among the highest threats to data protected by companies, leading to more development around new ways to address these challenges.
In 2010, Forrester Research coined the term “Zero Trust” and overturned the perimeter-based security model with a new principle: “never trust, always verify.” That means no individual or machine is trusted by default from inside or outside the network. Another Zero-trust precept: “assume you’ve been compromised but may not yet be aware of it.” With the time to identify and contain a breach running at 279 days in 2019, that’s not an unsafe assumption.
Starting in 2013, Google began its transition to implementing Zero Trust into its networking infrastructure with much success and has made the results of their efforts open to the public with BeyondCorp. Fast forward to 2020, and the plans to adopt this new paradigm have spread across industries, largely in response to massive data breaches alongside stricter regulatory requirements.
In order to meet these demands and challenges head-on in 2020, 53% of cybersecurity decision-makers are planning to move to Zero-trust access capabilities. And who can blame them?
Zero-trust Security and Service Mesh
Security is the most critical part of an application to implement correctly. Fortunately for those using microservices, a service mesh allows you to handle security in a more efficient way, by combining security and operations capabilities into a transparent infrastructure layer that sits between the containerized application and the network. Emerging today to address security in this environment is the convergence of the Zero-trust approach to network security and service mesh technology.
Here are some examples of attacks that a service mesh can help to mitigate:
- Service impersonation: A bad actor gains access to the private network for your applications, pretends to be an authorized service, and starts making requests for sensitive data.
- Unauthorized access: A legitimate service makes requests for sensitive data that it is not authorized to obtain.
- Packet sniffing: A bad actor gains access to your applications private network and captures sensitive data from legitimate requests going over the network.
- Data exfiltration: A bad actor sends sensitive data out of the protected network to a destination of their choosing.
So how can the tenets of Zero-trust security and a service mesh enable Zero Trust in the microservices environment? And how can Zero-trust capabilities help organizations address and demonstrate compliance with increasingly stringent industry regulations?
Security within the Kubernetes Cluster
While there are plenty of Zero-trust networking solutions available for protecting the perimeter and the operation of corporate networks, there are a huge number of connections within a microservices environment that require protection. Fortunately, within Kubernetes clusters a service mesh can provide critical ways to implement and manage encryption, authentication, authorization, policy control and configuration.
Here are a few ways to approach enhancing your security with a service mesh:
- Simplify microservices security with incremental mTLS
- Manage identity, certificates and authorization
- Access control and enforcing the level of least privilege
- Monitoring, alerting and observability
A service mesh also adds controls over traffic ingress and egress at the perimeter. Allowed user behavior is addressed with role-based access control (RBAC). With these controls, the Zero-trust philosophy of “trust no one, authenticate everyone” stays in force by providing enforceable least privilege access to services in the mesh.
Service mesh providers can help organizations achieve a Zero-trust security posture by applying these concepts and features. Particularly, enterprise- and production-ready service meshes that extend capabilities to address enterprise security and compliance needs can also provide a user interface and dashboard that make it easier to deploy, monitor and configure these features.
If you’re interested in learning more about how these features, concepts, and service mesh can help you achieve Zero-trust security, check out this free white paper.
Feature image via Pixabay.
At this time, The New Stack does not allow comments directly on this website. We invite all readers who wish to discuss a story to visit us on Twitter or Facebook. We also welcome your news tips and feedback via email: feedback@thenewstack.io.