There is a lot going on with cloud computing, containers and microservices. Following is a summary of what information security professionals need to know about one very important idea: the Service Mesh.
- What is it? Service Mesh controls, monitors, and secures service-to-service communication (also for container-to-container communication)
- What does it achieve? It moves/offloads security of communication from “service/application” to platform.
- Where is it placed? It sits “next to” each service as a set of proxies (typically one sidecar proxy per service instance) and is usually part of a Kubernetes cluster.
- How does it achieve its goals? Service Mesh implements a control plane and a data plane. The control plane distributes and enforces policies, whereas the data plane (the proxies) carries the communication among services.
- Is Service Mesh useful in every case? It is only beneficial when your application uses microservices. Also, if your application uses a service bus like Kafka, Service Mesh will not buy you much.
- What can a service mesh do? It can provide necessary security, reliability and observability functions. For example, it can implement transparent mutual TLS (mTLS) to establish communication between two services. It can also help identify latency and measure errors in inter-service communications (and much more). From a reliability perspective, a Service Mesh can perform actions like load balancing and retries in case a communication fails.
Why Should InfoSec Professionals Care?
Confidentiality, observability, and reliability of container-to-container/service-to-service communication are of great interest to infosec teams in modern microservices architecture.
- Why use Service Mesh, especially in the Cloud? Since communication between two services hosted in the Cloud takes place over Cloud infrastructure controlled by Cloud service providers (CSP), it is essential to ensure end-to-end encryption to protect confidentiality of information flowing between two services. With mTLS, Service Mesh provides both authentication/authorization as well as confidentiality by encrypting all traffic.
- Can we enforce policy and implement zero trust architecture? Yes, with a service mesh, zero trust for containers and services can be realized: every request carries a cryptographic workload identity, and policy decides which identities may talk to which services.
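As an added example (not part of the original summary and not configuration shipped by the Istio project), the two Istio resources below show how the mTLS and policy-enforcement points above look in practice: a PeerAuthentication that refuses any plaintext traffic to workloads in a namespace, and an AuthorizationPolicy that lets only one named service account reach the payments workload. The namespace, labels, paths and service-account names are assumptions chosen for illustration.

```yaml
# Added example, not from the page: Istio mesh security resources.
# Namespace "shop", app label "payments", path "/charge" and service
# account "frontend" are assumed names for illustration.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  # STRICT: sidecars accept only mutual-TLS connections; plaintext from a
  # workload without a sidecar is refused. PERMISSIVE (the default) accepts
  # both and is a migration setting, not one to keep in production.
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE identity carried in the client's mTLS certificate; only
        # this service account may call payments, and only for /charge.
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/charge"]
```

Once an ALLOW policy selects a workload, the sidecar denies every request that matches no rule, so a call from any other service account, or one that arrives without a client certificate, is answered with HTTP 403 by the proxy rather than reaching the application; those denials appear in the sidecar access log, which is the observability hook mentioned above. `kubectl get peerauthentication,authorizationpolicy -n shop` lists what is in force in the namespace.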
Open Source Service Mesh Technologies
There are many technologies available, both in open source as well as from CSPs. Two commonly used open source technologies are listed below:
- Linkerd – https://linkerd.io/
- Istio – https://istio.io/