Security of-the-Mesh and In-the-Mesh

Istio: A Service Mesh Platform

A service mesh acts as a layer 7 overlay network that can span on-premise, datacenter and cloud deployments. It provides routing, traffic shaping, load balancing, and telemetry, combined with security capabilities such as access control policies and encryption (mutual TLS). Istio is an open service mesh platform that connects, manages, and secures microservices. Istio provides layer 7 path-based routing, traffic shaping, load balancing, and telemetry. Access control policies can target both layer 7 and layer 4 properties to control access, routing, and more, based on service identity.

But when it comes to detecting and preventing advanced attack techniques, we need to deploy security controls that go beyond Kubernetes Network Policies or Istio service access policies. Such controls should be able to:

  • Define service-aware network policies for workloads that do not communicate inside the mesh.
  • Apply machine learning based profiling, detection and mitigation of post-intrusion events such as data exfiltration, lateral movement, and command and control communications, in particular over DNS, which Kubernetes relies on for service discovery.
  • Define policies for infrastructure and system services that operate outside the mesh, such as logging services and worker node monitoring.


Istio and Security

One of the goals and benefits of using Istio as a service-mesh infrastructure is improving the security of the cluster it is embedded in and the services it contains.

The security value of Istio has the following facets:

  • Istio authenticates workloads’ identities and issues and manages the certificates they use to establish mesh connectivity.
  • The service mesh traffic can be automatically encrypted, with mutual endpoint authentication, using mTLS.
  • Configurable authentication policies and secure naming information ensure traffic authorization at the transport layer.
  • Fine-grained role-based access control at the application-layer protocol can be used for micro-segmentation, further enhancing users’ ability to limit which services interact and in what ways.
  • The traffic observability that Istio offers, combined with external traffic profiling and analysis tools, enables security-related traffic auditing and monitoring for detection and investigation of network behavior anomalies.
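The transport-layer and application-layer facets above combine in practice as Istio policy resources. The following is an added example, not taken from the original page or from the Istio project: it enforces mesh-wide STRICT mTLS, denies all traffic in a namespace by default, and then allows only one caller's service identity to reach one workload's API. The `shop` namespace, the `app` labels, the service-account names and the `/api/orders/*` path are assumptions.

```yaml
# Added example: mesh-wide mTLS plus least-privilege authorization.
# A PeerAuthentication named "default" in the root namespace (istio-system)
# applies to every workload in the mesh. STRICT rejects plaintext, so every
# sidecar-to-sidecar connection is mutually authenticated with Istio-issued
# workload certificates.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Deny-by-default for the (assumed) "shop" namespace: an AuthorizationPolicy
# with no selector and no rules applies to every workload in the namespace
# and, because nothing matches, denies every request to them.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: shop
spec: {}
---
# Micro-segmentation at layer 7: only the "frontend" service account (its
# SPIFFE identity comes from the mTLS client certificate, so it cannot be
# spoofed by an IP or a header) may call GET/POST on the orders API of the
# workload labelled app=orders. Every other caller, method or path stays
# denied by the policy above.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend-to-orders
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/orders/*"]
```

The `principals` field only matches when mTLS is in effect, so a PERMISSIVE mesh where a client connects in plaintext would leave that rule unmatched and the request denied; verify with `istioctl authn tls-check` or the sidecar's access logs before switching a namespace to STRICT.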

To learn more, register for the webinar: Using Istio to Securely Monitor your Services