Why a Service Mesh architecture is the ideal way to deliver Zero Trust and BeyondCorp security

In our previous post on Zero Trust and BeyondCorp security, we discussed their shared core principles and outlined 4 guidelines for successful deployments: (1) make no changes to the network, (2) incrementally roll out new security measures without changing apps, (3) architect solutions that go beyond the perimeter, and (4) leverage existing enterprise tools. In this article, we’ll describe what a Service Mesh architecture is, how it implements these guidelines, and how it can help deliver Zero Trust and BeyondCorp security initiatives for your cloud environments.

What is a Service Mesh?

A Service Mesh is a distributed infrastructure layer that is characterized by:

  • A lightweight application-layer control point for each service
  • Centralized policies to manage all these control points as a single “mesh”
  • Deployment that is transparent to application code
  • Management that is independent of the network-layer

The Service Mesh control point is typically a sidecar proxy (such as Istio/Envoy), but may also be an application library (Finagle), a host proxy (Linkerd) or even a cloud load-balancer (AWS ALB).

Service Mesh architecture

Simplified representation of a service mesh architecture

While a lot of cool new Service Mesh technologies have been developed to manage modern microservices traffic and the concept has become particularly popular in the Kubernetes ecosystem, the Service Mesh approach has broad applicability to all environments, especially for Zero Trust and BeyondCorp security.

Approaches to Zero Trust and BeyondCorp

To dive into why a Service Mesh is ideally suited for Zero Trust security, we need to examine it against some existing Zero Trust architectures.

  • Next Gen Firewall - The grand-daddy of Zero Trust is the Next-Gen Firewall (NGFW), a physical or virtual networking god box provided by vendors such as Palo Alto Networks and Fortinet. NGFWs provide tons of security functionality, including intrusion prevention and deep packet inspection.

  • SDN Microsegmentation - In 2012, VMware paid roughly $1.3 billion to acquire a small startup called Nicira, which kick-started the Software-Defined Networking (SDN) market. Today, SDN solutions such as VMware NSX and Cisco ACI implement Zero Trust architectures via network microsegmentation.

  • Cloud DMZ - Companies such as Zscaler and Akamai deliver BeyondCorp and Zero Trust security by routing enterprise traffic through their managed De-Militarized Zone (DMZ) points of presence across the globe.

We’ll use this handy table to summarize the approaches:

Approaches to Zero Trust

Summary of approaches to Zero Trust and BeyondCorp

Application controls

A common characteristic of these Zero Trust and BeyondCorp approaches is that they all provide security without mandating any changes to the application. However, Microsegmentation solutions that operate solely at the network layer, and Cloud DMZs that inspect traffic far from the origin, lack the context to provide granular application-layer controls: they see IP addresses and ports, not service identities, users or requests. NGFWs do provide some application-layer controls, but in a bulky, expensive and hard-to-configure manner. A key characteristic of a Service Mesh is its ability to deliver application-layer authentication, authorization and encryption in a lightweight form factor, at a control point that sits next to every service.

Network controls

Deploying NGFWs and SDN Microsegmentation for Zero Trust initiatives involves a complicated network overhaul. While the investment might be worth it for organizations upgrading their traditional datacenters, it is wasteful for those migrating to the cloud, where every platform (AWS, Azure, OpenShift, etc.) already provides its own network layer. In addition, network controls are not portable across clouds and don’t provide application context, making the network the wrong layer for Zero Trust and BeyondCorp security. Service Mesh architectures are, by design, network agnostic: they enforce identity-based policy at the application layer and rely on the underlying platform to manage network isolation.

Unified security for users and services

NGFWs and Cloud DMZs are deployed and managed at the perimeter; they focus on delivering Zero Trust security for user-to-service communications. SDN Microsegmentation solutions are deployed ubiquitously on hypervisors and hosts; they focus on delivering Zero Trust security for service-to-service communications. Because a Service Mesh can be deployed ubiquitously across perimeters and hosts, and operates at the application layer, it has the unique ability to provide a unified Zero Trust security layer for both user-to-service and service-to-service communications.

Designed for cloud

While existing Zero Trust approaches do have their advantages, none of them is ideally suited to securing today’s workloads migrating to the public cloud, or future cloud-native and microservice applications. NGFWs seem to have grown too complex and bloated. Cloud DMZs force organizations to invest in additional clouds instead of leveraging the native capabilities of their primary cloud platforms. SDN Microsegmentation comes baked into every modern cloud but is insufficient for borderless deployments. These are not novel observations; security experts, including folks at Thoughtworks and Red Hat, have started evangelizing the Service Mesh as a future-proof way to deploy Zero Trust and BeyondCorp security.

Towards a Secure Service Mesh

As you can see, the Service Mesh approach fulfils our 4 guidelines for successful Zero Trust and BeyondCorp deployments: (1) make no changes to the network, (2) incrementally roll out new security measures without changing apps, (3) architect solutions that go beyond the perimeter, and (4) leverage existing enterprise tools.

Now, before you pull out your credit card to buy one, note that Service Mesh is not all sunshine and roses (yet!). Previous generations of security products built atop next-generation technologies with catchy abbreviations such as XACML, RASP, iptables and TCPXTN also promised Zero Trust nirvana but failed to expand beyond some niches.

At Banyan, we’ve been thinking about, and gathering customer feedback on, the requirements for Service Mesh to cross the Zero Trust chasm and gain widespread adoption among security teams. We’ve identified three key requirements. First, a Secure Service Mesh must have the capability to be inserted seamlessly into existing environments. While a lot of emphasis in the ecosystem is focused on greenfield apps built with containers, microservices and Kubernetes, an enterprise-ready service mesh needs to work transparently in brownfield applications and traditional non-container environments as well. Second, a Secure Service Mesh solution must not be limited to a single data plane. Since the approach relies on standard authentication protocols - mutual TLS (mTLS) for service identity and OpenID Connect for user identity - an ideal solution should be able to leverage open-source proxies as well as cloud-platform services that support these standards. Third, a Secure Service Mesh must be able to deliver (north-south) secure access from users and devices as well as (east-west) secure access from containers, processes and other services.
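To make the application-layer controls and the unified user-to-service / service-to-service model described above concrete, here is an added illustration using the open-source Istio data plane. It is not Banyan’s code or configuration; it is an example we wrote for this post. The namespace `orders`, the workload label `app: orders-api`, the caller identity `cluster.local/ns/checkout/sa/checkout` and the issuer `https://idp.example.com` are all placeholders. The three policies are applied to the sidecars, so the application itself is not modified.

```yaml
# Added example (not Banyan's code): Istio policies that put mTLS, user
# authentication and authorization in front of one service without
# touching its code. All names below are placeholders.

# 1. Encryption and service identity (east-west): every sidecar in the
#    namespace must present a mesh-issued client certificate. Plaintext
#    or unauthenticated connections are rejected by the proxy.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: orders
spec:
  mtls:
    mode: STRICT
---
# 2. User identity (north-south): the sidecar validates an OIDC-issued
#    JWT against the issuer's JWKS. The app never sees an unverified token.
#    Note: on its own this only rejects INVALID tokens; a request with NO
#    token still passes, which is why rule 3 requires a request principal.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: orders-jwt
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders-api
  jwtRules:
  - issuer: "https://idp.example.com"
    jwksUri: "https://idp.example.com/.well-known/jwks.json"
---
# 3. Authorization: one ALLOW policy covering both access paths. Anything
#    matching neither rule (including token-less requests) is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-access
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders-api
  action: ALLOW
  rules:
  # east-west: only the checkout workload's mTLS (SPIFFE) identity may
  # create orders
  - from:
    - source:
        principals: ["cluster.local/ns/checkout/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/orders"]
  # north-south: any user holding a valid token from our IdP may read orders
  # (requestPrincipals is "<issuer>/<subject>"; the wildcard matches any
  # subject from this issuer)
  - from:
    - source:
        requestPrincipals: ["https://idp.example.com/*"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/orders/*"]
```

Two practitioner notes. The `principals` field is populated from the client certificate, so it only means anything once `PeerAuthentication` is `STRICT`; in `PERMISSIVE` mode a plaintext caller simply has no principal and would silently fail the first rule rather than be caught as a policy violation. And the second rule is what actually enforces user authentication: `RequestAuthentication` alone lets a request with no `Authorization` header through, which is exactly the kind of gap a perimeter-only control would never see. This example also shows the limit the text points at under its first requirement: it protects only workloads that have a sidecar, so brownfield services on VMs need the mesh extended to them before they get the same treatment.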

After ~20 months of intense development and iteration, we’re excited to unveil the Banyan Secure Service Mesh. Banyan is the industry’s first Service Mesh that delivers Zero Trust and BeyondCorp security for today’s borderless cloud environments. Banyan is unique in this landscape because it:

  1. Inserts service mesh capabilities transparently into existing environments
  2. Supports multiple data planes including Istio/Envoy and AWS ALB
  3. Delivers secure access for user-to-service communications, in addition to service-to-service communications

Banyan’s approach to the service mesh is geared towards making cloud access controls simple AND secure for organizations of any scale and sophistication. In subsequent posts, we’ll talk about specific Banyan features for AWS and Azure that enable organizations to roll out BeyondCorp with just a few clicks, advanced capabilities around Zero Trust security for Kafka and Kubernetes environments, as well as customer success stories. Stay tuned …