FIPS Certification, Istio, Tetrate, Zero Trust

How Tetrate Istio Distro Became the First FIPS-Compliant Istio Distribution

Federal information systems need FedRAMP approval for authority to operate. To get that approval, they must comply with the Federal Information Processing Standards (FIPS). For cryptography, this means that if you’re a U.S. government agency or a vendor or contractor supplying the government, you must use FIPS 140-2 compliant modules wherever encryption is required. If you want to use Istio or Envoy in those systems, you can’t use the stock community builds of Istio and Envoy, since they don’t use FIPS-compliant cryptography modules and are thus not suitable for a FedRAMP environment.

Tetrate enables government organizations to meet this requirement by supplying Istio users with the first FIPS-verified open source distribution of Istio and Envoy as part of Tetrate’s hardened and performant Tetrate Istio Distro.

In this article we will lay out the basics of FIPS compliance, what it means for Istio and Envoy, and the surest way to get to production with Istio in a FIPS-regulated environment.

TL;DR

  • Software used by federal information systems must be FIPS compliant.
  • Stock builds of Istio and Envoy are not FIPS compliant.
  • Tetrate offers the first FIPS-certified builds of Istio and Envoy with its open source Istio distribution, Tetrate Istio Distro, plus enterprise support with Tetrate Istio Subscription.

To find out more about FIPS and Istio, download our free Primer on Zero Trust and FIPS for Cloud Native Applications.

ABAC, Istio, Security, Service Mesh, Tetrate, Zero Trust

Top 5 Kubernetes Security Best Practices for Authentication and Authorization

Background

As we’ve written here before, there’s increasing urgency for organizations—especially those operating in a regulatory environment—to adopt a zero trust network architecture. Just what that means and how to do it may not be immediately clear. When it comes to microservices applications, the National Institute of Standards and Technology (NIST) offers guidance for microservices security in the SP 800-204 series, co-written by Tetrate co-founder Zack Butcher (which we’ve also covered on this blog).

NIST’s reference architecture for microservices security is Kubernetes and the Istio service mesh. In this article, we’ll look at NIST’s recommendations for using a service mesh for authentication and authorization in microservices applications.

At the heart of a zero trust posture is the assumption that an attacker is already in your network. All of these policy recommendations will help prevent potential attackers from pivoting to other resources should they breach your network perimeter. If you use a service mesh as described in the NIST reference platform, all of these capabilities are built into a dedicated infrastructure layer that acts as a security kernel for microservices applications. This means security policy can be applied consistently (and provably) across all your apps—and so your product development teams don’t have to be security experts for your apps to run safely.

Service mesh allows fine-grained access control to be layered on top of traditional security measures as part of a defense-in-depth strategy. The mesh sits as a powerful middle layer in the infrastructure: above the physical network and L3/L4 controls you implement, but under the application. This allows more brittle and slower-to-change lower layers to be configured more loosely—allowing more agility up the stack—because controls are accounted for at higher layers.

Kubernetes, Tetrate

Tetrate’s Year in Review: 2021

As we shift into 2022, we’d like to share some of the highlights and milestones Tetrate has reached in 2021 with your support. Since its founding in March 2018, Tetrate has been growing its capacity to fulfill what it set out to do: to reimagine application networking. This, our fourth year, was bookended by our Series B fundraising round led by Sapphire Ventures and our recent designation as a Gartner Cool Vendor for Cloud Computing. Here’s a snapshot of top company milestones we accomplished together in 2021:

Announcements

Tetrate Announces Opening of Asia Pacific Office in Singapore

Today, Tetrate, the leader in application-aware networking and service mesh technologies, announced the opening of a Singapore office to expand the company’s presence in the APAC region. Tetrate appointed Karthik Viswanathan as the APAC sales leader and Adrian Cole as head of engineering to build out its team in Asia. Viswanathan has grown sales organizations for CloudHealth (acquired by VMware) and Fortinet, and Cole is a co-founder and major contributor to open source projects like JClouds, Spring Cloud Sleuth and OpenZipkin. Earlier this year in March, Tetrate raised $40 million in a Series B funding round led by Sapphire Ventures. Other investors include Scale Venture Partners, NTTVC, Dell Technologies Capital, Intel Capital, 8VC, and Samsung NEXT.

Announcements, Istio, Open Source, Service Mesh, Tetrate

Tetrate launches Industry-first exam for Certified Istio Administrator

Enterprises are increasing their investments in digital transformation and in hiring the right talent to accelerate the journey. According to the 2020 open source jobs report from the Linux Foundation, 52% of hiring managers are more likely to hire someone with a certification, up from 47% two years ago. Not so surprisingly, 93% of hiring managers report difficulty finding sufficient talent. Tetrate today announced the public availability of its exam for Certified Istio Administrator by Tetrate (CIAT), which evaluates the skill, knowledge, and ability to install and configure the Istio service mesh, configure traffic management, resilience and fault injection, and use the security features of the Istio service mesh. This follows the February launch of the free training and certification course on Istio Fundamentals. Over 600 IT professionals have taken the training since then.

Envoy Proxy & GetEnvoy, Tetrate, Wasm

How to get started with Envoy extensions: Wasm and GetEnvoy

New tooling is now available to make it easier for developers to create custom extensions for the Envoy proxy.

In this interview (also available as a Make it Mesh podcast), Tetrate Engineer Yaroslav Skopets, an Envoy contributor and GetEnvoy maintainer, explains how WebAssembly (Wasm) makes Envoy extensibility more accessible, and how developers can quickly get started with Tetrate’s open source GetEnvoy extensibility toolkit.

Envoy Proxy & GetEnvoy, Istio, Open Source, Security

Istio and Envoy Security Advisories

September 29, 2020 — The Envoy Product Security Team (PST) announced the availability of a security fix and a series of patches for Envoy versions 1.12, 1.13, 1.14 and 1.15 to address two high-risk vulnerabilities related to header values and HTTP URL paths (see CVE-2020-25017). Additionally, the Istio community recommends that users upgrade to 1.6.11 or later for 1.6.x deployments, or to 1.7.3 or later for 1.7.x deployments.
