Istio recently announced “ambient mesh”—an experimental, “sidecar-less” deployment model for Istio. We’ve written about sidecar vs. sidecar-less recently in the context of getting the most performance and resiliency out of the service mesh. In this article, we’ll present our take on ambient mesh in particular.
Introduction to Service Mesh
A service mesh is an infrastructure layer that sits between application components and the network, mediating their communication through proxies. These components are often microservices, but any workload, from serverless containers to traditional n-tier applications in VMs or on bare metal, can participate in a mesh. Rather than each component communicating directly with other components over the network, the proxies mediate that communication. These proxies form the data plane, providing many capabilities for implementing security and traffic policy and producing telemetry about the services the proxies are deployed alongside.
One of the core ideas that motivates the zero trust architecture is the idea that “the attacker is already in the network.” Many of the projects, tools, and techniques we see gaining widespread adoption today for enabling a zero trust architecture were born out of companies that know this first-hand. One seminal event was the Snowden leaks in 2011, which prompted Google to adopt encryption in transit for all communications, even over their own internal network.
Today, every major organization is going through a massive digital transformation, adopting cloud, mobile, microservices, and container technologies to deliver services efficiently, meet critical business demands, and catch up with market expectations. To stay agile, organizations' platform and DevOps teams must design distributed, multi-cloud applications and services that are accessible from anywhere, at any time. This has given rise to two significant trends within organizations:
- As a growing number of organizations adopt multi-cloud, they deploy their applications into the public cloud (Google, Amazon, Azure, etc.), which means their data leaves the perceived safety of on-premises data centers.
- Organizations use microservices and distributed architecture to achieve agility and scale.
A critical vulnerability (CVE-2021-44228, CVSS score 10) was identified in the Java logging library Apache Log4j 2. Apache Log4j2 2.14.1 and below are susceptible to a remote code execution vulnerability that a remote attacker can exploit to take full control of a vulnerable machine.
Apache Log4j is used in many Java-based applications, so this vulnerability potentially affects a large number of organizations. As we continue to gain a deeper understanding of the impact of this threat, we will publish technical information to help you detect, investigate, and mitigate attacks. We will provide updates with more information and protection details as they become available.
Update at 2021-12-14: New, related CVE-2021-45046 has been disclosed and mitigations are included in this post.
Created by Istio founders, Tetrate Service Bridge (TSB) is the edge-to-workload application connectivity platform that provides enterprises with a consistent, unified way to connect and secure services across an entire mesh-managed environment.
It comes up regularly when we talk to customers and users who want to get started with Istio. How can trust work for me? If Istio has its own Certificate Authority, and I have mine, how can I make sure that they trust each other?
In an upcoming National Institute of Standards and Technology (NIST) special publication I’ve co-authored with NIST’s Ramaswamy Chandramouli, we’ll be presenting recommendations around safely and securely offloading authentication and authorization from application code to a service mesh.
Tetrate’s Zack Butcher’s recent AMA with the United States Air Force Chief Software Officer, Nicolas Chaillan, highlighted some significant achievements resulting from the Department of Defense’s move to open source technology and DevSecOps. Platform One is a group of Air Force software developers that build and secure technology tools used across the DoD as part of the Enterprise DevSecOps Initiative. Tetrate is a partner the DoD is working with on its modernization journey.
Security remains one of the primary drivers behind service mesh adoption today. In this virtual webinar to be held Oct. 21 at 11 a.m. (PDT), U.S. Air Force CSO Nicolas M. Chaillan will join Tetrate’s Zack Butcher to discuss “DevSecOps and IT Innovation with the Department of Defense.”