FIPS Certification, Istio, Tetrate, Zero Trust

How Tetrate Istio Distro Became the First FIPS-Compliant Istio Distribution

Federal information systems need FedRAMP approval for authority to operate.  To get that approval, they must comply with the Federal Information Processing Standards (FIPS). For cryptography, this means that if you’re a U.S. government agency or a vendor or contractor supplying the government, you must use FIPS 140-2 compliant modules wherever encryption is required. If you want to use Istio or Envoy in those systems, you can’t use the stock community builds of Istio and Envoy, since they don’t use FIPS-compliant cryptography modules and are thus not suitable for a FedRAMP environment.

Tetrate enables government organizations to meet this requirement by supplying Istio users with the first FIPS-verified open source distribution of Istio and Envoy as part of Tetrate’s hardened and performant Tetrate Istio Distro

In this article we will lay out the basics of FIPS compliance, what it means for Istio and Envoy, and the surest way to get to production with Istio in a FIPS-regulated environment.

TL;DR

  • Software used by federal information systems must be FIPS compliant.
  • Stock builds of Istio and Envoy are not FIPS compliant.
  • Tetrate offers the first FIPS-certified builds of Istio and Envoy with its open source Istio distribution, Tetrate Istio Distro, plus enterprise support with Tetrate Istio Subscription.

To find out more about FIPS and Istio, download our free Primer on Zero Trust and FIPS for Cloud Native Applications.

Read More
ABAC, Istio, Security, Service Mesh, Tetrate, Zero Trust

Top 5 Kubernetes Security Best Practices for Authentication and Authorization

Background

As we’ve written here before, there’s increasing urgency for organizations—especially those operating in a regulatory environment—to adopt a zero trust network architecture. Just what that means and how to do it may not be immediately clear. When it comes to microservices applications, the National Institute of Standards and Technology (NIST) offers guidance for microservices security in the SP 800-204 series, co-written by Tetrate co-founder Zack Butcher (which we’ve also covered on this blog).

NIST’s reference architecture for microservices security is Kubernetes and the Istio service mesh. In this article, we’ll look at NIST’s recommendations for using a service mesh for authentication and authorization in microservices applications.

At the heart of a zero trust posture is the assumption that an attacker is already in your network. All of these policy recommendations will help prevent potential attackers from pivoting to other resources should they breach your network perimeter. If you use a service mesh as described in the NIST reference platform, all of these capabilities are built into a dedicated infrastructure layer that acts as a security kernel for microservices applications. This means security policy can be applied consistently (and provably) across all your apps—and so your product development teams don’t have to be security experts for your apps to run safely.Service mesh allows fine-grained access control to be layered on top of traditional security measures as part of a defense-in-depth strategy. The mesh sits as a powerful middle layer in the infrastructure: above the physical network and L3/L4 controls you implement, but under the application. This allows more brittle and slower-to-change lower layers to be configured more loosely—allowing more agility up the stack—because controls are accounted for at higher layers.

Read More
Security, Service Mesh, Zero Trust

How Service Mesh Layers Microservices Security with Traditional Security to Move Fast Safely

This is the first in a series of service mesh best practices articles excerpted from Tetrate’s forthcoming book, Istio in Production by Tetrate founding engineer Zack Butcher.

One of the biggest questions we get from enterprises implementing the mesh is “which controls do I still need, and which does the mesh provide?” In other words, they’re wondering how the mesh fits into an existing security model. We’ve seen that the mesh is most effective as the inner ring in a concentric set of security controls implemented at each layer from the physical network up to the application itself.

Read More
mTLS Traffic Encryption
Istio, mTLS, Service Mesh, Zero Trust

How Istio’s mTLS Traffic Encryption Works as Part of a Zero Trust Security Posture

The Istio service mesh offers cloud native deployments a standard way to implement automatic mutual transport layer security (mTLS). This reduces the attack surface of network communication by using strong identities to establish encrypted channels between workloads within the mesh that are both confidential and tamper-resistant. mTLS is a key component for building zero-trust application networks. To understand mTLS traffic encryption in Istio, this article will cover the following:

  • An overview of TLS, mTLS, and TLS termination
  • An introduction to howTLS encryption works in Istio
  • How to use Istio to implement mTLS in Kubernetes
  • A discussion of when you do and don’t need mTLS
Read More
Future of Istio
Istio, Zero Trust

The Future of Istio: the Path to Zero Trust Security

In September 2022, Istio became a CNCF incubation project and launched the new Ambient Mesh. With CNCF’s strong community and marketing resources, and Ambient Mesh further lowering the barrier to trying Istio, the five year old open source project has been revitalized.

If you don’t know about service mesh and Istio, or are curious about the future of Istio, this eBook—The Current State and Future of the Istio Service Mesh will give you the answers. The following is an excerpt from the book. In my view, the future of Istio lies in being the infrastructure for zero-trust network and hybrid cloud.

Read More
Kubernetes, Security, Zero Trust

Zero Trust for Kubernetes

Traditional network security relies on a strong defensive perimeter around a trusted internal network to keep bad actors out and sensitive data in. In an increasingly complex networking environment, maintaining a robust perimeter is increasingly difficult.

Read More
Zero Trust for Applications
Kubernetes, Tetrate Service Bridge, Zero Trust

Implementing Zero Trust for Applications with the Tanzu Application Platform and Tetrate Service Bridge (TSB)

More and more organizations today use microservices and distributed architectures to achieve agility and scale; the most recent CNCF survey, for example, finds that more than 50% of organizations are using Kubernetes in production. At the same time, we’re seeing a growing number (including most of our customers), adopting a multi-cloud strategy – due to changing business needs. Enterprises now require the ability to allow different parts of the organization to use best-in-class functionality for their use cases, or an acquisition driven business model. They deploy their applications into the public cloud (Google, Amazon, Azure, etc.) as well as on-premises, including both Kubernetes and virtual machine-based workloads.

Read More
microservices applications using a service mesh
ABAC, NGAC, Security, Tetrate, Zero Trust

NIST-Tetrate 2021 Conference Talk: ABAC for microservices applications using a service mesh

Access control is fundamental to application security. Modern applications, more than ever, need a flexible access control mechanism that can succinctly express access rules, take into account a large number of objects and dynamic runtime attributes, and be evaluated efficiently at runtime. These rules must also be both intelligible and auditable so the current state of access policy enforcement is knowable and can be easily understood. 

Read More