DevSecOps, Service Mesh, and Zero Trust Architecture

NIST-Tetrate DevSecOps and Zero Trust Architecture for Multi-Cloud Environments conference Jan. 27, 2020

Tetrate and NIST co-hosted our second annual conference last week focusing on foundational approaches to security in the era of microservices: DevSecOps and Zero Trust Architecture in Multi-Cloud Environments. The one-day event took place virtually on Jan. 27, 2021. Here are some highlights!

In attendance: by the numbers

With more than 1,000 people registered, we had a robust audience representing a diverse swath of both enterprise and governmental agencies. Groups of 40-80 attended each of the networking breakout rooms at lunch on zero trust, DevSecOps, service mesh, and multi-cloud. Thanks to the audience, thoughtful questions asked in the main session chat and in the lunch breakout rooms kept the conference rich and lively.

1063 people registered for the NIST conference; 650 attended live.

Speakers and sessions

The conference kicked off with a keynote from Tetrate CEO Varun Talwar, followed by sessions featuring NIST scientists and IT leaders from the U.S. Air Force, Departments of Commerce (DoC) and Homeland Security (DHS), and the Food & Drug Administration (FDA), as well as cybersecurity experts and engineers from RSA, Flexport, the University of Maryland and Tetrate.

The full recording is posted here and divided into four sessions:

Session 1

Varun Talwar opened the conversation framing service mesh, “zero trust” and DevSecOps as necessary, foundational approaches to security today, noting that API abuses will be the most frequent attack vector by 2022.
Dr. Ronald Ross, NIST Fellow, presented on the imperative to reduce and manage complexity in cybersecurity that is no longer served by the paradigm of the perimeter.
And Zack Butcher from Tetrate and Ramaswamy Chandramouli from NIST presented on the just-released draft of their NIST special publication on ABAC and Next Generation Access Control (NGAC) used in a service mesh– an internal implementation guideline for federal projects.

“Instead of providing piecemeal security solutions for each of the components, we have this wonderful concept called a service mesh.” –Ramaswamy Chandramouli

Zack Butcher "The service mesh itself can be a kernel, a tightly controlled element of our system that we can audit and inspect more closely to assert that it is safe."

Session 2:

Dr. Zulfikar Ramzan, CTO of RSA, spoke on the history and future of “zero trust,” describing it as a “mindset” whose foundational concepts are secure access, strict (“need-to-know basis”) access control, and traffic monitoring.

Tetrate tweet: Zulfikar Ramzan has talked about zero trust as a mindset, not a strategy, product, or framework. The underlying philosophy is decades old. He advises using a risk-driven view to reduce the trust surface, without losing sight of business requirements.

Nicolas Chaillan, Chief Software Officer for the Air Force and co-lead of the Department of Defense Enterprise DevSecOps initiative, described how Platform One has implemented DevSecOps standards and tools like Istio service mesh that bake in layers of preemptive security to thwart attacks and to “ensure mission-critical applications are deployed with secure, resilient miniservices and microservices operations.”
Tetrate’s Adam Zwickey described how the benefits of having a DevSecOps “assembly line” model accrue to potentially hundreds of developers and hundreds or thousands of services across an enterprise.

“If you’re not using a service mesh, you’re probably not going to be able to move at the pace of relevance.” –Nicolas Chaillan

Session 3:

Ignasi Barrera of Tetrate and Joshua Roberts from NIST opened the afternoon session with live demos: Barrera demonstrated identity provisioning in a service mesh, and Roberts demonstrated the use of next generation data access control for federated sharing of database resources

Andrew Weiss, Lead Architect and Technical Advisor, UMBC, led a session on “Blockchain-based Secure Software Assets Management (BloSS@M).

Kevin Paige of Flexport, who is preparing to use Istio in production, spoke on the “transition to service mesh,” outlining how teams in an organization map onto a traditional security infrastructure vs. a mesh architecture.

A typical organization’s security infrastructure has network, firewall, and load balacer teams overseeing the perimeter while the sercurity and perimeter teams’ domain includes the API gateway and identity providers and app teams maintain applications.

The same teams oversee a service mesh, but the teams are less siloed. The network and firewall teams maintain the management plane and the edge gateway with the load balancer team, which also controls the app ingress gateway. The security teams have purview over every part of the infra; the platform teams over the mesh control plane, ingress gateway and data plane; and the app teams over the services and proxies in the data plane.

Session 4:

The final session was a “fireside chat” panel session with thought leaders Chaillan, Butcher, André Mendes (DoC), Dr. Sorin Nastea (FDA), and James Younger (DHS), moderated by NIST’s Dr. Michaela Iorga.

What’s next:

To read more, Tetrate offers a complimentary white paper on zero trust.
Tetrate and NIST have collaborated to implement NIST’s Next Generation Access Control standard; contact Tetrate to learn more.
Share your takeaways on Twitter #NIST_Tetrate
Slide decks from the presenters will be shared once available.
Tetrate Service Bridge helps deliver zero trust architecture with authentication, dynamic authorization, encryption, service discovery, request routing, load balancing, self-healing recovery, and service instrumentation. It implements NIST’s Next Generation Access Control standard; contact Tetrate to learn more.

Blog

DevSecOps, Service Mesh, and Zero Trust Architecture: A Recap of the 2021 NIST-Tetrate Conference

Article content