Tetrate Contributes Expertise in Microservice and AI Security to FINOS Standards
Tetrate is contributing its expertise in microservice and AI security to the development of FINOS standards, helping to shape the future of secure financial technology.

Tetrate Joins FINOS
Tetrate has joined FINOS and we’ve begun to contribute in a big way: grounding FINOS’s guidance in the standards and regulatory regimes that guide our industry. Starting with the brand new FINOS AI Governance Framework, we’ve begun to map each risk, prevention, and mitigation to the relevant element in guidance documents such as the EU AI Act, ISO 42001, the FFIEC IT Handbook, NIST 800-53, and others. The result is guidance that is more actionable, can more easily be tied to attestation and risk assessment tools, and provides a translation from new AI concepts to existing and well-known security patterns and practices.
Enabling Secure, Compliant Application Traffic
Tetrate helps enable our customers to deliver their application traffic securely, reliably, and with speed. Many of those customers are banks and government agencies that operate in highly regulated environments, so a critical part of that is helping them satisfy a variety of regulatory regimes for a bunch of different auditors. But we were held back by auditors using dated guidance. So we leveraged our existing relationship with NIST – a collaborative research agreement on cutting-edge access control – to begin to write up-to-date standards. This has resulted in six standards so far, with more in the queue, covering:
Recent Standards and Guidance Contributions
Securing microservice deployments in multi-site/multi-cloud environments (NIST SP 800-204A): A progressive series of detailed guides for securing complex, modern application architectures by leveraging service meshes and integrating security from the very beginning of the development process. It addresses crucial topics including offloading cross-cutting functionality like authentication and authorization (NIST SP 800-204B), securing the delivery of those applications (NIST SP 800-204C), and guidance on implementation details, like when to use which data plane implementation (NIST SP 800-233).
Identity-Based Segmentation (NIST SP 800-207A): A practical and actionable minimum definition of zero trust at runtime that sets the standard in establishing and continuously verifying trust for users, services, and devices in dynamic, distributed systems, moving beyond traditional network perimeter-based security.
The first guidance on API security from NIST (NIST SP 800-228): An industry-first, comprehensive framework for identifying and analyzing risks throughout the entire API lifecycle – from initial design and development (pre-runtime) to deployment and ongoing operation (runtime).
Bridging Standards and Real-World Security
This work has given us a wealth of experience in relating practical, realistic, and actionable security improvements to standards and regulations required by government and industry bodies. The FINOS AI Governance Framework was an obvious place to leverage that expertise: helping our customers understand and manage the newest type of application traffic on the block.
Governing Agent-Oriented and AI Traffic
And that’s largely how Tetrate sees it: traffic to and from agents is traffic between applications. We need to govern and secure it with tools and techniques similar to those we use to govern and secure our existing applications and APIs. But agent-oriented traffic presents a novel set of challenges on top of traditional APIs: nondeterministic output, access to a wealth of sensitive data, and usage across every facet of the organization. As a result, we need new tools, techniques, and practices layered on top of our existing network and API security.
Implementing Controls with Tetrate and FINOS
FINOS’s AI Governance Framework helps guide what those tools, techniques, and practices need to accomplish. Tetrate’s contributions help ground that guidance in existing frameworks. And of course Tetrate’s suite of products helps enable you to implement those controls in your own infrastructure, from basics like inventorying services, APIs, and agent usage in your environment all the way to advanced controls like zero trust access, guardrails on AI input and output, and more.
Looking Ahead
This is just the start. Going forward, we are eager to continue our collaboration with FINOS, NIST, and others to develop standards that make AI and microservices adoption faster and more secure for all.