Tetrate Istio Distro Achieves FIPS Certification

Tetrate has achieved a unique milestone with an Istio distribution that has been verified to meet US Federal Information Processing Standard (FIPS) 140-2; in short, this distribution is FIPS 140-2 verified. You can access this distribution now from Tetrate (see tetratefips-v0) and can also consider Tetrate Istio Subscription, which includes support for this new distribution. This verified distribution is also included in the US Government’s Iron Bank repository for verified software. 

This FIPS-verified distribution is a specific build of the open source Istio project, the leading software platform for delivering service mesh architectures for use in developing and delivering cloud-native software. Istio is widely used with three other open source projects: Kubernetes container orchestration software, Envoy as a sidecar proxy, and Skywalking for observability. (Istio uses the Envoy proxy for its data plane, with Istio itself serving as the control plane.)

Federal certification is valuable for service mesh software because service mesh architectures in general, and Istio in particular, are used for the reference implementation of Zero Trust Architecture (ZTA). With US Government Executive Order 14028, ZTA has been endorsed by the federal government as a building block for secure software.

Tetrate Co-founder, Jeyappragash Jeyakeerthi (JJ), said, “We at Tetrate are very proud to have created the first FIPS-verified build for Istio. This is a goal we have had our eyes on since founding Tetrate in 2018. Our ongoing work with the US Government, including collaboration with the US National Institute of Standards and Testing (NIST), has helped us reach this high level of recognition for security in Istio service mesh.”

What FIPS 140-2 Verification Means

Because the Envoy proxy that is part of Istio encrypts and decrypts messages between services, Istio software is seen as containing a “cryptographic device” under US federal government standards. As such, Istio is assessed for its level of security standards adherence under FIPS 140-2, Security Requirements for Cryptographic Modules. 

There are several established providers of Istio distributions, any of whom can potentially meet FIPS 140-2 requirements. These requirements have a weaker and a stronger form: 

• FIPS 140-2 compliance. To be considered FIPS-compliant, the cryptographic module at the core of the encryption/decryption process must be tested and approved. In addition, the cipher suites used in the process must also be compliant. However, only these specific aspects of the product are tested and approved; the software as a whole is not. 
• FIPS 140-2 verification. For FIPS verification, a machine image of the software is produced and sent for testing at a government-approved testing lab. Testing takes weeks. If the software passes, that machine image only is FIPS 140-2 verified. When the developer wishes to update the software, they must create and deliver a new machine image, which goes through the same testing. 

When you use FIPS 140-2 verified (not just compliant) software, you know the specific machine image you are running has been tested, meeting the highest standard available. 

Why is Tetrate First?

Why is Tetrate the first company to create an Istio distribution that meets the very high bar of FIPS 140-2 verification, not just compliance? There are a number of contributing factors:

• Founders and maintainers. Tetrate was founded and is staffed by founders and key maintainers of the Istio and Envoy open source projects, as well as the related Skywalking observability project. Our expertise is unrivaled. 
• Original intent. This certification has been an important goal for Tetrate since the company’s founding in 2018. 
• FIPS 140-2 compliance. Tetrate was the first for-profit company to reach the first level, FIPS compliance for Istio. A few others have followed. 
• FIPS 140-2 verification. Tetrate has recently become the first company to reach the highest level, FIPS 140-2 verification for Istio. No one else has followed.
• NIST collaboration. Tetrate has been cooperating with the National Institute of Standards and Technology (NIST) from the beginning, and we started our annual NIST|Tetrate Conference on service mesh and related topics three years ago, in 2020. 
• NIST standards contribution. Senior Tetrate engineers have contributed to NIST standards on this topic from the beginning, such as SP 800-204A and SP 800-204B. 
• US Government usage. Tetrate is a key vendor for the US Air Force Platform One project, which use service mesh and a DevSecOps approach. 
• No forks in the road. Unlike others, Tetrate has not created rival open source projects to Istio and Envoy, controlled by one company for its own benefit. 

## What Will Be the Impact of FIPS 140-2 Certification for Istio?

People want the most secure software available, especially when the software in question is a key platform such as Istio. So the availability of a FIPS 140-2 verified version of Istio will have a big impact across the market for software development and delivery. 

Cybersecurity is a steadily growing concern across the entire economy. Cyberattacks are occurring at all levels of business, government, education, nonprofit organizations, and for individuals, affecting critical infrastructure in areas such as health care and energy. National security is also threatened by the growing impact of cyberattacks. 

Now, there’s a solution that offers the best of new technology and the assurance of US government certification – not simply compliance, the first level. The immediate impact of this new certification will play out in stages across the US Federal Government and the economy as a whole:

• US government agencies/projects that require FIPS 140-2 verification. Some secure projects require that relevant software and hardware they use meet FIPS 140-2 verification. These agencies and projects can now use Istio, in the form of Tetrate’s 140-2 verified Istio distribution. 
• US government agencies/projects that require “best available” FIPS 140-2 adherence. Until now, the “best available” FIPS 140-2 adherence was compliance. But, as there is now a verified Istio distribution available, these agencies and projects will need to use the new, verified Tetrate Istio distribution. 
• Vendors that sell to the US government. Vendors that sell software and software-related services to US agencies and projects will now find it either necessary, or highly desirable, to use the FIPS 140-2 verified Tetrate Istio distribution. 
• Security-sensitive industry sectors. Security-sensitive industry sectors such as ecommerce, financial services, and healthcare are quick to adopt US government standards and practices. They will be quick to move to the most secure version available, from Tetrate. 
• Other industry sectors. As service mesh, Istio, and use of verified Istio software become widespread, other industry sectors will also require a verified, not merely compliant, solution. 

What Makes Service Mesh the More Secure Option? 

A service mesh combines recent advances in software architecture to create an agile, reliable, and secure framework for software development and delivery:

• Containerized software. Software is delivered in containers that include necessary supporting software, insulating software from its runtime environment. 
• Kubernetes for container orchestration. Kubernetes manages container instances. 
• Microservices architecture. Software that was once delivered as a single monolithic entity is divided into multiple services that interact to provide desired functionality. 
• Sidecar proxy. At runtime, each instance of a software service is provided with an instance of a sidecar proxy. The proxy handles messaging between service instances, and between service instances and the control plane. 
• Service mesh. Messages from one sidecar proxy to another, and from sidecar proxies to the control plane, form a web of interaction: a service mesh. Security concerns are largely abstracted away from services and into the mesh, which can be maintained independently. 

The service mesh architecture is more secure because of the role of the sidecar proxy instances. Proxies provide functionality that create a secure environment within the application: they authorize, authenticate, and use transport level security (TLS) to encrypt/decrypt every message sent or received by a software service. (Think of it as https, within the application.) 

In addition to functions that have security as a direct concern, such as message encryption and decryption, proxies also handle functions like service discovery and load balancing across active service instances in a standard fashion. Because proxies are identical to each other, the provision of security and other runtime functionality is highly standardized. The services provided, and the fact that they are standardized, makes it easier to create and maintain a secure environment across the entire application. 

The service mesh serves as a new security kernel. The role of the proxy instances is such that neither the proxy instances, nor the service mesh as a whole, can be bypassed. The code that establishes the mesh can be scrutinized and hardened in a way that cannot be achieved by alternatives, such as sprinkling security code throughout application code or using security tools that operate at Layer 3 or Layer 4 of the OSI stack. Also, because the service mesh code is separate from application code, it can’t be modified at runtime. 

An application using service mesh also tends to be reliable – because it’s secure and standardized – and agile, because small units of software functionality can be updated, tested, and delivered one at a time, without changing anything else in the mesh. 

Next Steps

You can get the FIPS-compliant machine image for Istio (see tetratefips-v0) directly from Tetrate, for free. You can also obtain support via Tetrate Istio Subscription, available from Tetrate or directly on AWS. For more information, contact Tetrate.