Tetrate is among the leading proponents of zero-trust architectures, helping NIST define the standards, and enabling public and private enterprises to pursue a zero-trust strategy — powered by the service mesh at its core. We’re recognized leaders in this space: we have been the exclusive co-hosts of an annual conference with the National Institute of Standards and Technology (NIST) on this topic for three years so far, and counting, as mentioned below. We’ve recently been recognized by Gartner as a Cool Vendor for Cloud Computing, and we were recognized by IDC as an IDC Innovator 2021. We were also named one of the Top 10 Hottest Cloud Computing Startups of 2021 by CRN.
Istio and Envoy are the two crucial open-source projects for service mesh and, therefore, for zero trust. And our products – Tetrate Service Bridge (TSB), an application connectivity platform; Tetrate Cloud, a managed service offering for TSB; and the Tetrate Istio Subscription, which includes Envoy – are critical building blocks for the move to service mesh and zero trust. We also work with NIST to help create US government standards for zero trust.
We were excited to see that the US government, a Tetrate customer, has taken additional steps to endorse zero trust as its cybersecurity approach of choice, government-wide. On Wednesday, January 26th, we co-hosted the third annual Tetrate-NIST virtual conference, Zero Trust Architecture and DevSecOps for Cloud-Native Applications. We had a great event, but the federal government truly made our day, and that of other conference attendees with their announcement, in the form of a memo from the Office of Management and Budget.
The memo, “Moving the U.S. Government Towards Zero Trust Cybersecurity Principles,” follows up on Executive Order 14028, Improving the Nation’s Cybersecurity, released last May. In the memo, President Biden cites increasingly sophisticated cybercrimes that threaten the public and private sectors. (One article describes cyberattacks as “the new WMD,” for weapons of mass destruction.)
As a crucial part of the response, the government commits to “advance toward Zero Trust Architecture.” In this blog post, we’ll explain what’s happening; describe zero trust; share why the government has endorsed it; and describe what this initiative means for IT professionals worldwide. Consider sharing this post widely with colleagues, and using it to help you decide whether, and how quickly, to move to zero trust in your own organization.
What Has Been Announced?
The government put together a website, at zerotrust.cyber.gov, to host some of the key documents supporting the executive order. They include:
- Executive Order 14028 itself, described above. The Order commits the federal government to “advance toward Zero Trust Architecture,” among other key goals.
- Federal Zero Trust Strategy, from the Office of Management and Budget, is summarized nicely in this article.
- Zero Trust Maturity Model, from the Cybersecurity and Infrastructure Security Agency (CISA). You can use this model to help assess your organization’s readiness in the journey to zero trust.
- Cloud Security Technical Reference Architecture, also from CISA. You can use this architecture to assess your organization’s progress in moving to the cloud.
These resources refer to several critical documents from the US National Institute of Standards and Technology (NIST), defining standards for zero trust:
- Special Publication (SP) 800-207 defines zero trust architecture
- SP 800-204, SP 800-204A, and SP 800-204B, co-authored by Zack Butcher, founding engineer at Tetrate, offer deployment recommendations
Using technologies in compliance with these Special Publications will help organizations move faster in their journey to achieving ZTA.
Within 60 days of the memo, the head of each Federal Government agency was required to update existing plans to prioritize moving to the cloud and develop a plan to implement zero trust architecture. The migration to cloud technology must also implement zero trust architecture.
Why Does This Matter?
If you work in IT for a federal agency, this matters tremendously, and you are probably already busy working to help meet the deadlines set out in the Executive Order.
If your organization is not a federal government agency, why should you care?
There are three key reasons:
- If your organization sells to or partners with the federal government, including the Department of Defense, you are likely to come under increasing pressure, eventually even mandates, to move to a zero trust security approach.
- Federal standards often set the agenda for other governments (inside and outside the US), their suppliers, and the private sector as a whole.
- IT security is an ever-more-important concern for all organizations. Zero Trust and service mesh are now very likely to be the most widely used, best supported, and most effective approach to securing your IT operations and applications.
There’s a harsh saying in Silicon Valley that captures the choice organizations have to make when a new standard emerges: “get on the train or die.” That may be the choice organizations face with regard to zero trust and service mesh.
What is Zero Trust?
With all this push toward zero trust architecture, what does it mean? Like trying to describe an elephant, you may take a different view, depending on which end of the issue you start with.
The key principle of zero trust is that security is not something that can be added to a system after the fact. There is no perimeter, physical or virtual, around any system that keeps bad guys from getting in. You have to assume that malicious actors already have access to physical systems.
As the Executive Order puts it, “the Zero Trust security model eliminates implicit trust.” Systems must grant the least access needed for each user to accomplish tasks at the level they are authenticated and authorized for. Comprehensive security is built into applications and systems.
This has three different sets of implications:
- For users seeking to access systems – authorization and authentication need to be made more rigorous. Virtual private networks (VPNs), in particular, come in for criticism. They are regarded as the very kind of “perimeter-based defense” that zero trust says can no longer be counted on. “Users should log into applications, rather than networks.” Single sign-on, multi-factor authentication, and information about a device’s context must be used together to authenticate each user.
- For application development and delivery, different software components must authorize and authenticate themselves to each other. This requirement means that IT infrastructure people and platform engineering must either add this functionality to every level of an application or move to new architectures that build this functionality in – neither of which is something that can be done quickly or easily.
- Data must always be encrypted – not only in transit but also at rest. For instance, mTLS security, part of the HTTP/2 standard, must always be enforced. This is a fundamental concern, but some vendors treat it as if it were the only thing you (or they) need to do to ensure zero trust, ignoring the other implications listed above.
For user security, this article does a good job of describing what zero trust means, and the changes it will require. Here at Tetrate, we are mainly concerned with zero trust requirements for application development and delivery – what it takes to build and deliver a secure application.
What’s an IT Professional to Do?
We can recommend three steps for most IT professionals to take.
The first is to make sure your organization moves quickly to enhance authentication and authorization for end users. The current requirements are relatively well spelled out in the federal documents.
The second is to ensure that encryption is applied to all data, at rest or in transit. Comprehensive use of mTLS is an important part of the solution. Most cloud systems already implement this approach, but your on-premises systems must also rise to this level. The service mesh can be a big tool for achieving this across your entire system without changing the application code.
The third, and our area of expertise, is the use of zero trust architectures for application development and delivery. Internally, you should move to the use of a service mesh architecture for application development and delivery. You will also want to adopt a DevSecOps approach, adding security to the widely used DevOps paradigm.
If you are a government supplier, all of this is an immediate priority. If not, however, you still need to get conversant quickly, then start planning to implement a zero trust approach yourself.
You can begin by reading our white paper, Zero Trust Architecture, by Tetrate Founding Engineer Zack Butcher, a member of the steering committee for Istio. This paper explains the service mesh architecture and why it’s a superior approach for implementing zero trust in application development and delivery.
You can also learn from the sessions at the recent NIST | Tetrate conference we mentioned earlier. This includes a case study of Platform One, which uses Istio, as part of Tetrate Service Bridge, along with DevSecOps and zero trust architecture.
We will have blog posts about each session in the weeks ahead, including links to session videos coming soon from NIST.
If you would like to dive right in, we are happy to talk to you directly about moving to a service mesh approach. With the Federal Government as customers, using our products to implement zero trust architecture for application development and delivery, we are experts in all the concerns driving the Executive Order and the government initiatives that accompany it. So contact us to see how we can help.