Executive Summary
- Enterprise information security architecture has become increasingly important as information systems have evolved into critical business assets.
- Zero trust network architecture is emerging as a preferred approach for enterprises to secure both their traditional and modern, cloud-native applications. A key component of zero trust architecture is encryption in transit.
- The Istio service mesh acts as a security kernel for distributed applications and serves as the foundation of a zero trust architecture, including providing comprehensive encryption in transit between system components.
- Tetrate offers a FIPS-verified distribution of Istio specifically designed for organizations requiring FedRAMP authorization and other organizations in regulated environments where the stock builds of Istio and Envoy aren’t suitable.
- The Federal Information Processing Standards (FIPS) are the information security standards for the U.S. federal government. Information systems built and run by federal agencies, contractors, and vendors are required to adhere to FIPS.
- FIPS is also widely regarded as a set of robust and trustworthy security standards that is often adopted by private sector organizations.
- The National Institute of Standards and Technology (NIST), the standards body responsible for defining FIPS, runs a program (CMVP) to validate that cryptographic modules adhere to FIPS standards and are suitable for use in U.S. federal agency information systems. Those modules are said to be FIPS validated. Software certified by a CMVP-accredited laboratory as using FIPS-validated modules correctly is said to be FIPS verified.
- Tetrate offers a 100% upstream distribution of Istio and Envoy called Tetrate Istio Distro (TID) that is the first to be FIPS verified.
Why Information Security Architecture Is Important
Information security architecture has become increasingly important as information systems have evolved into critical business assets. Cyber crime has reached industrial scale at the same time that business-critical functionality is growing more sophisticated and powerful.
That power comes with greater complexity: there are more pieces and parts that need to communicate with each other over networks and more places where those components and users can operate outside the traditional data center and fortified network perimeter. These pieces, parts, people, places—and their access to each other—must all be secured.
Traditional security architecture has long followed the paradigm of a strongly fortified perimeter with more permissive access to internal systems once a user has been authenticated, authorized, and let through the castle gates. The complexity of modern, cloud-native applications and the associated risk to critical business assets and reputation have prompted many organizations (and the U.S. federal government) to rethink their information security architecture from the ground up.
Zero Trust Architecture Is the Future of Enterprise Network Security
Traditional network security relies on a strong defensive perimeter around a trusted internal network to keep bad actors out and sensitive data in. In an increasingly complex networking environment, maintaining a robust perimeter is increasingly difficult.
Zero trust network architecture is emerging as a preferred approach for enterprises to secure both their traditional and modern, cloud-native applications. Zero trust network architecture inverts the assumptions of perimeter security. In a zero trust network, every resource is protected internally as if it were exposed to the open internet.
Zack Butcher, Tetrate founding engineer and co-author of the NIST standards for microservices security, identifies the following five minimum core runtime requirements for a zero trust architecture:
- Communication within the system, with end-users, and with external systems should be encrypted (also known as encryption in transit) to ensure authenticity, integrity, and privacy;
- All service-to-service communication should be mutually authenticated;
- All service-to-service communication should be mutually authorized;
- All end-user communication should be authenticated;
- All end-user communication should be authorized.
As a dedicated infrastructure layer, the Istio service mesh acts as a security kernel for distributed applications that satisfies all five of these requirements. When we’re talking about FIPS, we’re solely focused on the first requirement: encryption in transit.
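The five requirements map onto Istio's standard security resources. The following is an added example, not configuration from the page or from Tetrate: PeerAuthentication in STRICT mode enforces encrypted, mutually authenticated service-to-service traffic (requirements 1 and 2), the first AuthorizationPolicy enforces mutual authorization by workload identity (3), RequestAuthentication validates end-user JWTs (4), and the second AuthorizationPolicy authorizes only authenticated end users (5). The namespace, workload label, service account and issuer values are assumed placeholders.

```yaml
# Requirements 1 and 2: encryption in transit and mutual authentication.
# STRICT rejects any plaintext connection to workloads in this namespace.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop            # assumed namespace
spec:
  mtls:
    mode: STRICT
---
# Requirement 3: service-to-service authorization.
# Only the "frontend" workload identity (SPIFFE principal) may call "orders".
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders            # assumed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]  # assumed service account
---
# Requirement 4: end-user authentication via JWT validation at the sidecar.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: frontend-jwt
  namespace: shop
spec:
  selector:
    matchLabels:
      app: frontend
  jwtRules:
  - issuer: "https://issuer.example.com"          # assumed identity provider
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
---
# Requirement 5: end-user authorization. Requests without a valid,
# verified JWT carry no requestPrincipal and are denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: frontend-require-user
  namespace: shop
spec:
  selector:
    matchLabels:
      app: frontend
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
```

Because an ALLOW policy denies everything it does not list, a request that is unauthenticated at either layer is rejected by the sidecar before it reaches application code.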
What Is FIPS?
FIPS is a set of standards for information processing systems that all U.S. federal agencies, contractors, and vendors must adhere to. FIPS is also widely regarded as a set of robust and trustworthy security standards that is often adopted by private sector organizations.
A key part of FIPS governs cryptographic modules, the specialized hardware, software, and/or firmware that encrypt data to ensure privacy and authenticity. NIST offers a validation program for cryptographic modules to ensure that validated modules are safe and approved for use in federal information systems.
FIPS. Federal Information Processing Standards are the information security standards for the federal government defined by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA). As part of FIPS, the standards for cryptography are evolving, with the FIPS 140-2 document currently in effect and FIPS 140-3 published but not yet required by authorizing officials (AOs), the officials who grant authorization to operate (ATO), which is required to run any software for government use.
CMVP. The Cryptographic Module Validation Program (CMVP), a joint effort between NIST and the Canadian Centre for Cyber Security, promotes the use of validated cryptographic modules. CMVP tracks crypto implementations that have been validated by auditors to conform to FIPS 140-2 and/or 140-3.
FedRAMP. FedRAMP, the most common ATO in the U.S. government, requires the use of FIPS 140-2 validated modules for encrypting data in transit and at rest.
What Is FIPS Validated vs Verified vs Certified?
FIPS validation. As part of CMVP, NIST authorizes independent labs to audit cryptographic modules submitted for review. Modules that pass this review are said to be FIPS validated. The validation status of all modules submitted to CMVP is published via a publicly searchable database.
FIPS verification. Software that uses FIPS-validated cryptographic modules may need additional verification from an accredited testing lab that those cryptographic modules are used correctly in order to be authorized by a program like FedRAMP. Such software is said to be FIPS verified.
This approach to achieving federal authorization is a safer alternative to forking a module for independent FIPS validation. The forking approach has the sole advantage of listing the vendor of the forked module in the CMVP database. In contrast, the verification approach (what Tetrate does for Tetrate Istio Distro) offers the smallest possible footprint of sensitive code that must be FIPS validated and avoids the inevitable risk that a fork will drift from the more well-maintained upstream version of the module.
Applicability of validated modules. Currently validated modules under FIPS 140-2 are acceptable for use in new systems until Sept. 21, 2026, after which they will be placed on the “Historical” list. At that point, their use will be allowed only for existing systems. Agencies should continue to use FIPS 140-2 validated modules until a FIPS 140-3 validated module becomes available.
FIPS certification. Certification is an industry term applied more generally to programs like CMVP that seek to provide some kind of provable compliance with a standard. In the context of FIPS 140, certified essentially means validated.
Tetrate Istio Distro (TID) and FIPS Validation
Tetrate Istio Distro is Tetrate’s hardened, performant, and fully upstream Istio distribution. It is also the first distribution of Istio to be FIPS verified for use in FedRAMP environments.
The Istio and Envoy binaries published by their respective project sites (istio.io and envoyproxy.io) are not built using FIPS-validated crypto libraries. Those binaries are not approved for use by federal authorization programs such as FedRAMP.
Tetrate solves this problem by offering Istio and Envoy binaries that are built with FIPS-validated crypto modules and independently verified by an accredited third-party testing laboratory.
Boring Crypto. Istio—and its data plane of Envoy proxies—use BoringSSL which, in turn, uses a core module called Boring Crypto. Boring Crypto is FIPS 140-2 validated (Certificate #3678). Boring Crypto’s FIPS 140-2 validation status will be active until Sept. 21, 2026, and the Boring Crypto team is actively working towards FIPS 140-3 validation.
Tetrate Istio Distro FIPS builds. When pursuing FIPS validation for Istio and Envoy in TID, we used an existing crypto module that has already been validated (BoringSSL’s Boring Crypto). We then engaged an NVLAP-accredited testing lab to verify that our distribution uses the CMVP-validated crypto module correctly. This lets us deliver 100% upstream Istio and Envoy in TID, with no need for proprietary forks. And, when Boring Crypto achieves FIPS 140-3, we will update TID FIPS build certification accordingly.
A less desirable option would have been to fork a crypto library, independently maintain it, and get it validated and listed in the CMVP database, then validate that the resulting distribution uses the CMVP validated crypto module correctly.
Although our approach to getting FIPS validation for Istio and Envoy means Tetrate and TID do not have a unique entry in the CMVP database, we believe it is clearly better for users of TID and for the Istio and Envoy communities, since it does not require forking the highly sensitive functionality in cryptographic libraries.
Tetrate Istio Distro Is the Fastest Way to Get to Production with Istio
When you want to deploy Istio in production, the first question is where to get your Istio distribution. Tetrate Istio Distro is Tetrate’s hardened, performant, and fully upstream Istio distribution. Teams often choose to run TID because it’s simple to use and is built and supported by Tetrate’s Istio experts (in addition to being co-creators of Istio, we also built the official CNCF course on Istio).
TID support and FIPS validated builds are available as a paid subscription service, Tetrate Istio Subscription. It’s a great way to get started with Istio knowing you have a trusted distribution to begin with, have an expert team supporting you, and also have the option to get to FIPS compliance quickly if you need to. Find out more at tetrate.io or reach out to us to start a conversation.