<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Securing Archives - Artificial Intelligence</title>
	<atom:link href="https://www.aiuniverse.xyz/tag/securing/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.aiuniverse.xyz/tag/securing/</link>
	<description>Exploring the universe of Intelligence</description>
	<lastBuildDate>Tue, 02 Feb 2021 05:53:59 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>
	<item>
		<title>Mutual TLS: Securing Microservices in Service Mesh</title>
		<link>https://www.aiuniverse.xyz/mutual-tls-securing-microservices-in-service-mesh/</link>
					<comments>https://www.aiuniverse.xyz/mutual-tls-securing-microservices-in-service-mesh/#respond</comments>
		
		<dc:creator><![CDATA[aiuniverse]]></dc:creator>
		<pubDate>Tue, 02 Feb 2021 05:53:57 +0000</pubDate>
				<category><![CDATA[Microservices]]></category>
		<category><![CDATA[mesh]]></category>
		<category><![CDATA[Mutual]]></category>
		<category><![CDATA[Securing]]></category>
		<category><![CDATA[service]]></category>
		<category><![CDATA[TLS]]></category>
		<guid isPermaLink="false">http://www.aiuniverse.xyz/?p=12629</guid>

					<description><![CDATA[<p>Source &#8211; https://thenewstack.io/ The world is moving toward microservices-based applications. Service mesh is emerging as one of the main architectures to deploy and manage microservices environments, because <a class="read-more-link" href="https://www.aiuniverse.xyz/mutual-tls-securing-microservices-in-service-mesh/">Read More</a></p>
<p>The post <a href="https://www.aiuniverse.xyz/mutual-tls-securing-microservices-in-service-mesh/">Mutual TLS: Securing Microservices in Service Mesh</a> appeared first on <a href="https://www.aiuniverse.xyz">Artificial Intelligence</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Source &#8211; https://thenewstack.io/</p>



<p>The world is moving toward microservices-based applications. Service mesh is emerging as one of the main architectures to deploy and manage microservices environments, because of the benefits it brings with advanced traffic management, holistic observability and better security. Microservices communicate with each other through APIs, so securing communications between the individual services is becoming more important than ever and has to be addressed.</p>



<p>Mutual TLS (mTLS) secures communication between microservices in a service mesh. It uses cryptographically secure techniques to mutually authenticate individual microservices and encrypt the traffic between them.</p>



<h2 class="wp-block-heading">Why mTLS?</h2>



<p>According to Google, 90% of internet traffic is encrypted to prevent eavesdropping and man-in-the-middle attacks. Yet many cloud native application deployments today do not have encrypted communications between microservices, based on the weak assumption that traffic inside the cluster is secure and not susceptible to attacks. This is a risky assumption. Not only should communications between microservices be secured, but many regulations (like GDPR and HIPAA) also recommend end-to-end encryption to protect all data in transit.</p>



<p>In this era of zero-trust security, each individual microservice communication (request-response) must be authenticated, authorized and encrypted. Here’s why:</p>



<ul class="wp-block-list"><li>Authentication uniquely identifies each microservice and ensures that a rogue microservice cannot access your sensitive data.</li><li>Authorization determines which microservices can communicate with each other. You wouldn’t want the microservice that handles your company’s credit card processing to communicate with the microservice that manages the door badge reader for your office building.</li><li>Encryption not only prevents third parties from intercepting and viewing your data in transit, but also thwarts man-in-the-middle attacks. You definitely don’t want credit card data to be visible to unauthorized entities on the network.</li></ul>



<p>As companies move towards zero-trust security, mTLS provides a cryptographically secure way to authenticate, encrypt and enforce communication policies between microservices.</p>



<h2 class="wp-block-heading">What Is mTLS?</h2>



<p>Mutual TLS (or mTLS) refers to transport layer security that uses a two-way encrypted channel between the server and client. Today, mTLS is the preferred protocol for securing communications among microservices in cloud native applications.</p>



<p>While transport layer security (TLS) has been used to secure traffic between clients and servers on the internet for many years, it typically uses unidirectional identification — where a server presents a certificate to prove its identity to a client. A basic example of this one-way authentication is when you access your bank account online. The server sends your computer a certificate to prove it is actually the bank you are connecting to. That same certificate includes a public encryption key that is used to create a cryptographically secure encrypted link between you and the bank over which data passes.</p>



<p>Mutual TLS extends the client-server TLS model to include authentication of both parties. Where the bank relies on other, application-specific mechanisms to confirm a client’s identity — such as a user name and password (often accompanied by two-factor authentication) — mTLS uses X.509 certificates to identify and authenticate each microservice. Each certificate contains a public encryption key and an identity, and is signed by a trusted certificate authority that attests that the certificate represents the entity presenting it.</p>



<p>In mTLS, each microservice in a service mesh verifies the other’s certificate and uses the public keys to create encryption keys unique to each conversation. This enables the communications between pairs of microservices to be authenticated and encrypted.</p>



<h2 class="wp-block-heading">How mTLS Works in a Service Mesh</h2>



<p>What we have learned at Citrix is that, at a high level, the process of authenticating and establishing an encrypted channel using certificate-based mutual authentication in a service mesh involves the following steps:</p>



<ol class="wp-block-list"><li>Microservice A sends a request for the certificate of microservice B.</li><li>Microservice B replies with its certificate and requests the certificate of Microservice A.</li><li>Microservice A checks with the certificate authority that the certificate belongs to Microservice B.</li><li>Microservice A sends its certificate to microservice B and also shares a session encryption key (encrypted with the public key of microservice B).</li><li>Microservice B checks with the certificate authority that the certificate it received belongs to microservice A.</li><li>With both microservices mutually authenticated and a session key created, communication between them can be encrypted and sent via the secure link.</li></ol>



<h2 class="wp-block-heading">The Role of the Service Mesh Control Plane for mTLS</h2>



<p>Istio is perhaps the most well-known, feature-rich and mature service mesh control plane that provides secure service-to-service communication without the need for any application code changes. From an mTLS perspective, Istio and all service mesh control planes must offer:</p>



<ul class="wp-block-list"><li>A certificate authority that handles certificate signing and management.</li><li>A configuration API server that distributes communication policies (such as authentication policies, authorization policies and secure naming information) to the proxies.</li></ul>



<p>The control plane distributes the certificates and authorization policies to the sidecars. When two microservices need to communicate, the sidecars establish a secure proxy-proxy link and are responsible for encrypting the traffic through it.</p>



<h2 class="wp-block-heading">The Role of Sidecars for mTLS</h2>



<p>While it is possible to define communication security policies and carry out authentication and encryption in the application microservices themselves, it requires implementing authentication mechanisms, defining authorization policies, and traffic encryption in the code of each microservice.</p>



<p>This is inefficient because you must write these into each and every microservice, you must update them when the application changes, and you need to test them on every release to ensure that the new code does not break the communication. This can be a burden on developers, lead to errors and prevent them from focusing on code that implements business logic. In a service mesh, the overhead of securing communications is offloaded to sidecar proxies, like Citrix ADC CPX or Envoy, that sit alongside each microservice.</p>



<p>When two microservices need to communicate, it is the sidecars that establish the mTLS connection through which encrypted traffic will flow. The sidecars exchange certificates and authenticate each other with the certificate authority. They check the authorization policies in the configuration pushed by the control plane, to see if the microservices are allowed to communicate. If they are, the sidecars will establish a secure link using a generated session key, so that all the data between the microservices will be encrypted. The actual microservice application code itself is not affected. Sidecars, therefore, make application development agile and more efficient.</p>



<h2 class="wp-block-heading">Why Non-mTLS Communication Is Still Important</h2>



<p>Sometimes it is important for microservices to communicate with external sources or microservices that may not have mTLS enabled, or may not be part of the same mTLS ecosystem. In these cases, data must be sent in plain text over an unencrypted and/or unauthenticated channel.</p>



<p>Microservices may need to make or receive API calls to other applications, which may be owned by a different app team who are not in a position to enable mTLS — or even an external third party. Similarly, microservices may need to send telemetry data to a non-mTLS observability stack — after all, every SRE needs telemetry data to gain visibility for root cause analysis and troubleshooting.</p>



<p>Furthermore, as multicluster deployments become more popular, there will be an increase in the number of mTLS “mismatches” — as some clusters will have it enabled and others not.</p>



<p>Investigate your environment for where a microservice may need to accept both mTLS and non-mTLS traffic, so you can plan proactively.</p>



<h2 class="wp-block-heading">Implementing mTLS in a Service Mesh</h2>



<p>There are many service mesh control planes with varying levels of maturity and unique features. When it comes to mTLS, all service meshes work on the same principles to secure communications between microservices. Many service meshes offer a solid mTLS baseline, but they differ in their overall capability and the way they are deployed. You need to be aware of how your chosen service mesh control plane implements mTLS and what features are implemented by default, or you risk breaking your applications.</p>



<p>Istio, for example, is advanced and flexible with its mTLS implementation. It offers granular levels to define the extent of your mTLS deployment. Mutual TLS can be set specific to a service, across a namespace, or over the entire service mesh — obviously, Istio selects the narrowest matching policy for each service.</p>



<p>This granularity enables you to assign namespace ownership to different organizational groups and lets them define their own mTLS settings. That said, each group needs to be mindful of the level of mTLS restriction they deploy — especially for microservices that communicate externally.</p>



<h2 class="wp-block-heading">Watch Out for mTLS Defaults: Don’t Break Your Application While Trying to Secure It</h2>



<p>You should pay attention to how your service mesh implements mTLS by default. Istio supports three mTLS modes that enable you to control how microservices communicate in a service mesh:</p>



<ol class="wp-block-list"><li>Permissive: Proxies will accept both mTLS and plain text traffic.</li><li>Strict: Proxies accept only mTLS traffic.</li><li>Disable: Mutual TLS is disabled.</li></ol>



<p>Sensibly, Istio configures each proxy to use mTLS in permissive mode by default, which allows a service to accept both plain text and mutual TLS traffic. This flexibility is a best practice for all service mesh implementations because it lets microservices accept non-mTLS traffic from other sources so that you do not break the applications.</p>



<p>Permissive mode helps you get started with mTLS with less risk of breaking your applications because you can deploy, test communications and tighten security incrementally. This is extremely useful during workload migrations, because it allows microservices that cannot use mutual TLS to be moved into the mesh and still communicate.</p>



<p>Be aware that permissive mode is a great default, but it does actually weaken your security posture because it opens a door for plain text communication with other sources. While it may be tempting to implement strict mTLS from the start because it is more secure, it is a strategy that requires meticulous planning, full visibility, and analysis of your communication flows. There are many things that can break applications when you move to strict mode. For example:</p>



<ul class="wp-block-list"><li>Microservices without sidecars will not complete an mTLS handshake; you may have to add a sidecar to those microservices without one.</li><li>Incorrect naming of service ports will cause sidecars to reject mTLS requests; pay extra attention to Istio’s precise naming convention of $protocol-$service.</li></ul>



<h2 class="wp-block-heading">Be Aware of mTLS Differences in Various Service Mesh Control Planes</h2>



<p>Of course, Istio is not the only service mesh to offer mTLS to secure communications — others offer similar functionality, but there are differences.</p>



<p>Red Hat OpenShift is based on the Istio control plane and has similar mTLS features, including granular implementation and Permissive mode by default, but replaces the underlying BoringSSL with OpenSSL.</p>



<p>Linkerd also offers mTLS, which by default is automatically enabled for HTTP-based communication between meshed pods via the Linkerd proxies. While Linkerd acknowledges some gaps in its mTLS offering, the latest 2.9 release addresses some of them and extends mTLS protection to all TCP connections — which is a big step on the road to zero-trust communications.</p>



<p>In the Kuma service mesh, mTLS is not enabled by default. When it is enabled, every connection between data plane proxies is denied by default. While this is a laudable security stance, it does mean that you have to explicitly allow connections using the <code>TrafficPermissions</code> feature. That said, Kuma lacks the breadth of features for secure communications that Istio offers and it will take some development for Kuma to catch up.</p>



<p>Amazon Web Services’ AWS App Mesh also supports encryption between microservices. You can use AWS Certificate Manager or bring your own. AWS App Mesh supports “strict” and “permissive” modes.</p>



<h2 class="wp-block-heading">Meeting Your mTLS Requirement</h2>



<p>Mutual TLS is a critical component of zero-trust networking and is vital to secure the communications between the microservices in your service mesh. Implementation, however, is not entirely straightforward. You need to be aware that microservices often communicate with non-mTLS entities and you should make allowances accordingly. You should choose the communication mode carefully by weighing convenience versus security. Lastly, whichever service mesh control plane you choose, pay attention to the specific implementation for mTLS — they are not all the same.</p>



<p>Proper planning prevents poor performance. It’s no different for mutual TLS.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.aiuniverse.xyz/mutual-tls-securing-microservices-in-service-mesh/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Google Shares Best Practices for Securing Microservices</title>
		<link>https://www.aiuniverse.xyz/google-shares-best-practices-for-securing-microservices/</link>
					<comments>https://www.aiuniverse.xyz/google-shares-best-practices-for-securing-microservices/#respond</comments>
		
		<dc:creator><![CDATA[aiuniverse]]></dc:creator>
		<pubDate>Thu, 19 Dec 2019 07:24:55 +0000</pubDate>
				<category><![CDATA[Microservices]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[Best practices]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Securing]]></category>
		<guid isPermaLink="false">http://www.aiuniverse.xyz/?p=5702</guid>

					<description><![CDATA[<p>Source: containerjournal.com Google this week made a case for moving beyond firewalls to secure microservices-based applications built using containers by sharing the best practices for a zero-trust <a class="read-more-link" href="https://www.aiuniverse.xyz/google-shares-best-practices-for-securing-microservices/">Read More</a></p>
<p>The post <a href="https://www.aiuniverse.xyz/google-shares-best-practices-for-securing-microservices/">Google Shares Best Practices for Securing Microservices</a> appeared first on <a href="https://www.aiuniverse.xyz">Artificial Intelligence</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Source: containerjournal.com</p>



<p>Google this week made a case for moving beyond firewalls to secure microservices-based applications built using containers by sharing the best practices for a zero-trust networking model it relies on to secure its own web-scale IT environment.</p>



<p>Maya Kaczorowski, a product manager for Google, says Google makes extensive use of a BeyondProd framework, a cloud-native networking model that, among other things, ensures there is no inherent mutual trust between services and that chokepoints for consistent policy enforcement across services are created. Other concepts embedded into BeyondProd include mutually authenticated service endpoints, transport security, edge termination with global load balancing and denial of service protection, end-to-end code provenance and runtime sandboxing.</p>



<p>All the services Google provides run atop the Borg container orchestration engine, a precursor to Kubernetes that Google still employs, on which BeyondProd is deployed.</p>



<p>BeyondProd is not intended to replace the need for firewalls as much as it is designed to augment them, says Kaczorowski. In fact, Google this week announced it has expanded its relationship with a dozen providers of cybersecurity platforms, including firewall providers Palo Alto Networks and Fortinet. It’s not at all clear, however, that any of the three major cloud platforms is all that much more secure than the others. In fact, just about every third-party cybersecurity vendor that supports Google Cloud also supports Amazon Web Services (AWS) and Microsoft Azure.</p>



<p>Google, like other cloud service providers, is highly committed to securing its own infrastructure. However, the security of the applications running on top of any cloud platform remains the responsibility of the IT team that deployed them. As IT teams increasingly embrace microservices-based applications, many are discovering that legacy approaches to securing applications are now insufficient.</p>



<p>Kaczorowski says Google is sharing how BeyondProd is constructed to encourage IT organizations to build their own zero-trust networking model for securing microservices-based applications.</p>



<p>The challenge many organizations will encounter in the months and years ahead is the need to deploy a zero-trust networking model across multiple clouds and on-premises IT environments that are likely to be running hundreds, if not thousands, of microservices. Unfortunately, most IT organizations are still struggling with how to secure monolithic applications on public clouds.</p>



<p>The highly dynamic nature of the containers that make up the bulk of the microservices being deployed presents organizations with a major challenge that in most cases will require them to define and adopt a range of best DevSecOps practices around a zero-trust networking model that needs to be continuously updated and managed. In many cases, roles surrounding who is responsible for building and deploying the zero-trust network across a team of cybersecurity and networking professionals have yet to be defined. Similarly, many organizations are still trying to determine to what degree developers will be held accountable for maintaining the security of their applications before and after they are deployed in a production environment.</p>



<p>Cybersecurity is likely to remain one of the biggest barriers to adoption when it comes to building and deploying cloud-native applications for the foreseeable future. The issue, however, is not so much the security of the cloud platforms being employed as much as it is the immaturity of the processes being employed to secure the applications running on those clouds.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.aiuniverse.xyz/google-shares-best-practices-for-securing-microservices/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>5 Must-Haves for Effectively Securing Azure</title>
		<link>https://www.aiuniverse.xyz/5-must-haves-for-effectively-securing-azure/</link>
					<comments>https://www.aiuniverse.xyz/5-must-haves-for-effectively-securing-azure/#respond</comments>
		
		<dc:creator><![CDATA[aiuniverse]]></dc:creator>
		<pubDate>Thu, 13 Jun 2019 10:42:32 +0000</pubDate>
				<category><![CDATA[Microsoft Azure Machine Learning]]></category>
		<category><![CDATA[5]]></category>
		<category><![CDATA[Azure]]></category>
		<category><![CDATA[Effectively]]></category>
		<category><![CDATA[Must]]></category>
		<category><![CDATA[Securing]]></category>
		<guid isPermaLink="false">http://www.aiuniverse.xyz/?p=3778</guid>

					<description><![CDATA[<p>Source:- securityboulevard.com As enterprises move more data and applications to the cloud, security becomes an even more foundational component because, in order to meet industry compliance requirements, <a class="read-more-link" href="https://www.aiuniverse.xyz/5-must-haves-for-effectively-securing-azure/">Read More</a></p>
<p>The post <a href="https://www.aiuniverse.xyz/5-must-haves-for-effectively-securing-azure/">5 Must-Haves for Effectively Securing Azure</a> appeared first on <a href="https://www.aiuniverse.xyz">Artificial Intelligence</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Source:- securityboulevard.com</p>
<p>As enterprises move more data and applications to the cloud, security becomes an even more foundational component because, in order to meet industry compliance requirements and map to an organization’s larger security strategy, it must be built into the overall cloud platform. When security is deployed as an afterthought, it often needs to be reconfigured by hand when network resources adjust to meet new business needs, which defeats the whole purpose of building and deploying a scalable and highly elastic cloud infrastructure.</p>
<p>Unfortunately, blanket security is not part of any cloud benefits package. Security is a shared responsibility between your organization and the cloud provider, with very clean lines drawn between responsibilities. True, Microsoft Azure and the other major cloud providers have native security options, but they are focused primarily on securing the underlying network, while customers are expected to secure their own data, applications, workflows, and resources.</p>
<p>Most cloud providers provide documentation that spells out how responsibilities are divided between the provider and the consumer. Below is an example of the Azure model.</p>
<p>While this division may seem clear, the challenge tends to be one of scope and scale. Enterprises today use an average of 61 different cloud applications, about one-third of their total apps, according to the Fortinet Threat Landscape Report for Q3 2017. Complicating things further, many of these apps often span multiple clouds. This means that not only does security need to be deeply embedded within a single cloud environment, but security functionalities and protocols also need to operate consistently across different cloud environments so that enforcement can be consistently applied even as applications, data, and workflows move across and between cloud networks.</p>
<p>In addition to securing cloud infrastructure, another serious challenge is the rapid adoption of Software as a Service. Today, anyone with a credit card can spin up or subscribe to a cloud-based application, a problem known as Shadow IT. The result is that many organizations have little to no idea where critical data and resources are being stored, or what tools are being used to access and process information. As a result, combined data breaches and losses from shadow IT applications (those outside of the IT department’s control) are estimated to cost companies between $1.5 trillion and $1.8 trillion every year, according to a 2017 post in the CloudCodes blog.</p>
<p>Concerns about security in the cloud have discouraged many executives from embracing the public cloud. However, the challenge exists not in the security of the cloud infrastructure, but in the policies and technologies used to secure and control the organization’s data and applications. Some analysts are predicting that, through 2022, at least 95% of cloud security failures will be the fault of the customer and not that of the cloud provider.</p>
<p>So, how can enterprises themselves prevent breaches and vulnerabilities when working in the cloud? Each cloud environment is unique, so requirements can change from provider to provider.</p>
<p>For this blog, here are our five must-haves for organizations to effectively secure their workloads in Microsoft Azure, especially when it is part of a larger, multi-cloud strategy.</p>
<p><b>1. Establish Ease of Use</b></p>
<p>You must centralize and simplify cloud security management, thereby enabling the automation of lifecycle management processes as well as the establishment and enforcement of consistent security policies.</p>
<p>Enforcing security for all assets and applications can be simplified through automation. Dynamic security policies can then rely on workload metadata to immediately and consistently capture all application traffic and assign a level of security commensurate to the needs of the workload.</p>
<p>To begin, therefore, you need to find a security solution that simplifies management, allowing you to focus on security issues and not things like configuration, enforcement, or maintaining consistency between the cloud and other environments.</p>
<p><b>2. Implement Native Integration</b></p>
<p>Native integration of security capabilities in Azure — such as container security, auto scaling, Azure Resource Manager (ARM) templates, and more — helps you utilize cloud-based automation. This allows you to define consistent policies across your hybrid cloud environment, operate at speed and scale, and dynamically adapt as resources shift. Integration with cloud management resources through APIs also allows you to leverage cloud-based information as part of your overall security policy management and enforcement strategy.</p>
<p><b>3. Implement Intrusion Protection Systems</b></p>
<p>As organizations move more services to SaaS and IaaS platforms, complexity increases. With increased complexity comes an even greater need for an integrated approach to threat detection and response. Intrusion Protection Systems (IPS) provide a critical defense against malware, attacks, and exploits. This is especially important given the complexities of the current threat landscape and continually expanding attack surface.</p>
<p>To successfully detect complex threats in public cloud computing environments, comprehensive visibility is absolutely necessary. Network security teams need to be able to monitor and track all security components centrally, while threat intelligence not only needs to be centralized, but also shared in real time across multiple clouds — regardless of which cloud a threat has targeted.</p>
<p>With DevOps environments, teams need the ability to detect suspicious activity and identify compromised accounts. And for the entire network, an integrated security architecture should be backed by threat intelligence powered by advanced artificial intelligence and machine learning methodologies to better correlate threat intelligence, detect unknown threats, and respond at digital speeds.</p>
<p><b>4. Ensure Application Control</b></p>
<p>You also need to find a solution that uses application-level visibility and management to help build a secure, fluent multi-cloud infrastructure. Here are a few critical functions that an effective solution needs to provide:</p>
<ul>
<li>Blocking or restricting access to risky applications</li>
<li>Setting security policies based on application type</li>
<li>Optimizing bandwidth usage by prioritizing, de-prioritizing, or blocking traffic based on the application</li>
</ul>
<p><b>5. Maintain High Performance and High Availability</b></p>
<p>Securing Azure and other cloud environments requires resilience through high availability. To achieve this new security paradigm, services need to be available at ever higher SLAs.</p>
<p>To achieve high performance, you need a solution with:</p>
<ul>
<li>Security that matches the scalability and elasticity of cloud workloads</li>
<li>Native cloud orchestration to automate auto scaling, high availability, and segmentation</li>
<li>Resilient designs that meet your application requirements, without the need for complicated, expensive deployment tools</li>
</ul>
<p>While public clouds support up to 99.999% uptime, cloud-based data centers have still failed. A best security practice is to assume that everything will fail at some point, and build in resilience at the application layer sitting on top of the cloud infrastructure.</p>
<p>To avoid unwanted and unexpected downtime, Azure provides various mechanisms for redundancy through Fault Zones and Availability Zones. These provide the opportunity for application architects to implement instance-level and service-level redundancy. Remember that resiliency needs to include your security solutions as well as any infrastructure or applications.</p>
<h3><b>Conclusion</b></h3>
<p>Fortinet security solutions for Azure provide all five of these must-have capabilities.</p>
<p>They offer a broad set of tools that cover the entire attack surface to protect against advanced threats, the ability to integrate cloud controls with on-premises security solutions, and seamless integration and functionality with Fortinet solutions deployed in other environments, regardless of form factor. This means an enterprise gets consistent visibility and control across the entire organization that spans the entire distributed network.</p>
<p>You can discover for yourself the power and simplicity of the Fortinet Security Fabric by test driving our FortiGate Next-Generation Firewall, or taking it for a longer spin with a free 30-day trial. Both options are available now in the Microsoft Azure Marketplace.</p>
<p><i>For more on this topic, view the complementary on-demand webinar, “5 Essential Capabilities to Effectively Secure Azure,” with Brian Page, Fortinet cloud security architect.</i></p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.aiuniverse.xyz/5-must-haves-for-effectively-securing-azure/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
