Are service meshes overhyped, or do they solve a real puzzle for enterprise IT systems? Service meshes are a relatively new technology, and many people have found it challenging to fit them into predefined tooling categories. That’s because service meshes have a wide variety of functionality, from load balancing to securing traffic. But service meshes do more than securing your traffic via mTLS, and they can be very important security tools for your enterprise.
Service meshes help organizations improve their security posture, working to both proactively prevent attacks through encryption and access control as well as to provide visibility into anomalous behavior when security incidents do happen. Service meshes can be a strong addition to organizations’ security tooling and are especially important for securing applications that have both cloud-native and legacy components.
In the past, controlling the perimeter of the network was considered “good enough” when it came to network security. There are two problems with this: First of all, even in legacy systems getting through the firewall was often not that hard and, once in, attackers could access the entire system. Just as importantly, this approach simply does not work for distributed, cloud-native applications that don’t even have a clear perimeter to protect. A service mesh makes it possible to tighten control over traffic inside the virtual network, so even if a malicious actor gets in, its presence is easier to detect and the extent of the damage can be limited.
Service Mesh and Security
Here’s why services meshes should be considered security tools—and how they work to secure modern enterprise applications.
Central Control Over Communications
Modern engineering organizations need to give individual developers the freedom to choose what components they use in applications as well as how to manage their own workflows. At the same time, enterprises need to ensure that there are consistent ways to manage how all of the parts of an application communicate inside the app as well as with external dependencies.
A service mesh provides a uniform interface between services. Because it’s attached as a sidecar acting as a micro-dataplane for every component within the service mesh, it can add encryption and access controls to communication to and from services, even if neither are natively supported by that service.
Just as importantly, the service mesh can be configured and controlled centrally. Individual developers don’t have to set up encryption or configure access controls; security teams can establish organization-wide security policies and enforce them automatically with the service mesh.
Developers get to use whatever components they need and aren’t slowed down by security considerations. Security teams can make sure encryption and access controls are configured appropriately, without depending on developers at all.
The ability to control access to different parts of the infrastructure is a key part of any organization’s security posture. But in most modern enterprises, each business unit will have applications running both on-premises and in the cloud—potentially in multiple clouds.
With an agnostic service mesh to bridge environments, organizations can segment networks in a way that still creates a seamless experience for users and doesn’t become too complex for security teams to manage effectively.
Inside each segment, the service mesh can be used to create attribute-based access controls (ABAC), role-based access controls (RBAC) or even next-gen access controls (NGAC). A service mesh allows organizations to tune this access control very granularly, including inside individual network segments and across different deployment environments.
In addition to providing consistent encryption and access controls, service meshes can also provide the telemetry that organizations need to identify potential security incidents and respond appropriately to anomalies.
Because all traffic moves through the service mesh, the mesh is able to collect and display granular information about network traffic. This includes the ability to track the origin and destination of every request sent through the mesh, which is important both for security as well as for passing compliance audits.
With a service mesh that connects both legacy and cloud-native environments, detailed traffic information is available for the entire system. Security teams can use a single dashboard to see how traffic is moving through the system and to correlate signals to users, IP addresses and content as it moves from one environment to another. Having all the information in one place reduces the risk of miscommunications or miscorrelations as traffic moves between environments, either obscuring a real security risk or raising red flags unnecessarily.
Consistent Cross-environment Security Postures
Most modern enterprises have a hybrid/multicloud IT system that includes legacy monoliths in data centers, cloud-native infrastructure in private clouds as well as workloads running in at least one public cloud. There are legitimate business reasons for all of these infrastructure choices, but organizations need to have a strong, consistent security posture across all of them. Service mesh technology allows organizations to connect all of the services, applications and components in the system, regardless of environment, and ensure encryption, access controls and visibility into traffic flows extend throughout the entire system.
Adding a service mesh to your security toolkit is a way to ensure consistency and compliance across the entire, heterogeneous system, no matter what kind of environments and deployment architectures you have. Ultimately, your security posture is only as strong as your most vulnerable deployment. A service mesh is the best way to ensure that every part of your infrastructure complies with your internal security policies.