Mar 6, 2023
The cloud native ecosystem with Kubernetes at its core has transformed how organizations deploy and operate applications in the cloud. One part of the stack has been getting particular traction from security professionals lately: the service mesh—an infrastructure layer that manages and controls network communication between Kubernetes-based microservices.
Early on, platform owners and site reliability engineers (SREs) mainly drove service mesh adoption. Tasked with building an internal infrastructure platform for their organization, they took advantage of service meshes to build reliability features into their platforms. These include load balancing, automated retries, blue-green deploys, and observability.
But the service mesh has recently found another interested audience: security and compliance teams. Over the past year, security and compliance teams have increasingly turned to Linkerd, the CNCF graduated service mesh, to improve their security posture—especially in the cloud. Complex threat models, sophisticated attackers, and the lack of control and ownership over the low-level cloud networking infrastructure create exposure and risk that Linkerd is uniquely positioned to address.
To understand why security professionals are so interested in Linkerd, we first need to understand how the service mesh works. The most successful service meshes, including Linkerd, are based on a sidecar model in which a network proxy is injected into each Kubernetes pod — the atomic unit of Kubernetes-based applications. This proxy then transparently manages all incoming and outgoing pod traffic, implementing various features without requiring changes to the underlying application. And because the proxy is the single point of ingress and egress for all traffic for that pod, it represents an ideal place to implement network security controls.
Of course, deploying hundreds or even thousands of proxies within a single cluster will only make sense if you're using lightweight proxies that are transparent to the application. That's why the most advanced service meshes focus on minimizing each proxy's compute and operational footprint. Linkerd, for instance, makes use of ultralight proxies written in Rust for performance and security instead of the more popular but complex (and heavyweight) C++-based Envoy proxy.
For platform owners focused on reliability, a service mesh's ability to deliver latency-aware load balancing, automated retries, and "golden signal" metrics is incredibly compelling — regardless of implementation details. However, this same sidecar proxy model also makes service meshes invaluable for security and compliance owners. Just like for platform owners, service meshes allow security owners to implement critical security features without requiring any code changes from the development team.
"We needed a service mesh to implement zero trust and comply with government regulation. With no time for experimentation and long implementation, we needed something that was simple and fast. After some research, we decided to give Linkerd a try. The implementation was fully automated by Buoyant Cloud, and the speed of deployment and expertise have all been top-notch. We had all prod services mTLSed within nine days! I don't know how it could have gone better. There was little to no interruption to our development during our deployment, and we deployed it in four different environments. Our developers didn't even notice!"—CISO of a large US Bank
Security professionals face a real challenge in cloud environments. How can they ensure security and compliance in the cloud, where they don't own the wires or the machines, and ultimately have no control over what transpires in the environment?
Since the hardware can no longer provide the necessary guarantees about security, we have to turn to the software instead. A new set of technologies, concepts, and patterns has risen to the forefront, including mutual TLS, workload identity, and authorization policy (especially fine-grained policy, aka "microsegmentation").
Deep down, these are all software techniques delivering security on top of insecure foundations. The service mesh has become a fantastic place to implement these security features for the same reasons it was compelling for reliability features.
For instance, a big driver of Linkerd adoption is mutual TLS (or mTLS). Like “normal” TLS, mTLS ensures that when pods communicate with each other, they use a secure channel that’s encrypted and protected against manipulation—but additionally, mTLS verifies the identity of both pods, using cryptographic identities that are intrinsic to the pods rather than being tied to the network. The days of relying on IP addresses to provide any kind of identity, or establishing plaintext TCP connections and considering the job done, are long gone.
Similarly, letting the mesh enforce authorization policy means every pod can specify exactly which connections and requests are allowed, based not just on client workload identity but also on the requested (encrypted and unmodifiable) route, path, or method!
Linkerd's sidecar model is particularly well-suited for zero trust practitioners: the proxy in each pod acts as an enforcement point that controls all network access to the app components. This aligns perfectly with the zero trust "enforce everywhere, every time" directive.
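The three ideas above (mTLS-backed workload identity, policy keyed on identity plus route, and the sidecar as the enforcement point) come together in Linkerd's policy resources. The manifest below is an added example written for this post, not configuration taken from the Linkerd project or from any customer; the namespace, workload and service-account names are invented, and the `policy.linkerd.io` API versions are those of the Linkerd 2.12/2.13 era and should be checked against the CRDs installed in your cluster (`kubectl api-resources | grep policy.linkerd.io`). It sets a deny-by-default inbound policy for the namespace, describes the `orders` workload's HTTP port as a `Server`, carves out a single route (`GET /api/orders`), and authorizes only the `web` service account's mesh identity to reach that route. A second route authorizes the kubelet's unauthenticated liveness and readiness probes, which would otherwise be blocked once routes are attached to the `Server`.

```yaml
# Constructed example: a deny-by-default namespace where only the "web"
# workload may call GET /api/orders on the "orders" workload over mTLS.
apiVersion: v1
kind: Namespace
metadata:
  name: shop                         # hypothetical namespace
  annotations:
    linkerd.io/inject: enabled       # inject the sidecar proxy into every pod
    config.linkerd.io/default-inbound-policy: deny   # nothing is allowed unless a policy says so
---
# Describe the port the policy applies to. proxyProtocol: HTTP/1 lets the
# proxy parse requests so HTTPRoute matches on path and method are possible.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  namespace: shop
  name: orders-http
spec:
  podSelector:
    matchLabels:
      app: orders                    # hypothetical label on the orders pods
  port: http                         # named container port, assumed to be 8080
  proxyProtocol: HTTP/1
---
# Only this route is exposed to the caller; anything else on the port stays denied.
apiVersion: policy.linkerd.io/v1beta2
kind: HTTPRoute
metadata:
  namespace: shop
  name: orders-read
spec:
  parentRefs:
    - name: orders-http
      kind: Server
      group: policy.linkerd.io
  rules:
    - matches:
        - path:
            type: Exact
            value: /api/orders
          method: GET
---
# The caller is identified by its mTLS certificate, not by its IP address.
# Linkerd identities have the form <serviceaccount>.<namespace>.serviceaccount.identity.linkerd.cluster.local
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
  namespace: shop
  name: web-identity
spec:
  identities:
    - web.shop.serviceaccount.identity.linkerd.cluster.local
---
# Bind the identity to the route: GET /api/orders from "web" only.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: shop
  name: orders-read-from-web
spec:
  targetRef:
    group: policy.linkerd.io
    kind: HTTPRoute
    name: orders-read
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: MeshTLSAuthentication
      name: web-identity
---
# Kubelet probes are plaintext and unauthenticated, so they need an explicit
# route and a network-based authentication; without this the pod never
# becomes Ready under the deny default.
apiVersion: policy.linkerd.io/v1beta2
kind: HTTPRoute
metadata:
  namespace: shop
  name: orders-probes
spec:
  parentRefs:
    - name: orders-http
      kind: Server
      group: policy.linkerd.io
  rules:
    - matches:
        - path: { type: Exact, value: /healthz }   # assumed probe path
          method: GET
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
  namespace: shop
  name: kubelet
spec:
  networks:
    - cidr: 10.0.0.0/8               # assumed node network; narrow this to the real one
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: shop
  name: orders-probes-from-kubelet
spec:
  targetRef:
    group: policy.linkerd.io
    kind: HTTPRoute
    name: orders-probes
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: NetworkAuthentication
      name: kubelet
```

Two points worth checking after applying something like this: the `orders` pod should become Ready (if it does not, the probe route or CIDR is wrong), and a request from any workload other than `web`, or a `POST` from `web`, should be rejected by the `orders` sidecar before it reaches the application. `linkerd viz authz -n shop deploy/orders` reports which policy allowed or denied recent traffic, which is the audit trail a security owner wants from the enforcement point described above.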
Finally, some practical considerations exist when adopting a service mesh like Linkerd within an organization. Linkerd provides identity and policy layers realized outside the application code, which allows it to be owned, monitored, and controlled by security or platform teams. Numerous security-conscious organizations adopting Linkerd today state that this separation has become crucial to their service mesh success. Linkerd lets security owners retain control over policies and posture without incurring a new dependency on developers or network engineering teams.
It's difficult to keep up with the rapidly shifting cloud native ecosystem. But when it comes to network security, service meshes are the best way to adopt a zero trust approach uniformly across all services. The simplest and most secure way to do that is with Linkerd.
Our team of technical experts can help you tackle a modern, zero trust approach to Kubernetes security, compliance, and auditing. Best of all, we can automate the vast majority of it.
Book a demo with Buoyant today to see first-hand just how easy this can be!