Zero trust, mTLS, and the service mesh explained

Zero trust, mTLS, and the service mesh explained

Catherine Paganini

Jun 2, 2023

This blog is part of our new "service mesh concepts explained" series.

Over the past years, service mesh adoption has skyrocketed, but the reasons have shifted over time. While service mesh adoption was initially primarily driven by reliability and observability features, today, its ability to implement core security primitives such as mutual TLS and request-level authorization — both big components of a zero trust approach to network security — is the main driver. 

That sounds all great, but if you are new to the topic, you may still struggle to understand service meshes, zero trust, and mTLS and how they relate. This blog post will give you a high-level overview and some recommended reads. 

What is a service mesh?

A service mesh functions as the communication backbone of your microservices. The service mesh sits between your services and the underlying infrastructure, mediating service-to-service communication and providing granular control over traffic flow. Users gain powerful security features such as transparent mTLS, reliability features such as traffic shifting and automatic request retries, and observability features such as automatic monitoring of service "golden metrics." But in the context of zero trust, the security features are what we really care about.

What is mTLS?

mTLS stands for “Mutual TLS”, which plays a key role in achieving encryption in transit for your applications. Mutual TLS is simply "regular TLS" with one extra stipulation: it requires authenticating the client as well as the server. Many people associate TLS with encryption only, but TLS does much more. It provides three guarantees for a connection:

  • Authenticity: the parties on either side can prove that they are who they say they are;
  • Confidentiality: no one else can see what data is being exchanged; and
  • Integrity: the data received is the same data that was sent.

Most importantly for us today, mTLS provides workload identity on both sides of the connection, which is cornerstone of zero trust in service meshes.

What is zero trust?

Zero trust is based on two simple ideas:

  1. Check every access, to every resource, from every user, every time.
  2. Everyone only gets the minimum level of access needed to do their jobs. (This is also known as the principle of least privilege).

Though these ideas are simple, making them work requires strict access controls and continuous verification of the identity and trustworthiness of users and devices before granting access to resources.

How do service meshes, mTLS, and zero trust relate?

So, how do service meshes, mTLS, and zero trust relate? And how do they help keep your customer data safe? 

A service mesh provides the fundamental building blocks for a zero trust approach to networking without requiring any code changes to your application (in Linkerd's case, you don’t even need to configure it). With mTLS, the service mesh provides workload identity in a cryptographically-enforced way. With authorization policies, the service mesh allows you to enforce granular access controls based on these identities to ensure only authorized users and devices can access specific resources.

The service mesh provides these access controls in a uniform way across every microservice in your application, and a single point where these controls can be configured and their effects can be examined. This makes it much easier to manage and maintain access controls across a distributed microservice architecture.

The combination of zero trust and service mesh provides a strong foundation for secure and resilient microservice architectures. By implementing strict access controls and leveraging the service mesh's granular control, you can ensure your microservices are protected against unauthorized access and other threats.

Why you should adopt a zero trust approach 

Zero trust does not only make sense; it is important enough that the US government has gotten involved. The White House recently issued a memorandum setting forth a Federal zero trust strategy that requires all US federal agencies to meet specific zero trust security standards by the end of FY 2024.

If you're using Kubernetes, you're in luck. You can take a big step towards  zero trust networking days with Linkerd, the simplest and most secure service mesh on the planet. Get started today to see for yourself how easy it is! 

book
Further reading

For a deep dive into service meshes, check out "What is a service mesh?"

book
Further reading

For a deep dive into mTLS, check out "A Kubernetes engineer's guide to mTLS."

book
Further reading

For a deep dive into zero trust, check out "Zero trust basics in Kubernetes with Linkerd."

book
Further reading
book
Further reading