7 minute read 2 May 2023
Service Mesh Architecture

How an enterprise service mesh will ensure zero trust security for multi-cloud applications

By Shivaprakash Abburu

EY India Cybersecurity Consulting Partner

Cybersecurity optimist, Technology enthusiast


An enterprise service mesh will help organizations manage their micro application services and usher legacy apps into the cloud.

In brief

  • With a service mesh, companies can enhance their microservices architecture by creating robust enterprise applications.
  • It can be a challenge to implement security rules seamlessly across microservices written in many languages.
  • An enterprise service mesh offers a common foundation to integrate third-party code or teams.

According to one study, adopters of multi-cloud are 1.6 times more likely to exceed their organizational performance targets.

A multi-cloud approach, however, is not without challenges. Organizations need to build composite technology stacks with a great deal of orchestration; overhead costs increase as they need to avail services from various vendors; and with more vendors, ensuring security becomes a bigger challenge. Adopting a microservices architecture can help organizations address most of these concerns.

In fact, cloud-based microservices are not an entirely new concept. In 2009, one of the leading OTT platforms was facing issues with its IT infrastructure, as it could not keep up with the demand for its rapidly growing video streaming services. The company migrated its IT infrastructure from private data centers to a public cloud and replaced its monolithic architecture with a microservices architecture. The OTT platform became one of the first companies to successfully migrate from a monolith to a cloud-based microservices architecture at scale.

Microservices, or microservices architecture, is a cloud-native architectural approach in which a single application is composed of many loosely coupled and independently deployable smaller components or services. They communicate with one another using a combination of REST APIs, event streaming, and message brokers. Applications are evolving into collections of functions and microservices, with everything described in code. However, it is a challenge to operationalize security rules that function seamlessly across the various technologies that developers use to build and deploy cloud-native applications. To address these challenges, organizations must adopt an enterprise service mesh.

Service mesh ensures visibility

Implementing a service mesh provides a set of functions for managing and controlling the communication relationships between microservices. Enterprise service mesh platforms offer holistic security capabilities that can be applied to all microservices at scale, including out-of-the-box features such as authentication of legitimate users, role- or attribute-based access control for authorized user actions, secure channel communication between services using Mutual Transport Layer Security (mTLS), and real-time policy enforcement for workload protection based on requirements and platform.

Enterprise service mesh platforms also provide deep visibility into application and microservice behavior: measuring, correlating, and mitigating Service Level Objective (SLO) violations, gathering consistent metrics for all apps, and providing a single real-time view of all microservices and their data flows, among other salient features.

The question that arises is: is this for my organization? Yes, if:

  • You have microservices written in many languages that may not follow a common architectural pattern or framework (or you are in the middle of a language/framework migration).
  • You are integrating third-party code or inter-operating with teams that are a bit more distant, and you want a common foundation to build on.
  • Your organization keeps “re-solving” problems, especially in the utility code, and you are not able to resolve problems with conventional cloud services.
  • You have robust security, compliance, or auditability requirements that span services.
  • Your teams spend more time localizing or understanding a problem than fixing it.

Achieving zero trust

Prior to the advent of service mesh, achieving zero trust was complex. Trust required tooling to manage certificates for services and workloads, as well as service authentication and authorization. However, service mesh implementations provide authentication and authorization identities through a central authority that provides certificates for each service.

Service Mesh walk through

Figure: a web application developed without service mesh versus one developed with service mesh.

Microservice communication

  • A proxy acts as the entry point for the request.
  • Security is imposed around the cluster. However, microservice communication within the cluster is not secured.
  • Attackers can initiate malicious requests between microservices if they gain cluster access.

Microservice configuration

  • Every microservice must have its own BL (business logic), COMM (communication standards/protocols to be used), SEC (security rules/specifications), RL (routing logic), and metrics configuration.
  • Endpoint details of all the microservices must be updated in the web server microservice.
  • The communication configuration must be updated with new endpoint details in each microservice whenever a new service is added.

What Service Mesh can offer

Figure: service mesh with sidecar.

  • Business logic and configuration logic are separated.
  • Configuration logic is managed by the sidecar application, which acts as a proxy.
  • There is no need for individual microservice configuration. Kubernetes (K8s) YAML files can be used to push configuration logic to the control plane, which propagates the instructions to every Envoy proxy.
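
As an added example (not from the article, which names no specific mesh product), the following assumes Istio, whose Envoy sidecars, VirtualService and DestinationRule resources match the terms used on this page. It shows the control-plane YAML behind the mTLS and access-control features described above: a namespace opted in to sidecar injection, mesh-wide strict mTLS, a default-deny policy, and one explicit allow rule. The namespace, workload label and service-account names are hypothetical.

```yaml
# Namespace opt-in: the control plane injects an Envoy sidecar into every Pod created here
apiVersion: v1
kind: Namespace
metadata:
  name: shop                       # hypothetical application namespace
  labels:
    istio-injection: enabled
---
# Mesh-wide mTLS: sidecars accept only mutually authenticated peers
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system          # root namespace, so the policy applies mesh-wide
spec:
  mtls:
    mode: STRICT                   # reject plaintext; PERMISSIVE would still accept it
---
# Default deny in the namespace: an empty spec matches every workload and denies all requests
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: shop
spec: {}
---
# Explicit allow: only the "web" service account may call the orders API
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-web
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders                  # hypothetical workload label
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/web"]   # identity taken from the peer's mTLS certificate
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/orders*"]
```

Because the caller's identity comes from the certificate the mesh issued, the allow rule cannot be satisfied by a plaintext request or by a spoofed header, which is the zero trust property the article refers to.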

Without an enterprise service mesh platform, contemporary applications with a microservices-based architecture would have a much larger overhead in terms of design, development, and maintenance. Right from maintaining separate business logic and configuration specs to complex authentication and authorization implementations that are custom to the application, developers will have to spend a lot of time gluing together disparate technology components.

With an application developed through a service mesh implementation, developers can let the platform do much of the heavy lifting in terms of inter/intra communication, traffic routing between microservices, load balancing, policy enforcement, workflow and configuration safeguards. This allows development teams to focus primarily on using the right design patterns, efficient business logic, and other aspects.

Figure: an enterprise service mesh's traffic routing capability can control ingress traffic and route it to the appropriate microservices.

Ingress Gateway: the Ingress Gateway acts as a common entry point for all external traffic into the cluster.

  • Rewrites, redirects, and routes can easily be configured using custom resource definitions, along with other features such as monitoring and tracing.
  • The Ingress Gateway is itself an Envoy proxy with load balancing capability that routes traffic to the Envoy proxy of the Pod, using the instructions set in the VirtualService and DestinationRule YAML files.

Egress Gateway: Egress Gateways are the exit points from the mesh; they allow features such as monitoring and routing rules to be applied to outgoing traffic.

  • Any traffic outbound from the Pod also passes through an Envoy proxy. Default service mesh configurations allow unknown requests to pass through.
  • Defining an Egress Gateway and routing outbound traffic through it puts stricter controls in place.

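
The following is an added example, not taken from the article, again assuming Istio as the mesh. It shows the ingress routing described above (a Gateway plus a VirtualService with a path rewrite) and, for the egress side, the mesh-wide setting that replaces the permissive default of letting unknown outbound hosts through with an explicit allow-list: only destinations declared in a ServiceEntry can be reached. Hostnames, service names and the TLS secret name are constructed for the example; the full Egress Gateway routing resources are omitted for brevity.

```yaml
# Ingress: one entry point, routing by host and path with a rewrite
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: shop-gateway
  namespace: shop                  # hypothetical application namespace
spec:
  selector:
    istio: ingressgateway          # the mesh's ingress Envoy deployment
  servers:
  - port: {number: 443, name: https, protocol: HTTPS}
    tls: {mode: SIMPLE, credentialName: shop-tls}   # Kubernetes TLS secret (constructed name)
    hosts: ["shop.example.com"]
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: shop-routes
  namespace: shop
spec:
  hosts: ["shop.example.com"]
  gateways: ["shop-gateway"]
  http:
  - match:
    - uri: {prefix: /api/orders}
    rewrite: {uri: /orders}        # external path differs from the service's internal path
    route:
    - destination: {host: orders, port: {number: 8080}}
---
# Egress: the default mode is ALLOW_ANY, which lets any outbound host through the sidecar;
# REGISTRY_ONLY makes the sidecar refuse hosts the mesh does not know about
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
---
# With REGISTRY_ONLY, every permitted external destination must be declared explicitly
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: payments-api
  namespace: shop
spec:
  hosts: ["api.payments.example.com"]   # constructed external dependency
  location: MESH_EXTERNAL
  ports:
  - {number: 443, name: https, protocol: TLS}
  resolution: DNS
```

Routing the declared external traffic through a dedicated Egress Gateway, as the article suggests, adds a single point where outbound connections can be monitored and logged.
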
Service Mesh with sidecar

A service mesh improves the microservices architecture as it enables companies or individuals to create robust enterprise applications, made up of many such microservices on a hosting platform of their choice.

An enterprise service mesh solution allows developers to focus on adding business value to each service they build, rather than worrying about how each service communicates with the rest. For DevOps teams that have an established production continuous integration and continuous deployment (CI/CD) pipeline, a service mesh can be essential for programmatically deploying apps and application infrastructure alongside their source code management and test automation tools.

Summary

Organizations use multiple cloud service providers to improve performance through speed and agility, but also must contend with different technology stacks, higher costs, security risks, and limited visibility of communication between the loose combinations of cloud-based microservices and applications. Adopting an enterprise service mesh allows organizations to manage and monitor microservices, including security features. This system can manage traffic and rules, allowing developers to focus on other beneficial tasks.
