Mutual TLS: Vital for Securing Microservices in a Service Mesh – Security Boulevard

Mutual TLS: Vital for Securing Microservices in a Service Mesh
Thu, 04/28/2022 – 16:10

Why do you need mTLS?

While TLS is used to secure traffic between clients and servers on the internet, it does so with unidirectional authentication: the server presents a digital certificate to prove its identity to the client, but the client is not authenticated in return. This is the classic scenario of a user accessing a web-based service or a website.


Mutual TLS extends the client-server TLS model to include authentication of both communicating parties. mTLS uses X.509 certificates to identify and authenticate each microservice. Each certificate binds a public key to an identity and is signed by a trusted certificate authority (CA). In mTLS, each microservice in a service mesh verifies the other’s certificate, and the handshake then derives encryption keys unique to each conversation.

As zero trust security is becoming the cornerstone of corporate cybersecurity strategies and privacy compliance requirements are increasing, mTLS provides a secure way to ensure that each individual microservice communication is authenticated, authorized, and encrypted.

Authentication uniquely identifies each microservice and ensures that a rogue microservice cannot access your sensitive data. Authorization determines which microservices can communicate with each other. And encryption not only prevents third parties from intercepting and viewing your data in transit, but also defends against man-in-the-middle attacks.

How service mesh and mTLS work together

Service mesh control planes like Istio provide secure service-to-service communication, without the need for any application code changes. From an mTLS perspective, all service mesh control planes must offer a certificate authority to handle certificate signing and management, and a configuration API server to distribute authentication and authorization policies as well as secure naming information to the proxies.

Embedding mTLS into a service mesh control plane provides further functional benefits, such as:

  • Automatically encrypt and decrypt requests and responses to remove the burden from your application developers
  • Improve performance by prioritizing the reuse of existing connections, reducing the need for the computationally expensive creation of new ones
  • Understand and enforce how services are communicating, and prove it cryptographically

mTLS and sidecars

Certificate management and policy enforcement should not be allocated to the application microservice container. This is where sidecar patterns come in handy.

Sidecars were named after the sidecar attached to a motorcycle. In the pattern, the sidecar is attached to a parent application and provides supporting features for the application. The sidecar also shares the same lifecycle as the parent application, as it is created and retired alongside the parent.

[Figure: sidecar proxy]

Going back to mTLS in service mesh, the control plane distributes the certificates and authorization policies to the sidecars. When two microservices need to communicate, the sidecars establish a secure proxy-proxy link and are responsible for encrypting the traffic through it.

Although it is possible to define security policies and implement authentication and encryption in the application microservices themselves, this is not efficient. You will need to implement authentication mechanisms, define authorization policies, and establish traffic encryption in the code of each microservice.

Even worse, you must write these into each microservice, update it when the application changes, and test it on every release to ensure that the new code does not break the communication. This adds excessive burden onto the shoulders of developers, leads to errors and prevents them from focusing on code that implements business logic.

When two microservices need to communicate, it is the sidecars that establish the mTLS connection and encrypt all traffic. The sidecars exchange certificates and authenticate each other by validating those certificates against the certificate authority. They then check the authorization policies in the configuration pushed by the control plane to see whether the two microservices are allowed to communicate. If authorization is granted, the sidecars establish a secure link using a generated session key. The microservice application itself is not affected.
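The two sidecar checks just described, and the certificate mechanics from "Why do you need mTLS?", as an added Go example that is not code from the post, Istio or cert-manager: a constructed mesh CA issues SPIFFE-style workload certificates, and verifyPeer, written in the shape of Go's tls.Config.VerifyPeerCertificate hook, first authenticates a peer's certificate against that CA and then authorizes its identity against a policy map. The trust domain, service identities and policy are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// issue mints a key and a one-hour cert whose URI SAN is the workload identity (Istio's SPIFFE convention), signed by the mesh CA, or self-signed as a CA when ca is nil; every identity here is constructed.
func issue(id string, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	u, _ := url.Parse(id)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), URIs: []*url.URL{u}, IsCA: ca == nil, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if ca == nil {
		ca, caKey = t, key // self-signed: the mesh CA itself, or an impostor minting its own certificate
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, ca, pub, caKey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// verifyPeer is the check a sidecar runs on the other proxy's certificate: authenticate (the chain must end at the mesh CA), then authorize
// (the SPIFFE identity must be in the policy the control plane pushed). Its shape is tls.Config.VerifyPeerCertificate, so a proxy installs it on its dialer and, with ClientAuth = tls.RequireAnyClientCert (which guarantees raw[0] exists), on its listener.
func verifyPeer(ca *x509.Certificate, policy map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return func(raw [][]byte, _ [][]*x509.Certificate) error {
		peer, err := x509.ParseCertificate(raw[0])
		if err == nil {
			_, err = peer.Verify(x509.VerifyOptions{Roots: roots}) // an unknown CA or an expired cert fails here
		}
		if err == nil && (len(peer.URIs) != 1 || !policy[peer.URIs[0].String()]) {
			err = errors.New("peer authenticated, but the authorization policy denies its identity")
		}
		return err
	}
}

// decisions plays three peers against an api sidecar that admits only web: the real web workload, a batch job the policy omits, and an impostor that minted its own cert bearing web's name.
func decisions() map[string]error {
	ca, caKey := issue("spiffe://cluster.local", nil, nil)
	web, _ := issue("spiffe://cluster.local/ns/default/sa/web", ca, caKey)
	batch, _ := issue("spiffe://cluster.local/ns/default/sa/batch", ca, caKey)
	fake, _ := issue("spiffe://cluster.local/ns/default/sa/web", nil, nil)
	check := verifyPeer(ca, map[string]bool{"spiffe://cluster.local/ns/default/sa/web": true})
	return map[string]error{"web": check([][]byte{web.Raw}, nil), "batch": check([][]byte{batch.Raw}, nil), "impostor": check([][]byte{fake.Raw}, nil)}
}
```

The impostor case is the one a name-only check would get wrong: it carries exactly web's identity, but fails before the policy is consulted because the mesh CA never signed it.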

How to make mTLS work for your service mesh

Mutual TLS is a critical component of zero trust networking, and is vital to secure the communications between the microservices in your service mesh. Implementation, however, is not entirely straightforward. This is where cert-manager comes in handy.

Developed by Venafi’s partners at Jetstack, cert-manager integrates with the Istio service mesh to provide signing capabilities for workloads. Working with the Security WG in the Istio community, the cert-manager team at Jetstack has built an integration that enables cert-manager to sign workload certificates in an Istio service mesh for mutual TLS authentication.

Guest Blogger: Anastasios Arampatzis

When transitioning to a microservices architecture, it is important to consider that breaking applications into smaller pieces increases the surface area for attacks. Service mesh is emerging as one of the main architectures to deploy and manage microservices environments because of the benefits it brings with advanced traffic management, holistic observability, and better security.

Mutual TLS (mTLS) addresses this security challenge by protecting communication between microservices in a service mesh. mTLS provides client and server-side security for service-to-service communications. It enables organizations to enhance network security with reduced operational burden.


*** This is a Security Bloggers Network syndicated blog from Rss blog authored by brooke.crothers. Read the original post at:
