
NIST drafts service mesh guidance for DevSecOps

A new NIST special publication shows how a service mesh can enhance access control for DevSecOps shops, but the network architecture hasn't gained widespread deployment.

Efforts by the National Institute of Standards and Technology to set standards for DevSecOps grew to include service mesh this week, though the network architecture is a long way from the same level of use as containers and Kubernetes.

NIST, service mesh vendor Tetrate and financial services company TIAA collaborated on a special publication document, released as a draft this week, that details best practices for microservices access control using a service mesh.

"Instead of providing piecemeal security for each [microservices] component … service mesh … provides services like authentication and authorization, network resilience and security monitoring," said Dr. Ramaswamy Chandramouli, senior scientist at NIST, in a presentation during a virtual event this week.

Microservices security calls for attribute-based access control, with multiple layers of authentication and authorization that inspect multiple components of identity, or attributes, as applications traverse an IT infrastructure. This contrasts with traditional role-based access control, which focuses on authenticating and authorizing actions by human users or accounts rather than application components. Role-based access control is usually enforced at the outer perimeter of the IT infrastructure by a traditional firewall.

Service mesh, a network architecture in which a centralized control plane manages a distributed set of sidecar proxies, is helpful for IT teams that want attribute-based access control because it supports a diverse set of authorization policies at both the service and end-user level, Chandramouli said. It also enforces security policies at multiple points in the network infrastructure through its proxies, rather than through a monolithic firewall.
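As an added illustration (not taken from SP 800-204B, NIST or Tetrate), the Istio policies below encode the two attribute layers just described: workload identity attested over mTLS at the service level, and JWT claims at the end-user level, with a namespace-wide default deny that every sidecar proxy enforces. The namespace, label, service account and issuer URL are assumed names.

```yaml
# Added example; namespace, labels, service account and issuer are assumed.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: orders
spec:
  mtls:
    mode: STRICT            # sidecars require mTLS, so the caller's identity is attested
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: end-user-jwt
  namespace: orders
spec:
  jwtRules:
  - issuer: "https://sso.example.internal"
    jwksUri: "https://sso.example.internal/.well-known/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-by-default
  namespace: orders
spec: {}                    # no rules: every request in the namespace is denied unless allowed below
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-api-allow
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders-api
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/checkout/sa/checkout"]  # service-level attribute: SPIFFE identity from mTLS
        requestPrincipals: ["*"]                                # a valid JWT is required, not just accepted
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/orders", "/orders/*"]
    when:
    - key: request.auth.claims[groups]                          # end-user attribute from the validated JWT
      values: ["order-managers"]
```

RequestAuthentication alone only validates tokens that are present; the `requestPrincipals` entry is what rejects unauthenticated requests.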

The service mesh document, SP 800-204B, is open to comments in its draft form. Its final version, timing to be determined, will join a future update to NIST's SP 800-160 system security engineering standard that incorporates microservices, zero trust architecture and DevSecOps. The 800-160 update will cover high-level DevSecOps processes, while publications such as 800-204B will offer lower-level tactical guidance for specific tools.

NIST service mesh virtual event
Reps from NIST and service mesh vendor Tetrate presented DevSecOps guidance during a virtual event this week.

Users build case for service mesh in DevSecOps

IT pros who use Istio service mesh for security purposes also presented during the virtual event, which was hosted by NIST and Tetrate. These presenters said they favored service mesh as part of a DevSecOps process because it means developers don't have to deal with infrastructure security details.


"Service mesh … takes the logic of governing service-to-service communication out of individual services and abstracts it into a layer of infrastructure," said Kevin Paige, chief information security officer at Flexport, a freight logistics and supply chain company in San Francisco. "We wanted to make sure that our developers can focus on adding business value instead of trying to figure out how to [manage] the infrastructure to make their services work."

Service mesh is the natural next stage of evolution in network architectures as applications become highly distributed, similar to the emergence of network switches in previous generations of compute technology, Paige said.

"But there is complexity that we have to address," he added.

Service mesh complexity, especially for multi-cluster Kubernetes, has prompted Flexport to migrate from upstream Istio to Tetrate's Service Bridge software, which adds a centralized management layer and extends Istio to non-container workloads.


"Istio is amazing when you have one cluster," Paige said in an interview. "[The] problem is, clusters grow for different needs, and different services are hosted in different clusters, and everything starts to grow."

Flexport plans to put Tetrate Service Bridge in production next month to speed up its DevSecOps workflows. Upstream Istio in separate clusters requires a slower ticketing system and manual approvals for changes, but Paige said he anticipates that Tetrate Service Bridge will provide a more highly automated self-service interface.

Competitors such as Red Hat OpenShift and GKE offer their own take on service mesh management automation, but Tetrate appealed to Paige because it's not associated with a particular cloud provider or Kubernetes distro. Varun Talwar, Tetrate's CEO and co-founder, was also among the co-creators of gRPC and Istio at Google, and Tetrate engineers are contributors to Istio, which boosted the vendor's cachet for Paige.

"I don't want to be locked into a single vendor, and Tetrate's relationship with the open source community is something I look for in companies I partner with," he said.

Service mesh complexity hinders widespread use

It's early for service mesh adoption in the enterprise. While a 2020 CNCF survey found that 92% of 1,324 respondents use containers, 27% said they used a service mesh in production. This was an increase of 50% over the 2019 survey, but still leaves a wide gap between container adoption and that of service mesh.

Tetrate, founded in 2018, hasn't garnered a large customer base -- the company has accrued nine enterprise customers so far, Talwar said in an interview.

The company isn't alone among service mesh software vendors seeking more business, according to analyst research. Service mesh adoption data for 2020 is still being gathered at IDC, but adoption has generally been tepid so far, said Brad Casemore, the firm's research vice president for data center networks.

"Most revenue is accruing to cloud-delivered service mesh," Casemore said. "The service mesh startups, which typically predicate their business models on open source software and 'enterprise' versions thereof, are not generating meaningful service mesh revenue yet, though many are now engaging with paying customers."

Attendees at this week's virtual event expressed concerns in an online Q&A forum about the technology's complexity.

"I have heard about Istio a lot but not used it yet," said event attendee Vishal Masih, cybersecurity architect at Zephon, in an interview. Zephon is an independent security consultancy in McKinney, Texas, that works with federal and enterprise clients.

"The issue is re-architecting [applications] and the time and cost involved [in service mesh]," Masih said. "Zero trust can be achieved without service mesh."

During the event, Tetrate reps acknowledged that complexity can be a barrier to service mesh deployment, particularly in service discovery for non-container workloads, though support for VMs has generally improved in recent versions of Istio.

Tetrate anticipates growth this year, both in its customer base and in general service mesh use among enterprise companies. The company's early customers include household names such as FICO, and many users have now weathered the transition between microservices-based early versions of the Istio control plane and the monolithic architecture it uses as of version 1.5, Talwar said.

Tetrate also plans to launch a hosted version of Service Bridge to further ease service mesh management for customers.

"This year we will start to see the early majority phase of adoption," Talwar said. "Blueprint architectures are starting to emerge about how to build and deploy service mesh at scale … that will give some maturity to the space and confidence to new users."
