What is Zero Trust Networking?
Zero Trust is a security model that trusts no person or system by default, inside or outside of your network; it verifies identity before establishing trust, and grants only the minimal access needed to complete a particular function. Public cloud infrastructure, SaaS, personal devices used for corporate work, and microservices architectures all change the surface area for risk, which is why a zero trust model is needed.
Traditional security practices focused on securing the perimeter to keep threats outside of your corporate network and prevent access. Yet even with a secure perimeter, internal systems and data can be compromised if a malicious actor gets in or another internal system has a vulnerability.
Network segmentation breaks a single security perimeter into a collection of smaller networks with minimal or no overlap, to limit cascading issues if one network is breached or compromised. Visibility is critical: monitor ongoing network traffic, keep audit records, and inspect for any anomalous activity.
Zero trust for microservices
Microservices architectures are often dynamic, ephemeral, and distributed, and they break existing security paradigms and tooling. Additionally, because microservices are a collection of loosely coupled services, the network between them is necessary for a properly functioning application. The application-level network has three distinct traffic patterns: ingress (external client to the application), in-cluster (service-to-service), and egress (application to external client). All three are areas to apply zero trust.
Leveraging Envoy Proxy at the edge and in a service mesh provides a high-performance, extensible data plane that can be configured and monitored through control planes at the single- and multi-cluster level. It lets you establish secure connections between individuals and digital assets by encrypting traffic, and divide microservices into smaller networks with minimal overlap.
Microservices architecture breaks traditional security processes and tooling.
- Changing definition of corporate perimeter challenges security model
- Existing security tools designed for static, long-lived environments
- Mix of private and public cloud infrastructure and software assets
- Access required by internal employees, customers, partners, and other systems
- Multiple points of entry and exit across applications in hybrid cloud
A modern API infrastructure provides application level control over network behavior to implement zero trust.
- Security configurations are defined at the API level of each service
- Enforce the perimeter with a WAF to filter out malicious traffic before it enters the environment
- Define granular Auth policies to identify callers before granting access to specific services
- Apply rate limits at the Ingress and Service Mesh level to protect services
- Protect sensitive traffic with TLS/mTLS encryption
- Observability through Prometheus, Grafana, or a dashboard of your choice
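As an added illustration (not configuration from the page's author or from the Envoy project), the Envoy static config below shows what the identity, mTLS and rate-limit bullets above look like on a single service-mesh sidecar listener: a caller must present a certificate signed by the mesh CA, only the caller whose certificate carries the expected workload identity is admitted, and accepted traffic is rate limited before reaching the application. The service names, SPIFFE ID, ports and certificate paths are assumptions.

```yaml
static_resources:
  listeners:
  - name: orders_sidecar_inbound          # sidecar in front of the hypothetical "orders" service
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          require_client_certificate: true  # mTLS: no anonymous or plaintext path into the service
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/orders.crt }   # assumed paths
              private_key: { filename: /etc/envoy/certs/orders.key }
            validation_context:
              trusted_ca: { filename: /etc/envoy/certs/mesh-ca.crt }
              match_typed_subject_alt_names:  # identity check: only the "checkout" workload may call
              - san_type: URI
                matcher: { exact: "spiffe://example.org/ns/shop/sa/checkout" }
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: orders_inbound
          http_filters:
          - name: envoy.filters.http.local_ratelimit   # per-instance limit: 100 req/s, then 429
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
              stat_prefix: orders_ratelimit
              token_bucket: { max_tokens: 100, tokens_per_fill: 100, fill_interval: 1s }
              filter_enabled: { default_value: { numerator: 100, denominator: HUNDRED } }
              filter_enforced: { default_value: { numerator: 100, denominator: HUNDRED } }
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            virtual_hosts:
            - name: orders
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: orders_local }
  clusters:
  - name: orders_local                      # the application process behind the sidecar
    load_assignment:
      cluster_name: orders_local
      endpoints:
      - lb_endpoints: [ { endpoint: { address: { socket_address: { address: 127.0.0.1, port_value: 8080 } } } } ]
```

Because `filter_enabled` and `filter_enforced` default to 0% in this filter, both must be set explicitly or the limit is never applied; the rate-limit and TLS counters under the two `stat_prefix` values are what you would scrape into Prometheus for the observability bullet.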