Given their interconnected architecture, microservice solutions can be prone to breaches, vulnerabilities and attacks. While it’s important to follow best cybersecurity practices when developing a microservice-based project, there are, of course, other measures you can take to secure it. A recommended method is to implement a service mesh that will facilitate development and security processes. Read on to find out how a service mesh works and how it supports microservices.
What is a service mesh? How does it work?
A service mesh is a dedicated infrastructure layer that balances the traffic between different services in a microservice-based system. It ensures that the right services communicate with each other to complete relevant processes, which is particularly useful for complex microservice-based systems. You can apply a service mesh to your application early on when designing the architecture, or you can migrate your apps to it after launch to improve observability and traffic management.
A “service mesh” also refers to the security layer that comes with this software. It implements safety mechanisms and secures interservice communication, enabling the development team to focus on a solution’s business logic and adding value, rather than handling services. It also helps ensure smoother and faster connections between services.
A service mesh consists of a data plane and control plane. The data plane contains services and their sidecar proxies, which run alongside microservices. A sidecar proxy separates the business logic of a service from interservice communication and enables the implementation of a service mesh. The proxies handle the traffic between the services, which can focus on running their core processes. The data plane can make decisions based on the incoming and outcoming traffic, such as automating load balancing or timeouts. The control plane has an interface which you can use to configure the service mesh. It also updates and manages the proxies when rules or configurations change.
The benefits of implementing service mesh
A service mesh boosts the maturity of a solution’s architecture. There are different tools available to implement it, such as Istio, Consul, Linkerd and Tetragon, but generally they all provide the core advantages of using a service mesh.
Observability A service mesh helps to track the performance of microservices. It provides a consistent set of service metrics, without implementing additional tools, as it monitors the traffic between services. Additionally, you don’t have to implement app instrumentation to track the metrics. The proxies monitor ingress (incoming) and egress (outbound) traffic to give you access to this data. Some service mesh tools even incorporate complex mechanisms to log requests (e.g., Istio’s Envoy Access Logs).
Traffic management and resiliency A service mesh increases the fault tolerance of a system without requiring any changes in the code. It utilizes timeouts, circuit breakers, health checks and intelligent load balancing to make microservice-based solutions more resilient to downtime. It can also control connection pool sizes and support fault injection. With its monitoring capabilities, a service mesh can split traffic and steer it to other services to control the communication flow, which improves performance and ensures strategically planned deployments.
Security A service mesh provides a range of security measures, like authentication, authorization and audit tools that make it easier to safeguard your microservices and comply with different regulations. For example, a service mesh can isolate services and limit access to them to meet regulatory compliance required by ISO 27000, HIPAA or GDPR. You’ll learn more about how this layer supports cybersecurity in the next section.
Policy enforcement With a service mesh, you can easily set up different policies to implement security and compliance requirements to specific communication routes or entire processes within a microservices architecture.
Overall, this solution takes care of tasks associated with managing and monitoring microservices, as well as interservice communication and some security measures. As a result, a development team can focus on developing and enhancing business functionalities, rather than spending most of their time handling the logistics of a microservice system.
Service mesh and cybersecurity functionalities
A significant advantage of implementing a service mesh is that it comes with security mechanisms that increase the safety of a microservices solution. Here are some of the cybersecurity functionalities that a service mesh introduces.
The mutual Transport Layer Security (mTLS) authentication between microservices can be configured declaratively. It means that, regardless of code, you can make sure the interservice communication is safe already at the level of configuration. It’s a virtually foolproof method to ensure that data cannot be modified.
A service mesh helps mitigate server-side request forgery (SSRF). When microservices communicate with each other, a potential attacker can exploit one microservice’s SSRF vulnerability to access another service and, ultimately, the entire system. The service mesh infrastructure requires requests between services to be authorized, which protects the systems from SSRF attacks, unauthorized internal port scanning and service calls that bypass authorization.
It also provides high auditability. The features might differ, depending on a service mesh implementation tool, but generally they’ll give you access to detailed reporting and in-depth telemetry. Istio, for example, collects logs into one centralized component, which doesn’t allow any modifications. The logs are cohesive and consistently gathered for every instance of each microservice.
Authorization security policies are part of configuration. The policies enable you to define which services are authorized to access specific microservices. They also serve as the basis for defining user roles and their access privileges.
A service mesh implements mechanisms to verify egress (outbound) traffic. The ingress (incoming) traffic is filtered by a web application firewall. But the egress layer is sometimes overlooked, and it can also be used to infect an organization’s computers with malware. To secure egress traffic, a service mesh makes sure that outbound communication is compliant with established policies.
It facilitates hardening images to limit security risks. Prebuilt images, in particular, might be misconfigured or involve outdated packages. Since images are used across an entire architecture, you need to ensure they’re secured against attacks – and, as a result, that the production environment is also safe. Some best practices to harden container images include disabling root privileges when creating images. You should also scan the app with Static Application Security Testing (SAST) tools. It’s recommended to certify images so that only images with appropriate certificates can be implemented. Finally, it’s also a good idea to limit the contents of your app to what’s truly essential – for example, Istio gives you access to “distroless” images that only contain key elements required for an application to function.
A service mesh helps you validate configurations. As your system requires more and more microservices, it might get increasingly difficult to manage configurations for all of them. A service mesh makes it easier to analyze the security and configuration of an entire cluster through mechanisms that validate, control and ticket configuration. It’s a good way to mitigate vulnerabilities and security issues that stem from incorrect configuration.
Security management is centralized. A service mesh serves as a security center for the entire architecture. Different cybersecurity measures and mechanisms aren’t dispersed across various tools and split into different microservices – instead, you can manage everything in one place, which is especially convenient for more complex systems.
How service mesh empowers software development
Implementing a service mesh doesn’t only strengthen cybersecurity, but it also simplifies and enhances software development. In particular, it supports development teams in the following three areas.
Fault tolerance Following the Don’t Repeat Yourself (DRY) principle, a service mesh introduces declarative management of fault tolerance (e.g., Retry, Circuit Breaker, connection read timeout and Bulkhead) so that it is handled on the proxy level. As a result, a microservice contains only its essence – business logic. Developers don’t have to program each microservice from scratch. Instead, they can focus on the business logic of each service, saving time and simplifying the overall process of building new services.
Canary deployment This method of deployment enables you to roll out an update to a small section of an app – e.g., one machine or component – to test the process before you implement it across the entire production environment. It can also be used to verify and collect feedback from selected user groups, e.g., defined by their device type. With a service mesh layer, it’s easy to manage canary deployments and follow an iterative approach and a Lean methodology, thereby increasing the maturity of your system architecture.
Fault injection Since a service mesh gives you more control over microservices, you can easily run fault injection testing in a controlled environment and check such error-prone scenarios as delays, cascading failures and component or service unavailability. It’s a good method to see if a system behaves as expected, or what it does when it encounters a problem. Fault injection testing also helps you simulate unwanted scenarios and find solutions with little impact on production traffic.
Mature microservice architectures mean more secure solutions
A service mesh significantly increases the security of microservice-based applications and streamlines development processes. By simplifying and centralizing security configuration, as well as facilitating fault tolerance management, it also decreases development costs. Finally, the monitoring functionalities a service mesh implements make it easier to track service traffic and audit applications.
Insufficient security measures can lead to unstable software, data leaks and breaches that compromise entire organizations. That’s why companies are turning to software partners like Software Mind who design and develop digital solutions with the highest cybersecurity standard in mind. Contact us to find out how our engineering experts can help you enhance your software development life cycles, drive innovation and safeguard your solutions.
Read also: Microservices & Non-functional Testing
About the authorDaniel Sutkowski
Software Architect and Team Manager
Daniel has more than 10 years’ experience in software development in various fields, including telecommunications, security and payments. He specializes mainly in Java and related technologies geared toward microservices architecture and has experience working with containers and their orchestration using Kubernetes. He is interested in frontend technologies that focus on UX/UI aspects. A contributor to the Software Mind Security Guild. Daniel is a proponent of the KISS principle.
About the authorJan Jurek
Senior Software Architect
A Senior Software Architect and Team Manager with almost 15 years’ experience, Jan has developed and managed projects using a wide array of tools and technologies, especially Java. Passionate about enhancing products and services for his clients, Jan leverages his engineering background and security expertise to ensure safe and swift software delivery. When not exploring the exciting possibilities of Kubernetes, AWS and Web Application Security, he can be found giving lectures to students at various Polish universities.
About the authorMateusz Żelazko
Principal Software Engineer
A Principal Software Engineer, Mateusz has over 10 years’ experience in designing and implementing Java and microservice-based systems for businesses in the telecommunications and manufacturing industries. As an active contributor to the Security Guild, his professional interests revolve around the security of web applications, system optimizations and finding solutions to performance issues.
About the authorTomasz Kuc
Senior System Engineer
A Senior System Engineer with many years' experience in IT, Tomasz has implemented a range of systems and worked on diverse IT projects, in recent years mainly for mobile operators. He has a keen interest in security, especially as regards analyzing malware and researching different kinds of cyber risks.