Zero-Trust Architectures

In the last two decades public cloud has taken hold more and more so that an increasing number of companies has decided to migrate their workflows from their own, private, datacenters to a public cloud provider. Application development needs to be more adaptable as we transition to cloud solutions, creating a new cloud native approach consisting of microservice instead of monoliths. This led to important security challenges such as workload authentication. Following the cloud’s growth, new tools and models arose, like the Service Mesh and the Zero Trust paradigm. The first one is a dedicated infrastructure layer that you can add to your applications, allowing you to transparently add capabilities like observability, traffic management, and security, without adding them to your own code. The second one is an IT security approach that assumes that no network perimeter is safe so every communication must be authenticated. It is a concept created on the belief that implicit trust is always a vulnerability, and therefore security must be designed with the strategy of “Never trust, always verify”. With these concepts in mind, a Proof of Concept was realized to test wheter a Zero Trust architecture can be achieved using a Service Mesh, in particular a product called Istio. It consisted in a sample Spring Boot application deployed in a Kubernetes cluster created using Minikube. On top of the application, Istio was installed and configured to fullfill the Zero Trust model. Furthermore, Istio’s additional features such as the Ingress Gateway and the Egress Gateway were used to obtain the highest security level possible. A simple authentication server was included in the PoC as well, realized using Keycloak. After realizing the whole architecture, a series of tests were carried out to test wheter the Zero Trust model and the security requirements were achieved or not. The results showed that a Service Mesh could be used to achieve a Zero Trust architecture, so the focus shifted on a real case scenario: implementing the Service Mesh in an already up and running application, that provides a critical workflow in a big company. This was possible thanks to the help of Blue Reply, my internship company. The application already implemented the Zero Trust model without the use of the Service Mesh and this implementation had some flaws and disadvantages like: an excess of utility code in the microservices, no observability tools and less maintainability. Its implementation involved the use of a JWT exchange from the original user request throughout all the transaction. After shutting this feature down, implementing and configuring Istio, a series of tests were carried out to test the improvements compared to the initial structure. The results confirmed the initial intentions so we can affirm that the Service Mesh is a very useful tool to obtain a high level of security and observability even in an already running application. Following Istio’s multicloud capabilities, further work can be done to explore this aspect due to a growth of the multicloud approach.