tetrate.io Open in urlscan Pro
151.101.66.159  Public Scan

Form analysis
1 forms found in the DOM

GET https://tetrate.io/blog/

<form role="search" method="get" action="https://tetrate.io/blog/" class="search-form">
  <input type="search" class="search-field" placeholder="Search..." value="" name="s" title="Search for:">
  <button type="submit" class="search-submit" title="Search">SEARCH</button>
</form>

Text Content

This website stores cookies on your computer. These cookies are used to improve
your website experience and provide more personalized services to you, both on
this website and through other media. To find out more about the cookies we use,
see our Privacy Policy.

We won't track your information when you visit our site. But in order to comply
with your preferences, we'll have to use just one tiny cookie so that you're not
asked to make this choice again.

Accept Decline


Tetrate Extends Scope and Reach of Istio Service Mesh

Read the Article › ✕
GET DEMO
 * 


 * Products
   * * *  * Tetrate Service Bridge
            Application connectivity platform
            
            
            
             * Product Overview
             * Think in App SCOR
             * Benefits
             * FAQ
         
            
         
          * Tetrate Istio Subscription
            Enterprise-grade Istio
 * Documentation
 * Resources
   * * *  * Tetrate Academy
            Certification and free online courses
          * Tetrate Library
            Whitepapers, podcasts, guides and more
          * Zero Trust Architecture
            End-to-end application security
          * Free eBook: SkyWalking
            Your guide to observability at scale
          * Guides
            Learn more about products and technologies
            
            
            
             * Istio Service Mesh
             * Envoy Proxy
             * Envoy Gateway
             * API Gateway
 * Blog
 * Company
   * * *  * About Us
            The Tetrate chronicles
          * Partners
            Tetrate partner network
            
            
            
             * National Institute of Standards and Technology (NIST)
             * Amazon Web Services (AWS)
         
          * Events
            Webinars, conferences, and meetups
          * Careers
            We are hiring!
          * Open Source
            Our contributions and projects
          * Press
            Media coverage and announcements
          * Contact Us
            Get in touch and let’s talk








Keep up with the latest from us

blog
Security


UNDERSTANDING ISTIO AND OPEN POLICY AGENT (OPA)

March 8, 2023  |   Security,  Service Mesh,  Tetrate Service Bridge,

One of the things we’re asked about by our customers adopting a service mesh
practice is how Open Policy Agent (OPA) and service mesh fit together and
interact in their application infrastructure. In this article, we’d like to
weigh in with some thoughts on where service mesh and OPA policy are best
suited, respectively, and how they complement each other.

A good way to frame the discussion is with NIST’s standards for Zero Trust
Architecture, since they’re directly applicable to the interplay between service
mesh and OPA. In the upcoming NIST standards document, Special Publication
800-207A: A Zero Trust Architecture (ZTA) Model for Access Control in Cloud
Native Applications in Multi-Location Environments, identity-based segmentation
is a primary concept. You can watch the presentation we gave at this year’s
Cloud Native Security Con with Ramaswami Chandramouli from NIST for an in-depth
discussion, but the draft spec proposes the following five policy checks as a
minimum standard that should be applied on each request coming into the system
and at every subsequent hop.

Five policy checks for realizing identity-based segmentation with a service
mesh:

 1. Encryption in transit
 2. Service identity and authentication
 3. Service-to-service authorization
 4. End-user identity and authentication
 5. End-user-to-resource authorization

In short, service mesh is a dedicated infrastructure layer that’s purpose built
to implement policy for the first four of these checks  and has some role to
play in the fifth. Where OPA shines is in number five: end-user-to-resource
authorization.

Istio’s sidecar proxies act as a security kernel for microservices applications.
The Envoy data plane is a universal Policy Enforcement Point (PEP) that
intercepts all traffic and can apply policies at the application layer. In that
capacity, it is a reference monitor (NIST SP 800-204B). With Envoy as a PEP, we
can move security concerns out of the application and into the mesh.

Policy checks 1-2: Encryption in transit and service identity & authentication.
To satisfy the first two policy checks, encryption in transit and service
identity and authentication, the mesh implements mTLS for all communication in
the system.

Policy check 3: Service-to-service authorization. Service mesh also provides for
policy three, service-to-service authorization. OPA can start to play a role
here, but since OPA is general purpose, it doesn’t have a DSL around service
communication, so you’d have to create that yourself. On the other hand, we
think policy tends to be more natural and easy to express in the language that’s
built for it. Service mesh—and even more so, the application connectivity and
security platform we built on top of Istio, Tetrate Service Bridge—have nouns
that make sense for writing service-to-service policy.

Policy check 4: End-user identity and authentication. For the fourth policy
check, we need to authenticate end-user identity at every hop in the system. The
service mesh provides the enforcement points to do the check, but the actual
decision about user authentication  is neither in the domain of service mesh nor
OPA. Instead, we need to delegate out to a trusted identity provider to render 
verdicts here.

Policy check 5: End-user-to-resource authorization. The fifth policy check for
zero trust cloud native access control is where OPA can play a significant role.
Service mesh doesn’t have a model for the relationship between end-users and
resources and, as a result, is not well-suited to writing policy about it. The
guidance from NIST  is to integrate with existing systems via OIDC or leverage
dedicated authorization infrastructure—e.g., NIST’s next-generation access
control (NGAC) and Open Policy Agent.

For example, take the case of a media streaming service and its playlists. There
may be millions to billions of playlists that we need to authorize an end-user
against. In the same way that OPA is not particularly well-suited for
service-to-service authorization, Istio authorization policy is not suited for
end-user-to-resource authorization; but, OPA is.

OPA is also well-suited to a step beyond the NIST ZTA policy framework: applying
business-specific policy to a request. After we do the five policy checks for
zero trust, we can delegate to OPA as a rules engine to enforce business policy.

We’ll have more to say on this in the coming months, especially as SP 800-207A
moves through the drafting process. But, in the meantime, the recordings of our
talks at Cloud Native Security Con offer a  deeper discussion of these issues:

 * Identity Based Segmentation for a ZTA – Zack Butcher, Tetrate & Ramaswamy
   Chandramouli, NIST
 * Sponsored Keynote: From Google to NIST — The Future of Cloud Native Security
   – Zack Butcher, Tetrate 


AUTHOR(S)

 * Tetrate

Search
SEARCH



Subscribe to our blog

Categories
 * ABAC 2
 * Announcements 14
 * Apache SkyWalking 19
 * API Gateway 5
 * AWS 12
 * Business & People Operations 4
 * Careers 18
 * Case Studies 9
 * Customer Experience & Delivery 7
 * CVE Fixes 5
 * Design 1
 * Engineering 8
 * Envoy Gateway 1
 * Envoy Proxy & GetEnvoy 43
 * Events 23
 * FIPS Certification 2
 * Funding 1
 * GetIstio 1
 * Istio 92
 * Istio Distro 3
 * Kubernetes 25
 * mTLS 4
 * NGAC 3
 * Observability 13
 * Open Source 60
 * Remote Learning 1
 * Resiliency 1
 * Security 33
 * Service Mesh 70
 * Tetrate 151
 * Tetrate Service Bridge 16
 * Wasm 15
 * wazero 1
 * Zero Trust 15

Products
 * Tetrate Service Bridge
 * Tetrate Istio Subscription

Resources
 * Tetrate Academy
 * Tetrate Library
 * Zero Trust Architecture
 * Free eBook: SkyWalking
 * Blog

Company
 * About Us
 * Partners
 * Events
 * Open Source
 * Press
 * Contact Us

Copyright © Tetrate 2023. All rights reserved. Terms and Conditions and Privacy

X
Download the Special Report