Tetrate Archives

NIST Standards for Zero Trust: the SP 800-204 Series

Introduction

This is the second installment in a two-part series on NIST standards for zero trust security. The first installment covers NIST Special Publication (SP) 800-207, which lays the groundwork for zero trust principles for the enterprise, but makes no specific implementation recommendations.

The follow-up series is made up of four special publications: SP 800-204, SP 800-204A, 800-204B, and 800-204C. This series is co-authored with NIST by Tetrate founding engineer Zack Butcher and takes up where SP 800-207 leaves off.

This series provides security strategies for microservices applications. It mostly focuses on communications between services and between services and a control plane, as described below, under the header Threat Background. In this article, we’ll present an overview of the most important concepts, best practices, and specific deployment recommendations in each of the four papers of the SP 800-204 series:

Istio, Tetrate

Istio component ports and functions in detail

In my last blog, I gave you a detailed overview of the traffic in the Istio data plane, but the data plane does not exist in isolation. This article will show you the ports and their usages for each component of both the control plane and data plane in Istio, which will help you understand the relationship between these flows and troubleshoot them.

Envoy proxy & GetEnvoy, Istio, Tetrate

How Tetrate Service Bridge Workspaces Ease Service Mesh Implementation

“All problems in computer science can be solved by another level of indirection.” – David Wheeler

Service mesh is an architectural construct designed to ease software development and delivery in a microservices environment. Making service mesh work at scale requires some new thinking and the introduction of a few new abstractions.

Here at Tetrate, we have been working on service mesh – its opportunities and its challenges – as long as anyone around. This work is based on our founders’ and key employees’ existing and ongoing roles as founders and maintainers of the open source projects that are most widely used in service mesh implementations: the Envoy proxy, Istio service mesh software, and the Skywalking observability project.

To complement the open source projects, and to create a complete solution, we created Tetrate Service Bridge (TSB). TSB adds a highly functional management plane to service mesh implementations, collaborating with Istio as the control plane and Envoy as the data proxy.

FIPS Certification, Istio Distro, Tetrate

Tetrate Istio Distro Achieves FIPS Certification

Tetrate has achieved a unique milestone with an Istio distribution that has been verified to meet US Federal Information Processing Standard (FIPS) 140-2; in short, this distribution is FIPS 140-2 verified. You can access this distribution now from Tetrate (see tetratefips-v0) and can also consider Tetrate Istio Subscription, which includes support for this new distribution. This verified distribution is also included in the US Government’s Iron Bank repository for verified software.

This FIPS-verified distribution is a specific build of the open source Istio project, the leading software platform for delivering service mesh architectures for use in developing and delivering cloud-native software. Istio is widely used with three other open source projects: Kubernetes container orchestration software, Envoy as a sidecar proxy, and Skywalking for observability. (Istio uses the Envoy proxy for its data plane, with Istio itself serving as the control plane.)

Istio, Security, Tetrate

Tetrate First to Provide Hardened Istio to DoD’s Iron Bank

Game of Thrones fans know the Iron Bank as a lender to governments, businesses, and individuals across the known world. But Iron Bank is also the repository for digitally signed container images that are accredited for use across the US Department of Defense. Iron Bank software is accessible to anyone who registers on the Iron Bank repository.

Iron Bank software must comply with relevant Federal Information Processing Standards (FIPS). Now, a FIPS-compliant version of Istio, provided and supported by Tetrate, has been accepted by the DoD and added to Iron Bank. This version of Istio is supported by the Tetrate support service, Tetrate Istio Subscription. Istio is now easily available for rapid deployment across the DoD and beyond.

The DoD is the largest organization in the world, by headcount (more than 2 million employees, civilian and military) and by budget (more than $700B per year.) About 100,000 of those 2 million employees are involved in software development and delivery. So the use of service mesh and Istio, along with Zarf (see below) and disconnected systems, by the DoD will have a large impact across the US government and beyond.

Tetrate

Tetrate Adds Istio and Envoy Support for Arm Neoverse

Arm and Tetrate strengthen the responsiveness of Istio service mesh with integrated hardware and software for high performance computing and cloud-to-edge workloads

Tetrate, founded by creators and maintainers of Istio and Envoy, today announced that Istio service mesh and Envoy proxy now support the Arm® Neoverse™ platform. Arm is the leading technology provider of processor IP and its designs have enabled more than 215 billion chips. Neoverse support enables widely used open source software projects to run faster, with less energy usage and lower total cost of ownership.

Tetrate

NIST-Tetrate 2022 Conference Talks: NIST Standards for Service Mesh

At the joint NIST-Tetrate conference this year on ZTA and DevSecOps for Cloud Native Applications, Tetrate founding engineer Zack Butcher offered a deep dive into new publications in the NIST SP 800-204 series that sets the standards on security for the use of microservices architecture for the US Government. In this article, we’ll provide a brief overview of Zack’s talk, with a link to a full recording for all the details.

Tetrate

NIST SP 800-207: Laying the Groundwork for Zero Trust Architecture

Background

Since the first animal took a bite out of its neighbor, security concerns have driven an ever-escalating evolution of threat and defense. The evolutionary call and response between threat actors and defenders is punctuated by periods of rapid change between periods of stasis.

We are now in such a period of rapid change. The current security landscape presents us with twin competing challenges: cyber attacks have rapidly increased in scale and sophistication while, at the same time, modern, cloud-native architectures have outgrown traditional network security practices.

In an effort to modernize the security posture of federal agencies and private industry to meet these new challenges, the US government has endorsed zero trust network architecture as a way forward. The National Institute of Standards and Technology (NIST), the body tasked with defining the standards and deployment recommendations for zero trust in the enterprise, has authored a series of special publications to do just that.

In this article, the first of two on NIST zero trust standards, we’ll review NIST’s cornerstone paper, SP 800-207: Zero Trust Architecture, which defines the tenets of zero trust network security and offers recommendations for how to adopt it in your organization.

Envoy proxy & GetEnvoy, Tetrate

Designing Traffic flow via Tier-1 and Tier-2 Ingress Gateways

Introduction

Tetrate’s application connectivity platform, Tetrate Service Bridge (TSB), offers two gateway types, called Tier-1 and Tier-2, that are both based on Envoy and help to achieve different goals. Let’s explore how each type of gateway functions, and when to choose one gateway type versus another.

ABAC, NGAC, Security, Tetrate, Zero Trust

NIST-Tetrate 2021 Conference Talk: ABAC for microservices applications using a service mesh

Access control is fundamental to application security. Modern applications, more than ever, need a flexible access control mechanism that can succinctly express access rules, take into account a large number of objects and dynamic runtime attributes, and be evaluated efficiently at runtime. These rules must also be both intelligible and auditable so the current state of access policy enforcement is knowable and can be easily understood.