The rise of containerization and Kubernetes has catalyzed a widespread adoption of microservices architecture for packaging and deploying cloud-native applications. According to a recent report, 85% of surveyed companies said they are modernizing their apps to a microservices architecture.
However, there is one challenge that most organizations are struggling with – securing microservices. According to the State of Kubernetes security report 2023, 67% of companies have delayed or slowed down deployment due to security concerns. The complex architecture and the sheer number of small, loosely connected services working for a single application make the microservices ecosystem highly difficult to secure.
As many microservices handle sensitive data, such as user information, intellectual property, financial data or healthcare records, communication breaches can have serious consequences – data leaks, service disruption, compliance violations, and reputational damage. In light of these risks, there is a greater need and a bigger push to implement the right measures to secure access to microservices and protect communications.
Service-to-Service Communications in Kubernetes Gives Rise to a Large Attack Surface
In the context of Kubernetes, a pod is the smallest deployable unit, representing one or more containers that, in turn, host microservices. Microservices within a pod communicate with each other or with microservices in other pods to deliver an application’s functionality. This native communication line between microservices is often unrestricted (especially between microservices in the same pod), leaving the door open for malicious lateral movement and data theft. Without proper security measures, service-to-service communications can be highly vulnerable to attacks.
Kubernetes is often used in multi-tenant environments where different teams or applications share the same cluster. In such an interoperable setup, even if a single microservice is breached, the impact is multifold as the breach can quickly propagate to all the other pods and containers that are connected to the compromised microservice.
Also, compared to monolithic applications, microservices architectures generate a high volume of east-west traffic that is generally not dictated by API gateways. This creates a much larger attack surface and a greater possibility of data exposure.
“One north-south request from an application end user to an application can result in hundreds of east-west transactions. Network access control lists, as they are part of Kubernetes, are a foundational control. Layer-7-based capabilities that can also provide ‘laser cut’ policies will be chosen based on the sensitivity and risk of the MSA.”
– Gartner®, Container Supply Chain: 10 Security Vulnerabilities and How to Address Them (March, 2023
While the Kubernetes network policies and segmentation help restrict access and prevent lateral movement by acting as a gatekeeper for the pods, controlling incoming and outgoing traffic – they do not fully address the problem – as they don’t protect the communication between two pods or between two microservices within the same pod, leaving cluster services vulnerable to attacks.
An effective way of securing the pod-to-pod or service-to-service communication is to implement mTLS or mutual TLS.
How mTLS Helps Secure Service-to-Service Communications in Kubernetes?
Mutual TLS is a two-way authentication process where the identities of both the communicating parties (i.e. a client and server) are verified to establish a secure connection. It is an extension of the standard TLS protocol, which is one-way authentication, where only the server needs to present its x.509 certificate to authenticate itself to the client.
In the context of Kubernetes, mTLS enables microservices to authenticate each other by verifying their unique identities (x.509 certificates). Only after confirming that the certificates are valid and issued by a trusted Certificate Authority (CA), the two services begin their communication with a shared session key.
Mutual authentication ensures that only trusted microservices are allowed to connect and communicate. In other words, it prevents rogue microservices from accessing cluster resources, minimizing the attack surface to a large extent.
Apart from enabling secure access, mTLS also helps secure communication among microservices by encrypting the traffic. This protects business-critical data from interception, eavesdropping, and man-in-the-middle attacks.
Mutual TLS Through Service Mesh
Mutual TLS for microservices is often implemented via a service mesh—a dedicated infrastructure layer for managing communication between microservices. Service mesh provides traffic management, observability, reliability, and security for microservices. The primary purpose of a service mesh is to help offload the architectural complexity of securing communication so developers don’t have to worry about making changes to the application code of each microservice.
For implementing mTLS, the service mesh control plane offers:
- A Certificate Authority that issues trusted x.509 certificates for microservices authentication
- A configuration API server to define and deliver communication security policies for authentication and authorization to the sidecar proxies.
- Sidecar proxies that sit alongside each microservice and help manage communications based on security policies
When two microservices in a service mesh need to communicate with each other, the sidecars of the two microservices exchange certificates and authenticate each other. They check the security policies for authentication and authorization to see if the microservices are allowed to communicate. If they are, the sidecars will establish a secure mTLS connection, through which encrypted traffic will flow. Some of the most popular service mesh solutions that organizations use today are Istio and Linkerd.
mTLS Is a Core Requirement for Microservices, Kubernetes, and Application Security
Most of today’s internet and cloud traffic is encrypted with TLS to prevent eavesdropping and man-in-the-middle attacks. Yet, organizations often ignore encryption for communications between microservices, assuming that the traffic inside the cluster is secure by default and not susceptible to attacks. This is a false sense of security as pod-to-pod communications in Kubernetes happen to expose more data to the internet when compared to monoliths, which carry out all communication in memory.
Implementing mTLS for microservices can help minimize the risk of unauthorized application access and hackers snooping on communications, therefore strengthening application security. As companies pivot towards zero trust security, mTLS can provide an effective means for continuous verification and enabling trusted communications between microservices. Additionally, implementing mTLS helps comply with regulations like Sarbanes Oxley (SOX), GDPR HIPAA, and others, which highly recommend strong authentication and end-to-end encryption for data confidentiality.
How AppViewX KUBE+ Simplifies Mutual TLS Authentication and Secures Service Mesh Communications in Kubernetes?
AppViewX KUBE+ is a ready-to-consume, scalable certificate lifecycle management solution for Kubernetes environments. It provides a central solution to discover, manage, automate, and govern certificates (or machine identities) across containerized workloads and Kubernetes infrastructure.
When it comes to securing east-west application traffic, AppViewX KUBE+ enables mTLS authentication between services by integrating with major service mesh solutions, such as Istio and Linkerd. Generally, service mesh providers offer a self-signed Certificate Authority (CA) for issuing certificates to services. The challenge with using these internal CAs is that oftentimes they are not compliant with industry standards and best practices. They do not adhere to the strict procedures laid out for certificate issuance and management. Another challenge with CAs provided by service meshes is that they store the root certificate and the signing private key within the cluster which can be a potential security risk, leading to vulnerabilities in certificate management.
The best way to overcome the above challenges is to ensure that the certificates in the control and data plane are rooted in the enterprise chain of trust. AppViewX KUBE+ helps achieve this by integrating with all major public and private CAs. Seamless CA-agnostic integrations help ensure all clusters have the same enterprise root of trust and separate intermediate signing certificates do not need to be generated for different domains or clusters. KUBE+ also provides a signer, which solves the real-world problem of integrating service meshes with existing enterprise PKI solutions. KUBE+ signer helps sign the workload certificates with a trusted CA and installs the trust anchor within the cluster in an auto enrolled fashion. This not only simplifies certificate management but also ensures PKI is always available along with offline CA issuance.