September 18, 2018

How to Secure the Microservices Mesh

API Gateways
Microservices

Your microservices mesh (or service mesh for short) controls how the services that make up an application talk to one another. But all too often the mesh itself is left exposed to security risks, especially when its own security features are still maturing, as with Istio.

In this blog, we share why securing the microservices mesh is important and how to do it. 


What Is a Microservices Mesh?

A microservices mesh is an infrastructure layer that handles service-to-service communication in a microservices architecture. Using a microservices mesh makes it easy to control how the services of an application share information with one another.


Why Securing the Microservices Mesh Is Important

Securing the microservices mesh is important to protect your data and your service. The best way to secure it is to use an API gateway, which lets you prevent unauthorized data access, loss of data integrity, and degradation of the quality of service.

Security is an essential element of any organization's API strategy. API security shares many concerns with website security and network security.

But it's also fundamentally different in terms of:

  • Usage patterns.
  • Unique areas of risk for microservices and sidecars.

For instance, APIs move the boundary of interaction from the web tier directly to the backend applications, microservices, and data sources.

Emerging microservices architectural concepts, such as sidecars and the platforms that inject sidecars into container pods, create new security challenges for DevOps teams, because they introduce new layers of abstraction into an already complex system of components and protocols. This is especially critical for emerging technologies like Kubernetes.



How to Secure the Microservices Mesh With Akana

Using an API gateway is the best way to secure the microservices mesh. And the best API gateway to do it? That's the Akana API gateway.

In the table below, we show how the Akana API platform can be used to secure the microservices mesh of Istio sidecars. 

 
How to Secure the Microservices Mesh With Akana*

Each row lists a feature, its status in the microservices mesh of Istio sidecars (Istio 1.0.1), and the corresponding capability in the Akana API Platform v8.4.

Deny Checker
  Istio 1.0.1: Stable
  Akana v8.4: Mature. Allow and deny rules are configured in a declarative policy administration user interface (UI).

List Checker
  Istio 1.0.1: Stable
  Akana v8.4: Mature. Allow and deny list rules are configured in the same declarative policy administration UI.

Pluggable Key/Cert Support for Istio CA
  Istio 1.0.1: Stable
  Akana v8.4: Mature. Integrated Java PKI and HSM keystores.

Service-to-service mutual TLS
  Istio 1.0.1: Stable
  Akana v8.4: Mature. Mutual TLS can be enforced, with TLS 1.2 as the minimum protocol version.

Kubernetes: Service Credential Distribution
  Istio 1.0.1: Stable
  Akana v8.4: Mature. Contract management architecture with a policy decision point (database) and a policy enforcement point (gateway).

VM: Service Credential Distribution
  Istio 1.0.1: Beta
  Akana v8.4: Mature. The same policy decision point (database) and policy enforcement point (gateway) contract management architecture.

Mutual TLS Migration
  Istio 1.0.1: Beta
  Akana v8.4: Mature. Client certificate management is self-service for apps consuming mutual TLS APIs. More info: How to implement 2-way SSL.

Traffic Control: Label/content based routing, traffic shifting
  Istio 1.0.1: Beta
  Akana v8.4: Mature. Visual Process Designer to create custom traffic flows using the branch, split, and join process activities.

Resilience features: Timeouts, retries, connection pools, outlier detection
  Istio 1.0.1: Beta
  Akana v8.4: Mature. Many QoS policy templates, plus integrated health monitoring of a container's outgoing HTTP connection pool statistics, incoming HTTP thread pools, database connection pools, container memory usage, usage monitoring queues, JMS connections, container configuration state, and container lifecycle.

Gateway: Ingress, egress for all protocols
  Istio 1.0.1: Beta
  Akana v8.4: Mature. Protect the mesh layer of the network with a tier of edge DMZ API gateways, rather than connecting the mesh controller directly to a cloud load balancer.

TLS termination and SNI support in gateways
  Istio 1.0.1: Beta
  Akana v8.4: Mature. SNI support means multiple keys/certificates can be served on one HTTPS endpoint, so each API implementation can present its own identity key/certificate to its own clients.

Authentication policy
  Istio 1.0.1: Alpha. Operators specify Istio authentication policies in .yaml files; once deployed, Istio saves them in the Istio Config Store.
  Akana v8.4: Mature. Link different identity providers and policies to different APIs and application contracts with the integrated Akana OAuth server; Bearer, MAC, JWT, and JOSE token support; and integration with user directories and OpenID Connect providers. More info: Using the JOSE Security Policy.

End User (JWT) Authentication
  Istio 1.0.1: Alpha. Istio only supports JWT origin authentication.
  Akana v8.4: Mature. A key advantage of a signed JWT bearer token is that the resource server can validate it locally (signature, issuer, audience, and expiry) without a round trip to the authorization server, which matters for performance when the resource server and the OAuth provider are different vendors. Signed and encrypted JWTs are supported by the Akana API Gateway.

OPA Checker
  Istio 1.0.1: Alpha. All OPA policies are written in the Rego policy language (V1).
  Akana v8.4: Mature. Authentication domains and policies are created declaratively in a web browser.

Authorization (RBAC)
  Istio 1.0.1: Alpha. The RbacConfig object is a mesh-wide singleton with the fixed name "default"; only one RbacConfig instance can exist in the mesh. Like other Istio configuration objects, it is defined as a Kubernetes CustomResourceDefinition (CRD).
  Akana v8.4: Mature. The Akana OAuth authorization service initiates a resource owner grant, authenticates the resource owner against the corresponding resource owner domain, and obtains the resource owner's authorization for the application to access the resources with the requested scopes. Calls to this service are always initiated by the resource owner, never by the application; since the authorization endpoint is used only in three-legged scenarios, these operations apply only to the three-legged grant types (Authorization Code and Implicit). Additionally, Licenses and Scopes provide authorization for apps and APIs with or without an OAuth token. More info: Authorization server authorization service.

Enabling custom filters in Envoy
  Istio 1.0.1: Alpha
  Akana v8.4: Mature. Filtering of protocol headers, path, query parameters, and XML or JSON message parts with XPath, JSONPath, and regular expressions, using policies or custom processes. More info: Using regular expressions in policies.

*This table compares the stable, beta, and alpha features of open source Istio 1.0.1 with version 8.4 of the Akana API Platform. It illustrates why it is imperative to leverage a mature API gateway architecture at the edge of the cloud and in the core of the service mesh for authentication, authorization, mediation, and resiliency.
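What the mutual TLS rows above come down to at a single service, as an added example written for this post (it is not Akana or Istio code): Python's standard ssl module is used to show, side by side, the common default that accepts any client and the hardened server context that requires a client certificate and refuses anything below TLS 1.2. It also shows the check that must follow a successful handshake, because mutual TLS only proves the caller holds a certificate from the trusted CA; which service that certificate names still has to be authorized. The URI SANs follow Istio's SPIFFE convention spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>; the trust domain, namespaces, service accounts and the getpeercert() dictionaries are constructed for the example.

```python
"""Enforcing service-to-service mutual TLS, then authorizing the peer identity.

Added example for this post (not Akana or Istio code). Python's standard ssl
module shows what 'require a client certificate, TLS 1.2 minimum' means in
configuration, and the check that must follow a successful handshake: mTLS
proves the caller holds a certificate from the trusted CA, but which service
that certificate names still has to be authorized. URI SANs follow Istio's
SPIFFE convention spiffe://<trust-domain>/ns/<ns>/sa/<sa>; the namespaces,
service accounts and getpeercert() dicts below are constructed.
"""
import ssl
from typing import Dict, Iterable, List, Optional


def weak_server_context() -> ssl.SSLContext:
    """Common default: the server proves its identity, but any client,
    with or without a certificate, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def mtls_server_context(ca_bundle: Optional[str] = None,
                        cert_chain: Optional[str] = None,
                        key_file: Optional[str] = None) -> ssl.SSLContext:
    """Hardened: client certificate required and chained to our CA, TLS >= 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0 and 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED            # handshake fails without a client cert
    if ca_bundle:                                  # trust only the mesh CA, not system roots
        ctx.load_verify_locations(cafile=ca_bundle)
    if cert_chain:                                 # this service's own identity
        ctx.load_cert_chain(certfile=cert_chain, keyfile=key_file)
    return ctx


def context_enforces_mtls(ctx: ssl.SSLContext) -> bool:
    """True only if a client certificate is mandatory and TLS < 1.2 is refused."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def peer_identities(peer_cert: Dict) -> List[str]:
    """URI SANs from the dict SSLSocket.getpeercert() returns after the handshake."""
    return [value for kind, value in peer_cert.get("subjectAltName", ())
            if kind == "URI"]


def spiffe_id(trust_domain: str, namespace: str, service_account: str) -> str:
    return f"spiffe://{trust_domain}/ns/{namespace}/sa/{service_account}"


def peer_is_allowed(peer_cert: Dict, allowed: Iterable[str]) -> bool:
    """Authorize the caller by the service identity in its certificate.

    Exact match on the full URI: a prefix or substring match would let
    .../sa/frontend-evil, or a 'frontend' in another namespace, through.
    """
    allowed_set = set(allowed)
    return any(uri in allowed_set for uri in peer_identities(peer_cert))


# Constructed stand-ins for getpeercert() output on two mesh-issued certificates.
PROD_FRONTEND_CERT = {
    "subject": ((("commonName", "frontend"),),),
    "issuer": ((("organizationName", "cluster.local"),),),
    "subjectAltName": (("URI", spiffe_id("cluster.local", "prod", "frontend")),),
}
DEV_FRONTEND_CERT = {
    "subject": ((("commonName", "frontend"),),),
    "subjectAltName": (("DNS", "frontend.dev.svc.cluster.local"),
                       ("URI", spiffe_id("cluster.local", "dev", "frontend"))),
}

# Policy for one API: only these two production workloads may call it.
ORDERS_API_CALLERS = {spiffe_id("cluster.local", "prod", "frontend"),
                      spiffe_id("cluster.local", "prod", "checkout")}


if __name__ == "__main__":
    print("hardened context enforces mTLS >= 1.2:", context_enforces_mtls(mtls_server_context()))
    print("weak context enforces mTLS:", context_enforces_mtls(weak_server_context()))
    print("prod frontend allowed:", peer_is_allowed(PROD_FRONTEND_CERT, ORDERS_API_CALLERS))
    print("dev frontend allowed: ", peer_is_allowed(DEV_FRONTEND_CERT, ORDERS_API_CALLERS))
```

The same two steps apply whether the enforcement point is a sidecar or an edge gateway: the TLS layer answers "was this certificate issued by our CA?", and the allowlist answers "is this particular workload permitted to call this API?". Skipping the second step turns every workload the CA has ever issued a certificate to into an authorized caller.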

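The End User (JWT) Authentication row states that a resource server can validate a signed JWT without a round trip to the authorization server. The following added example (written for this post; not Akana or Istio code) shows the checks that claim rests on. It uses HS256 so that it runs on the Python standard library alone: the resource server shares the signing key with the authorization server and never contacts it per request. With RS256 or ES256 and the provider's published JWKS the resource server would hold only public keys, but the checks after the signature are identical. The key, issuer, audience, subjects and the fixed timestamp are constructed for the example.

```python
"""Local validation of a signed JWT at the resource server.

Added example for this post (not Akana or Istio code). HS256 keeps it on the
Python standard library: the resource server shares the signing key with the
authorization server and never calls it per request. With RS256/ES256 and the
provider's JWKS it would hold only public keys; the checks after the signature
are identical. The key, issuer, audience, subjects and timestamp are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: Dict[str, Any], key: bytes) -> str:
    """What the authorization server does when it issues a token."""
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class InvalidToken(Exception):
    pass


def verify_hs256(token: str, key: bytes, issuer: str, audience: str,
                 now: Optional[float] = None, skew: int = 60) -> Dict[str, Any]:
    """Return the claims of a valid token or raise InvalidToken.

    Order matters: pin the algorithm before trusting anything else in the
    header, verify the signature before reading claims, then check who issued
    the token, who it is for, and whether it is inside its validity window.
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        sig = _b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("malformed token") from exc
    # 1. The verifier chooses the algorithm, never the token ("alg":"none", key confusion).
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")
    # 2. Signature over the exact bytes received, compared in constant time.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(_b64url_decode(p_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("malformed claims") from exc
    # 3. Issuer and audience: a genuine token minted for another API must fail here.
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    # 4. Validity window with a small clock-skew allowance; exp is mandatory.
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + skew:
        raise InvalidToken("expired or no exp")
    if "nbf" in claims and now < claims["nbf"] - skew:
        raise InvalidToken("not yet valid")
    return claims


# Constructed values for the example.
SHARED_KEY = b"example-shared-secret-do-not-reuse"
ISSUER = "https://auth.example.com"
AUDIENCE = "orders-api"
NOW = 1537228800  # 2018-09-18T00:00:00Z, fixed so the run is repeatable


def demo_tokens() -> Dict[str, str]:
    """One valid token and four that a correct verifier must reject."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-42", "exp": NOW + 600}
    good = sign_hs256({**base, "scope": "orders:read"}, SHARED_KEY)
    h, _, s = good.split(".")
    admin_payload = _b64url_encode(json.dumps({**base, "sub": "admin"}).encode())
    return {
        "good": good,
        "other_api": sign_hs256({**base, "aud": "billing-api"}, SHARED_KEY),
        "expired": sign_hs256({**base, "exp": NOW - 3600}, SHARED_KEY),
        # genuine signature, but the payload was swapped after signing
        "tampered": f"{h}.{admin_payload}.{s}",
        # "alg":"none" forgery: header says unsigned, payload picks any subject
        "forged_none": _b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + admin_payload + ".",
    }


def check(token: str) -> str:
    """'ok:<sub>' or 'rejected:<reason>' for a token presented at time NOW."""
    try:
        return "ok:" + verify_hs256(token, SHARED_KEY, ISSUER, AUDIENCE, now=NOW)["sub"]
    except InvalidToken as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    for name, tok in demo_tokens().items():
        print(f"{name:12} {check(tok)}")
```

The performance advantage described in the table is real only because every one of these checks runs against data already in the token and a key already held by the resource server; the trade-off is that a compromised or leaked token stays valid until exp, since nothing consults the authorization server, so token lifetimes should be short.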

Secure Your Microservices Mesh Today

The Akana API gateway makes it easy to secure the microservices mesh. 

With the Akana API gateway, you gain:

  • Power.
  • Resilience.
  • Flexibility.

You can deploy the Akana API gateway across multiple clouds, and you can use it alongside technologies like Istio and Kubernetes. 

Plus, Akana comes with built-in security policies, including OAuth and JWT, that you can apply quickly.

In fact, the strength of the Akana API gateway is why a Fortune 500 company chose Akana. Read the case study.

See for yourself why the Akana API gateway is the best choice to secure the microservices mesh. Get started with your free 6-month trial.

